Ransomware, without a doubt, is dominating the cyber-threat landscape by holding critical systems and data hostage in industries ranging from health care and finance to government and energy. Ransomware is a class of malware that, when distributed to a system, renders victims’ systems unusable by encrypting computers and data or by locking applications. The attacker’s goal is to blackmail the victim into paying a ransom in exchange for decryption keys, allowing them to regain control of their systems and data.
Most information and reports about ransomware, however, have focused on phishing as a conduit for ransomware delivery and often overlook other distribution methods in use. Attackers are becoming craftier with their methods to spread malware that encrypts files and locks data, blindsiding victims before they even realize they have been attacked.
While organizations and individuals go about everyday tasks, such as running their businesses in the cloud and using social media, alternative ways of receiving ransomware that do not require the victim to open a phishing email also pose a serious threat. In this slideshow, Aditya Sood, Ph.D., director of security and Elastica Cloud Threat Labs at Blue Coat, discusses five alternative ways organizations can fall victim to ransomware and offers advice on how they can protect themselves.
Ransomware: Beyond Phishing Attacks
Click through for five alternative ways that organizations can fall victim to ransomware and how to protect against them, as identified by Aditya Sood, PhD., director of security and Elastica Cloud Threat Labs at Blue Coat.
Cloud Applications as Ransomware Delivery Platform
Popular cloud applications can easily be leveraged by attackers to spread ransomware and other dangerous content to organizations. Most cloud app users aren’t aware that a file stored in a cloud application and shared through a URL can be opened either by interacting with the cloud app itself or by the browser downloading the file automatically as soon as the URL is opened. For example, recent research by the Blue Coat and Elastica Cloud Threat Labs found that cybercriminals used a popular file-sharing app to deliver the notorious Petya ransomware to end users by abusing a commonly used function. If an attacker shares a file containing ransomware with an end user, the attacker can force the end user’s browser to download the ransomware automatically. Adding to the magnitude of the threat, once downloaded, the ransomware could also spread automatically across the victim’s organization.
Users of Cloud Apps Should Take Advanced Precautions
Cloud app users should adopt a cloud access security broker (CASB) solution that provides granular visibility into cloud app and network traffic. An effective cloud security operations center (SOC) can also provide complete visibility into how users are interacting with their cloud applications. To cover both cloud app and non-cloud app channels, users should combine a secure web gateway and advanced malware analysis with a CASB solution. Users should also continually scan all files sitting in file-sharing apps like OneDrive, Google Drive, Dropbox, and Box.
Ransomware via Exploit Kits
An exploit kit is a tool that exploits various security holes in the software installed on a machine. A cybercriminal buys or rents such a kit, like a commercial product, bundles in the ransomware they wish to deliver, and serves it from compromised legitimate websites. Victims of this type of ransomware are attacked simply by visiting an infected website or browsing a web page that contains infected banner ads. The exploit kit scans the browser for vulnerable components and installed plug-ins and serves matching exploit code. After successful exploitation, the attacker drops the ransomware onto the end user’s computer, which encrypts the system, locks the user out of their data, and demands a ransom.
How to Stay Protected from Exploit Kits
To stay protected, keep your software updated at all times and back up your data. If you back your data up in the cloud, know that cloud apps aren’t 100 percent protected – many types of ransomware can corrupt the data held in cloud applications like Office 365 or Google Drive if those applications are synced to the infected computer. Having protection across your cloud and non-cloud environments is key to remaining safe, secure and compliant.
Ransomware Distribution Through Social Media Channels
Just as with email phishing campaigns, attackers can run elaborate social media phishing scams to distribute ransomware via social media spam. Just by clicking the wrong social media link, an end user can fall victim to dangerous malware, costing money and even online reputations. From malicious links embedded in Facebook videos and Twitter messages, to fraudulent apps and fake links to celebrity profiles, social media users are lured daily by this type of nefarious bait.
Protecting Yourself When Using Social Media
Social media users should be cautious about the links they click, the videos they watch, and the photos they choose to open. Do not trust a link or an enticing offer just because it appears to come from a familiar brand. Offers for free iPhones or airline tickets, and click-bait such as exclusive photos or videos, are likely tied to a scam that could carry harmful malware. If something looks too good to be true, it probably is. For URLs already known to be malicious, a SWF/URL filtering and anti-phishing endpoint solution can protect you and your organization from a ransomware attack via social media platforms. For unknown URLs, a URL scanning security solution that detects malware would be needed.
Ransomware Infecting Websites
In the past few months, ransomware has been found infecting live websites after cybercriminals gained access to their hosting servers. Attackers using this method exploit vulnerabilities in web applications or hosting software to upload ransomware that then encrypts the files within a website, locks the files hosted on the server, and essentially holds the website itself hostage. In some cases, organizations that have fallen victim to this type of attack have had to rebuild their entire site. Additionally, the ransomware can potentially spread to multiple websites if they are hosted in the same environment.
How to Protect Your Organization’s Websites
Attackers exploit vulnerabilities in web applications to compromise remote hosts and perform nefarious operations such as uploading malware. Web Application Firewalls (WAFs) should be deployed to block application-layer attacks. Additionally, system backups and updates are crucial to keeping your website safe – website admins should continuously back up their data and keep their software up to date.
Ransomware Distribution via Infected USB Drives
The CryptoLocker ransomware is a good example of this. It evolved from a Trojan into what has been called a “USB-spreading worm,” a tactic used to spread CryptoLocker to multiple computers via an infected USB drive. As a worm, the ransomware can spread through flash drives. For example, if an individual borrows a USB drive from a co-worker and that drive is infected with the CryptoLocker worm, then any computer the USB drive comes into contact with will also be infected. This is especially dangerous if that computer is also connected to a network, potentially enabling the ransomware to infect an entire organization. CryptoLocker can also compromise the cloud in this scenario. Once a system is infected with ransomware via an infected drive, the files in the locally installed cloud drive folders can be encrypted as well. When the cloud service performs a normal sync, the encrypted files are uploaded and replace the healthy copies.
Protecting Yourself from Infected USB Drives
People using USB drives in their organization should be very cautious the next time they consider plugging an untested USB device into their computer. Organizations should take the additional step of scanning USB devices to neutralize any threats detected. Organizations should also reconsider sharing content with others via USB drives at all – instead, sharing content via the cloud can be effective and, with the protection of an effective CASB solution, more secure than USB sharing. In that case, if files already encrypted by ransomware are synced to the cloud, they can be detected through behavior anomalies and blocked through policy enforcement. Understanding cloud application risks, discovering and analyzing cloud app usage for both sanctioned and unsanctioned apps, gaining control over user interactions with cloud apps, and developing appropriate cloud app policies are all important steps to securing an organization in the cloud.
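As an added example (not from the article or from Blue Coat's products), the behavior-anomaly check described above, run over constructed sync-upload events: a user whose sync client overwrites many readable documents with ciphertext-like content inside a short window is flagged so that sync can be blocked before the encrypted copies replace the healthy ones in the cloud. The event format, thresholds and sample data are assumptions made for this illustration.

```python
import math
from collections import Counter, defaultdict, deque

def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: ~8.0 for ciphertext, typically 4-5 for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def is_suspicious_overwrite(old: bytes, new: bytes,
                            low=6.0, high=7.5) -> bool:
    """A low-entropy document replaced by near-random bytes. Brand-new files
    and already-compressed files (high entropy before and after) are ignored,
    so archives and photos do not trip the check on their own."""
    if not old:
        return False
    return shannon_entropy(old) < low and shannon_entropy(new) >= high

def detect_mass_encryption(events, window_s=60, min_files=5):
    """events: iterable of (ts, user, path, old_bytes, new_bytes) sync uploads
    (assumed format). Returns the set of users who overwrote at least
    min_files documents with ciphertext-like content within window_s seconds."""
    recent = defaultdict(deque)   # user -> timestamps of suspicious overwrites
    flagged = set()
    for ts, user, path, old, new in sorted(events, key=lambda e: e[0]):
        if not is_suspicious_overwrite(old, new):
            continue
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window_s:   # drop overwrites outside the window
            q.popleft()
        if len(q) >= min_files:
            flagged.add(user)
    return flagged

# Constructed sample data (not real captures).
DOC = b"Q3 revenue grew 4% on higher cloud subscription sales. " * 20
CIPHERTEXT = bytes(range(256)) * 4          # every byte value equally likely: 8.0 bits
ZIP_LIKE = bytes(range(256)) * 2            # stands in for an already-compressed archive

SAMPLE_EVENTS = (
    [(10, "bob", "/notes.txt", DOC, DOC + b"Edited.")]              # normal edit
    + [(20, "alice", "/archive.zip", ZIP_LIKE, ZIP_LIKE[::-1])]      # high entropy both sides
    + [(30 + i * 5, "alice", f"/reports/q3_{i}.docx.locked", DOC, CIPHERTEXT)
       for i in range(6)]                                           # 6 documents in 25 s
    + [(400, "carol", "/budget.xlsx.locked", DOC, CIPHERTEXT)]      # a single file only
)

if __name__ == "__main__":
    print("block sync for:", detect_mass_encryption(SAMPLE_EVENTS))  # {'alice'}
```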