Two New Security Risks Detected: Beware Ransomware
By Julie King | December 15, 2014
Security experts are warning companies about two new "ransomware" threats that put companies with unpatched computer workstations at risk.
Ransomware is malicious software that locks (encrypts) the files on a compromised computer, so that the owner can only retrieve the files by paying a ransom.
Security expert Stu Sjouwerman, CEO of KnowBe4, explains that the two new ransomware strains are very sophisticated, which increases the risk.
The threats
OphionLocker: This attack will encrypt data and then hold the files to ransom. Ransoms are paid in Bitcoin and the amounts differ depending on the country the company is in, with US companies being charged the highest ransoms.
Sjouwerman said, "The new wrinkle is that when a workstation is infected with it, it will generate a unique hardware ID based on the serial number of the first hard drive, the motherboard's serial number, and other information. It will then contact the malware's Control & Command server via a TOR site and check if this particular hardware ID has been encrypted already. When you go to the ransomware site, it will prompt you to enter your hardware ID. Once entered, it will display the amount of ransom you are required to pay and provide a bitcoin address that you should send the payment to."
Since the files are not removed from affected computers, it is possible to recover them using a file recovery tool or a program like Shadow Explorer.
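Shadow Explorer is a third-party viewer for Volume Shadow Copies; the same snapshots can be reached with tools built into Windows. The script below is an added example, not code from the article or from KnowBe4. It lists the shadow copies on the machine, links the newest snapshot of the C: volume to a folder and copies a file out of it. It assumes an elevated PowerShell session on a Windows host with System Protection enabled; the mount folder and the document path are placeholders.

```powershell
# Added example (not from the article or KnowBe4): recover a file from the
# newest Volume Shadow Copy of C: using only built-in Windows tooling.
# Assumes an elevated PowerShell session; paths below are placeholders.

# 1. List every shadow copy on the host, newest first.
$shadows = Get-CimInstance -ClassName Win32_ShadowCopy |
    Sort-Object InstallDate -Descending
$shadows | Select-Object ID, InstallDate, VolumeName, DeviceObject | Format-Table -AutoSize

# 2. Win32_ShadowCopy.VolumeName is a \\?\Volume{GUID}\ path, so resolve C: to
#    that form and keep only snapshots of that volume.
$cVolume = (Get-CimInstance -ClassName Win32_Volume |
    Where-Object { $_.DriveLetter -eq 'C:' }).DeviceID
$latest = $shadows | Where-Object { $_.VolumeName -eq $cVolume } | Select-Object -First 1
if (-not $latest) {
    throw "No shadow copy of C: found. Ransomware frequently deletes snapshots before encrypting; fall back to offline backups."
}

# 3. Expose the snapshot as a directory link. mklink needs the device object
#    (\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN) with a trailing backslash.
$mountPoint = 'C:\ShadowRecovery'          # placeholder folder name
if (Test-Path $mountPoint) { cmd.exe /c rmdir $mountPoint | Out-Null }
cmd.exe /c mklink /d $mountPoint "$($latest.DeviceObject)\" | Out-Null
"Snapshot from $($latest.InstallDate) linked at $mountPoint"

# 4. Copy the pre-encryption version of a file out of the snapshot (placeholder path).
New-Item -ItemType Directory -Path 'C:\Recovered' -Force | Out-Null
Copy-Item "$mountPoint\Users\Public\Documents\report.docx" 'C:\Recovered\report.docx'

# 5. Remove the link only. rmdir on a directory link removes the link, not the
#    snapshot; avoid Remove-Item here, which may recurse into the target.
cmd.exe /c rmdir $mountPoint
```

Run the listing step first on a clean machine so you know what normal output looks like: an empty list on a workstation that should have System Protection enabled is itself a warning sign, since many ransomware families delete shadow copies before they encrypt, and in that case the only recovery path is an offline backup.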
TorrentLocker: This ransomware attack has already generated $40 million this year, with 82,000 Bitcoins being paid into the Bitcoin wallet the cyber gang uses to receive payments since March. Sjouwerman notes that while TorrentLocker attacks have previously focused on countries outside of North America, it looks like the criminal gang behind the attack are getting ready to target companies in Canada and the US.
Technically, the attack uses 256-bit keys stored on a remote server. Options to restore data without paying the ransom are limited, but researchers from the Finnish security firm NIXU say they have found a mistake in the way encryption was done that would enable an expert to retrieve the key and decrypt the files. (However, now that the mistake has been published, it is possible that newer versions of the virus will have been updated to close this recovery avenue.)
Protecting your business
These attacks and others like them only impact compromised computers, and most computers become compromised in one of two ways:
- User behaviour: The sad truth is that most computers become compromised because a user does something to let the attacker in. Known as "social engineering", this means the user is tricked into activating a file that then runs on his or her workstation. The most common ways this happens are through spam emails and malicious links online. For example, a user might get a "suspicious activity" alert telling them that someone has changed a password on their social media account. The user is then urged to go to a website to reset their password "for security reasons", and if they fall for this bait, they allow the attack to happen.
The risks to companies are significant: in a private meeting I attended, a person from a large Canadian company explained that their IT department ran an experiment to see how effective education was. The company first educated their staff about safe email behaviour and then ran an email "phishing" attack to see if people would recognize that they should not click on the message. The outcome was shocking: 50 per cent of the staff members clicked on the attack email, despite having been recently trained not to do this.
In terms of preventing attacks, education and ongoing reminders should form part of your company's strategy, backed by a strong protection suite that covers all vulnerabilities to help cover the times when employees will make mistakes.
- Computer updates: The second point of vulnerability lies in the software and hardware itself. Sjouwerman notes that it is critical for companies to patch their systems diligently. Some companies will also use administrator controls to limit the ability of users to install new programs or effect changes on their workstations, although in smaller companies this is sometimes unrealistic, as it makes it unwieldy to install new software without support from an IT professional.
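Both controls in this list can be checked on a single workstation in a few lines. The script below is an added example, not code from the article or from KnowBe4: it reports how long ago the last Windows update was installed and which accounts hold local administrator rights, which is the setting that decides whether a file a user is tricked into running can change the whole machine. It assumes PowerShell 5.1 or later; the 30-day threshold is an assumed policy value.

```powershell
# Added example (not from the article or KnowBe4): audit patch staleness and
# local administrator membership on a Windows workstation. Requires PowerShell
# 5.1+ (Get-LocalGroupMember). The 30-day threshold is an assumed policy value.

$maxPatchAgeDays = 30

# 1. Most recently installed update. Get-HotFix reads Win32_QuickFixEngineering;
#    InstalledOn is empty for some entries, so filter those out before sorting.
$latestPatch = Get-HotFix |
    Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 1
if (-not $latestPatch) {
    Write-Warning "No installed updates recorded; check Windows Update immediately."
} else {
    $patchAge = (Get-Date) - $latestPatch.InstalledOn
    "Last update {0} installed {1:yyyy-MM-dd} ({2} days ago)" -f `
        $latestPatch.HotFixID, $latestPatch.InstalledOn, [int]$patchAge.TotalDays
    if ($patchAge.TotalDays -gt $maxPatchAgeDays) {
        Write-Warning "No update installed in the last $maxPatchAgeDays days; patching has lapsed."
    }
}

# 2. Accounts with local administrator rights. A program a user is tricked into
#    running inherits that user's rights, so everyday accounts should not be here.
$admins = Get-LocalGroupMember -Group 'Administrators'
$admins | Select-Object Name, ObjectClass, PrincipalSource | Format-Table -AutoSize
$userAdmins = $admins | Where-Object {
    $_.ObjectClass -eq 'User' -and $_.Name -notmatch '\\Administrator$'
}
if ($userAdmins) {
    Write-Warning ("User accounts with local admin rights: " + ($userAdmins.Name -join ', '))
} else {
    "No everyday user accounts hold local administrator rights."
}
```

Running this across a fleet (for example through a remote session or a scheduled task that writes the output centrally) turns the article's two pieces of advice into something that can be measured: the patch age shows whether diligent patching is actually happening, and the admin list shows which workstations a single phishing click could fully compromise.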
If you enjoyed this article, be sure to visit CanadaOne's article knowledge base for more informative articles.