In the last few weeks, stories about ransomware have been everywhere. Over the years we have become familiar with viruses and malware, and the industry constantly develops products and strategies to deal with these types of threats. Although the successes have varied, with software and common sense we have managed to maintain relatively safe and user-friendly computing environments.
Enter the year 2016. Smarter systems, smarter hackers.
The new vector of attack is shifting from information gathering to directly extorting cash from organizations. Just Google ransomware and you’ll be surprised by the number of incidents and who has been hit and how.
If you are not familiar with the term, ransomware is malicious code that mostly arrives as a file attachment (a document, spreadsheet, etc.) distributed via email. The subject of these emails varies: invoice details, subpoenas, shipping information, party invitations and insurance benefits. What they have in common is that they all contain some sort of document attachment that needs to be opened.
Here is the scary part: these emails look very legitimate, and if they are sent to the right department in an organization, they would not appear suspicious at all. Compromised websites hosting downloadable content have also been identified as a source of infection.
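The emails described above all share one property: a document attachment that has to be opened. A mail gateway or help-desk triage script can flag the common giveaways before anyone does so. The following is an added example written for this post, not code from the original article or from any vendor; it uses only the Python standard library and constructs its own sample message. The list of risky extensions, the double-extension rule and the check for a `vbaProject.bin` entry inside an Office 2007+ container are the author's assumptions about what a reasonable first-pass filter looks like, not a complete detection policy.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Assumed lists for this example: types that execute directly or are common droppers,
# Office containers that may carry VBA, and archives worth looking inside.
EXECUTABLE_EXTS = {"exe", "scr", "js", "jse", "vbs", "wsf", "bat", "cmd", "hta", "ps1", "jar", "lnk"}
OFFICE_EXTS = {"doc", "docm", "docx", "xls", "xlsm", "xlsx", "ppt", "pptm", "pptx", "rtf"}
DOCUMENT_LOOKALIKES = {"pdf", "doc", "docx", "xls", "txt", "jpg"}


def has_ooxml_macro(data: bytes) -> bool:
    """Office 2007+ files are zip containers; a vbaProject.bin member means embedded VBA."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def triage_attachment(filename: str, data: bytes) -> list[str]:
    """Return human-readable reasons this attachment deserves a closer look (empty = nothing found)."""
    reasons = []
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    if ext in EXECUTABLE_EXTS:
        reasons.append(f"executable attachment type .{ext}")
    # "Shipping_details.pdf.js": the inner extension is what the user sees when extensions are hidden
    if len(parts) > 2 and parts[-2] in DOCUMENT_LOOKALIKES and ext in EXECUTABLE_EXTS:
        reasons.append("double extension disguises an executable as a document")
    if ext in OFFICE_EXTS and has_ooxml_macro(data):
        reasons.append("Office document contains a VBA macro project")
    # A Windows PE file starts with "MZ" regardless of what the filename claims
    if data[:2] == b"MZ" and ext not in EXECUTABLE_EXTS:
        reasons.append("file content is a Windows PE executable despite its extension")
    if ext == "zip":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    for r in triage_attachment(member, zf.read(member)):
                        reasons.append(f"archive member {member}: {r}")
        except zipfile.BadZipFile:
            reasons.append("attachment claims .zip but is not a valid archive")
    return reasons


def triage_message(raw: bytes) -> dict[str, list[str]]:
    """Parse a raw RFC 5322 message and map each flagged attachment name to its reasons."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        payload = part.get_payload(decode=True) or b""
        reasons = triage_attachment(name, payload)
        if reasons:
            findings[name] = reasons
    return findings


def build_macro_docm() -> bytes:
    """Constructed minimal Office container with a VBA project entry (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


def build_sample_message() -> bytes:
    """Constructed 'invoice' email with one macro document, one disguised script and one benign file."""
    msg = EmailMessage()
    msg["From"] = "billing@example.com"
    msg["To"] = "accounts-payable@example.org"
    msg["Subject"] = "Invoice details"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(build_macro_docm(), maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12", filename="Invoice_2016.docm")
    msg.add_attachment(b"var x = 1;", maintype="application", subtype="octet-stream",
                       filename="Shipping_details.pdf.js")
    msg.add_attachment("You are invited!", filename="party.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reasons in triage_message(build_sample_message()).items():
        print(name)
        for r in reasons:
            print("  -", r)
```

Running the block prints the two flagged attachments with their reasons and says nothing about `party.txt`. The heuristics are deliberately cheap so they can run on every inbound message; they complement, rather than replace, the user diligence the post asks for.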
It is also worth mentioning that these types of attacks do not spread from PC to PC, but are focused on encrypting an unsuspecting user’s system files or documents, both local and network based, hence the term ‘CryptoLocker’.
Once the infected file is executed, the user will be presented with simple instructions on how to deliver payment to get the keys to decrypt.
In addition, there is no easy way to get rid of these types of infections. You need to rebuild the PC and recover network documents from backup, or you need to pay the malware operator a ransom to get the decryption key.
Furthermore, the price for the keys keeps going up the longer the infected user waits. Various antivirus companies try to crack these keys and provide them free of charge, but that takes time and users could be in for a long wait.
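Because the damage described above is done by rewriting documents in place, the behaviour is visible on the file server long before anyone sees a ransom note: one account rewrites many files in a short burst, the new contents no longer match the file type's signature, and a planted canary file gets touched. The following detector is an added example written for this post, not code from the original article or any product; it replays a constructed stream of write events rather than reading a real audit log. The canary path, the 60-second window, the threshold of five files and the 7.2 bits-per-byte entropy cut-off are the author's assumptions and would need tuning for a real share.

```python
import math
import random
from collections import defaultdict, deque

# Assumed configuration for this example (not from the page)
CANARY_PATHS = {"S:/shared/_canary_do_not_open.docx"}
MAGIC = {"docx": b"PK\x03\x04", "xlsx": b"PK\x03\x04", "pdf": b"%PDF", "png": b"\x89PNG"}
PLAINTEXT_EXTS = {"txt", "csv", "log", "md"}
COMPRESSED_EXTS = {"zip", "7z", "gz", "jpg", "mp4"}   # high entropy is normal here
HIGH_ENTROPY_BITS = 7.2       # encrypted or compressed data approaches 8.0 bits per byte
WINDOW_SECONDS = 60
BURST_THRESHOLD = 5           # distinct files with encrypted-looking writes by one user in the window


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty or constant input, 8.0 for uniform bytes)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def classify_write(path: str, data: bytes):
    """Return a reason string if one write looks like encryption in place, else None."""
    if path in CANARY_PATHS:
        return "canary file modified"
    ext = path.rsplit(".", 1)[-1].lower() if "." in path else ""
    expected = MAGIC.get(ext)
    if expected is not None and not data.startswith(expected):
        return f"content no longer matches the .{ext} file signature"
    if expected is None and ext not in PLAINTEXT_EXTS and ext not in COMPRESSED_EXTS \
            and shannon_entropy(data) >= HIGH_ENTROPY_BITS:
        return f"high-entropy content written under unfamiliar extension .{ext}"
    return None


class EncryptionBurstDetector:
    """Per-user sliding window over suspicious writes; canary hits alert immediately."""

    def __init__(self, window: float = WINDOW_SECONDS, threshold: int = BURST_THRESHOLD):
        self.window = window
        self.threshold = threshold
        self.recent = defaultdict(deque)   # user -> deque of (timestamp, path)

    def observe(self, ts: float, user: str, path: str, data: bytes):
        """Feed one file-write event; return an alert string or None."""
        reason = classify_write(path, data)
        if reason is None:
            return None
        if reason == "canary file modified":
            return f"ALERT {user}: {reason} ({path})"
        q = self.recent[user]
        q.append((ts, path))
        while q and ts - q[0][0] > self.window:
            q.popleft()
        touched = {p for _, p in q}
        if len(touched) >= self.threshold:
            return f"ALERT {user}: {len(touched)} files rewritten with encrypted-looking content in {self.window}s"
        return None


def replay(events):
    """Run the detector over (ts, user, path, data) tuples and collect the alerts it raises."""
    det = EncryptionBurstDetector()
    alerts = []
    for ts, user, path, data in events:
        alert = det.observe(ts, user, path, data)
        if alert:
            alerts.append(alert)
    return alerts


def build_sample_events():
    """Constructed write stream: two normal saves, then five documents overwritten with ciphertext-like
    bytes inside 20 seconds, then a second user touching the canary file."""
    rng = random.Random(2016)                       # seeded so the sample is reproducible
    junk = lambda: rng.randbytes(4096)              # stands in for encrypted output
    events = [
        (0.0, "jsmith", "S:/shared/Q1_report.docx", b"PK\x03\x04" + b"\x00" * 64),
        (1.0, "jsmith", "S:/shared/notes.txt", b"meeting at 10"),
    ]
    for i in range(3):                              # renamed to a new extension
        events.append((5.0 + i * 3, "jsmith", f"S:/shared/invoice_{i}.pdf.locked", junk()))
    for i in range(2):                              # overwritten in place, signature destroyed
        events.append((14.0 + i * 3, "jsmith", f"S:/shared/budget_{i}.xlsx", junk()))
    events.append((30.0, "agreen", "S:/shared/_canary_do_not_open.docx", junk()))
    return events


if __name__ == "__main__":
    for line in replay(build_sample_events()):
        print(line)
```

Replaying the sample raises exactly two alerts: the burst for `jsmith` on the fifth suspicious file, and the canary hit for `agreen`. Either one is a reason to disconnect the share and pull the host, which is cheaper than the rebuild-and-restore described above when caught early.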
The traditional antivirus/antimalware tools have not been very successful in stopping these infections. It is important to be diligent when opening email attachments, particularly if they look even a bit suspicious, and to be aware of how easy it is to be tricked by a compromised website.
In the last two weeks, I have personally received at least 6 of these emails, each with a different type of Cryptolocker ransomware. How did I know they were ransomware? I was able to test each of them using Bromium End Point Protection, a product that uses microVM isolation to deal with any sort of infection.
Bromium uses endpoint CPU micro-virtualization: a lightweight micro-VM that cannot modify Windows or gain access to high-value files, data, networks or sites, or access any OS services. It isolates each untrusted website, document or executable to defeat attacks from the Web, email, social media and USB. Endpoints are protected even on untrusted networks, and automatically self-remediate when attacked. When an endpoint is attacked, malware may execute in the context of a micro-VM, but no content of value is available to be stolen, and the attacker cannot pivot onto the enterprise network to further the attack. As the website, document or executable is closed, the micro-VM is discarded and so is the malware.
Bromium is a premium priced product that may not be suitable for every enterprise. Call us to learn more about its viability for your company.
Remember to always be careful in dealing with suspicious looking emails or websites.