He looked at me with desperation and almost whispered, “Can’t you do something, my man?” I promised to get back to him with a solution. This was the second incident in as many days in which a client had asked me for a solution to what has become the “most serious” threat on the internet: RANSOMWARE, aka Crypto-Ransomware.
By Prof Changamire
What is this threat that is constantly evolving at such a rapid pace, and with the same deadly efficiency as notorious worms of the past such as SQL Slammer? It is no surprise, then, that the next wave is going to be bolder and more malicious. This is evidenced by how attackers have migrated from “indiscriminate shooting in the dark, hoping to hit a target”, where payloads were delivered via mass distribution, rootkits and the like, to cryptoworms, or self-propagating payloads, and by a potential increase in the price of decryption keys, though the exact attack vector of that next wave is anyone’s guess.
Cryptoware basically has 5 stages, which I will break down here as follows.
- Installation
Registry changes are made to enable automatic startup of the infection.
- Contact Its Servers
At this point the ransomware contacts its home servers.
- Handshaking
The victim PC authenticates with the attacker’s server, which generates 2 cryptographic keys; one set is stored on the victim’s PC whilst the other is kept at the remote server.
- Initiates Encryption
The victim’s files with all common file extensions are encrypted.
- Extortion
A message is usually delivered asking for a ransom and setting a time limit, after which the attackers threaten to destroy the decryption key.
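The “Initiates Encryption” stage above is the one that is visible on the network long before the ransom note appears: one process rewriting many files of many different types into a single new extension within seconds. The following is an added example, not code from the article, of a simple heuristic detector for that pattern; the event format, process names, paths and thresholds are all constructed for illustration.

```python
from collections import defaultdict, deque
import os

# Thresholds are assumptions for illustration, not values from the article.
WINDOW_SECONDS = 60        # look-back window per process
MIN_FILES = 20             # files rewritten inside the window
MIN_SOURCE_EXTENSIONS = 5  # distinct original extensions touched


def _ext(path):
    """Lower-cased file extension, e.g. '.docx'."""
    return os.path.splitext(path)[1].lower()


def detect_mass_encryption(events, window=WINDOW_SECONDS,
                           min_files=MIN_FILES, min_exts=MIN_SOURCE_EXTENSIONS):
    """Return (process, first_ts, alert_ts, file_count, source_exts) alerts.

    `events` are (timestamp_seconds, process, old_path, new_path) tuples sorted
    by timestamp. A process is flagged once a sliding window of its writes holds
    enough files, from enough distinct original extensions, that all end up
    with the same new extension, the signature of bulk encryption-and-rename.
    """
    per_proc = defaultdict(deque)
    alerts, alerted = [], set()
    for ts, proc, old_path, new_path in events:
        win = per_proc[proc]
        win.append((ts, old_path, new_path))
        while win and ts - win[0][0] > window:   # expire old events
            win.popleft()
        src_exts = {_ext(o) for _, o, _ in win}
        dst_exts = {_ext(n) for _, _, n in win}
        if (len(win) >= min_files and len(src_exts) >= min_exts
                and len(dst_exts) == 1 and proc not in alerted):
            alerts.append((proc, win[0][0], ts, len(win), sorted(src_exts)))
            alerted.add(proc)
    return alerts


def sample_events():
    """Constructed sample: a word processor saving three documents (benign),
    then an unknown process rewriting every document on a share to '.locked'."""
    events = [(10 + i, "winword.exe", f"/share/report{i}.docx",
               f"/share/report{i}.docx") for i in range(3)]
    exts = [".docx", ".xlsx", ".pdf", ".jpg", ".pptx", ".txt"]
    for i in range(30):
        old = f"/share/docs/file{i}{exts[i % len(exts)]}"
        events.append((20 + i, "unknown_proc.exe", old, old + ".locked"))
    return sorted(events)
```

Run against `sample_events()`, the detector ignores the word processor and raises a single alert for the unknown process at the 20th rewrite, which is the point at which an automated response (isolating the host from the file server) could act.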
According to the Cyber Threat Alliance, a group of leading cyber security firms, which estimated last year that global damages from CryptoWall3 totaled US$325 million in the first nine months of 2015 alone, Africa, and Zimbabwe in particular, are no exception to this menace.
Whilst it is true that everyone is vulnerable to this attack, some precautions are worth taking, such as:
- Increase security on the internet-facing side of your LAN
- Discourage “click happy” users from opening emails from unknown senders
- Discourage opening attachments that lead to a URL rather than to an actual file
- Enable web filtering
- Restrict write permissions on file servers as much as possible
- Perform regular offline backups
- Disconnect from the network the moment you suspect an infection
- EDUCATE USERS
This is not exhaustive but should protect you and your network.
To pay or not to pay the ransom is more of a moral decision that you would have to make.
Prof Changamire is a young, proud, trailblazing African IT consultant who owes much of his knowledge to those who had the patience to show him the ropes and awaken his hunger for IT, and to the power of social collectivism.