Everything You Need To Know About Ransomware
1. What is ransomware and what is its impact?
Ransomware is a special type of malware, also classified as a "denial-of-access attack". The biggest difference between ransomware and other malware is the purpose of the attack. Ransomware systematically encrypts the victim's files, such as documents, emails, databases and source code, to prevent the user from accessing them. After the encryption is complete, the ransomware drops a ransom note to intimidate the user into paying the ransom. The following picture shows the ransom note released by the WannaCry ransomware.
At present, mainstream ransomware usually uses an asymmetric encryption algorithm to encrypt data, where the encryption and decryption keys are different. The public and private keys work as a pair, and only the specific private key can unlock data encrypted with the corresponding public key. Therefore, it is very difficult to recover the encrypted data without knowing the private key.

2. How is the ransomware implanted?
Different ransomware families and their variants are usually implanted in different ways, such as by exploits, brute force, spam, drive-by download and removable media.
2.1. By exploits
Attackers add self-propagation code to the ransomware, so that it combines the characteristics of a worm with those of ransomware. For example, the WannaCry ransomware that appeared in 2017 not only encrypts local files, but also exploits the EternalBlue vulnerability to spread across the intranet and the Internet, so the number of infected hosts grew explosively. The picture below shows the scale of the WannaCry infection.

2.2. By brute force
The attacker brute-forces Windows Remote Desktop Services exposed on the Internet. After obtaining a valid username and password, the attacker has control over the device and can spread the ransomware from it. For example, the GlobeImposter family takes control of a device by cracking Remote Desktop Services exposed on the Internet and then spreads itself to other hosts on the intranet.

2.3. By spam
The attacker sends an email with a malicious attachment or a malicious link to the user, inducing the user to open and execute it; Cerber and GandCrab are examples.

2.4. By drive-by download
Drive-by download is also a common method used by attackers to spread ransomware. When a user uses a vulnerable browser plugin or clicks on a spoofed pop-up, the carefully constructed attack vector automatically downloads the ransomware sample and executes it; the Ramnit family is one example.

2.5. By removable media
The attacker first writes the ransomware program to the removable medium and modifies its autorun.inf file to point to the ransomware program. Once the removable medium is connected to a Windows system with the AutoPlay function for removable media enabled, Windows will run the ransomware program.
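The defender's counterpart to the autorun.inf trick above is to inspect the file before AutoPlay ever sees it. The following added example (not from the original article) parses an autorun.inf with Python's configparser and reports every launch entry (open, shellexecute, or shell\<verb>\command) whose target is an executable or has no extension at all. The two sample autorun.inf texts and the extension list are constructed for illustration.

```python
"""Inspect an autorun.inf for entries that would launch a program on insertion.

Added example, not part of the original article. The Windows [autorun] keys
that can start a program are open, shellexecute and shell\<verb>\command;
icon and label only decorate the drive and are ignored here.
"""
import configparser
import ntpath

LAUNCH_KEYS = {"open", "shellexecute"}
# Extensions a data drive's autorun entry should never point at (illustrative list).
EXECUTABLE_EXTS = {".exe", ".com", ".bat", ".cmd", ".scr", ".vbs", ".js", ".pif"}


def parse_autorun(text: str) -> dict:
    """Return the key/value pairs of the [autorun] section, keys lower-cased."""
    parser = configparser.ConfigParser(strict=False, interpolation=None,
                                       delimiters=("=",), allow_no_value=True)
    try:
        parser.read_string(text)
    except configparser.Error:
        return {}            # no usable [autorun] header: AutoPlay ignores the file
    for name in parser.sections():
        if name.lower() == "autorun":   # section names are case-insensitive on Windows
            return dict(parser.items(name))
    return {}


def program_path(value) -> str:
    """Extract the program from a launch value; a quoted path may carry arguments."""
    value = (value or "").strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value.split()[0] if value else ""


def findings(text: str) -> list:
    """List (key, program) pairs for launch entries pointing at executables."""
    out = []
    for key, value in parse_autorun(text).items():
        launches = key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command"))
        if not launches:
            continue
        program = program_path(value)
        if not program:
            continue
        ext = ntpath.splitext(program)[1].lower()
        # A target with no extension is reported too: it cannot be classified as safe.
        if ext in EXECUTABLE_EXTS or ext == "":
            out.append((key, program))
    return out


def inspect_file(path: str) -> list:
    """Convenience wrapper: read autorun.inf from a mounted drive root."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return findings(fh.read())


# Constructed samples: one that launches a program, one that only sets icon and label.
SAMPLE_MALICIOUS = r"""[autorun]
open=setup.exe
shellexecute="Files\Photos.exe" /quiet
shell\open\command=setup.exe
icon=setup.exe,0
label=Photos
"""

SAMPLE_BENIGN = r"""[AutoRun]
icon=drive.ico
label=Backup
"""

if __name__ == "__main__":
    print("malicious:", findings(SAMPLE_MALICIOUS))
    print("benign:", findings(SAMPLE_BENIGN))
```

Run against a real drive with inspect_file(r"E:\autorun.inf"); an empty result means the file contains no launch entry, which is what a plain data drive should look like. Disabling AutoPlay for removable media remains the stronger control; this check is for triage of media that has already been inserted.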
3. Emergency response recommendations for hacked users
3.1. Host side
1. Isolate the hacked devices, by unplugging the network cable or modifying the network connection settings, to prevent the ransomware from spreading further.
2. Preserve the state of the attacked equipment and ask professional technicians to complete the forensic work to analyze the attack path of the ransomware.
3. Shut down, or set access policies for, common high-risk ports (such as 135, 139, 445 and 3389) on the other uninfected devices in the LAN.
4. If other devices on the intranet use the same password, change that password and ensure it is sufficiently complex.
5. A decryption tool (available at https://www.nomoreransom.org/), jointly developed by many antivirus companies, can decrypt files encrypted by some ransomware families, so it is worth a try.

3.2. Network side
1. Block access to common high-risk ports, such as 135, 139, 445 and 3389.
2. Set the network access control policy to allow only trusted network segments to access the user intranet.
3. Monitor network device security logs, such as vulnerability alarms and brute-force attack alerts, to help locate attack paths and attack techniques.
4. How to protect yourself against ransomware
4.1. Host side
1. According to the importance of the data, establish a proper data backup strategy and back up the data periodically. For a cloud server, be sure to take snapshots so that the data can be recovered and the business can keep running.
2. Do not open email attachments or links from unknown sources, such as attachments with .js, .vbs, .exe, .scr or .bat extensions.
3. Use a complex password containing uppercase and lowercase letters, numbers and special symbols, not less than 10 characters long. Do not use purely numeric values such as telephone numbers or employee identification numbers as passwords; this increases the difficulty of brute force.
4. Set an account lockout policy that disables login or locks the account for a period of time after 5 incorrect password entries, to increase the difficulty of brute force.
5. Update system software such as Windows and browsers in a timely manner to prevent ransomware from attacking through vulnerabilities.
6. Install anti-virus software and keep its virus database up to date to improve defense against known viruses.
7. According to business needs, shut down, or set access policies for, common high-risk ports (such as 135, 139, 445 and 3389).
8. Turn on the host firewall and set its policy to allow only trusted IPs to access specific services.
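Items 2, 3 and 4 above are precise enough to be enforced in code. The following added example (not from the original article) implements them: the risky-extension list, the 10-character four-class password rule with the "never purely numeric" exception, and a lockout tracker that locks an account after 5 failures. The 30-minute lockout duration and the sample inputs are assumptions for illustration; note that a locked account rejects even the correct password until the lock expires, otherwise the lockout would leak which guess was right.

```python
"""Host-side checks for section 4.1, items 2-4.

Added example, not from the original article. The extension list, password
rule and 5-failure threshold come from the text; LOCKOUT_SECONDS is assumed.
"""
import string
from dataclasses import dataclass, field

RISKY_EXTS = {".js", ".vbs", ".exe", ".scr", ".bat"}   # from the article, item 2
MIN_PASSWORD_LEN = 10                                   # item 3
LOCKOUT_THRESHOLD = 5                                   # item 4
LOCKOUT_SECONDS = 30 * 60                               # assumed lock duration


def risky_attachment(filename: str) -> bool:
    """True if the final extension is on the risky list.

    Only the last suffix counts, so a double extension such as
    'invoice.pdf.js' is caught, while 'report.PDF' is not."""
    name = filename.strip().lower()
    dot = name.rfind(".")
    return dot != -1 and name[dot:] in RISKY_EXTS


def password_is_strong(pw: str) -> bool:
    """Article rule: at least 10 characters, with upper, lower, digit and
    special symbol, and never a purely numeric string such as a phone number."""
    if len(pw) < MIN_PASSWORD_LEN or pw.isdigit():
        return False
    return (any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))


@dataclass
class LockoutPolicy:
    """Count failed logins per account and lock after LOCKOUT_THRESHOLD."""
    failures: dict = field(default_factory=dict)
    locked_until: dict = field(default_factory=dict)

    def is_locked(self, user: str, now: float) -> bool:
        until = self.locked_until.get(user)
        if until is None:
            return False
        if now >= until:
            # Lock expired: clear it together with the failure counter.
            del self.locked_until[user]
            self.failures.pop(user, None)
            return False
        return True

    def attempt(self, user: str, password_ok: bool, now: float) -> str:
        """Record one login attempt; returns 'locked', 'ok' or 'failed'."""
        if self.is_locked(user, now):
            return "locked"          # rejected regardless of the password
        if password_ok:
            self.failures.pop(user, None)
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= LOCKOUT_THRESHOLD:
            self.locked_until[user] = now + LOCKOUT_SECONDS
            return "locked"
        return "failed"


if __name__ == "__main__":
    # Constructed sample inputs.
    for name in ("invoice.pdf.js", "report.PDF", "README"):
        print(name, "risky" if risky_attachment(name) else "ok")
    for pw in ("Tr0ub4dor&3x", "13800138000", "Passw0rd!"):
        print(repr(pw), "strong" if password_is_strong(pw) else "weak")
    policy = LockoutPolicy()
    for t in range(6):
        print("t=%d" % t, policy.attempt("admin", False, float(t)))
```

The `now` parameter is passed in rather than read from the clock so the policy can be replayed against authentication logs as well as used live.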
4.2. Network side
1. At the network boundary, set a strict network access policy: expose only the necessary services and allow only trusted IPs to access them.
2. Segment the internal network and set strict access control policies between different functional networks, paying particular attention to the high-risk ports 135, 139, 445 and 3389, to reduce the possibility of ransomware spreading laterally.
3. If a firewall appliance has been deployed, enable and configure its intrusion detection function to block brute-force attacks and make them harder.
4. If an email security appliance or a file detection appliance has been deployed, watch for suspicious emails and their attachments to prevent ransomware from spreading through email.
5. Monitor the logs of security appliances (such as firewalls) to detect suspicious attacks and stop them early.
6. Establish a whitelist mechanism for the intranet to prevent browsers from being redirected to malicious web pages.
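Sections 3.2 and 4.2 both come down to two questions a firewall log can answer: is anything outside the trusted segments reaching a high-risk port, and is one source hammering a host on such a port. The following added example (not from the original article or any Huawei appliance) runs both checks over constructed connection-log lines. The log format, the trusted segment 10.0.0.0/24 and the brute-force threshold of 10 attempts within 60 seconds are assumptions; adapt the regular expression to your appliance's format.

```python
"""Detection over firewall connection logs for sections 3.2 and 4.2.

Added example, not from the original article. Finds (a) allowed connections
to high-risk ports from outside the trusted segments and (b) brute-force
bursts against one host:port. Log format and thresholds are assumed.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

HIGH_RISK_PORTS = {135, 139, 445, 3389}                    # from the article
TRUSTED_SEGMENTS = [ipaddress.ip_network("10.0.0.0/24")]   # assumed admin segment
BRUTE_FORCE_THRESHOLD = 10                                 # assumed
WINDOW_SECONDS = 60                                        # assumed

# Constructed log format: ISO timestamp, then key=value fields.
LINE = re.compile(r"(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
                  r"dport=(?P<dport>\d+) action=(?P<action>\w+)")


def parse(line: str):
    """Turn one log line into a dict, or None if it does not match the format."""
    m = LINE.match(line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]),
            "src": ipaddress.ip_address(m["src"]),
            "dst": m["dst"],
            "dport": int(m["dport"]),
            "action": m["action"]}


def is_trusted(ip) -> bool:
    return any(ip in net for net in TRUSTED_SEGMENTS)


def untrusted_high_risk(events) -> list:
    """Allowed connections to a high-risk port from outside the trusted segments:
    each one is a gap in the boundary policy of section 4.2 item 1."""
    return [(str(e["src"]), e["dst"], e["dport"]) for e in events
            if e["action"] == "allow" and e["dport"] in HIGH_RISK_PORTS
            and not is_trusted(e["src"])]


def brute_force_sources(events) -> list:
    """(src, dst, dport) triples with >= BRUTE_FORCE_THRESHOLD attempts inside
    one WINDOW_SECONDS window. Denied attempts count too: a blocked burst is
    still the brute-force signal section 3.2 item 3 asks you to watch for."""
    by_key = defaultdict(list)
    for e in events:
        if e["dport"] in HIGH_RISK_PORTS:
            by_key[(str(e["src"]), e["dst"], e["dport"])].append(e["ts"])
    hits = []
    for key, times in by_key.items():
        times.sort()
        start = 0
        for end in range(len(times)):            # sliding window over timestamps
            while (times[end] - times[start]).total_seconds() > WINDOW_SECONDS:
                start += 1
            if end - start + 1 >= BRUTE_FORCE_THRESHOLD:
                hits.append(key)
                break
    return hits


def analyze(lines) -> dict:
    events = [e for e in map(parse, lines) if e is not None]
    return {"exposed": untrusted_high_risk(events),
            "brute_force": brute_force_sources(events)}


# Constructed sample log: an admin RDP session, one SMB connection from the
# Internet that the boundary let through, normal HTTPS, and 12 RDP attempts
# from one external address in 36 seconds.
SAMPLE_LOG = [
    "2024-05-01T10:00:00 src=10.0.0.7 dst=10.0.0.12 dport=3389 action=allow",
    "2024-05-01T10:00:05 src=198.51.100.9 dst=10.0.0.20 dport=445 action=allow",
    "2024-05-01T10:00:09 src=10.0.0.7 dst=10.0.0.30 dport=443 action=allow",
] + [
    "2024-05-01T10:01:%02d src=203.0.113.5 dst=10.0.0.12 dport=3389 action=deny" % s
    for s in range(0, 36, 3)
]

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

The "exposed" list is the one to act on first during an incident (section 3.2, items 1 and 2): every entry is a high-risk port reachable from outside the segments you meant to allow. The brute-force list is keyed per destination, so a source spraying many hosts a few times each will not trip it; widen the key to the source alone if that pattern matters on your network.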
4.3. Solution
From the propagation methods of ransomware described above, we can see that mitigating ransomware attacks relies on comprehensive visibility into, and detection and analysis of, ransomware propagation paths. In addition, the damage caused by ransomware attacks can be reduced by establishing a good data backup strategy.
It is recommended to deploy Huawei's overall situational awareness solution. The main components include:
1. Deploy NGFW/NGIPS to block the probing behaviors that precede ransomware delivery, such as brute force and exploits.
2. Deploy switches and firewalls that support the trapping feature to lure ransomware into an emulated service, capture its intrusion behavior and report the detection result to CIS, thereby reducing the probability of real systems being attacked and minimizing losses.
3. Deploy a sandbox appliance to detect files in emails. The firewall can reassemble traffic into files and send the files that need to be inspected to the sandbox; the sandbox detection results can be sent to the CIS situational awareness system.
4. Deploy the CIS situational awareness system. By receiving traffic information and detection results from the trapping switch, firewall and sandbox, CIS can issue policies across the network to block the spread of ransomware.
【Copyright Notice】 This article is original content of HUAWEI Security Center. When reprinting, you must indicate the source (HUAWEI Security Center), the link and the author of the article; otherwise you may be held liable. If you find any suspected infringing content on this website, please visit the Feedback page to report it and provide relevant evidence. Once verified, we will immediately remove the allegedly infringing content.