Protecting Your Enterprise from Ransomware Attacksncctsb.com/wp-content/uploads/2016/10/Ransomware_Whitepaper_… · The impact of WannaCry on UK’s NHS was so high that the staff
Whitepaper

Protecting Your Enterprise from Ransomware Attacks

www.seqrite.com


Most treat ransomware as a ghost: it does not exist. But we all know what happens when we see one!

Table of Contents

1. Introduction
2. Understanding Ransomware
3. Understanding and Pre-Empting Ransomware Attacks
4. Ransomware Protection Mechanisms for Enterprises
5. Conclusion

Introduction

Ransomware attacks are emerging as the newest security nightmare for enterprises worldwide. In a ransomware attack, hackers hold a user’s files hostage by encrypting them and demanding a ransom to release them. The attackers encrypt the infected systems’ files and claim that they will decrypt these assets once the ransom is paid. They add an element of fear by warning that if the money is not paid within the stipulated time, the decryption key will be deleted permanently, leading to irretrievable information loss.

Is there a way to decrypt documents which have been encrypted, without knowing the decryption key? The short answer is ‘No’. The only way to retrieve the documents is through the key, which only the attacker possesses and keeps private.

To understand this situation better, consider an analogy. A hostile attacker locks up your house so that you cannot enter it, and in addition has planted a time bomb inside the house which will go off unless you pay the ransom within the stipulated time. If you give in and pay, the attacker claims that they will unlock your home and also defuse the time bomb. But of course there is no guarantee that they will.

Ransomware attacks are audacious and highly disruptive. The stark reality of a ransomware attack is that once it has happened, there is nothing that can be done to reverse it. The files cannot be retrieved without the key, and there is no guarantee of any sort that the key can be obtained from the attacker. The smart way to get out of this situation is to not get into it at all.

On May 12, 2017, a ransomware attack spread across the globe with frightening rapidity. It went under the name of WannaCry and affected several organisations across 150 countries. Overall, the ransomware, touted as the ‘biggest ransomware attack in history’, affected more than 300,000 computers worldwide.

Ransomware Attacks - Whitepaper 01

Fig 1. Screenshot of a version of WannaCry ransomware. Source: Wikimedia Commons


The impact of WannaCry on the UK’s NHS was so severe that staff were forced to turn patients away and resort to pen and paper to carry out their work. The recovery process was long and arduous, involving wiping a broad swathe of affected computers and rebuilding them from scratch.

The rest of this paper gives a clearer understanding of ransomware, the different types of prevalent ransomware, and the steps enterprises can take to prevent ransomware attacks on their assets.

Understanding Ransomware

Ransomware has been around for more than two decades. In 1996 Adam Young and Moti Yung published a paper at the IEEE Symposium on Security and Privacy in which they showed how asymmetric key cryptography could be used to mount extortion attacks. They even presented a proof of concept on the Apple Macintosh computer.

What is asymmetric key cryptography? It means that two keys are used: one for encrypting files and a separate one for decrypting them. By withholding the decryption key, the party that encrypts the data retains control over the owner’s access to the files. There is no practical way to ‘crack’ the key; only knowledge of the decryption key can unlock the files.

Usually, parties have a pair of keys, one of which they publish as their ‘public’ key, while keeping the other one secret; the secret key is known as their private key. Anyone can send them information by encrypting it with their public key, but only the intended recipient can decrypt it, using their private key.

In this situation, if an attacker manages to sneak malware into a victim’s computer, the malware can encrypt the files with a public key whose matching private key stays with the attacker, leaving the files unusable. The attacker can then demand a ransom for decrypting the files.

The question that naturally arises is: if the concept of ransomware was known as early as 1996, why are such attacks becoming rampant only now? The answer is that ransomware became viable only after 2009, when Bitcoin was introduced. Until then, collecting the ransom was difficult for the attackers, as their payments could always be traced.

With Bitcoin, a cryptocurrency, the chain needed to sustain ransomware suddenly became viable. Bitcoin does not require the owner’s credentials to be revealed, and it does not need any central banking authority to validate the currency.

Another reason for the explosion of ransomware attacks is the easy availability of ‘ransomware-as-a-service’ on the dark web. This lets rookies, people with no deep knowledge of ransomware, become distributors and users who share their profits with the original creator of the malware.


There are only two types of companies: those that have been hacked, and those that will be.

- Robert Mueller, FBI Director, 2012


How does ransomware work?

The lifecycle of a ransomware attack has the following main phases:

a. Infection: The malware is distributed through phishing emails to employees of the company. The email contains either a link or an attachment; if the recipient clicks the link or opens the attachment, the malware is downloaded onto their system. Phishing attacks are very effective because, despite all the security training, humans are still gullible and click links or open attachments out of curiosity or plain reflex. Once the malware has landed on the victim’s computer, it starts preparing for the attack: it stops Windows Defender, the Security Center and the Update Center; it installs itself to run at start-up; it generates a unique computer identifier for this instance of the malware; and it disables shadow copies, disk repair and similar recovery features, which makes it impossible to recover the files from local copies. It injects itself into Windows Explorer and obtains the IP addresses for contacting the external key servers.

b. Communication: In this phase the malware requests and receives a public key from the key server; the matching private key remains with the attacker.

c. Encrypting the files: In this phase the malware systematically searches for all important files, identifying them by their extension (.doc, .xls, .ppt, .pdf, .jpg and so on), and then starts encrypting them. Some malware, such as Petya, encrypts the Master Boot Record (MBR) of the computer.

d. Ransom demand: In this phase the malware takes over the screen of the infected computer and displays a prominent ransom demand message, which demands payment of a certain amount in Bitcoin within a stipulated period.
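As an added illustration, not part of the Seqrite paper, the following Python script turns the infection-phase preparations listed above and the behaviour-based detection idea from the protection section into a small log detector: it flags shadow copy removal, stopping of Windows Defender or Windows Update, autostart persistence, and a burst of rewrites of document-type files by one process. The event line format, process ids, paths and sample events are all constructed assumptions.

```python
import re
from collections import defaultdict, deque

# Extensions the whitepaper names as ransomware targets.
DOC_EXTS = (".doc", ".xls", ".ppt", ".pdf", ".jpg")

# Assumed (constructed) EDR event format: "<unix_ts> <pid> <kind> <detail>",
# where kind is PROC (command line), FILE_WRITE (path) or REG_RUN (autostart entry).
EVENT_RE = re.compile(r"^(\d+) (\d+) (PROC|FILE_WRITE|REG_RUN) (.+)$")

# Preparation steps from the infection phase, as command-line patterns
# (WinDefend and wuauserv are the Windows Defender and Windows Update service names).
PREP_PATTERNS = (
    ("shadow copies removed", re.compile(r"delete shadows", re.I)),
    ("Windows Defender stopped", re.compile(r"\bsc(\.exe)? stop windefend\b", re.I)),
    ("automatic updates stopped", re.compile(r"\bsc(\.exe)? stop wuauserv\b", re.I)),
)

def detect(lines, window_s=10, burst=20):
    """Return a sorted list of (pid, reason) alerts for the given event lines.

    Heuristic 1: preparation commands and autostart persistence (infection phase).
    Heuristic 2: one process writing `burst` or more document files within
    `window_s` seconds, i.e. the bulk encryption phase.
    """
    alerts = set()
    recent = defaultdict(deque)  # pid -> timestamps of recent document writes
    for line in lines:
        m = EVENT_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ts, pid, kind, detail = int(m[1]), int(m[2]), m[3], m[4]
        if kind == "PROC":
            for reason, pat in PREP_PATTERNS:
                if pat.search(detail):
                    alerts.add((pid, reason))
        elif kind == "REG_RUN":
            alerts.add((pid, "autostart persistence added"))
        elif kind == "FILE_WRITE" and detail.lower().endswith(DOC_EXTS):
            q = recent[pid]
            q.append(ts)
            while ts - q[0] > window_s:  # drop writes outside the sliding window
                q.popleft()
            if len(q) >= burst:
                alerts.add((pid, "mass document rewrite"))
    return sorted(alerts)

# Constructed sample: a user editing two documents (pid 2200), then a process
# (pid 4711) that disables recovery, persists and rewrites 25 documents in 3 s.
SAMPLE = [
    "1000 2200 FILE_WRITE C:\\Users\\alice\\Documents\\report.doc",
    "1300 2200 FILE_WRITE C:\\Users\\alice\\Documents\\budget.xls",
    "2000 4711 PROC vssadmin.exe delete shadows",
    "2001 4711 PROC sc.exe stop WinDefend",
    "2002 4711 REG_RUN HKCU\\...\\CurrentVersion\\Run\\updater = C:\\Users\\alice\\AppData\\svc.exe",
] + [f"{2010 + i // 9} 4711 FILE_WRITE C:\\Users\\alice\\Documents\\file{i}.pdf" for i in range(25)]

if __name__ == "__main__":
    for pid, reason in detect(SAMPLE):
        print(pid, reason)
```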

The Impact of Ransomware

The impact of a ransomware attack on an enterprise can vary in degree, depending on the severity of the outbreak, which in turn is primarily determined by the number of systems affected and their distribution among the various departments of the company.

The most common impacts of ransomware are:

- Impaired productivity
- High cost of recovering the affected systems
- Loss of IPR and critical data
- Damage to the company’s reputation and fear among the company’s clients
- Revenue losses

A disruption in IT services cripples the company’s operations, leaving its clients unserved. This can have an impact and show repercussions far beyond the duration of the outbreak.

Apart from the disruption to business, companies that hold their customers’ confidential information can face devastating lawsuits from their clients if that data is compromised. Organizations such as credit card companies, banks and hospitals that hold patients’ private health information are particularly vulnerable to this kind of situation. Recovering from ransomware attacks can be a long drawn out process.

Fig: How an attack works. 1. Infected file opened by user (a URL or a file attached to an email etc.). 2. Ransomware virus encrypts and locks all files on the computer. 3. Virus may spread across the network; the message displayed demands Bitcoin payments to restore access.

If you’re not doing scans and penetration tests, then just know that someone else is. And they don’t work for you.

- George Grachis

Understanding and Pre-Empting Ransomware Attacks

Understanding how ransomware infects systems is the first step towards minimizing the chance of an infection. As the saying goes, prevention is indeed better than cure. Ransomware originates from attackers based anywhere in the world, and is spread by distributors who need not have an in-depth knowledge of the malware. More than half of ransomware attacks originate from email attachments. Using social engineering, attackers lure their victims into clicking on email attachments, which leads to the malware being downloaded and installed on their systems.

Although organizations keep educating and warning their employees against opening email attachments from unknown sources, victims are fooled into opening them because the email may ‘appear’ to have originated from a known or trusted source. Emails may also contain URLs that lead to compromised or malicious websites which trigger the malware attack. Apart from email, ransomware can also originate from malicious or compromised websites that lure their victims into downloading the malware by clicking on alluring ads.

Some ransomware attacks are also launched as drive-by downloads through known vulnerabilities in software such as Adobe Flash or Microsoft Silverlight. There are also operating system vulnerabilities which, if not patched in time, leave loopholes for malware to exploit. These attacks, although not targeted, can still be quite damaging to the enterprise.

Seqrite recommends a particular set of dos and don’ts for staying safe from ransomware.

Fig 2: Dos and Don’ts for staying safe from ransomware

DOs
- Keep your antivirus software updated and ensure you are using the latest version
- Install all security updates for your computer. Keep Automatic Updates enabled
- Always keep a secure backup of your important data

DON’Ts
- Do not click on links in unwanted or unexpected emails
- Do not download attachments received in unknown emails
- Do not click on pop-up ads on unknown websites
- Beware of emails that ask you to enable ‘macros’ to view the content
- Don’t pay the ransom. There’s no guarantee that you will get your files back even if you do so


Recovering from Ransomware Attacks

A chain is only as strong as its weakest link. All it takes is one gullible or careless employee to compromise an entire company’s network security. So, in the unfortunate event of falling prey to such an attack, what can an enterprise do to make sure that its operations are up and running and the impact is minimized?

Recovering from a ransomware attack comprises the following actions:

- Recovering the affected data: This is usually done by restoring previous backups, assessing the extent to which the backups might be out of date, and updating the systems manually.
- Identifying the source of the attack: Knowing where the attack originated is the means to ensure it doesn’t happen again. It might trigger fresh rounds of campaigning and educating employees to exercise vigilance with respect to email security, new security audits, and so on.
- Assessing whether the systems have been secured or are still vulnerable: Often the malware attack may subside while the malware continues to reside on the systems in an untriggered state. This leaves the systems vulnerable to further attacks, so a proper assessment and scan is a must.
- Assessing the legal ramifications: Notify affected customers, if any.
- Taking all actions to ensure the safety of customers’ data, and seeking legal consultation to prevent lawsuits.

Ransomware Protection Mechanisms for Enterprises

Securing an enterprise from ransomware attacks involves a multi-layered, end-to-end approach that detects and seals all attack surfaces and points of vulnerability in the company. Seqrite is a trusted provider of comprehensive security solutions for enterprises, and protects customers from ransomware attacks, which continue to be on the rise across the globe. Apart from releasing regular updates (signatures) and enhancing its heuristic solution, BDS (Behavior Detection System), Seqrite’s Anti-Ransomware feature keeps pace with emerging and complex ransomware to protect users from potential ransomware attacks.

Research by IDG has shown that about half of all affected enterprises take a few days to recover from an attack, while 29% take several weeks to recover.

1. Signature Based Detection

An Intrusion Prevention System (IPS) is a threat prevention technology which examines network traffic flows to detect and prevent vulnerability exploits. In the recent outbreak of WannaCry ransomware, Seqrite’s Intrusion Prevention layer successfully blocked attacks on the zero-day itself. In the first few days, over 48,000 attacks were blocked, thereby keeping users protected and safe.

Most malware, including ransomware, is propagated through email. These infected emails and attachments are not only carefully crafted but also carry an appealing subject line to lure users. Email scanning is one of the first layers of protection. Seqrite’s Email Scan feature has been able to successfully block a high percentage of ransomware. It also provides zero-day protection.

The Virus Protection feature provides real-time protection and defence against viruses to keep the user’s system secure from potential threats.

2. Behavior Based Detection

BDS (Behavior Detection System) is a dynamic, advanced and proactive protection that helps eliminate new and unknown malicious threats on the system. The Advanced DNA Scan technology provides zero-day protection. It actively monitors activity on the system and, if any suspicious activity is found, takes immediate action by suspending the application or process from executing any further action.

Note: BDS is not supported on Windows Server platforms.

3. Anti-Ransomware Feature

The Anti-Ransomware feature is a more comprehensive solution specifically developed to detect and block ransomware. It has successfully detected and blocked hundreds of ransomware samples across enterprises (as well as individual consumers) every month.

4. Screen Locker Protection

This feature helps to disable malware/ransomware that specifically locks your computer screen and prevents you from accessing it. If your computer gets infected with this kind of malware, you can press Alt + Ctrl + Shift + A to disable the malware and regain access to your computer.

5. Backup and Restore

What if you knew your data was securely backed up in case of a ransomware attack, so that you did not have to worry about your critical files becoming inaccessible? The Seqrite Backup and Restore feature helps you achieve this. Through the Backup and Restore feature, Seqrite has successfully recovered the data of its clients.


Fig: Ransomware blocked by Quick Heal/Seqrite in 2017 (Jan-June), monthly counts for Jan-17 to Jun-17, ranging from 944,729 to 1,050,219 per month.

On average, 1 million ransomware samples per month were successfully detected and blocked by Quick Heal/Seqrite in 2017 (Jan-June).


Conclusion

Ransomware threats have grown in frequency and sophistication in recent times. They are fuelled by various factors, including the availability of a ransom payment chain in the form of anonymous Bitcoin-based transactions, and the malware-as-a-service business model that takes the complexity out of distributing and monetizing malware. Enterprises suffer devastating impacts from ransomware, ranging from loss of revenue and reputation to far greater damage if customer data is lost. The recovery process is arduous and long drawn out.

Security agencies such as the FBI do not recommend succumbing to the attackers’ demands and paying the ransom, as this has not proven effective; in most cases the attackers take the money and do not hand over the decryption key.

Prevention is always the best way, and this requires eternal vigilance and commitment on the part of every employee of the enterprise. But humans are prone to error, and there is a real need for a layered, multi-pronged security strategy, supported by the latest set of security tools and solutions, to secure the enterprise.


Seqrite is a world-class enterprise security brand defined by innovation and simplicity. Our solutions combine intelligence, application analysis and state-of-the-art technology, and are designed to provide better protection for our customers.

Seqrite is backed by Quick Heal’s cutting-edge expertise of producing cybersecurity solutions for over two decades. Our products help secure the networks used by millions of customers in more than 80 countries.

Quick Heal Technologies Limited
Corporate office: Marvel Edge, Office No. 7010 C & D, 7th Floor, Viman Nagar, Pune - 411014, India.
Support Number: 1800-212-7377 | [email protected] | www.seqrite.com

All Intellectual Property Right(s) including trademark(s), logo(s) and copyright(s) are properties of their respective owners. Copyright © 2017 Quick Heal Technologies Ltd. All rights reserved.


Expanding international presence: USA (Quick Heal Technologies America Inc.), Japan (Quick Heal Japan KK.), UAE (Quick Heal Technologies (MENA) FZE), Kenya (Quick Heal Technologies Africa Ltd.)

Certifications: Top Product 02/2017

Experience the best-in-class solutions offered by Seqrite and how they can address the security challenges of your enterprise. Boost your cybersecurity,

Request Demo