New and Improved Ransomware Spreads in Europe; Targets U.S. Hospitals
Recently, ransomware is on the rise in Northern Europe, with some attacks seen in the U.S. as well. Ransomware is the name for a type of malware that encrypts a computer and/or its files, rendering it unusable to the victim until they pay the attacker’s requested ransom to get the decryption key.
TeslaCrypt 2.0, a file-encrypting ransomware discovered in early 2015, has spread across Europe in a new spam campaign, according to Heimdal Security. The top affected countries include the U.S., Germany, U.K., France, Italy and Spain, according to research from Kaspersky.
Some of the new features of TeslaCrypt 2.0 include:
- Using the elliptic curve encryption algorithm to encrypt data
- Now stores keys on the system registry instead of a file on disk
- Even displays an easy-to-read FAQ for victims, including a short description of what happened to their files, what it means, how it happened and explicit instructions on how to pay up and recover files
After locking out users of their system, attackers using TeslaCrypt will then ask for ransom - ranging from $150-1000 worth of bitcoins.
Ransomware Hits U.S. Hospitals
Recently, three U.S. hospitals were also hit with ransomware attacks. One Kentucky-based hospital’s patients’ files were copied and locked. Attackers deleted the originals.
The particular strain of ransomware used was called Locky, which tried to spread itself to the entire internal network, succeeding in compromising several other systems and shutting down the hospital’s desktop computers, according to KrebsonSecurity.com. Attackers were demanding four bitcoins ($1600) in exchange for unlocking the encrypted backups.
Two other southern California-based hospitals were attacked by malware that disrupted servers and shut down IT systems to contain the spread of the malware, according to NetworkWorld.com.
How is This Ransomware Distributed?
Exploit kits target website visitors, using vulnerabilities in the browser to install malware on their system. Typically, the malicious code targets browser plugins, like Flash or Java - there are many known vulnerabilities that target outdated versions of each.
Ransomware is also spread through malvertising campaigns, in which malicious ads can be found on legit websites. If a user clicks on the ad, they can be redirected to sites hosting the exploit kits, which in turn check their machines for outdated software to exploit.
Opportunistic attacks, such as spam email, target recipients and trick them into opening attached files that contain the ransomware to spread and infect their machines and systems.
Patch for Vulnerabilities: Basic Security Hygiene
As InfoWorld.com recommends, doubling down on security basics can help organizations reduce their risk of ransomware infection. Angler and other popular exploit kits aim for recently patched Adobe Flash and Microsoft Silverlight vulnerabilities.
One example is Silverlight CVE-2016-0034 which installs TeslaCrypt on user systems. This was critical vulnerability was patched by Microsoft in January, but any systems that aren’t fully patched to the latest version may still be susceptible.
Attackers know how important it is to update too - they frequently upload the latest exploits and newest vulnerabilities into their exploit kits in order to take advantage of the fact that organizations and users are slow to update. The Angler exploit kit is often updated with the latest exploits in weeks, if not days after a vulnerability is made public.
Here’s some security basics to help protect against ransomware:
- Keep all software up to date - even if you don’t use it regularly, take a minute to ensure you’re running the latest version of every browser, operating system, Flash, Java, etc.
- Prioritize patching for Flash and Silverlight vulnerabilities
- Uninstall rarely-used software. If there’s not a business need for certain plugins, then disable them, or enable click-to-play
- Regularly backup important files, and keep these backups on media that is physically disconnected from your local system - such as the cloud or an external drive. Don’t keep important data on the local drive.
- It’s important to keep backups disconnected, as TeslaCrypt and other types of ransomware will encrypt any connected drives/network folders and the local drive
- Don’t click on links or open attachments from untrusted sources or suspicious - don’t download or open .zip attachments in spam emails, and report them to your IT or security department immediately to help contain the spread of malware
- Enable two-factor authentication on all of your logins to protect against an attack that leverages stolen passwords to access your accounts
It can be challenging to keep all managed and unmanaged (your users’ personal devices) up to date - consider employing an endpoint security solution that gives you insight into all devices authenticating into your business applications.