Ransomware Attacks in the U.K., Netherlands and Belgium
Last week it was reported that over half (56%) of the U.K.’s universities have been targeted in ransomware attacks in the past year, according to SentinelOne. They also found that two out of three targets were hit multiple times. Bournemouth University reported they suffered a total of 21 different attacks throughout the year.
It was also reported that the majority of universities suffered attacks despite having antivirus software deployed. Antivirus is not an effective standalone security solution, nor is it enough to stop a ransomware attack. In fact, AV solutions only detect about 45% of cyberattacks, as Symantec was quoted estimating in The Wall Street Journal last year.
Decryptor Emerges for Ransomware Victims
Meanwhile, there’s now a decryptor available for Wildfire ransomware, which has hit victims mostly located in the Netherlands and Belgium this summer, according to ZDNet.com. The free decryption tool was released by the No More Ransom project run by Europol, the Dutch National Police, Intel Security and Kaspersky Lab.
The malware has spread through Dutch phishing emails that encourage users to fill out a form to receive a missed package delivery - but the form actually installs ransomware on their system.
The Wildfire attacks appear to be more targeted spear phishing campaigns, meaning the attackers did their research on victims, adding the addresses of real businesses located in the Netherlands. According to SpamFighter.com, the attackers also registered specific domain names in Holland, hosted on servers within the country.
Automatic Windows Update: Actually, Just Ransomware
The latest reported ransomware antics leverage the Windows update process to lull users into complacency. The new Fantom ransomware displays a Windows Update screen after it’s extracted from an executable file, “CriticalUpdate01.exe,” and the file “WindowsUpdate.exe.”
This screen looks like the blue screen displayed by the Windows 8, 8.1 and 10 versions of the operating system, according to TomsGuide.com. It buys itself time by deflecting user suspicion while it encrypts all of the files on your machine.
While Windows 7 and 8.1 users can install patches only when they want to, Windows 10 Home users can’t stop automatic system updates, which can make it difficult to know if your home PC’s update is valid or not.
However, if you’re running a professional version of Windows 10 (either Professional, Enterprise or Education), you can disable automatic updates using the Group Policy editor, according to CNET.com. Visit that link for numerous helpful update workarounds for Windows 10 Home users.
What You Can Do to Protect Against Ransomware
With a number of proactive measures to protect your users, devices and access to apps, you can effectively reduce your risk of a ransomware infection and mitigate the spread.
Keep your software up to date - Patch your software regularly, pay attention to emergency patch releases, and invest in endpoint solutions that can detect out-of-date devices as they connect to your apps and data. Keeping your operating system, browsers, Flash, Java and other software updated can prevent a compromise due to an exploit kit that leverages known vulnerabilities to spread malware.
Create backup copies - One stored in the cloud and one stored offline, in physical form (external hard drives, tapes, disks, etc.). Disconnect these from your network to prevent attackers from accessing and encrypting them as well.
Educate employees on phishing - What does a phishing email look like? What should an employee do if they think they might have received one? Set up a reporting email or designate a security contact to enable users to quickly report any phishing attempts, and use a phishing simulation tool to assess your organization’s risks.
For Windows settings, enable “Show file extensions” - According to NoMoreRansom.org, it can make it easier for users to spot potentially malicious file attachments sent via email. Don’t open attachments with certain file extensions like .exe, .vbs or .scr. This setting also reveals hidden double extensions, which attackers often use, such as .jpg.exe, to obfuscate a malicious attachment.
Configure anti-spam settings - Even better, admins can configure webmail servers to block certain attachments with potentially malicious extensions such as .exe, .vbs or .scr, according to TripWire.
Block macros - In Microsoft Office 16, you can use a Group Policy setting that enables you to block macros from running in Office documents from the Internet. Ransomware is often downloaded and executed after macros are enabled on Office attachments.
Disconnect if you suspect infection - If you see an unknown process running on your machine, disconnect from your network connection and the Internet immediately to help stop the infection from spreading. This can also ensure that the ransomware can’t communicate with the attacker’s command and control servers, which is how they send and receive data about your machine.
Enable two-factor authentication - Protect access to your Remote Desktop Protocol (RDP), virtual private networks (VPN), and logins to any web-based application with two-factor authentication. This can prevent brute-force attacks against weak or default passwords, plus stop entry due to stolen credentials via phishing attacks.
Consider switching platforms - Apple devices have largely escaped the ransomware epidemic, while attackers target older Windows operating systems that are often used in enterprise organizations, including the healthcare industry. Part of the reason for that is interoperability issues with medical devices and healthcare software that often rely on older versions of Windows systems.
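The “Show file extensions,” anti-spam and “Block macros” items above all come down to the same triage of an incoming attachment: is its real extension one that should never be opened from email, is a harmless-looking extension hiding an executable one (.jpg.exe), and does an Office document carry a macro project? The following is an added example, not code from the original post or from any of the vendors it cites. It assumes an Office Open XML container stores its VBA project as word/, xl/ or ppt/vbaProject.bin, and the sample attachments it checks are constructed in the script rather than taken from real captures.

```python
import io
import re
import zipfile

# Extensions the post says not to open from email (.exe, .vbs, .scr); the
# remaining entries are common script/executable types added here as an assumption.
DANGEROUS_EXTS = {".exe", ".vbs", ".scr", ".js", ".jse", ".bat", ".cmd", ".ps1", ".hta"}

# Office Open XML containers that may carry a VBA project.
OFFICE_ZIP_EXTS = {".docx", ".docm", ".xlsx", ".xlsm", ".pptx", ".pptm", ".dotm", ".xltm"}

# Where the VBA project part lives inside the zip container (assumed layout).
VBA_PART = re.compile(r"^(word|xl|ppt)/vbaProject\.bin$", re.IGNORECASE)


def split_extensions(filename):
    """Return every extension in the name, in order: 'a.jpg.exe' -> ['.jpg', '.exe']."""
    parts = filename.lower().rsplit("/", 1)[-1].split(".")
    return ["." + p for p in parts[1:]] if len(parts) > 1 else []


def triage_attachment(filename, data):
    """Return the list of reasons to block the attachment; an empty list means no finding."""
    reasons = []
    exts = split_extensions(filename)
    final = exts[-1] if exts else ""
    if final in DANGEROUS_EXTS:
        reasons.append(f"blocked extension {final}")
        # A second, innocent-looking extension in front of the executable one
        # is the .jpg.exe trick that "Show file extensions" exposes to users.
        if len(exts) >= 2:
            reasons.append(f"double extension {''.join(exts)}")
    if final in OFFICE_ZIP_EXTS:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                if any(VBA_PART.match(n) for n in z.namelist()):
                    reasons.append("office document contains a VBA macro project")
        except zipfile.BadZipFile:
            reasons.append("office extension but not a valid OOXML container")
    return reasons


def build_fake_docx(with_macro):
    """Constructed sample: a minimal OOXML-like zip, optionally with a vbaProject.bin part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"\x00constructed-vba-blob")
    return buf.getvalue()


# Constructed sample attachments, not real captures.
SAMPLES = {
    "invoice.pdf": b"%PDF-1.4 constructed",
    "photo.jpg.exe": b"MZ constructed",
    "delivery_form.docm": build_fake_docx(with_macro=True),
    "minutes.docx": build_fake_docx(with_macro=False),
    "setup.scr": b"MZ constructed",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        verdict = triage_attachment(name, blob)
        print(f"{name:22} {'BLOCK' if verdict else 'allow'} {'; '.join(verdict)}")
```

The macro check only looks for the presence of a VBA project part, which is enough to route a document to quarantine or to a sandbox; it deliberately does not try to judge whether the macro is malicious, since the post’s recommendation is to stop Internet-sourced macros from running at all rather than to analyse them.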