In the last two years both private and public companies, as well as individuals, have been afflicted by one of the most dangerous cyber threats: ransomware.
By Simona Venuti, security manager at GARR-CERT
Ransomware is a kind of malware that, in many different ways, infects our computers with the purpose of encrypting all the files and data in order to block access to everything, and to ask for a ransom, mainly in bitcoin, for all data return. Unfortunately, in most cases, there’s no way to decrypt and recover the lost data. Furthermore, cyber criminals are often able to steal and save all your data before encrypting it, and can threaten victims with its disclosure, asking for a second ransom (the double ransom technique).
These circumstances are worsening due to the increase of remote-working during the pandemic, making organisations more vulnerable to cyber attacks. Cyber criminals took a big advantage of the greater exposure, so much that every organisation observed a peak in ransomware attacks, which became the principal cyber threat for everyone, nobody excluded, even the smallest private and public institutions and ordinary users.
How does ransomware enter our systems? During the last year the infection techniques increased and became more sophisticated, the most used are phishing emails, where users are asked to install software or to read a Word or Excel document or to visit a particular web page, and identity theft and the manipulation of vulnerable programs, service and applications which, due to remote working, have become increasingly more exposed.
In view of this seriously worrying situation, and considering that the trend will worsen, I would like to organise a charity event to fight against ransomware. This is your official and special invitation to the gala dinner, I’m confident that with a little help from everyone, we will be able to face the challenge together:
And now the recipes, so that everyone can prepare these dishes even at home:
Appetiser – Bruschette with up-to-date Operating System and Software
Ransomware is used to install itself on PCs, laptops, mobile phones mostly via operating system and software vulnerabilities, that’s why keeping everything up to date is crucial in every device that we use.
Most of the software and operating systems (like Windows, MacOS, Adobe products, browsers) already have a sort of automatic update procedure, it is important not to postpone the updates and run them as soon as these are available .
For software that is not able to update itself, we should set a reminder to check for updates at least once or twice a week. The check-for-update button will probably be in the “?” or “About” application Menu.
The update procedure aims to remove the known vulnerabilities that would make ransomware life much harder.
Another important thing to keep in mind is which software to install:
- In a work device we should install only the IT Company Policy admitted software, nothing else.
- It is very important to keep personal and gaming devices completely separate from work ones.
- In any case we must avoid to install non-original or cracked software because most of these programs carry viruses and recently also ransomware.
Starter – Tortellini filled with Antivirus in Bolognese sauce
Now even if you have the latest version of all your software, it is also possible to get ransomware via infected documents, files or websites. To fight this cyber threat the antivirus software is our special ingredient.
It is not important which antivirus, as there are many, free or paid, the best solution is simply to follow our own organisation policy and advice, but it is crucial to keep it up to date.
To taste this dish at its best, be sure to install a “trusted” antivirus, from its official HomePage. Never trust pop-up pages saying: YOU GOT A VIRUSSS!!!!!11111 CLICK HERE FOR ANTIVIRUSSSS!!!!111 These are fake pages, trying to force you to install malware with your own hands!
Main course – Slow baked Backup, ALONE in the plate
This is the gala dinner showpiece: the backup and a backup strategy, is the most powerful weapon in your fight against ransomware.
Even if we have updated all our software and have a strong antivirus we can still be infected.
If ransomware enters our devices it immediately starts to encrypt every file it finds, with an unknown secret key, that’s why it is almost impossible to decrypt the files after infection has taken place. Without that secret key the data will be lost forever. So, the best way to avoid losing our data is by keeping a copy (or more copies) of it elsewhere. Backup is the better strategy to mitigate ransomware attacks, and it can be done by everyone, no need to be an IT expert.
This dish has special tasting recommendations:
- The backup should be done every time it is needed: keep in mind that something could be wrong at any moment, once a day or once a week or once a month, it depends on how often you work on your data and change it.
- The backup should not stay in the same disk as the backed-up device: if a ransomware arrives it will surely encrypt the backup too! Keep it somewhere else.
- The “somewhere else” should be outside the internet or the local network. Should be completely OFFLINE: ransomware hits not only the attached devices, such as internal disks, but also USB keys or attached hard disks. It even checks the network connection to encrypt everything it can reach on the net!
So, the advice is to back up your data wherever you want, but, please, DISCONNECT the backup device as soon as possible from any PC, laptop, mobile phone, THE NETWORK. We often save our data on NAS system, and it’s ok, but it is important to disconnect it from the network after the backup!
Dessert – Tasting of Cyber Hygiene
This dessert is a composition of smaller sweets that are very effective in the fight against ransomware.
Profusion of Password
It’s important to keep passwords safe to prevent cyber criminals from entering our system and getting hold of data, files, send SPAM email, access programs and even install software and ransomware.
- Passwords should be LONG: don’t be afraid to use 16-20-character passwords, you can remember them easily, if you choose for instance: a poetry verse, a song refrain, a proverb. It is sufficient to put at least a capital letters, numbers and special characters to remember it and making it difficult enough to guess. Or you can choose to keep only the first letter of the words of a verse or a proverb, the most important thing it is that they are long!
- Passwords should be different for every service: never use the same password for different services, and most of all, never use the same password for the services you use at work and the ones you use for personal/fun activities.
- Passwords should be changed: the more a password is active, the more is possible to guess it, so make sure to change them regularly. Never reuse a password, with so much culture and many poems, songs and books… so many new passwords to choose!
- Passwords should be safely stored: don’t share your passwords with anybody, if you think you can’t remember all of them, you could use a “password manager”. Never use the “save password” function, or if you want to use it, remember that if someone steals or compromises your device, they can be able to use it too, so make sure it is not so important to lose/share them. Of course, don’t use this function for the passwords at work.
- Passwords should be multiple: when possible, use the 2fa, 2-factor authentication, adding a second step of authentication after inserting the correct password. This is very useful and can be done with a smartphone and a dedicated app, or an OTP device. Use the “personal” second factor authentication device separate from your “work” second factor authentication device.
Phishing in strawberry cream
You won the lottery! Hurry up and sign in! You are getting over your mail quota! Hurry up before I delete all your mail! Your bank account has a problem! Click here to fix it!
These are common phishing messages to force users to click somewhere or to install unknown software. Phishing is getting more sophisticated every day. Here some recipes to be more aware and more secure.
- The perfect ingredient is: never trust anyone.
- Never trust emails for technical stuff or bank problems or money. Never reply to strange emails.
- STOP, THINK, CONNECT ™: before clicking or installing, take your time; it’s not going to destroy the universe, count up to 10, think, count again, re-think, connect the dots, click only if you are 100% sure after waiting and thinking.
- If unsure: ask and check. Call the mail sender by phone, your bank, call your IT colleagues, call your manager, or the finance department. It is important to check for confirmation with a “trusted method”. Please, don’t call the Nigerian king, who would like to give you millions of Euros, on the phone number included in the email!
- Report every strange mails or facts to the IT department, it could be very important for them and help them to find out about possible campaigns against the organisation.
- On social media:
- Never trust any strangers, never add them to your “friend list”.
- In general, even towards friends: never give too much information: no information about your work, of course, but also not too much information about your life
- Use separate accounts for social-life and social-work
Ice cream of mobile devices
An organisation’s mobile devices, laptops or smartphones are the door to intranet services from anywhere. It is very important to keep them safe.
- Configure a PIN for the boot menu, a user password to enter the operating system, block passwords for the most sensitive application: VPN, browsers
- Disconnect anything when the work is finished, or stopped or paused: remember that if you get a ransom on the devices it tries to find any network attached device to encrypt!
- Don’t save any password
- Don’t connect any unknown or untrusted media (CD, USB keys, Flash memory or external hard disk) to your device… It could be full of viruses, spyware, keyloggers, ransomware
Now the wine: What if…
This wine is very special: What if I still get ransomware?
You get the red screen saying: your device is encrypted! Pay us XXX bitcoin to get your data back!
- Don’t panic, keep calm and think
- “Cut off” the network: unplug the network cable or disable wireless
- Call immediately IT
- It depends on your IT company policy: in some case the safest reaction is to power off the device
- But in other cases, IT might want to study the ransomware in action so you don’t have to power off, just hibernate the device, if possible
- In any case don’t pay for the ransom, no one will grant you the return of your data, nor its disclosure!
I hope that you will come to the gala dinner, and enjoy the meal, and keep in mind that every single one of us can play even a small part in the fight against ransomware!
Simona Venuti (@Simo_GARRCERT on Twitter) is security manager at the Consortium GARR, the Italian research and education network. Since 2007 she has been working at the GARR-CERT (Computer Emergency Response Team) of the Consortium GARR.
Her task is to develop automation systems in the reporting and management of cyber incidents and to carry out research in the field of new cyber threats, cyber security, monitoring, defence and containment systems. A fundamental part of her work is to establish a network of relationships with national CERTs of the European and non-European Union, security experts, company CERTs and Italian and foreign providers, to share experiences, studies, solutions, and above all to establish relationships of mutual trust in the eventuality of joint management of IT incidents involving several CERTs.
Simona also deals with the dissemination of information and training for systems engineers and security officers by holding courses, tutorials and talks at conferences.