Ransomware: surprising champions
Published 2016-05-05, https://www.kaspersky.com/blog/ransomware-surprising-champions/5541/

Locky and Petya ransomware strains took the world by storm when they shouldn't have been successful at all.

5:50 pm, Friday, late spring. As usual, the atmosphere in the office is somewhat relaxed: people will soon go home or somewhere more entertaining, and no one expects any trouble. But trouble comes uninvited: an accountant calls for the admin, saying they cannot open their files and the filenames have started looking weird. And what is that pop-up announcement saying something about a ransom?

At this moment you don't want to be that admin, the accountant, or the company owner, especially if it is a small or medium business, because someone made a mistake and let something bad in.

"Creepy, crawly..."

Every month, it seems, we have to talk about ransomware. That is hardly surprising, given that new strains arrive in droves. Businesses of all kinds are targeted, and SMBs are threatened in particular: they may already have financial resources that attract criminals, yet still tend to save on security and IT staff for various reasons.

The once dreaded Cryptolocker and TeslaCrypt may no longer make headlines, but they are still around and as dangerous as before. And there are some surprising newcomers, such as Locky and Petya.

God of no-jokes

"Locky" (Trojan-Ransom.Win32.Locky) is a nasty piece of ransomware that has inflicted a lot of damage worldwide. It is not much different from other ransomware families in terms of internal structure or principles of operation, but it uses strong encryption algorithms and is very active and widespread: Kaspersky Lab's products have blocked its attacks in over 100 countries around the world. No other ransomware Trojan has attacked so many countries at once, and successfully attacked them, at that.

Its success is, in fact, rather strange. Locky's main attack vectors are nothing new. In most cases, successful infections are the result of victims' mistakes and violations of basic cybersecurity rules.

[Image: Shouldn't be that way]

...Of things that should not be

Locky gets around via spam. Perhaps that is precisely the reason for its success: it is being seeded very aggressively. Its attack has two stages: a malicious email carrying a downloader, then the Trojan itself.

In the early stages (around February this year) the Trojan downloader was delivered in a .doc file with a macro that downloaded the Trojan. And this is where it becomes somewhat ridiculous: Microsoft long ago disabled the automatic execution of macros in Microsoft Office for security reasons. But users often enable macros manually, including for files arriving from unknown sources.

Now the attackers have changed tactics. Instead of mass-mailing .doc files, they serve .zip archives containing .js scripts.

Not ridiculous in fact

For experienced users, a .doc file from an unknown source that "requires" macros to be enabled is an immediate red flag. A JavaScript file with a "run me" label is a red flag as well. But, again, that requires an employee to know what a .js extension means and why macros can be dangerous.

Now imagine a small company where at least some employees (accountants, for instance) have little to no enthusiasm for all that computer stuff, and no interest in cybersecurity whatsoever. They might have heard something about how macros shouldn't be enabled. Or they might not. Either way, the .js extension is familiar only to advanced PC users. For everyone else, it takes only a cleverly crafted email to fall into a criminal's trap.

This was most likely the Locky authors' main idea: technically advanced PC users would delete suspicious emails on sight, whether they carry .doc, .zip or .js attachments. But when you are targeting users with little knowledge of file types and substandard cybersecurity awareness, it makes little difference in what form the malicious payload is delivered.

Un-saint Petya

Another dreaded spawn of the ransomware pandemonium caused a lot of trouble in Germany earlier this year. Codenamed Petya, this one encrypted not specific files but the master file table itself on compromised machines, and then demanded $400 in Bitcoin.

It was also spammed out, mostly to human resources organizations across Germany. The emails contained a link to a Dropbox file that, if clicked, loaded a dropper that installed Petya. Dropbox has long since removed that link and several others associated with the same malware.

In a sense, Petya (a diminutive of the Russian name Pyotr, the counterpart of the Western Peter) is a bit more technically advanced than Locky, and its authors are definitely more inventive.

Again, it would only inflict damage if the victim cooperated, and cooperated quite thoroughly at that. Have you ever heard of an applicant's CV in the form of an executable file that demands administrator privileges?

[Image: https://cdn.securelist.com/files/2016/04/petya_eng_1.jpg]

Petya's dropper only proceeds if the user clicks "Yes" on a UAC pop-up window.

And this is entirely possible if the user isn't experienced enough... or is too tired to pay attention to pesky UAC warnings.

With HR workers who have to sift through literally hundreds of unexciting CVs per day, this is a very plausible scenario, especially on a Friday at 5:50 pm...

Still, Petya isn't as bad as it's painted: its encryption proved to be vulnerable to decryption (unlike Locky's). We've covered this recently: https://business.kaspersky.com/ransomfails/5470/

If you can't beat it, prevent it

As with many other threats, preventing ransomware from getting in is the way to go for businesses of all kinds. Ransomware's damage is extremely hard to undo, unless you are willing to keep a budget for a "rainy day" when the only remaining option for retrieving files is paying the ransom.

There are a number of preventive measures to take against ransomware.

First and foremost, educate employees about social engineering, the kinds of threats out there, the perils of infected websites, file types, and so on. They must know that .exe and .js files are by no means documents, and that even .doc files from uncertain sources are not to be opened without a thorough check.

Second, it is useful to limit what can be launched on endpoints. Unless a given employee knows exactly what he or she is doing, administrative privileges shouldn't be available to them.

And of course there should be a full-range security solution capable of stopping ransomware attacks before the encryption happens; this includes anti-spam and modern security tools for both workstations and file servers, capable of proactive defense against known and unknown threats. Check out Kaspersky Lab's offerings for small (https://www.kaspersky.com/business-security/small-business) and small-to-medium (https://www.kaspersky.com/business-security/small-to-medium-business) businesses, as well as for larger entities (https://www.kaspersky.com/enterprise-security).

More details about Locky are available here: https://securelist.com/blog/research/74398/locky-the-encryptor-taking-the-world-by-storm/?utm_medium=blg&utm_source=kb_post_160505&utm_campaign=ww_beating_cryptors

A detailed analysis of Petya is available via this link: https://securelist.com/blog/research/74609/petya-the-two-in-one-trojan/?utm_medium=blg&utm_source=kb_post_160505&utm_campaign=ww_beating_cryptors