If you think the last ransomware attack was the end of the story, you’re wrong. If you think only enterprises are targeted by ransomware, you’re wrong. And if you think you have an operating system that is safe from ransomware, you’re wrong. In other words all of us are vulnerable. In fact, most researchers think that the next targets could be bigger enterprises and more individuals via a vast botnet attack.
However, it remains true that all of these attacks can be subverted by a few simple steps because, when all is said and done, attackers only have a few vectors that they can exploit to get control of your device. Although there are many ransomware varieties that are prowling the internet for victims, the attacks always begin by attacking individuals. If these individuals are working for companies or institutions that depend on quick access to data, so much the better for the attackers. Enterprises have a role to play in all of this, but each person, each employee must know how attackers are trying to trick them into becoming victims. Here are the steps to take to stop that from happening.
1, System Updates and How to Get Them
Windows 10 really gives you no choice but to accept updates. In truth, that’s probably good, at least for critical updates. There are ways to work around the automatic updates but, for safety’s sake, it’s best to make your updates automatic. Go to your settings, then to Updates and Security and here you can check for the latest updates.
The WannaCry Ransomware targeted older operating systems, especially Windows XP and enterprise networks that used these older systems. As the chart below shows, extended support for Windows 7 and above will continue for a few years yet so be sure to keep up with those updates.
Older, unsupported versions of Windows Vista and below, normally have no support. However, due to the seriousness of the latest ransomware attack, Microsoft has created some patches that you can download here.
Quick installation of updates is important because hackers will use the updates to find what holes existed that needed patching. They know that many people won’t update right away so they will search the internet for unpatched computers and networks that they can attack. Big enterprises with big networks take a long time to patch and the hackers know it. These exploits are termed one-day exploits because that’s how long it will take the attackers to begin the attack on networks that do not update fast enough.
There are other steps for advanced users to take and they can be found here. I wouldn’t recommend these to the average user because some of the suggestions deal with tweaking the registry and any mistakes could seriously affect the functionality of your device.
2. Disabling SMB1.0
This may sound daunting but it is not. What you will be doing is protecting your device from being remotely attacked. Basically, if this is not disabled, attackers can work around later updates of the SMB protocol to cause you problems. This is especially true for enterprises with large networks. SMB stands for Server Message Block and is used for sharing files on a network. If you run Windows XP or have an old printer you may still need SMB1.0, otherwise you probably do not. Even with all of its shortcomings, SMB1.0 comes enabled on Windows 10. I have disabled SMB1.0 on my device and will let you know in updates if any functionality problems arise.
So, to disable SMB1.0, go to ‘Search’ (lower left hand corner) and type in “Windows features”. You will be given a control panel for turning off or on various Windows features (see below). You will probably see the area that I highlighted with the box checked. Simply uncheck it and reboot your computer. If you think this is a small thing, think again. As one Microsoft expert on the topic wrote, “stop using SMB1. For your children. For your children’s children. Please. We’re begging you.”
3. How to tell if an email attachment is malicious
There are some good phishing scams out there. They can fool anyone. Some phishing emails may come from your friends or even from people in management. The attachment may have a legitimate name. It could be photos from a party you went to or information your CEO wants you to read. You can’t simply refuse to open any attachment. You could lose friends and even your job. So what do you do?
The first thing to remember is that no attachment is dangerous until you download and open it, thus, releasing its payload. So, before you open it, you can scan it for viruses or malware with your antivirus software. If your file is smaller than 150MB, you can use a good online scanner like VirusTotal.
At the same time that WannaCry Ransomware was bringing down enterprises around the globe, Jaff Ransomware was using a botnet to spread its payload at the rate of 5 million an hour, mostly to individuals. Although researchers are not sure how WannaCry delivered its payload, Jaff was doing so with the help of a PDF attachment. Opening the attachment will give you this.
The file mentioned is a Word document packaged within this PDF file. It will look like this.
If you follow the instructions and enable editing, you will install the ransomware which will begin encrypting all of your files. Eventually, you will be told to pay a ransom in Bitcoins of over $3,000 to get your files back.
This attack needs you to enable macros before it can operate. Until you do this, you are safe. Make sure your macros are disabled. First, you need to find your Word Macro Settings menu. This will either be in Trust Center Settings or Tools/Macros/Security. There, choose the High or Very High option.
According to Kaspersky Labs, the spammed phishing emails come with a subject line similar to “Receipt to print” and will sometimes have a message like, “Print two copies”.
The senders will be generic “John” or “Joan” but with an unusual email address that should give them away. It doesn’t matter to the criminals as long as they can trick even a small percentage of people.
4. Check those links
Similar to attachments, links may also come from friends or management. They may have valid names. Hover over any link with your cursor to see if a valid address appears in the lower left hand corner of your screen. If you’re still not sure, or the URL doesn’t appear, you can push the ‘Reply’ button and you will see the true address of the sender in the “To” field. Don’t send the message. Simply look at that address and see if it looks valid. If you are still unsure of a link, test it by copying it and using VirusTotal to check it. If you are still unsure you can always contact the sender in person or by phone to see if they actually sent that email and link. Yes, it is possible that visiting an infected website alone will be enough to download and install ransomware. This is called a ‘drive-by’ attack and it often employs the Flash Player, Adobe Reader, or Java. Keeping these programs up to date is a good way to thwart such attacks.
5. Enterprise Security
Enterprises need to isolate data on their networks so that it is not easily accessed and then encrypted. Many will use sandboxing to do this. However, the Jaff Ransomware knows this and has been designed to detect and avoid sandboxes. Hardware separation employed on all network endpoints may be the best solution. In this case, even if the normal-use half of an endpoint is breached and encrypted, important data on the hardware-separated network half of the device cannot be accessed by the attacker. All important data is kept safe.
If you’ve taken the steps mentioned above, you should be protected from most ransomware and other malware attacks. That said, back up your files. Malware is always evolving and no malware is evolving faster than ransomware. Researchers are already warning users not to be complacent just because the most recent attack was accidentally thwarted. The attackers will quickly find a new workaround. I personally believe that the attack was bigger than the attackers really wanted it to be. Just as what happened in the San Francisco metro attack, they may have drawn too much attention to themselves. Those hackers had to back off on their ransom demands.
Attackers really just want the money paid and the victims to remain silent. Many enterprises pay the ransom and say nothing so as not to ruin their reputations. That’s why most ransom demands are kept relatively low. The criminals know it is easier for the company to pay than to risk tarnishing their image. Besides, they often need the encrypted data too much to risk losing it. At the beginning of this year, almost every security firm predicted that ransomware would be the big story of 2017. I concurred and I will stand by that prediction.