If you follow the blog, you probably saw Jonas Spieckermann’s post about the Locky Ransomware, which attackers are distributing on a massive scale via spam email attachments. Another Ransomware variant named Samas or SamSam is also making its rounds, and recently forced a Maryland-area healthcare provider to partially bring down their network for several days. Its creators use more targeted attack methods, such as compromising web servers to load the malicious payload.
Late last week, the United States Department of Homeland Security (DHS) and the Canadian Cyber Incident Response Centre (CCIRC) issued a joint alert on the Ransomware threat, mentioning the Locky and Samas variants. The alert traces the history of Ransomware from early Scareware, which frightened users into downloading fake antivirus software or paying a "fine" for alleged illegal activity, to the far more destructive encrypting Ransomware variants, which prevent users from accessing their own files until they pay a ransom for the decryption key.
US-CERT recommends victims not pay any ransom, stating that paying only guarantees that the malicious actors receive the victim’s money, not that the encrypted files will actually be released. I fully agree with this recommendation. Paying a ransom both encourages and directly funds more malware from these criminals. Instead of resorting to a ransom payment, US-CERT recommends that administrators take steps to both help prevent an infection and reduce the impact in the event of an infection:
- Perform and test regular offline backups to limit the impact and expedite the recovery process in the event of an infection.
- Use application whitelisting to only allow specified programs to run on networked systems, preventing the malicious software from even being run.
- Keep all operating systems and software patched with the latest security fixes to reduce the number of potential attack vectors for the malware.
- Scan all downloaded software with up-to-date antivirus software before executing it.
- If at all possible, disable macros in documents received from untrusted sources. Microsoft Office 2016 now makes this possible via Group Policy.
- And finally, watch out for phishing attempts and do not follow unsolicited web links in emails.
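The macro recommendation above is the one item on that list that an administrator can enforce with a few lines of configuration, so here is an added example (written for this post, not code from US-CERT, Microsoft or the original article). It audits and then applies the Office 2016 "Block macros from running in Office files from the Internet" policy for Word, Excel and PowerPoint by writing the same registry value that the Group Policy setting controls. The registry path and value name are assumptions based on how that policy is stored; in production you would push the policy through a GPO rather than run this on each machine, but the script is handy for a test VM or for checking that a GPO actually landed.

```powershell
# Added example (not from the original post or any vendor documentation).
# Assumption: the Office 2016 Group Policy "Block macros from running in Office
# files from the Internet" is stored per application as the DWORD value below
# under the per-user Policies hive. Writing it directly has the same effect as
# applying the GPO on a single machine.

$OfficeApps = @('Word', 'Excel', 'PowerPoint')
$BlockValueName = 'blockcontentexecutionfrominternet'

function Get-OfficeMacroPolicyPath {
    param([string]$App)
    "HKCU:\Software\Policies\Microsoft\Office\16.0\$App\Security"
}

# Audit: report, per application, whether Internet-sourced macros are blocked.
function Get-OfficeMacroBlockState {
    foreach ($app in $OfficeApps) {
        $key = Get-OfficeMacroPolicyPath -App $app
        $raw = $null
        if (Test-Path $key) {
            $raw = (Get-ItemProperty -Path $key -Name $BlockValueName `
                        -ErrorAction SilentlyContinue).$BlockValueName
        }
        [pscustomobject]@{
            Application = $app
            Key         = $key
            Blocked     = ($raw -eq 1)   # $null or 0 means the weak default: macros only gated by a warning bar
            RawValue    = $raw
        }
    }
}

# Enforce: set the value to 1 (blocked). Optionally also require signed macros
# everywhere by setting VBAWarnings to 3 ("disable all except digitally signed").
function Set-OfficeMacroBlock {
    param([switch]$AlsoRequireSignedMacros)
    foreach ($app in $OfficeApps) {
        $key = Get-OfficeMacroPolicyPath -App $app
        if (-not (Test-Path $key)) {
            New-Item -Path $key -Force | Out-Null
        }
        New-ItemProperty -Path $key -Name $BlockValueName -PropertyType DWord `
            -Value 1 -Force | Out-Null
        if ($AlsoRequireSignedMacros) {
            New-ItemProperty -Path $key -Name 'VBAWarnings' -PropertyType DWord `
                -Value 3 -Force | Out-Null
        }
    }
}

# Usage: audit, enforce, audit again. The second table should show Blocked = True
# for all three applications.
Get-OfficeMacroBlockState | Format-Table -AutoSize
Set-OfficeMacroBlock -AlsoRequireSignedMacros
Get-OfficeMacroBlockState | Format-Table -AutoSize
```

The first audit run is worth keeping in your change record: on an unmanaged Office 2016 install it will show `RawValue` empty for every application, which is exactly the state in which a Locky attachment's "enable content" lure works. Note that the block relies on the Mark-of-the-Web that browsers and mail clients stamp on downloaded files, so documents that arrive by other routes (USB, network shares) still fall through to the ordinary macro security level, which is why the optional `VBAWarnings` setting is included.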
If you own a WatchGuard Firebox, it offers several features that help protect against Ransomware like Locky and Samas. Attackers primarily distribute Locky via email spam, so configuring the Firebox’s SMTP proxy with spamBlocker, Gateway AntiVirus, and APT Blocker helps prevent malicious messages and attachments from reaching your users. Criminals typically distribute Samas via malicious or compromised websites, so a pair of properly configured HTTP and HTTPS proxies with Gateway AntiVirus, APT Blocker, Application Control, and WebBlocker to scan downloads and prevent access to known malicious web sites can help prevent an infection. Keep in mind that the HTTPS proxy can only scan downloads if you enable content inspection; without it, the proxy sees only the encrypted session and can act on the destination, not the payload.
We cover a lot of these Firebox ransomware tips in a Knowledgebase Article. If you want more detail on how the Firebox helps, I echo Jonas’ recommendation of reading, “How to prevent ransomware and other malicious malware with your Firebox” — Marc Laliberte
- US-CERT Alert TA16-091A – US-CERT
- MedStar Health suspected ransomware attack – PC World
- Blocking macros in Office 2016 – Microsoft
- How Samas differs from other ransomware – Microsoft