
Secplicity - Security Simplified

Powered by WatchGuard Technologies

US-CERT Alert on Ransomware

April 6, 2016 By Marc Laliberte

If you follow the blog, you probably saw Jonas Spieckermann’s post about the Locky Ransomware, which attackers are distributing on a massive scale via spam email attachments. Another Ransomware variant named Samas or SamSam is also making its rounds, and recently forced a Maryland-area healthcare provider to partially bring down their network for several days. Its creators use more targeted attack methods, such as compromising web servers to load the malicious payload.

Late last week, the United States Department of Homeland Security (DHS) and the Canadian Cyber Incident Response Centre (CCIRC) issued a joint alert on the Ransomware threat, mentioning the Locky and Samas variants. The alert discusses the history of Ransomware, from early Scareware that threatened users into downloading fake antivirus software or paying a fine for alleged “illegal activity”, to the more destructive encrypting Ransomware variants that prevent a user’s access to their files until they pay a ransom for the decryption key.

US-CERT recommends victims not pay any ransom, stating that paying only guarantees that the malicious actors receive the victim’s money, not that the encrypted files will actually be released. I fully agree with this recommendation. Paying a ransom both encourages and directly funds more malware from these criminals. Instead of resorting to a ransom payment, US-CERT recommends that administrators take steps to both help prevent an infection and reduce the impact in the event of an infection:

  • Perform and test regular offline backups to limit the impact and expedite the recovery process in the event of an infection.
  • Use application whitelisting to only allow specified programs to run on networked systems, preventing the malicious software from even being run.
  • Keep all operating systems and software patched with the latest security fixes to reduce the number of potential attack vectors for the malware.
  • Scan all downloaded software with up-to-date antivirus software before executing it.
  • If at all possible, disable macros in documents received from untrusted sources. Microsoft Office 2016 now makes this possible via Group Policy.
  • And finally, watch out for phishing attempts and do not follow unsolicited web links in emails.
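The Office 2016 macro recommendation above is enforced through the “Block macros from running in Office files from the Internet” Group Policy setting. The following audit script is an added example, not code from the original post, US-CERT or WatchGuard; it assumes the documented Office 2016 (16.0) per-application policy registry value `blockcontentexecutionfrominternet` and reports whether each application has the block in place, with an optional switch to set the same value locally.

```powershell
# Added example: audit the Office 2016 "Block macros from running in Office
# files from the Internet" policy for the current user. Assumes the documented
# Office 2016 policy location (HKCU\Software\Policies\Microsoft\Office\16.0\<app>\Security)
# and the DWORD value blockcontentexecutionfrominternet (1 = blocked).
param(
    # When set, write the blocking value locally where it is missing. On a
    # domain-joined host a Group Policy refresh will re-assert the GPO's value.
    [switch]$Enforce
)

$valueName = 'blockcontentexecutionfrominternet'
$apps      = @('Word', 'Excel', 'PowerPoint')

$results = foreach ($app in $apps) {
    $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"

    # Missing key or value means the policy is "Not Configured": macros from
    # Internet-zone files are only subject to the user's Trust Center setting.
    $current = (Get-ItemProperty -Path $key -Name $valueName -ErrorAction SilentlyContinue).$valueName
    $blocked = ($current -eq 1)

    if (-not $blocked -and $Enforce) {
        New-Item -Path $key -Force | Out-Null
        Set-ItemProperty -Path $key -Name $valueName -Value 1 -Type DWord
        $current = 1
        $blocked = $true
    }

    [pscustomobject]@{
        Application           = $app
        PolicyValue           = if ($null -eq $current) { 'Not Configured' } else { $current }
        InternetMacrosBlocked = $blocked
    }
}

$results | Format-Table -AutoSize

# Non-zero exit code when any application is unprotected, so the script can be
# used as a compliance check from a scheduled task or endpoint management tool.
if ($results | Where-Object { -not $_.InternetMacrosBlocked }) { exit 1 }
```

Run it in the context of the user whose Office profile you are checking; the policy lives under HKCU, so a check run as an administrator reports that administrator's policy, not the logged-on user's.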

If you own a WatchGuard Firebox, it offers several features that help protect against Ransomware like Locky and Samas. Attackers primarily distribute Locky via email spam, so configuring the Firebox’s SMTP proxy with spamBlocker, Gateway AntiVirus, and APT Blocker helps prevent malicious messages and attachments from reaching your users. Criminals typically distribute Samas via malicious or compromised websites, so a pair of properly configured HTTP and HTTPS proxies with Gateway AntiVirus, APT Blocker, Application Control, and WebBlocker to scan downloads and prevent access to known malicious web sites can help prevent an infection.

We cover a lot of these Firebox ransomware tips in a Knowledgebase Article. If you want more detail on how the Firebox helps, I echo Jonas’ recommendation of reading “How to prevent ransomware and other malicious malware with your Firebox”. — Marc Laliberte

Reference Section:

  • US-CERT Alert TA16-091A – US-CERT
  • MedStar Health suspected ransomware attack – PC World
  • Blocking macros in Office 2016 – Microsoft
  • How Samas differs from other ransomware – Microsoft
