Our computer systems are under attack! The sky is falling! Why do these phrases sound the same to so many of us? Have we become desensitized to the number of threats and the frequency of the attacks? When Charlie Russell said he’d like to have me cover
Although the volume of spam is dropping and spam filters keep improving, firewalls and anti-virus are becoming less effective, and attackers are becoming much more aggressive. In addition, with the United States being the second largest source of attacks according to an eWeek article, the threat is as much from people around us as it is from overseas. My conclusion in this area is fairly simple: the bad guys are following the money.
One of the tools these bad guys are using is CryptoWall. CryptoWall is the latest successor to Cryptolocker, the malware that infects your system, encrypts your files and demands a ransom. As we see it, users continue to make errors in judgment, opening attachments without thinking about where the files came from. Users need training, and we provide an outline for this training below. In most cases that we know of so far, when the ransom is paid an unlock key is delivered and the locked files are made accessible again. However, it is our opinion that infected systems need to be rebuilt from backup, and if you have adequate backups you may not have to pay the ransom at all.
Another concern is whether breach reporting is required after a CryptoWall infection. If desktop encryption is in place, security breach reporting is probably not mandatory, and the current guidance on CryptoWall does not indicate that data is transferred from infected systems. Risks like CryptoWall do continue to raise the question of whether cyber insurance is needed, and of what a virus infection actually costs.
You might ask why anti-virus products are not catching these threats. The publishers of these products have a real fight on their hands with the rapid iteration and evolution of the attacking viruses. Further, vendors can set their products to be more thorough, but increased anti-virus thoroughness may slow down normal
You may want to give
- http://time.com/2972317/world-war-zero-how-hackers-fight-to-steal-your-secrets/
- http://www.economist.com/news/special-report/21606416-companies-markets-and-countries-are-increasingly-under-attack-cyber-criminals?zid=291&ah=906e69ad01d2ee51960100b7fa502595
- http://time.com/2972060/report-chinese-hackers-target-information-of-federal-employees/
As a system administrator or IT manager, we suggest that you:
- Review your anti-virus signatures and configuration weekly
- Hold extra training for employees
- Make a plan for what to do if infected. This includes warning your users to plan on outages of 24-72 hours, and that if they try to go back to work too soon they are likely to re-infect their systems.
A few other technical considerations are in order. CryptoWall payloads are typically delivered as an attachment to an email message. Fully updated software (firewall, spam filter, anti-virus) does not keep these intrusions out: the bad guys change their attacks so frequently that signature updates lag behind, and immediate detection by software has not been achievable for about 18 months. Smart technical people are trying to find new ways to protect systems. My favorite quote is from Brian Dye, senior vice-president for information security at Symantec, who told the Wall Street Journal that antivirus software “is dead.” To this alarming statement, Dye added, “We don’t think of antivirus as a moneymaker in any way.” Further, he estimates that “traditional antivirus detects a mere 45 percent of all attacks,” according to a report from PC World on May 5, 2014.
Cleaning up infected systems is not simple either. Running AV products from several vendors at the same time typically does not work. We recommend the following clean-up methodology for CryptoWall:
- Run Malwarebytes in safe mode
- Run your AV vendor’s rescue product (for example, Vipre Rescue) in safe mode
- If you are not 100% sure of the source of the infection, run the clean-up on all workstations and on the servers (which generally cannot be taken into safe mode). Depending on the variant, there may be secondary infections.
Another concern is that data has been compromised and you have a security breach reporting incident on your hands. While I’m not an attorney and cannot render legal advice, if all workstations are protected with disk encryption, and the server drives are encrypted by default by your virtualization software, your firm should be exempt from reporting under most security breach statutes. Keep in mind what that exemption rests on: disk encryption protects a drive that is lost or stolen, but malware running under a logged-in user reads files in the clear exactly as that user does, so the decisive question is whether any data actually left the system. With the currently known variants of CryptoWall there is no transfer of data, so no reporting would be needed. However, secondary infections could transfer data, and those could be a reportable breach. The Malwarebytes scan log should show the infections found. Each of these should be investigated, and if data transfer is characteristic of that family, you need to do the reporting. The key is scan log review for secondary infections. It is rare that secondary infections are reportable, but you need to do your own due diligence.
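To make the scan-log review concrete, here is an added example (not code from the original post or from Malwarebytes) that sorts a scanner’s detections into the follow-up each one needs. The log it reads is a constructed, simplified “detection, path, action” listing rather than any vendor’s real report format, and the family keyword sets are assumptions to check against your own AV vendor’s naming scheme.

```python
"""Sort scanner detections into follow-up groups for breach-reporting review.

Added example for the post above; not code from the post or from any AV vendor.
Log format and family token tables are assumptions, see comments.
"""
import csv
import re
from io import StringIO
from typing import Dict, List

# Assumed name fragments (matched as whole tokens of the detection name) for
# families whose characteristic behaviour is sending data off the machine.
EXFIL_TOKENS = {"pws", "spyware", "stealer", "infostealer", "backdoor",
                "keylogger", "banker", "rat"}
# Assumed tokens for file-encrypting ransomware, which per the guidance cited
# above encrypts in place without transferring data.
RANSOM_TOKENS = {"ransom", "cryptowall", "cryptolocker"}

FOLLOW_UPS = ("investigate-for-breach-reporting", "encryption-only", "review")


def classify(detection: str) -> str:
    """Map one detection name to the follow-up it needs.

    Exfiltration families win over ransomware families so that a name such as
    'Trojan.PWS.SomeRansomDropper' is never written off as encryption-only.
    """
    tokens = set(re.split(r"[^a-z0-9]+", detection.lower()))
    if tokens & EXFIL_TOKENS:
        return FOLLOW_UPS[0]
    if tokens & RANSOM_TOKENS:
        return FOLLOW_UPS[1]
    return FOLLOW_UPS[2]


def triage_scan_log(log_text: str) -> Dict[str, List[str]]:
    """Parse 'detection,path,action' lines and group them by follow-up."""
    groups: Dict[str, List[str]] = {name: [] for name in FOLLOW_UPS}
    for row in csv.reader(StringIO(log_text)):
        # Skip blank lines, comment lines and malformed rows rather than guessing.
        if len(row) < 3 or row[0].lstrip().startswith("#"):
            continue
        detection, path, action = (field.strip() for field in row[:3])
        groups[classify(detection)].append(f"{detection} at {path} ({action})")
    return groups


def needs_breach_review(log_text: str) -> bool:
    """True if any detection belongs to a family that characteristically transfers data."""
    return bool(triage_scan_log(log_text)[FOLLOW_UPS[0]])


# Constructed sample report (not a real Malwarebytes log): the CryptoWall
# payload, an unwanted toolbar, and a credential stealer found alongside them.
SAMPLE_LOG = """# detection,path,action
Trojan.Ransom.CryptoWall,C:\\Users\\jdoe\\AppData\\Local\\Temp\\c7f2.exe,Quarantined
PUP.Optional.Toolbar,C:\\Program Files\\Toolbar\\tb.dll,Quarantined
Trojan.PWS.Zbot,C:\\Users\\jdoe\\AppData\\Roaming\\svch0st.exe,Quarantined
"""

if __name__ == "__main__":
    for follow_up, items in triage_scan_log(SAMPLE_LOG).items():
        print(f"{follow_up}:")
        for item in items:
            print("   ", item)
    print("breach review needed:", needs_breach_review(SAMPLE_LOG))
```

Run it against a copy of the real report after reducing it to that three-column form. Anything that lands in the investigate group is what the due-diligence paragraph above is about; an empty group is evidence for the no-transfer position, not proof of it, because the token tables only catch families your vendor names in a recognizable way.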
User training and awareness as described above should be completed to help minimize future infections. I have a complete training outline at http://www.nmgi.com/tag/security/. What we normally tell our clients is to teach your people this: if you are not expecting it, question it. If the email is not in the normal format, question it. For example, many of these CryptoWall infections arrive as spoofed messages from American Express. If you are not expecting a message from American Express, why would you open it? If you receive a message with an attached PDF, question it, or simply send a separate message to the sender asking whether it is legitimate (use an address you already know, not a reply to the suspect message). Better yet, routinely exchange documents through a secure portal instead of email attachments.
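The same rules the training gives to people (an unexpected sender, a brand name that does not match the address it came from, a PDF attachment) can be encoded as a first-pass check at the mail gateway or in a helpdesk tool. The following is an added example, not code from the original post or from any product; the brand-to-domain table and the attachment policy are assumptions for illustration, and the messages it runs on are constructed samples.

```python
"""First-pass triage of an inbound email against the 'question it' rules above.

Added example for the post; not code from the post or from any mail product.
Brand domains and attachment policy are assumptions, see comments.
"""
import email
from email.message import Message
from email.utils import parseaddr
from typing import Dict, List, Set

# Assumed: brands the spoofed messages impersonate, with the sender domains a
# real message from that brand would be expected to use.
EXPECTED_BRAND_DOMAINS: Dict[str, Set[str]] = {
    "american express": {"americanexpress.com", "aexp.com"},
}
# Assumed attachment policy: types to question when the message is unexpected.
QUESTIONABLE_EXTENSIONS = {".pdf", ".zip", ".exe", ".scr", ".js"}
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".js"}


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _on_brand_domain(domain: str, allowed: Set[str]) -> bool:
    # Accept the brand domain itself and any subdomain of it.
    return any(domain == d or domain.endswith("." + d) for d in allowed)


def attachment_names(msg: Message) -> List[str]:
    """Filenames of every non-container MIME part that carries one."""
    return [part.get_filename() for part in msg.walk()
            if part.get_content_maintype() != "multipart" and part.get_filename()]


def triage(raw_message: str) -> List[str]:
    """Return the reasons a reader (or a gateway) should question this message.

    An empty list means none of the heuristics fired, not that the mail is safe.
    """
    msg = email.message_from_string(raw_message)
    reasons: List[str] = []
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(addr)

    # 1. Display name claims a brand, but the address is not on that brand's domains.
    for brand, domains in EXPECTED_BRAND_DOMAINS.items():
        if brand in display.lower() and not _on_brand_domain(from_domain, domains):
            reasons.append(f"display name '{display}' but sender domain '{from_domain}'")

    # 2. Replies would go to a different domain than the one that sent the mail.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != from_domain:
        reasons.append(f"Reply-To domain '{_domain(reply_addr)}' differs from sender domain")

    # 3. Attachment types worth questioning, and double extensions hiding an executable.
    for name in attachment_names(msg):
        lower = name.lower()
        ext = "." + lower.rsplit(".", 1)[-1] if "." in lower else ""
        if ext in QUESTIONABLE_EXTENSIONS:
            reasons.append(f"attachment '{name}' is a {ext} file")
        if lower.count(".") >= 2 and ext in EXECUTABLE_EXTENSIONS:
            reasons.append(f"attachment '{name}' hides an executable behind a double extension")
    return reasons


# Constructed sample: a spoofed "American Express" notice with a PDF attached,
# the pattern the training above warns about. Domains are made up.
SAMPLE_SPOOF = """From: "American Express" <alerts@amex-notice-center.example>
Reply-To: billing@mailbox-relay.example
To: user@example.org
Subject: Your statement is ready
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Please review the attached statement.
--XYZ
Content-Type: application/pdf; name="statement.pdf"
Content-Disposition: attachment; filename="statement.pdf"

JVBERi0xLjQK
--XYZ--
"""

# Constructed sample: an ordinary internal message with nothing to question.
SAMPLE_LEGIT = """From: "Pat Jones" <pat.jones@example.org>
To: user@example.org
Subject: Lunch

See you at noon.
"""

if __name__ == "__main__":
    for label, sample in (("spoof", SAMPLE_SPOOF), ("legit", SAMPLE_LEGIT)):
        print(label, "->", triage(sample) or "nothing to question")
```

The checks are deliberately cheap and header-only, so they belong in front of (not instead of) the spam filter and anti-virus; their job is to surface the “why would you open it?” question before a user clicks. Note that the Reply-To check on its own fires for plenty of legitimate mailing-list traffic, which is why the function reports reasons for a human to weigh rather than a verdict.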
Threats will continue to increase, but we can help ourselves with good setup, preparation, maintenance and