What Is the Biggest Challenge of Today's Cybersecurity?

There are a lot of 2015 prognostications and predictions, but instead of also going down that path I want to find and discuss our biggest cybersecurity challenge.

Today’s car bomb explosion in front of a synagogue in Sarcelles (near Paris, France) is a reminder that sudden physical attacks happen in our world. Fortunately these types of bomb attacks do not happen daily, so we accept a certain level of violence.

In the cybersecurity world we also become desensitized to stories of “others”: other companies or people having various problems. What are the worst problems in IT?

1. Losing data, all your files destroyed

a. Hardware failures can be recovered from; backups or cloud infrastructure mitigate them.

b. But viruses called ransomware are the scourge of IT departments, since they sometimes end up on the backups or cloud infrastructure as well.

Once ransomware runs, the unthinkable happens:

All encrypted data is lost, unless you pay the ransom, and even then sometimes the data does not decrypt (assuming it is even possible to pay them).

Or the ransomware returns from files still infected somewhere in your infrastructure.
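The two failure modes above, ransomware that has already reached the backups and a restore that quietly brings the infection back, are exactly what a restore-time integrity check is for. The following is an added example, not code from the original post: it records a SHA-256 manifest of a known-good snapshot and refuses to trust a later snapshot in which a large share of files changed or unexpected files appeared, which is what a mass in-place rewrite by ransomware looks like. The manifest must be kept somewhere the backup job itself cannot overwrite. The directory layout, sample documents, the 10% change threshold and the "infected" rewrite are all constructed for the demonstration.

```python
"""
Added example (not from the original post): verify a backup snapshot against a
previously recorded SHA-256 manifest before trusting it as a restore source.
Sample files, the threshold and the simulated infection are constructed.
"""
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root: Path) -> dict:
    """Map each file path (relative to root, POSIX style) to its SHA-256 hex digest."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def verify_snapshot(root: Path, known_good: dict, max_changed_ratio: float = 0.10) -> dict:
    """Compare the snapshot under root with a known-good manifest.

    Returns the changed, missing and new files, the fraction of known files
    that changed or vanished, and a 'trusted' flag that is False when that
    fraction exceeds max_changed_ratio (mass-rewrite pattern) or when files
    that were never backed up have appeared (e.g. a ransom note).
    """
    current = build_manifest(root)
    changed = sorted(p for p, h in known_good.items() if p in current and current[p] != h)
    missing = sorted(p for p in known_good if p not in current)
    new = sorted(p for p in current if p not in known_good)
    ratio = (len(changed) + len(missing)) / len(known_good) if known_good else 0.0
    return {
        "changed": changed,
        "missing": missing,
        "new": new,
        "changed_ratio": ratio,
        "trusted": ratio <= max_changed_ratio and not new,
    }


def demo():
    """Build a tiny snapshot, record its manifest, verify it, then simulate a
    ransomware run (constructed: 8 of 10 documents overwritten with opaque
    bytes plus a dropped note) and verify again. Returns (clean, infected)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for i in range(10):
            (root / f"doc{i}.txt").write_text(f"quarterly report {i}\n")
        known_good = build_manifest(root)   # store this out of the backup job's reach
        clean = verify_snapshot(root, known_good)

        # Constructed infection: contents replaced in place, note added.
        for i in range(8):
            (root / f"doc{i}.txt").write_bytes(bytes([i]) * 64)
        (root / "RANSOM_NOTE.txt").write_text("constructed ransom note\n")  # hypothetical filename
        infected = verify_snapshot(root, known_good)
    return clean, infected


if __name__ == "__main__":
    clean_result, infected_result = demo()
    print("clean snapshot trusted:", clean_result["trusted"])
    print("infected snapshot trusted:", infected_result["trusted"],
          "changed ratio:", infected_result["changed_ratio"])
```

Run the check against every snapshot in the retention chain and restore from the newest one that is still trusted; the threshold is a starting point and should be tuned to how much of the data set legitimately changes between backups.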

Cryptowall 2.0 is one such ransomware:

[image: Cryptowall 2.0 ransom message]

(We have had to help a customer with this problem.) Data was lost, as backups were not 100% effective.

These

[image: extortiononly]

Threatpost discussed the latest news from the ransomware analysis by Cisco:

http://threatpost.com/inside-cryptowall-2-0-ransomware/110228

The post discusses the latest analysis of Cisco’s Talos Group:

http://blogs.cisco.com/security/talos/cryptowall-2

“Cryptowall 2.0 can be delivered through multiple attack vectors, including email attachments, malicious pdf files and even various exploit kits. In the sample that we analyzed, the dropper utilized CVE-2013-3660,”

But that’s not all: Talos Group details several methods by which the malware uses Tor as Command & Control over SSL connections. So, in essence, the malware’s communications are themselves encrypted.

Needless to say, the ransomware is sophisticated and has been built up into what it is today; the early versions were either not very good or, depending on the circumstances, did not get a lot of people to pay. For a while IT consultants were saying not to pay the ransom, as it feeds the “beast” and does not work anyway – your data will still be lost.

But I am increasingly hearing stories from my colleagues that clients are willing to pay this version of ransomware (Cryptowall 2.0 or better).

In fact, there is a story saying that at least $1.1 million was paid out in six months of last year: http://threatpost.com/cryptowalls-haul-1m-in-six-months/107978 (Dell SecureWorks’ Counter Threat Unit report).

One can see that with $1.1 million this is a large operation that is trying to get larger. But that is not the only potential problem in your network.

The time and resources spent on fixing a Cryptowall problem should make all of us cognizant of our backup and defensive infrastructure.

The bad guys are winning because they can always rework their attacks faster than the defenders can rework the definition files. It takes time to analyze malware and then decide how to modify your IPS, NGFW and anti-virus software. Rolling out the new protections also takes time, and in the meantime… yes, you guessed it: the criminal hackers have modified their ransomware and now nothing is stopping them.

This is why Symantec issued a statement that 50% of viruses will not be caught by their software.

So what do we do?

1. It will not happen to me – not concerned.

2. Other thoughts, with the same end result: we do not want to spend money now.

The right thing to do (http://www.fixvirus.com/philotimodo-the-right-thing-your-network/) is to create the best possible IT infrastructure, use proper policies and educate users to reduce the chance of a ransomware infestation.

Backups and proper IT infrastructure are very important.

One aspect of this world we live in is that, if there are random anonymous connections to Tor on your network, I would be worried.

From the Cisco Talos Group analysis:

“Initially Cryptowall 2.0 attempts to identify the outside address for the network the system is operating on using the “GetExternalIpAddr” function. It accomplishes this by communicating with one of the following addresses:

  • http://wtfismyip.com/text—do not follow
  • http://ip-addr.es—do not follow
  • http://myexternalip.com/raw—do not follow
  • http://curlmyip.com—do not follow

(Do not follow the links above; I have added dashes to reduce that chance.)
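The four lookup addresses in the Talos quote are something a defender can watch for on their own network: a workstation asking a public “what is my IP” service is unusual for most users and, given the analysis above, worth a look. The block below is an added example, not code from the original post or from Cisco Talos. It parses web proxy log lines and reports every internal client that contacted one of the four hostnames. The proxy log format and every log line are constructed for the demonstration; the parser would need to be adapted to a real proxy’s format.

```python
"""
Added example (not from the original post or from Cisco Talos): report internal
hosts whose proxy traffic reaches the external-IP lookup services named in the
Talos analysis. Log format and log lines are constructed for the demo.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Indicator hostnames exactly as named in the Talos quote above.
IP_LOOKUP_HOSTS = {
    "wtfismyip.com",
    "ip-addr.es",
    "myexternalip.com",
    "curlmyip.com",
}

# Constructed proxy format: "<timestamp> <client_ip> <method> <url-or-host:port> <status>".
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)

# Constructed sample log; 10.0.5.23 and 10.0.5.99 touch lookup services.
SAMPLE_LOG = """\
2015-01-08T09:12:01Z 10.0.5.23 GET http://www.example.com/ 200
2015-01-08T09:12:04Z 10.0.5.23 GET http://wtfismyip.com/text 200
2015-01-08T09:12:05Z 10.0.5.23 CONNECT www.example.org:443 200
2015-01-08T09:13:10Z 10.0.7.41 GET http://intranet.example.local/home 200
2015-01-08T09:14:22Z 10.0.5.99 GET http://myexternalip.com/raw 200
2015-01-08T09:14:30Z 10.0.5.23 GET http://curlmyip.com/ 200
garbage line that does not match the format
"""


def host_of(url_or_hostport: str) -> str:
    """Extract the lowercase hostname from a URL or a CONNECT-style host:port."""
    target = url_or_hostport if "://" in url_or_hostport else "//" + url_or_hostport
    host = (urlsplit(target).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def find_ip_lookup_clients(log_text: str) -> dict:
    """Return {client_ip: [(timestamp, hostname), ...]} for every client that
    contacted one of the IP-lookup services; malformed lines are skipped."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # not in the expected format; a real tool would count these
        host = host_of(m["url"])
        if host in IP_LOOKUP_HOSTS:
            hits[m["client"]].append((m["ts"], host))
    return dict(hits)


if __name__ == "__main__":
    for client, events in sorted(find_ip_lookup_clients(SAMPLE_LOG).items()):
        print(client, "->", ", ".join(f"{host} at {ts}" for ts, host in events))
```

Treat a hit as a lead rather than a verdict: administrators and some legitimate software also consult these services, so the next step is to check what else the flagged host did around that time, for instance whether it went on to open the anonymous outbound connections described above.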

Contact us to help you devise new strategies for the cybersecurity world we live in.

 

 

 
