One of the best strategies to defeat ransomware is to patch systems as soon as possible, a senior official at a security vendor has warned the telecom industry.
Attackers often reverse engineer a recently-patched software vulnerability and use it quickly as an exploit, betting organizations and consumers haven’t updated their systems, Nathan Shuchami, head of advanced threat protection at Check Point Software, told the annual Canadian Telecom Summit.
“Therefore one of the best practices is to patch as soon as you can,” he said.
The three-day conference in Toronto, which started Monday, attracts officials from carriers, Internet service providers and vendors from across the country.
His pre-lunch keynote, which outlined the devastating effects ransomware has by encrypting hard drives after unsuspecting employees click on an attachment or link, appeared to dim the appetite of some attendees who were awed by the simple mechanics of an attack.
One of the more recent variants Check Point has been tracking struck close to home: Called CTB Locker, it pretends to be a PDF invoice from a wireless carrier, which when opened encrypts the hard drive. The victim is then given four days to pay two Bitcoins for the decryption key.
Shuchami noted the ransom note is well prepared: The English instructions are easy to read, and the deadline and price (two Bitcoins, about $1,500) are stated plainly. To increase the victim's confidence that files will be decrypted if payment is made, the victim is given the chance to unlock several files immediately.
Also included are instructions on how the victim should turn off their firewall and use Tor to communicate with the attacker's server, pay the ransom and download the decryption keys.
Ransomware has been increasingly adopted by attackers in the past year for one reason, Shuchami said: It's easily spread without spear phishing and is a great way to generate money for criminals. "The attacker doesn't need to tailor it to a specific industry or bank account or specific bank, it can be sent to millions of victims across industries. And we also see attackers are investing significant energy in A/B testing to identify the best language (for the threat message), the optimal amount of money to be demanded – it shouldn't be too high, otherwise people won't pay – and the look and feel of the message."
Usually the ransom isn’t a lot but collectively over a regional or global campaign it adds up, he added.
In an interview Shuchami agreed employee awareness training is vital to fight ransomware. “But you cannot only rely on education because attackers are investing a lot more today in language, in look and feel to make email look as legit as possible.” And because of employee churn there will be staff who aren’t trained, he added. That’s why he recommends organizations use a second-generation sandbox that can detect malware evasion and obfuscation techniques.
The best awareness training he’s seen involves staff regularly – at least three times a year – having to pass an online phishing test, plus regular professional penetration testing.
But he also said that in addition to training and rapid patching there are other simple and effective defensive strategies CISOs can employ, including establishing document handling policies (never accept executable files from outside the office) and regular backups.
These could foil up to 95 per cent of ransomware, he said.
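The "never accept executable files from outside the office" policy only works if it is enforced on what an attachment actually is, not on what its name claims, since the CTB Locker lure described above arrives as an "invoice" that is really a program. As an added illustration, not code from Check Point or from the conference, the Python check below judges an attachment by its content: native executable magic bytes, double extensions such as invoice.pdf.exe, a .pdf name without a PDF header, and executables smuggled inside a ZIP archive. The extension list, the depth limit and the sample attachments are constructed assumptions for the demonstration, not real malware.

```python
"""Content-based attachment policy: reject executables whatever the claimed name.

Added example; the extension list and sample files are assumptions, not a
vendor product's rules.
"""
import io
import os
import zipfile

# Extensions treated as executable content (assumed site policy; extend as needed).
EXECUTABLE_EXTENSIONS = {
    ".exe", ".dll", ".scr", ".com", ".pif", ".bat", ".cmd", ".ps1",
    ".vbs", ".js", ".jse", ".wsf", ".hta", ".msi", ".jar", ".lnk",
}

# Magic bytes of native executables; checked before the name is trusted at all.
EXECUTABLE_MAGIC = (
    b"MZ",                # Windows PE (DOS stub)
    b"\x7fELF",           # ELF
    b"\xfe\xed\xfa\xce",  # Mach-O 32-bit
    b"\xfe\xed\xfa\xcf",  # Mach-O 64-bit
    b"\xcf\xfa\xed\xfe",  # Mach-O 64-bit, little-endian
)

MAX_ARCHIVE_DEPTH = 2  # assumed limit; stops nested-zip tricks from recursing forever


def all_extensions(filename):
    """Every suffix of the name, so 'invoice.pdf.exe' yields ['.pdf', '.exe']."""
    parts = os.path.basename(filename).lower().split(".")
    return ["." + p for p in parts[1:]]


def classify_attachment(filename, data, depth=0):
    """Return (verdict, reason); verdict is 'reject' or 'allow'."""
    if data.startswith(EXECUTABLE_MAGIC):
        return "reject", "executable magic bytes"

    for ext in all_extensions(filename):
        if ext in EXECUTABLE_EXTENSIONS:
            return "reject", "executable extension " + ext

    # A file calling itself a PDF must at least carry the PDF header.
    if ".pdf" in all_extensions(filename) and not data.startswith(b"%PDF-"):
        return "reject", "claims to be PDF but has no PDF header"

    # ZIP local-file header: look inside so invoice.zip cannot hide invoice.pdf.exe.
    if data.startswith(b"PK\x03\x04"):
        if depth >= MAX_ARCHIVE_DEPTH:
            return "reject", "archive nested too deeply"
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.is_dir():
                        continue
                    if info.flag_bits & 0x1:
                        # Password-protected entries cannot be inspected, so fail closed.
                        return "reject", "encrypted archive entry " + info.filename
                    verdict, reason = classify_attachment(info.filename, zf.read(info), depth + 1)
                    if verdict == "reject":
                        return "reject", "archive entry %s: %s" % (info.filename, reason)
        except zipfile.BadZipFile:
            return "reject", "corrupt or non-standard archive"

    return "allow", "no executable indicators"


def build_samples():
    """Constructed sample attachments for the demonstration (no real malware)."""
    fake_pe = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x00" * 64
    real_pdf = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf.exe", fake_pe)
    return {
        "invoice.pdf": real_pdf,        # genuine PDF: allowed by this check
        "invoice.pdf.exe": fake_pe,     # double extension plus PE header
        "invoice_2015.pdf": fake_pe,    # PE renamed to .pdf
        "invoice.zip": buf.getvalue(),  # archive hiding the executable
    }


if __name__ == "__main__":
    for name, data in build_samples().items():
        print("%-18s %s" % (name, classify_attachment(name, data)))
```

The check stops the disguised-executable lure, not everything: a genuine PDF or Office document can still carry an exploit or a macro, which is why the speaker pairs the document policy with rapid patching, a sandbox and backups rather than relying on any one of them.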