Ransomware: Poised to Cause More Disturbance, Losses in 2017

March 8, 2017

TLP: WHITE | The NJCCIC assesses with high confidence that ransomware extortion incidents will likely result in greater operational disruptions, permanent data loss, and higher financial payouts in 2017, as profit-motivated cybercriminals increasingly seek higher profile targets—with more critical data and time-sensitive operations—raising the likelihood of larger ransom payments. While all organizations will remain at risk of opportunistic attacks, we assess the following are at high risk of targeted extortion incidents with costly ransom demands: healthcare providers, law firms, investment firms, police departments, higher education institutions, and critical infrastructure operators such as electric and water utilities, transportation systems, and manufacturing plants. Organizations can drastically reduce this risk by implementing cybersecurity best practices and conducting training and awareness briefings for all employees.

• The cybersecurity firm Carbon Black reported a 50 percent increase in ransomware attacks in 2016 compared to 2015, with manufacturing companies, electric utilities, and technology companies accounting for the highest percentages of victims. Likewise, MalwareBytes, the makers of antimalware software, reported a 267 percent increase in ransomware detections between January and November 2016. Whereas the most prevalent forms of ransomware in 2016—Locky, Cerber, and TeslaCrypt—were opportunistic in nature, less common variants such as Samsam and Spora demonstrate advanced capabilities that will likely be utilized in targeted attacks in 2017.
• Thus far in 2017, 64 percent of the ransomware incidents reported to the NJCCIC involved the CrySiS variant, which appends .wallet to the names of encrypted files. In addition to phishing emails, the hackers behind CrySiS are increasingly infecting victims by compromising remote desktop protocol (RDP) connections and manually installing the malware onto a targeted system. There is no publicly available decryption solution for the current version; therefore, victims who cannot restore their data from backups must accept the loss or pay the ransom.
• In February, researchers from the George Institute of Technology published their findings from a simulated ransomware attack against programmable logic controllers (PLCs), industrial control system devices commonly used by critical infrastructure. Their ransomware prototype was able to manipulate the PLC of a simulated water treatment plant to shut valves, increase the amount of chlorine added to water, and display false readings.

The NJCCIC recommends all organizations implement a robust data backup process that safeguards any data considered valuable or critical to the organization. Data backups must be stored offline—disconnected from the network—and tested regularly to confirm their integrity. Additionally, organizations should strongly consider procuring a reputable email gateway product to decrease the likelihood of phishing emails reaching end users. Enterprises should restrict or disable unnecessary remote access pathways such as RDP, and implement two-factor authentication to prevent brute force attempts against login credentials. Lastly, all software must be patched when security updates are available.

How to limit the impact of ransomware infections:

1. All employees should be instructed to immediately unplug the Ethernet network cable or disable Wi-Fi on the system if they suspect a ransomware infection has initiated. This will prevent the ransomware from spreading to other devices on the network or infecting backups that are stored on the network or in a cloud environment.
2. Alternatively, instruct employees to turn off the power or unplug the power cord from the system. Although doing so inhibits complete forensic analysis of the infected device, it stops the encryption process and may limit data loss.

How to recover after a ransomware infection has occurred:

1. Are there complete backups for the affected data or system that predate the infection (to avoid restoring an infected instance)? If so, restore from backups and take steps to prevent future infections.
2. If not, is there a publicly available decryption tool or remediation method? Refer to the NJCCIC’s Ransomware Threat Profile for a comprehensive list of ransomware variants and those with known decryption tools.
3. If no decryption tool is available, the only remaining options are to accept the loss or pay the ransom. The NJCCIC discourages paying ransoms of any kind, as this perpetuates the crime and does not guarantee recovery of data.

Traffic Light Protocol: WHITE information may be distributed without restriction.