Ransomware goes open source causing havoc and what you can do about it

Learn what you can do to tackle ransomware and protect your business from this threat. A recent story about an open source ransomware kit illustrates the reach of malware. Here I cover the 'Magic' crime kit and give tips on how you can protect your business from this menace.

Ransomware is everywhere, and it is not only hurting consumers; businesses are getting hit hard as well. According to a recent report, ransomware was responsible for 42% of UK security breaches in 2015. This isn't that surprising; businesses aren't immune to these threats.

The level of sophistication varies: CryptoWall and TeslaCrypt are some of the big hitters in the 'business'. Then you have more homemade efforts, reusing code or kits from wherever they can be obtained.

Ransomware kit released for research purposes goes horribly wrong

Utku Sen, a Turkish security researcher, released an open source ransomware kit, EDA2, on GitHub. He was hoping it would be “suitable for education and attack simulation for companies” and used for good.

However this wasn’t just a few lines of code, EDA2 came with actual code including instructions on how to customize it.  Also included was an admin panel to set up a command and control server (C&C).  This is where all the encryption keys were sent, making it a complete crime kit.

What was meant as an educational tool became known as 'Magic' ransomware. It was used by criminals, infecting PCs and holding data for ransom. Ultimately Utku Sen withdrew EDA2, acknowledging its failure and apologising. That wasn't going to help the people whose computers were already infected.

EDA2 MAGIC Ransomware

The plot thickened when Utku Sen himself was blackmailed: if he withdrew his other ransomware education project, hidden-tear, also on GitHub, the ransomware operator would provide the Magic encryption keys so victims could get their data back for free.

“After further discussions, the blackmail attempt turned into full-on negotiations, but Utku Sen and the ransomware operator have come to an agreement. Utku will take down the Hidden Tear repository in three days while the author of the Magic ransomware will provide all the encryption keys for free for the next 15 days.”

So a happy ending of sorts but one that illustrates the toxicity of this threat and how pernicious these attacks are.

How to combat ransomware in your business

If as a business you haven't been attacked, well done. More than likely though, most businesses will get hit sooner or later. As an IT Pro, there are certain steps you can take to help mitigate ransomware, which I have outlined below:

  • User education – inform your staff of the tell-tale signs to look out for, with web drive-by downloads and email attachments being the main distributors.
  • Patch everything – ransomware can come in via exploit kits, which will take advantage of any vulnerable software: think Java, Adobe Flash Player or Reader, as well as Office, Windows etc.
  • Remote access – don't ignore remote workers! Anyone beyond the protection of the corporate network is at risk. Using cloud file syncing like OneDrive for Business is a risk. For example, files can be encrypted on a staff member's infected home PC. These then get synced up to the cloud, destroying work documents in the process (you can disable off-domain syncing to avoid this threat).
  • Supplement security with tools like Microsoft Enhanced Mitigation Experience Toolkit (EMET). Also keep an eye on emerging tools like Malwarebytes Anti-Ransomware, along with any perimeter security that might help.
  • Early detection systems – some systems can detect when certain file types get written to file servers, picking up known extensions that could signify the start of a ransomware attack and sending out an alert. This won't always help, for example when filenames and extensions are randomly generated. File Server Resource Manager in Windows Server is one option for this.
  • Read those AV notifications and reports – there are clues even in the threats that are intercepted and removed that may reveal certain patterns, like staff opening attachments they shouldn't be.
  • Backups – these are your last line of defence from ransomware, so they should be treated with the respect they deserve: tested, off-site, and disconnected from your day-to-day systems.
  • Protect admin accounts – if one of your admin accounts is compromised, it could cause a lot more havoc given all the rights the account has. 'Just in time administration' allows you to have the rights you need when you need them, but not all the time. Azure AD Privileged Identity Management is one option that can help with this.
  • Harden where executable content can run from – software restriction policies can be used to make it harder for ransomware to launch. See this article for guidance: How to protect from CryptoWall.
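As an added example (not from the original article, and not FSRM's own mechanism), here is the extension-matching detection described in the early detection bullet, run over constructed file-server write events. It also adds a per-account write-burst heuristic, an assumption of this example rather than something the article describes, to cover the random-name case the bullet says plain extension matching misses.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Illustrative indicator lists (constructed for this example; a real
# deployment keeps its list current with extensions and note names seen in the wild).
KNOWN_EXTENSIONS = {".encrypted", ".locked", ".crypt"}
KNOWN_NOTES = {"how_to_decrypt.txt", "decrypt_instructions.html"}

# Burst heuristic (an assumption added here, not part of FSRM file screens):
# one account writing many distinct files in a short window is suspicious
# even when the names and extensions are random.
BURST_WINDOW = timedelta(seconds=60)
BURST_THRESHOLD = 20


def parse_event(line):
    """Parse a constructed audit line: '<ISO timestamp> <user> WRITE <path>'."""
    ts, user, _op, path = line.split(" ", 3)
    return datetime.fromisoformat(ts), user, path


def detect(lines):
    """Return (kind, user, detail) alerts for the given write events."""
    alerts, recent, burst_alerted = [], defaultdict(list), set()
    for line in lines:
        ts, user, path = parse_event(line)
        name = path.rsplit("\\", 1)[-1].lower()
        ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
        if ext in KNOWN_EXTENSIONS or name in KNOWN_NOTES:
            alerts.append(("known-indicator", user, path))
        # Keep only this user's writes that fall inside the sliding window.
        recent[user] = [t for t in recent[user] + [ts] if ts - t <= BURST_WINDOW]
        if len(recent[user]) >= BURST_THRESHOLD and user not in burst_alerted:
            burst_alerted.add(user)
            alerts.append(("write-burst", user, f"{len(recent[user])} writes in {BURST_WINDOW.seconds}s"))
    return alerts


def sample_events():
    """Constructed sample audit lines (not real data)."""
    base = datetime(2016, 2, 1, 9, 0, 0)
    at = lambda s: (base + timedelta(seconds=s)).isoformat()
    lines = [
        f"{at(0)} alice WRITE D:\\Shares\\Finance\\q4-report.docx",
        f"{at(5)} bob WRITE D:\\Shares\\HR\\policy.docx.encrypted",
        f"{at(6)} bob WRITE D:\\Shares\\HR\\HOW_TO_DECRYPT.txt",
    ]
    # 25 writes with random-looking names from one account inside a minute
    lines += [f"{at(10 + i)} carol WRITE D:\\Shares\\Sales\\{i:04x}a9f3.{i:03x}" for i in range(25)]
    return lines


if __name__ == "__main__":
    for alert in detect(sample_events()):
        print(alert)
```

Running it against the sample yields two known-indicator alerts for bob and a single write-burst alert for carol, whose files would slip past the extension list alone.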

Ransomware is a menace and evolving rapidly, but you can reduce the likelihood and the damage it can inflict on a business by following the steps I have outlined above.