October 2021 Safe Computing

Ransomware

Ransomware has become a trending cyberthreat this year.  Although exfiltrating (stealing) data to sell in the underground still produces revenue for cybercriminals, ransoms and exploitations have become their large moneymakers, especially for organizations that rely on data to function properly.  The Colonial Pipeline attack in May highlighted the devastating effects that such attacks have.

To understand why ransomware has been so “successful” for the cyber underground, let’s look at how it works.

Ransomware Principles

For ransomware to work, attackers must withhold access to users’ data until a ransom is paid.  Attackers encrypt the data using the same encryption means that security professionals employ to protect data from unwanted eyes.  Using mathematical techniques, an encryption algorithm converts the users’ content to code or symbols (ciphertext) so that the content can no longer be understood.  To make this encryption unique, a string of numbers called a secret key is used with the encryption algorithm, so others can’t read the data without decrypting it using this key.  In a ransomware attack, only the attacker holds the key, and the attacker pressures the organization to pay for access to the secret key so it can read its data again.

Cybercriminals Gaining Access

For the encryption to work, attackers need to be able to encrypt the data.  This is typically done by planting malware on the computer.  Malware is malicious software that performs tasks automatically or through remote “command and control” channels.  Here are the most common ways that unaware users get ransomware installed on their computer.

  1. Phishing.  Clicking on a link or downloading an attachment are the most common ways.  Attackers often spoof individuals or organizations and present an urgent action (your account will expire), a chance to solve a problem (an unpaid invoice attachment), or a seemingly great opportunity (a special deal).
  2. Remote Desktop.  Using a remote desktop solution such as RDP without requiring a Virtual Private Network (VPN) can allow cybercriminals to attack your system from other sources and plant ransomware.  If you are not using the University Remote Access VPN to connect from home to a desktop or laptop computer via RDP (or Apple Remote Desktop), your work computer is being frequently scanned for weaknesses that could one day result in a ransomware attack on any data that resides on that University computer, and on any file shares you regularly connect to from that computer.  (Call the IT Service Desk to get help using the Remote Access VPN.)
  3. Web browsing.  Attackers can post malicious links on social media sites or on blogs/wikis that permit arbitrary uploads of content with links.  Infected websites can also deliver “drive-by” downloads of malware without the user clicking on any link.
  4. Removable media.  USB thumb drives/pen drives can contain malware — especially when distributed by unknown sources.  Also beware that a USB drive moved from one computer to another could pick up malware along the way.
  5. Software.  Downloading software from sources that aren’t a bona fide download site.  Searches for software downloads can return several options, some with URLs to nefarious sites named similarly to a legitimate download site or to the product desired.  Those may contain real, working versions of the software, but with malware attached.  Always use a trusted download site such as the manufacturer’s site.  Also be aware that using pirated software increases the risk of a ransomware attack.

Paying Ransoms?

For ransomware to be a moneymaker for criminals, there must be a chance that paying the ransom will result in being provided with a decryption key; otherwise, the exploitation tactics would never work.  While that chance is typically reasonable, the FBI recommends NOT paying a ransom.  Not only does paying ransoms feed the cybercriminal world, there is no guarantee that the cybercriminals will comply.  In some cases, paying has resulted in further targeting.  Do not expect the University to pay a ransom.

Protecting Yourself

The first line of defense is to follow good security practices so that you don’t get the ransomware in the first place.  Be vigilant for phishing, use caution when browsing or downloading, don’t plug in USB drives whose history you don’t know, and only use remote desktop protocols through a VPN.  However, to protect yourself in the event that you lose access to your data, back up your data.  Better yet, store your data on a backed-up server or a cloud solution such as OneDrive or Google Drive.  If you have confidential or restricted data, the Information Security Office can help you determine the best place to keep it.

The Information Security Office has new information resources available, including a page on remote work and COVID-19 cybersecurity available from the Information Security portal.

Questions? Comments? Contact UMS Information Security at infosecurity@maine.edu.

(Content for this page was provided by John Forker, UMS Chief Information Security Officer)