Vin Ransomware Blog02


Ransomware has become the most prominent news in the computer security space in recent times. Hardly a day passes without a story about a new ransomware strain. According to one recent survey, one in fifty people has been affected by ransomware [1].

Modern ransomware is continuously evolving. It no longer just encrypts files, locks the computer or locks system files; it also disables the very security software that is meant to protect the system from such malware. Our ransomware intelligence team (within the Threat Intelligence group of Paramount) keeps a constant watch on new ransomware families. We recently came across the newest version of the Cerber ransomware, Cerber v4.

The operators behind Cerber are resourceful and have advanced the ransomware through numerous upgrades.

The evolution of Cerber ransomware:

[Figure: The evolution of Cerber ransomware]

According to security researcher Kafeine [2], Cerber v4 was first sighted during the first week of October and was being sold through RaaS (Ransomware-as-a-Service). Some of the key capabilities we observed in Cerber v4 are illustrated below.


Figure 1 - The capabilities and new additions in Cerber v4

Security researchers claim that exploit kits delivering Cerber v4 are already active in certain countries such as the US, Germany, Spain, Taiwan, Singapore, China, Hong Kong and Korea. These exploit-kit campaigns typically lure victims with a fake casino-themed advertisement such as the one below.

Figure 2 - The malicious advertisement that is used to spread the ransomware


Recommended mitigation procedures

To protect data and computers from a ransomware attack, it is recommended to follow these guidelines [3]:

Educate:

From business people to the general public, everyone seems to be falling victim to ransomware through carelessness. When something needs to be brought under control, it is very important to spread awareness. Educate people about the what, why, how and where of ransomware.

Patch:

Update all software regularly, including operating systems, network devices, mobile phones, anti-virus and anti-spyware products and other software on computers, so that known vulnerabilities cannot be used for malicious intrusion.

Access Controls:

Access controls on resources should be designed so that no one other than the intended owner can read or write the files and resources. This mitigation helps to limit both infection and data breach.

Privileges:

Applications should be designed to run with privilege-based access controls. It is recommended to grant all users only the minimal privilege required to carry out their activities.

Backup:

A proper backup mechanism should be established and made mandatory for all users, with backups taken at regular intervals. Backups should also be stored at a different location and isolated from the production network, so that an infection within the working network cannot spread to the backups. Backups should be periodically checked for damage to make sure they can actually be restored, so that you are prepared for any adverse situation.

Restoration Plans:

Systems should be checked for restore options that can return them to a previous functional state. Those who cannot afford extensive backup infrastructure, or who do not trust their backups, can rely on restoration plans instead.

File Recovery Software:

Similar to system restoration, file recovery software should also be considered, since ransomware families use many different encryption techniques.

Best Practices:

• Use a live, actively running anti-virus product that is regularly updated and that detects and cleans malware.

• Organizations that expose RDP, VPN, proxies and servers must apply higher IT security standards to them.

• Standard security baseline configurations should be applied to all firewalls.

• Understand that data synchronization and backup are different processes. A backup keeps a separate copy of your data on different hardware, whereas data sync replicates the current state of an application to other devices or browsers. If synced data is corrupted, the copies on all the other devices are lost or made inaccessible too.

• Be cautious when clicking any hyperlink, and check whether mails come from a legitimate source.

• Use one browser for general surfing and a separate browser for critical work such as financial transactions.

• Bookmark frequently used pages so that you reach them directly rather than through potentially phished links.

• Enable the pop-up blocker on all browsers to prevent URL redirection attacks in which the page or website contains maliciously crafted content.

• Spam filtering of emails must be implemented.

• In addition to links and mails, attachments from unexpected senders should be strictly avoided, since they could run on and infect your system.

• Avoid using pirated software and downloading files from unauthorized websites. Use legitimate software.


References:

[1] http://www.idigitaltimes.com/new-locky-ransomware-virus-spreading-alarming-rate-can-malware-be-removed-and-files-512956

[2] http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html

[3] http://vinransomware.com/home/index.php/ransomware/mitigation