27th June 2016
Protecting Yourself From Ransomware
On or around the 13th June security researchers going by the handles JamesWT_MHT and benkow_ discovered an email containing an attachment with a Javascript file which, if ran will lock and encrypt personal files on a users computer and display a ransom note demanding around £200 for its release. This is ransomware and while it’s nothing new, the use of Javascript is.
First things first, what is ransomware?
Ransomware is an offshoot of malware with one specific difference – ransom. While the purpose of malware (or malicious software) is to gain access to computers to disrupt their functions or gather data and sensitive information, ransomware encrypts your files until you pay a ransom.
What is JavaScript and how does it matter to ransomware?
JavaScript is a programming language usually used for browser based software but can also be used for applications that aren’t web-based, such as pdf documents and desktop widgets. It matters to ransomware because JavaScript attachments only take one or two clicks to start executing, making them particularly dangerous as malicious Office attachments generally require two or more clicks before they start running. This means there is a bigger chance that JavaScript attachments will be activated.
June 13th ransomware incident
A detailed breakdown of what the code does can be found here: RAA – An entirely new JS ransomware delivering Pony malware. The JavaScript file looks for available drives on a machine (meaning portable hard drives plugged in could be at risk) then targets 16 of the most common files extensions (including .jpg and .doc – so personal documents and photos are vulnerable). Ransomware ignores folders that Windows relies on to run (the intention is not to disable your machine) and moves these files into a folder which is then locked and encrypted. It then attempts to disable or delete the backup service, so you can’t perform a system restore.
Finally, it creates a Wordpad document, composed entirely in Russian, demanding 0.39 bitcoins (roughly £185) to be sent to an email address, in return you get a program and key to (supposedly) return your machine to its original state. And you have a week to do this. The researchers found that the JavaScript file was being served from a hacked website (which they reported and has since been brought down) digging around the hacked website they found a counter, so the hacker could monitor how many times the code had executed.
While attacks like this are common, the reason this attack in particular has generated so much attention is that it looks to be the first attack composed entirely in JavaScript. While many email providers/programs like Outlook block Javascript attachments, several, including Gmail don’t.
How is malware/ransomware transferred to a computer?
As said before, while unsolicited email attachments are the most well known way for a computer to come down with malware/ransomware, it can also be spread by infected websites and USB devices. Much like in real life, anything that is third party should be treated cautiously. Though it’s been said many times before, if it seems to good to be true, it probably is.
Who is at risk?
Everyone who uses the internet. However, large businesses with sensitive data tend to be most at risk. It can even happen at facilities you would expect to be secure. One of the most recent prolific incidents of ransomware happened at Hollywood Presbyterian Hospital. The hospital ended up paying the hackers $17,000 (USD) to get their data back.
What can you do to protect yourself from ransomware?
Plan in advance
Make sure you have a security plan that is regularly updated. This can be achieved by working with your IT provider to ensure that the appropriate measures are taken with the right antivirus software and firewalls are set up to protect you. Use a reputable agency that will answer your questions to your satisfaction.
Take regular backups of your files
As ransomware encrypts your files, if you have a copy of your files that has been recently backed up on an external device, it will allow you to still use these files on another device while you get your computer sorted. This helps minimise downtime and disruption to work.
Make staff aware of the dangers and get them to be vigilant
Educate staff on the dangers of opening attachments from unknown sources. Lots of current spam emails are being made to look legitimate but ask employees to keep an eye out for small things such as spelling errors in the emails, the emails not being personalised (Dear Valued Customer), and inconsistencies in the logos and email signatures. If it is unlikely that an employee would be receiving an attachment from someone, don’t open it. While most people are aware of malware, they may not know about ransomware and a reminder is always helpful. With a little effort, you’ll be able to keep your business safe from hackers and limit the damage they can do.
Sources
The new RAA Ransomware is created entirely using Javascript
RAA-SEP (.locked) Ransomware Help & Support Topic
RAA Ransomware Is 100 Percent JavaScript
New ransomware strain coded entirely in Javascript
