Homeland Security Issues Ransomware Alert for Networked Systems
DHS issued a ransomware alert in conjunction with the Canadian Cyber Incident Response Centre to warn individuals and organizations.
The US Department of Homeland Security issued a ransomware alert through the US Computer Emergency Readiness Team (US-CERT) to organizations that use networked systems, warning them of the potential dangers stemming from this type of malware.
In conjunction with the Canadian Cyber Incident Response Centre (CCIRC), DHS explained that the alert is designed “to provide further information on ransomware, specifically its main characteristics, its prevalence, variants that may be proliferating, and how users can prevent and mitigate against ransomware.”
“Ransomware is often spread through phishing emails that contain malicious attachments or through drive-by downloading,” the alert states. “Drive-by downloading occurs when a user unknowingly visits an infected website and then malware is downloaded and installed without the user’s knowledge.”
US-CERT adds that ransomware attacks can target individuals or businesses. Moreover, paying the requested ransom “does not guarantee the encrypted files will be released; it only guarantees that the malicious actors receive the victim’s money, and in some cases, their banking information.”
If data was encrypted by the ransomware, paying the ransom to decrypt it also does not guarantee that the malware itself has been removed.
Along with phishing attacks, ransomware can infiltrate a system through vulnerable Web servers, according to the alert. A weakened entry point can be exploited, giving attackers a way to gain access to an organization’s system.
Not only can ransomware attacks cause temporary or permanent loss of critical data, they can also disrupt regular business operations and cause financial losses, for instance when it comes time to restore system files.
Finally, an organization’s reputation could be severely damaged through such attacks, and through the recovery process.
However, US-CERT did recommend several steps for ensuring an easier recovery should a ransomware attack take place. For example, organizations should ensure that they have a data backup and recovery plan for all critical information.
Additionally, application whitelisting, which allows only specified programs to run, can help prevent malicious software and unapproved programs from executing.
The following recommendations were also listed:
- Keep your operating system and software up-to-date with the latest patches. Vulnerable applications and operating systems are the target of most attacks. Ensuring these are patched with the latest updates greatly reduces the number of exploitable entry points available to an attacker.
- Maintain up-to-date anti-virus software, and scan all software downloaded from the internet prior to executing.
- Restrict users’ ability (permissions) to install and run unwanted software applications, and apply the principle of “Least Privilege” to all systems and services. Restricting these privileges may prevent malware from running or limit its capability to spread through the network.
- Avoid enabling macros from email attachments. If a user opens the attachment and enables macros, embedded code will execute the malware on the machine. For enterprises or organizations, it may be best to block email messages with attachments from suspicious sources.
- Do not follow unsolicited Web links in emails.
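The macro recommendation above can be enforced at the mail gateway instead of being left to each user. The following is an added example, not code from the US-CERT alert or from this article: it flags attachments that can carry macros, including macro-enabled files renamed to `.docx`. The function names, the sample message and the policy of holding every legacy OLE2 Office file are assumptions made for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions Office uses for macro-enabled OOXML files.
MACRO_EXTENSIONS = (".docm", ".dotm", ".xlsm", ".xltm", ".xlam", ".pptm", ".potm", ".ppsm")
OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # legacy .doc/.xls/.ppt container

def attachment_verdict(filename, payload):
    """Return why an attachment may carry macros, or None if nothing was found."""
    if (filename or "").lower().endswith(MACRO_EXTENSIONS):
        return "macro-enabled extension"
    if payload.startswith(OLE2_MAGIC):
        # Assumed policy: legacy binary Office files can hold VBA, so hold them all.
        return "legacy OLE2 Office container"
    if payload.startswith(b"PK"):
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as archive:
                names = [n.lower() for n in archive.namelist()]
        except zipfile.BadZipFile:
            return "unreadable ZIP container"
        # The VBA project is stored as vbaProject.bin even if the file is renamed .docx.
        if any(n.endswith("vbaproject.bin") for n in names):
            return "OOXML archive contains vbaProject.bin"
    return None

def scan_message(raw_bytes):
    """Return (filename, reason) for each attachment that should be quarantined."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        reason = attachment_verdict(part.get_filename(), part.get_payload(decode=True) or b"")
        if reason:
            findings.append((part.get_filename(), reason))
    return findings

def build_sample():
    """Constructed message: a clean text file plus a .docx that hides a VBA part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("word/vbaProject.bin", b"placeholder bytes, not real VBA")
    msg = EmailMessage()
    msg.set_content("See attached.")
    msg.add_attachment(b"meeting notes", maintype="text", subtype="plain", filename="notes.txt")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="invoice.docx")
    return msg.as_bytes()

if __name__ == "__main__":
    print(scan_message(build_sample()))
```
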
A final key takeaway in the alert is that organizations are discouraged from paying the ransom. As previously mentioned, this does not guarantee that the files will be released, according to US-CERT.
By Elizabeth Snell