Detecting and preventing ransomware starts with four key steps
The NCUA provides valuable information about an internet threat. Ransomware is a type of trojan—malware designed to provide unauthorized, remote access to a user’s computer—that was first seen in 1989 and dubbed the AIDS Trojan. The original infection was found on floppy disks that were handed out at a conference. Once the user’s machine was infected, the trojan lay in wait, counting the number of times the machine rebooted. Once the machine hit 90 reboots, the malware hid the directories and encrypted the names of the files. The ransom demand for a “licensing fee” of $189 was to be paid using the twentieth-century, black-box equivalent of bitcoin—by sending money to a Panamanian P.O. Box.
With the proliferation of the internet, ransomware has expanded. However, the method of infection today remains the same as it was in the original AIDS Trojan of the late 1980s. After encrypting files or directories following a phishing attack, the perpetrator seeks a ransom, usually in the form of a virtual currency like bitcoin. Increasingly, however, ransomware perpetrators only partially unlock files in an effort to extract an even larger payment, or simply keep the money and never provide the key.
Recent changes to the ransomware model have incorporated a worm that allows the infection to spread through peer-to-peer computer networks, as in the case of the recent WannaCry virus. Here, attackers used exploits exposed by the Shadow Brokers hacker network to infect even larger numbers of machines.
What hasn’t changed, though, is that it is still possible to detect and prevent an attack. Here are four ways you can better protect your credit union from ransomware:
Monitoring—Researchers have found that when ransomware attacks, there is a significant number of changes to the file system. By monitoring the file-system logs, you can detect the creation, encryption or deletion of files.
Behavior Analytics—Endpoint solutions, like virus protection, can’t block unknown ransomware variants, so it is best to move to user behavior analytics. Baselining normal user activity and setting up a tripwire to flag variances will enable you to catch the infection in near real time.
Honeypots—Create honeypots. Since it is quicker, and often more cost effective, to encrypt recently accessed files in a ransomware attack, creating a fake file repository will often lure the ransomware into encrypting those files and allow you to enact your security measures. This can also help if you don’t have the resources to monitor file access activity.
Access controls—Getting rid of global access groups from your IT network’s access controls can greatly reduce the ability of the virus to spread. These access groups are known as “open shares,” and they are open to misuse. Additionally, if you find yourself a victim of ransomware, the first step is to contact law enforcement. You will often find that you are not alone, and there may be a known decryption system available for the specific ransomware that you are facing. Also, there are many decryption tools on the market, and often these are built into your security software suite or available online for free.
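To make the first three methods concrete (file-system monitoring, a behavior-analytics tripwire against a per-user baseline, and a honeypot decoy file), here is an added illustrative detector. It is example code written for this article, not NCUA's or any vendor's tool. The audit log lines, user names, share paths, baseline rates, the decoy path and the "5x baseline" trip factor are all constructed assumptions; in practice you would feed it your file server's audit events and derive the baseline from observed history.

```python
from collections import Counter
from datetime import datetime

# Constructed audit events (not real data): "<ISO timestamp> <user> <action> <path>".
# The burst from "bob" at 10:00 mimics the write-encrypted-copy-then-delete-original
# pattern that drives the file-system churn the article describes.
SAMPLE_LOG = """\
2023-03-01T09:00:01 alice WRITE /shares/finance/q1.xlsx
2023-03-01T09:03:12 alice WRITE /shares/finance/notes.docx
2023-03-01T09:10:02 bob READ /shares/hr/policy.pdf
2023-03-01T10:00:00 bob WRITE /shares/hr/a.docx.locked
2023-03-01T10:00:01 bob DELETE /shares/hr/a.docx
2023-03-01T10:00:01 bob WRITE /shares/hr/b.docx.locked
2023-03-01T10:00:02 bob DELETE /shares/hr/b.docx
2023-03-01T10:00:02 bob WRITE /shares/hr/c.docx.locked
2023-03-01T10:00:03 bob DELETE /shares/hr/c.docx
2023-03-01T10:00:03 bob WRITE /shares/hr/~decoy_do_not_open.docx.locked
2023-03-01T10:00:04 bob DELETE /shares/hr/~decoy_do_not_open.docx
"""

# Actions that change the file system; reads are ignored for rate purposes.
MUTATING = {"CREATE", "WRITE", "RENAME", "DELETE"}

# Assumed behavior-analytics baseline: typical mutating events per minute per user.
BASELINE = {"alice": 2.0, "bob": 1.0}

# Assumed honeypot: a decoy file no legitimate user or process should ever touch.
CANARY_PATHS = ("/shares/hr/~decoy_do_not_open.docx",)


def parse_event(line):
    """Split one audit line into a dict with a parsed timestamp."""
    ts, user, action, path = line.split(maxsplit=3)
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "action": action.upper(), "path": path}


def detect(log_text, baseline=BASELINE, canary_paths=CANARY_PATHS,
           factor=5.0, default_rate=1.0):
    """Return alerts for (a) any touch of a decoy path and (b) any user whose
    mutating-event count in a one-minute window exceeds factor x baseline."""
    events = [parse_event(l) for l in log_text.splitlines() if l.strip()]
    alerts = []
    per_minute = Counter()

    for ev in events:
        # Honeypot tripwire: prefix match so renamed/suffixed decoys still hit.
        if any(ev["path"].startswith(c) for c in canary_paths):
            alerts.append({"type": "canary", "user": ev["user"],
                           "action": ev["action"], "path": ev["path"]})
        # Monitoring: count file-system changes per user per minute.
        if ev["action"] in MUTATING:
            window = ev["ts"].replace(second=0, microsecond=0)
            per_minute[(ev["user"], window)] += 1

    # Behavior analytics: compare each window against the user's baseline.
    for (user, window), n in sorted(per_minute.items(), key=lambda kv: kv[0][1]):
        threshold = factor * baseline.get(user, default_rate)
        if n > threshold:
            alerts.append({"type": "rate", "user": user,
                           "window_start": window.isoformat(),
                           "count": n, "threshold": threshold})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a)
```

Two design points: the decoy check fires on the first touch and never waits for a rate to build, which is why honeypots help when you cannot afford full monitoring; and the rate check is per user rather than global, so one compromised account's burst is not diluted by everyone else's normal activity.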
Credit unions can find additional information and resources on NCUA’s Cybersecurity Resource Center to help them be better protected against ransomware and other cyber threats. Go to the NCUA Cybersecurity Resource Center.