New Ransomware Threats in 2016

In 2016, ransomware threats have evolved with a series of new strains and aggressive campaigns that have hit high profile organizations in Massachusetts.

Ransomware is an especially crippling form of malware that locks users out of their own systems, and requires payment through an untraceable method like Bitcoin to restore access to critical data.

In the past few months, both the Town of Medfield and the Melrose Police Fepartment have paid hundreds of dollars in Bitcoin after successful attacks. The towns had backup and anti-virus strategies in place that were insufficient protection. In Medfield's case, the virus spread into the backup system. The Melrose infection was on a detective's laptop, which included files that were not captured by the department's backup solution.

Like any virus, malware evolves to circumvent counter measures. Cryptolocker and Cryptowall malware variants traditionally have been installed by opening disguised email attachments or by downloads from infected sites. Some of the 2016 variants, however, are spread using new methods that require extra vigilance. Here are a few:

Locky

The new Locky ransomware campaigns use a JavaScript downloader. That means the malware payload can be installed without even being tricked into opening an executable virus file.

SamSam

Cryptolocker required that an end user click an attachment or download the virus. New ransomware like SamSam, used in recent attacks against hospitals, instead gets directly into the network by exploiting vulnerable, unpatched servers.

Unlike Cryptolocker, SamSam can encrypt files without contacting a command and control server to download an encryption key over the Internet. DNS security solutions that block the malware from "calling home" aren't sufficient to prevent SamSam from beginning this process.

Maktub

Maktub phishing emails have incorporated real personal information like the victim's home address, and appear legitimate. They also use a trick to display an actual document in RTF format to the unsuspecting reader. The user has no idea that malware is being installed. The encryption code also compresses the files, causing damage must faster and reducing the time for intervention. Maktub can also encrypt offline without contacting a command server.

How to protect against 2016 Ransomware Threats

Subscribing to a managed services plan is the best way to make sure you have the latest protection measures and access to experts who stay on top of the newest malware strains.

  • A good managed services plan will protect all devices, including client computers, with enterprise grade anti-virus and regular, automated patches to close vulnerabilities. Terminal's managed service plan also include OpenDNS, a DNS sercurity solution, which blocks most variants from communicating with command servers that deliver the encryption key payload.
     
  • Train staff members to recognize phishing schemes and never open unknown attachments or files from untrusted sites. Put policies in place for mobile and personal devices, to avoid situations like the one where the detective lost files on a laptop.
     
  • Use a backup system that isn't vulnerable to ransomware. Terminal protects clients using Datto, a hybrid cloud backup solution that ensure unencrypted copies remain safe on the Internet, away from the infected local network.

If you worry about ransomware, consider calling Terminal for advice on protecting your systems. A security audit can find vulnerabilities, and Terminal's engineers can improve your security configurations. We're happy to help!