Shulou(Shulou.com)06/01 Report--

Although recent attacks have decreased, ransomware still poses a major threat to businesses, especially when ransomware writers realize that backups are an effective defense and are modifying their malware to track and eliminate backups.

Blackmail software attacks have declined, but have not disappeared

McAfee reports that the number of malware and samples declined last year. According to the latest report, the number of ransomware samples in the third quarter of 2018 was less than half of its peak at the end of 2017, when it peaked at about 2.3 million. In the past year, 765000 Kaspersky users have been attacked by malware that encrypts files, compared with more than 5 million by password crackers, according to Kaspersky Lab data.

Bogdan Botezatu, head of threat research at Bitdefender, says the main reason for the decline in ransomware attacks is that security companies are becoming more defensive. "there will always be new versions of ransomware, some of which will be more complex and harder to capture than others, but we don't expect a large increase in the proportion of ransomware, at least not more than last year," he said. "

Adam Kujawa, director of malware intelligence at Malwarebytes, said: "ransomware has been the biggest threat for several years, but now it has declined significantly." However, he says extortion software is constantly evolving. For example, malware writers are exploiting the latest vulnerabilities, such as those leaked by the National Security Agency (NSA). "We see these viruses in many malware families," he said. "when you use this attack, if you are infected with a system, you can move horizontally by using these attacks. you have created a bigger target-a trend that we are sure to see."

Blackmail software for backup

Kujawa says ransomware will now delete any backups it encounters in the process. A common strategy for blackmail software, for example, is to delete automatic copies of files created by Windows. "so if you do a system restore, you will find that you cannot restore the backup," he said. "We also see them using shared network drives."

Two recent examples are SamSam and Ryuk. In November, the U.S. Department of Justice charged two Iranians with using SamSam malware to extort more than $30 million from more than 200 victims, including hospitals. The indictment said the attacker launched an attack outside normal business hours and "encrypted the backup of the victim's computer" to maximize the loss.

Recently, Ryuk has hit several high-profile targets, including the Los Angeles Times and cloud hosting provider Data Resolution. According to security researchers at Check Point, Ryuk contains a script to delete shadow volumes and backup files. "while this particular variant of malware is not specific to backup, it provides a simpler backup solution-the risks that cause data to reside on file shares," said Brian Downey from Continuum.

Mounir Hahad, head of threat research at Juniper Networks, says the most common way to do this is through a feature of Microsoft Windows called Previous Versions. It allows users to restore previous versions of files. "most ransomware variants delete shadow copy snapshots," he said. " He added that most ransomware attacks also attack backups on mapped network drives.

Blackmail software attack backup is not targeted.

However, this does not mean that all backups are now fragile. David Lavinder, chief technical expert at consulting firm Booz Allen Hamilton, says that when blackmail software does track backups, it is usually random rather than deliberate. Depending on the blackmail software, it usually uses a crawler system to find specific file types. "if it encounters a backup file extension, it will certainly encrypt it," he said.

He also says ransomware is also trying to spread and infect as many other systems as possible. Like WannaCry, this peristaltic ability is where he hopes to see more activity in the future. "We do not want to see any deliberate attacks on backups, but we do want to see efforts to focus more on horizontal transfer," he said. "

By taking some basic precautions, you can protect your backup and system from these new blackmail software strategies.

Supplement Windows backups with additional copies and third-party tools

To prevent blackmail software from deleting or encrypting local backups of files, Kujawa recommends using other backup or third-party tools or other Windows configuration tools that are not part of the default. "if it doesn't do things the same way, the malware won't know where to delete the backup," he said. "if your employees are infected with a virus, they can clean it up and restore it from the backup."

Isolated backup

The more barriers there are between an infected system and its backup, the more difficult it is for the blackmail software to access it. Landon Lewis, chief executive of Pondurance, an Indianapolis-based cyber security service, says a common mistake is that users use the same authentication method they use in backup as they do elsewhere. "if your user account is attacked, the first thing an attacker wants to do is upgrade their privileges," he said. "if the backup system uses the same authentication, they can take over."

Independent authentication systems with different passwords make this step more difficult.

Save multiple copies in multiple locations

Lewis recommends that companies use at least two different backup methods to keep three different copies of important documents, at least one of which needs to be placed in a different location. He says cloud-based backup provides an easy-to-use offline backup option. "Block storage on the Internet is very cheap. It's hard to explain why some people don't use it as an additional backup method. If you use a different authentication system, so much the better.

In addition, many backup vendors offer rollback options, or multiple versions of the same file. If the ransomware attacks and encrypts the files, the backup utility automatically backs up the encrypted version and overwrites the version, so the ransomware doesn't even need to back up. Therefore, rollback is becoming a standard feature, and companies should check before determining the backup strategy. "I will definitely add that to my standards," Lewis said. "

Test, test, test

Many companies find that their backups are not used or that they are too cumbersome to recover only after the attack. "if you haven't done some kind of recovery exercise, and it's not on the record and no one is familiar with it, we still see a lot of customers considering paying, in some cases, actually," he said. because it's actually cheaper to pay an attacker. "

Bob Antia, chief technology officer of Kaseya, a technology company that provides backup solutions, also recommends checking backup vendors to see if they can detect ransomware attacks, especially newer, more covert attacks. Some ransomware is now deliberately slow or dormant before encryption, he said. "these two technologies mean it's hard to know when to recover from a backup," he said. "I expect ransomware to continue to look for trickier ways to hide itself, making recovery more difficult."

"We haven't seen large-scale global attacks like WannaCry and Petya recently," Antia said. But when that happens, he says, it could do a lot of damage. "We have seen individual organizations suffer millions of dollars in losses as a result of recent attacks."

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.