Q&A: JavaScript-based ransomware targets schools, local agencies

December 13th, 2016

By Byron V. Acohido

As 2016 draws to a close, ransomware continues to pose a pervasive threat to consumers and companies.

Ransomware purveyors have become stunningly efficient at encrypting computer files, and then demanding an extortion payment to deliver a decryption key. For all too many victims, paying off these cyber extortionists has become a viable resolution.


Security analysts at messaging security vendor Proofpoint have kept a close watch on ransomware campaigns leveraging the Locky, CryptFile2, and MarsJoke families of ransomware.

One key finding: small and midsize organizations, such as local government agencies and schools, remain particularly vulnerable.

ThirdCertainty asked Patrick Wheeler, Proofpoint’s director of threat intelligence, to discuss evolving attack patterns. This text has been edited for clarity and length.

3C: At the start of this year, ransomware was distributed mainly via drive-by downloads or malvertising. Email is now the attack vector of choice. Can you explain what happened?

Patrick Wheeler, Proofpoint director of threat intelligence


Wheeler: Web and exploit kit-based campaigns peaked in January 2016 and fell 96 percent over the course of the following months at the same time that Locky email campaigns were exploding in volume. By June, email attacks stabilized at a level that held through September.

This shift probably was due to a combination of factors: the difficulty and expense of acquiring new, effective exploits; improved patching by organizations; and browser improvements such as decreasing the use of Flash and JavaScript. Heightened interest in evading researchers and law enforcement appear to have been factors, and email’s greater ease of incorporating social engineering also was a likely factor.

Taking a different tack

3C: CryptFile2 really embodied this shift in tactics.

Wheeler: Yes. The initial iteration of CryptFile2 appeared last March, delivered by Nuclear and Neutrino exploit kits. That was followed in August by the first campaigns to distribute CryptFile2 widely by email. In a slightly unusual twist at the time, rather than use a document attachment, these email messages used a URL that linked to a hosted malicious Word document.

The CryptFile2 gang then began targeting individuals at local government and schools. And instead of using viral attachments, they embedded malicious web links in email messages purporting to offer discounts and awards from American Airlines.

3C: Can you tell us about MarsJoke?

Wheeler: The MarsJoke gang followed up in late September also delivering ransomware via a malicious web link. However, they used a slightly different ruse, luring victims to click on package tracking information.

Both MarsJoke and the later variants of CryptFile2 relied on embedded links to malicious files, used transportation-related lures to entice users to click on the links, and targeted local government and educational institutions in the U.S. Both appeared to be experimenting to increase the payoffs.
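The lure pattern Wheeler describes (an email carrying a link to a hosted Word document rather than an attachment) is something a mail-security pipeline can flag before a user ever clicks. The script below is an added example, not code from the article or from Proofpoint: it parses a constructed sample message, pulls every link out of the HTML body, and reports links whose destination is a hosted Office document or whose visible URL text names a different host than the real destination. The sample message, the hostnames and the extension list are all assumptions made for the demonstration.

```python
import re
from email import message_from_string
from email.policy import default
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real campaign artifact). It mimics the
# shape described above: a discount lure whose link text shows one host while
# the href actually points at a hosted macro-enabled Word document elsewhere.
SAMPLE_EMAIL = """\
From: "Rewards Desk" <rewards@example-airline.test>
To: clerk@example-town.test
Subject: Your travel discount voucher
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Claim your voucher:
<a href="http://files.example-host.test/voucher/Discount_Form.docm">https://www.example-airline.test/rewards</a></p>
<p>Questions? <a href="https://www.example-airline.test/help">Help center</a></p>
</body></html>
"""

# Document extensions treated as "hosted Office document" for this example
# (assumed list; tune it to what your own gateway considers risky).
DOCUMENT_EXTENSIONS = (".doc", ".docm", ".docx", ".rtf")


class LinkExtractor(HTMLParser):
    """Collect (href, visible_text) pairs from <a> elements in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current_href = None
        self._current_text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current_href = dict(attrs).get("href")
            self._current_text = []

    def handle_data(self, data):
        # Only text inside an open <a> element belongs to the link label.
        if self._current_href is not None:
            self._current_text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._current_href is not None:
            label = "".join(self._current_text).strip()
            self.links.append((self._current_href, label))
            self._current_href = None


def extract_links(raw_message):
    """Return all (href, label) pairs from the HTML part of an RFC 822 message."""
    msg = message_from_string(raw_message, policy=default)
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []
    parser = LinkExtractor()
    parser.feed(body.get_content())
    return parser.links


def link_findings(href, label):
    """Describe why a single link is suspicious; empty list means nothing found."""
    findings = []
    real = urlparse(href)
    if real.path.lower().endswith(DOCUMENT_EXTENSIONS):
        findings.append("links to hosted Office document")
    # If the visible label itself looks like a URL, compare its host with the
    # host the browser would actually contact.
    if re.match(r"https?://", label):
        shown = urlparse(label)
        if shown.hostname and shown.hostname != real.hostname:
            findings.append("visible URL host differs from real destination")
    return findings


def triage(raw_message):
    """Return [(href, findings)] for every link in the message worth a look."""
    results = []
    for href, label in extract_links(raw_message):
        findings = link_findings(href, label)
        if findings:
            results.append((href, findings))
    return results


if __name__ == "__main__":
    for href, findings in triage(SAMPLE_EMAIL):
        print(href)
        for f in findings:
            print("  -", f)
```

Neither check is proof of malice on its own; a benign newsletter can legitimately link to a `.docx`. The value is in surfacing the combination the interview describes (transportation-themed lure, link rather than attachment, hosted document as the destination) so it can be quarantined or detonated before delivery.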

Quick triage

3C: What’s it like for an organization to get hit abruptly by a ransomware attack?

Wheeler: You have short-term problems to resolve like getting computers, phones and networks back online, and dealing with ransom demands. A necessary first step is to notify the proper authorities; call the FBI. If an employee is confronted with ransomware or notices something odd, they should disconnect from the network and take the infected machine to the IT department. Only the IT security team should attempt a reboot, and even that will only work in the event it is fake scareware or rudimentary mobile malware.

Next, security teams need to determine the scope of the problem. A company’s response—including whether to pay the ransom—hinges on several factors: the type of attack, who in your network is compromised, and what network permissions have been compromised. A big part of your response is deciding whether to pay the ransom. The answer can be complicated, and may require you to consult law enforcement and your legal counsel. Paying may be unavoidable.

Forewarned is forearmed

3C: What should organizations be prepared to do about ransomware in 2017?

Wheeler: The best ransomware strategy is to avoid it in the first place by investing in advanced email security solutions that protect against malicious attachments, documents and URLs in emails that lead to ransomware. Also invest in mobile attack protection products to stop malicious mobile applications from compromising your environment.

The most important part of any ransomware security strategy is regular data backups. Surprisingly few organizations run backup and restore drills. Both halves are important; restore drills are the only way to know ahead of time whether your backup plan is working.
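A restore drill does not have to be elaborate to be useful. The script below is an added example, not from the article or from Proofpoint: it backs up a directory to a tar archive together with a SHA-256 manifest, restores the archive into a scratch directory, and verifies every restored file against the manifest, which is the step most backup plans never exercise. It assumes a POSIX shell with GNU coreutils (`sha256sum`) and `tar`; the sample files it creates are constructed for the drill.

```sh
#!/bin/sh
# Added example (not from the article): a minimal backup-and-restore drill.
# Assumes GNU coreutils sha256sum and a POSIX tar.
set -eu

# make_backup SRC_DIR ARCHIVE MANIFEST
# Archive SRC_DIR and record a SHA-256 of every file so the restore can be checked.
make_backup() {
    src_dir=$1; archive=$2; manifest=$3
    ( cd "$src_dir" && find . -type f -exec sha256sum {} + | sort -k2 ) > "$manifest"
    tar -cf "$archive" -C "$src_dir" .
}

# verify_restore RESTORE_DIR MANIFEST
# Return 0 only if every file listed in MANIFEST is present and unchanged.
verify_restore() {
    restore_dir=$1; manifest=$2
    ( cd "$restore_dir" && sha256sum -c --quiet "$manifest" ) > /dev/null 2>&1
}

# restore_and_verify ARCHIVE MANIFEST RESTORE_DIR
# Unpack ARCHIVE into RESTORE_DIR and verify it; this is the actual drill step.
restore_and_verify() {
    archive=$1; manifest=$2; restore_dir=$3
    mkdir -p "$restore_dir"
    tar -xf "$archive" -C "$restore_dir"
    verify_restore "$restore_dir" "$manifest"
}

# run_drill
# Build a constructed sample tree, back it up, restore it elsewhere and verify.
# Prints the outcome and returns 0 on success, 1 on failure.
run_drill() {
    work=$(mktemp -d)
    src="$work/src"; restore="$work/restore"
    mkdir -p "$src/finance" "$src/records"
    printf 'payroll 2016\n' > "$src/finance/payroll.csv"   # constructed sample data
    printf 'permit 4711\n'  > "$src/records/permit.txt"    # constructed sample data
    make_backup "$src" "$work/backup.tar" "$work/manifest.sha256"
    if restore_and_verify "$work/backup.tar" "$work/manifest.sha256" "$restore"; then
        echo "drill passed: $(wc -l < "$work/manifest.sha256") files restored and verified"
        rm -rf "$work"
        return 0
    fi
    echo "drill FAILED: restored files do not match manifest"
    rm -rf "$work"
    return 1
}

run_drill
```

In production the manifest should be stored apart from the archive (and ideally offline) so that a compromise of the backup host cannot silently rewrite both. Run the drill on a schedule and alert on a non-zero exit; a backup you have never restored is a hypothesis, not a plan.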

3C: Should we expect ransomware to continue at the same level in 2017?

Wheeler: Ransomware is the golden egg-laying goose for cyber criminals: it is relatively easy to create, easy to distribute, and can be rapidly monetized without relying on bank transfers, money mules, and other third parties or partners. While there are some signs that the 2016 success of ransomware might be starting to kill that goose, so to speak, the ability of threat actors to innovate in delivery, evasion and infection makes it likely that ransomware campaigns will continue to capitalize on ‘the human factor’ for some time.


This article originally appeared on ThirdCertainty.com