With more than a billion dollars paid to attackers in 2016, ransomware is only going to get worse for Canadian business. Small and medium-sized businesses are perfect targets for ransomware – without a dedicated I.T. Security expert on staff, smaller organizations are more likely to fall prey to this all-too-common problem.
All is not lost, however – knowing how ransomware works, and what to look for when you encounter it, can save you time and money. In this article, Graycon I.T.’s Security Team will take a closer look at some of the key characteristics of a typical ransomware infection and provide some simple ways to mitigate it.
How you get infected
Sage 2.0 is the latest in a string of typical – though particularly nasty – ransomware, with the cost of unlocking your files running around $3,000 CAD. Sage gets on your computer via spam email, usually masking itself as a bank statement or credit card notification. This technique – called social engineering – is designed to trick people into opening the accompanying attachment.
Cleverly, the attachment is usually a .zip file. The format is ubiquitous, and wrapping the malicious file in an archive can hide it from virus-scanning software. The file inside looks just like a normal Microsoft Word document, but it carries a small automated program called a macro that downloads the ransomware to your PC.
How the infection spreads
What makes ransomware so difficult to stop is its method of infection. Sage 2.0 uses several techniques designed to keep it executing on your system even as you try to stop it:
- Dead man’s switch – To prevent its infection process from being stopped by either an automated virus scanner or a user killing the program, Sage 2.0 runs two copies of itself, each constantly watching the other. If one process is closed, the other notices and immediately launches a replacement, keeping the infection going.
- Running on startup – If you immediately shut your computer down to try to prevent infection, tough luck – Sage 2.0 creates a shortcut file in the Startup folder and adds a scheduled task to run itself during startup, so as soon as you reboot, the infection kicks in again.
- Annoying you to death – Most Windows 7 or newer machines use Windows’ built-in User Account Control (UAC), the window that pops up every time you want to install a program or make changes to your computer. Because UAC stops the spread of Sage 2.0, the malware constantly pops open another UAC window until the user clicks “Yes”. This effectively renders your computer useless until you hit Yes – and then Sage 2.0 has full access to your system.
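The persistence tricks in this list are exactly what an administrator should go looking for on a machine that has been hit. The Python script below is an added example written for this article, not code from Graycon or Fortinet. Rather than querying Windows directly, it applies the checks to constructed sample records: a CSV in the layout of `schtasks /query /fo CSV /v` trimmed to three of its columns, a list of shortcut targets from the user's Startup folder, and a list of running processes. The sample paths, the "user-writable location" heuristic and the severity labels are assumptions for illustration.

```python
"""Added example: audit Windows persistence from exported data (offline).

Sage 2.0 persists through a Startup-folder shortcut and a scheduled task
that relaunches it at boot, and keeps two copies of itself running so that
one can restart the other. The functions below flag all three patterns in
constructed sample records; they do not talk to Windows themselves.
"""
from __future__ import annotations

import csv
import io
import re

# Locations a legitimately installed application rarely launches from.
# Windows paths are case-insensitive, hence re.IGNORECASE. (Assumption.)
USER_WRITABLE = re.compile(
    r"\\(AppData|Local Settings|Temp|Downloads|Public)\\"
    r"|%(APPDATA|LOCALAPPDATA|TEMP|TMP|USERPROFILE)%",
    re.IGNORECASE,
)

# Constructed sample: three of the columns from `schtasks /query /fo CSV /v`.
SAMPLE_TASKS_CSV = r'''"TaskName","Task To Run","Schedule Type"
"\Microsoft\Windows\Defrag\ScheduledDefrag","%windir%\system32\defrag.exe -c -h -o -$","Weekly"
"\GoogleUpdateTaskMachineUA","C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /ua","Daily"
"\OneDrive Sync","C:\Users\alice\AppData\Roaming\a1b2c3\update.exe","At system start up"
'''

# Constructed sample: shortcut targets found in
# %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup
SAMPLE_STARTUP_TARGETS = [
    r"C:\Program Files\Dropbox\Client\Dropbox.exe",
    r"C:\Users\alice\AppData\Roaming\a1b2c3\update.exe",
]

# Constructed sample of running processes: (pid, image path).
SAMPLE_PROCESSES = [
    (412, r"C:\Windows\System32\svchost.exe"),
    (416, r"C:\Windows\System32\svchost.exe"),
    (2280, r"C:\Users\alice\AppData\Roaming\a1b2c3\update.exe"),
    (2296, r"C:\Users\alice\AppData\Roaming\a1b2c3\update.exe"),
]


def suspicious_tasks(tasks_csv: str) -> list[dict]:
    """Scheduled tasks whose command lives in a user-writable path.

    Tasks that fire at startup or logon are the mechanism described in the
    article, so they are reported with higher severity.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(tasks_csv)):
        command = row["Task To Run"]
        if not USER_WRITABLE.search(command):
            continue
        boot_trigger = row["Schedule Type"].lower().startswith(("at system start", "at logon"))
        findings.append({"task": row["TaskName"], "command": command,
                         "severity": "high" if boot_trigger else "medium"})
    return findings


def suspicious_startup_entries(targets: list[str]) -> list[str]:
    """Startup-folder shortcut targets that point into user-writable paths."""
    return [t for t in targets if USER_WRITABLE.search(t)]


def _exe_path(command: str) -> str | None:
    """Extract the executable path from a task command line, dropping arguments."""
    m = re.match(r'\s*"?([^"]*?\.exe)', command, re.IGNORECASE)
    return m.group(1).lower() if m else None


def shared_launch_paths(tasks_csv: str, targets: list[str]) -> set[str]:
    """Binaries referenced by both a suspicious task and a Startup shortcut.

    Double persistence of one binary is a stronger signal than either alone.
    """
    task_exes = {_exe_path(f["command"]) for f in suspicious_tasks(tasks_csv)}
    task_exes.discard(None)
    return task_exes & {t.lower() for t in targets}


def watchdog_pairs(processes: list[tuple[int, str]]) -> set[str]:
    """Image paths in user-writable locations with two or more live instances,
    the footprint the article's 'dead man's switch' leaves in a process list."""
    counts: dict[str, int] = {}
    for _pid, image in processes:
        if USER_WRITABLE.search(image):
            counts[image.lower()] = counts.get(image.lower(), 0) + 1
    return {image for image, n in counts.items() if n >= 2}


if __name__ == "__main__":
    for f in suspicious_tasks(SAMPLE_TASKS_CSV):
        print("task:", f)
    print("startup:", suspicious_startup_entries(SAMPLE_STARTUP_TARGETS))
    print("both:", shared_launch_paths(SAMPLE_TASKS_CSV, SAMPLE_STARTUP_TARGETS))
    print("watchdog pairs:", watchdog_pairs(SAMPLE_PROCESSES))
```

On a live machine the same three functions can be fed the real exports (`schtasks /query /fo CSV /v`, a directory listing of the Startup folder, and `tasklist /v` or a Get-Process dump); the heuristic is deliberately simple, so treat its output as a review list rather than a verdict.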
Locking down – and locking you out
Like all ransomware, Sage 2.0 scours your system, looking for files with common extensions like .doc, .xls, .jpg and .pdf. The goal is to collect all the files on your system that you might value – and then encrypt them. Sage 2.0 generates a 20-digit master key that is run through an algorithm that effectively makes decryption impossible, then applies that key to each file on your computer.
Since the key is generated locally, this particular malware can encrypt the system without an internet connection: it doesn’t need to fetch a key from a server run by the malware’s authors, a dependency that was a weakness of early ransomware.
The ransom note arrives
After your files are encrypted, Sage 2.0 leaves an HTML file in every folder where it has encrypted a file, and changes your desktop wallpaper to a message threatening you with the loss of all your data, along with instructions on how to pay.
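Two of the artefacts just described can be checked for on disk: documents that have turned into random-looking bytes (encryption pushes a file's Shannon entropy close to the 8-bits-per-byte maximum, while a real .doc or .pdf sits well below it) and one identical note dropped into every folder that held a document. The script below is an added example for this article, not Graycon's or Fortinet's code. It builds a small constructed folder tree in a temporary directory and scans it, so it runs offline on any system. The entropy threshold, the folder-count threshold and the note's file name are assumptions, not values from the article.

```python
"""Added example: find encrypted-in-place documents and a replicated note.

Sage 2.0 encrypts files with common document extensions and leaves an HTML
note in every folder it touched. Both leave a measurable trace: encrypted
documents have near-maximal byte entropy, and the note is byte-identical
across many folders. The sample tree is constructed here; the thresholds
and the note's name are assumptions.
"""
from __future__ import annotations

import hashlib
import math
import os
import random
import tempfile

DOCUMENT_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".jpg", ".pdf"}
ENTROPY_THRESHOLD = 7.5  # bits per byte; 8.0 is the maximum (assumption)
NOTE_MIN_FOLDERS = 3     # same file in at least this many folders (assumption)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for an empty or single-valued buffer."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def scan_tree(root: str) -> dict:
    """Return {'encrypted': [paths], 'notes': {sha256: [folders]}}.

    Files are read whole for simplicity; on a large file server you would
    sample the first few kilobytes of each document instead.
    """
    encrypted: list[str] = []
    by_hash: dict[str, list[str]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            ext = os.path.splitext(name)[1].lower()
            if ext in DOCUMENT_EXTENSIONS and shannon_entropy(data) > ENTROPY_THRESHOLD:
                encrypted.append(path)
            by_hash.setdefault(hashlib.sha256(data).hexdigest(), []).append(dirpath)
    notes = {h: sorted(set(dirs)) for h, dirs in by_hash.items()
             if len(set(dirs)) >= NOTE_MIN_FOLDERS}
    return {"encrypted": sorted(encrypted), "notes": notes}


def build_sample_tree() -> str:
    """Construct a tree with one intact document, three 'encrypted' ones and
    the same note in every folder. Returns the root path (constructed data)."""
    root = tempfile.mkdtemp(prefix="ransom_scan_demo_")
    rng = random.Random(2017)  # deterministic stand-in for ciphertext
    note = b"<html><body>Your files have been encrypted. (constructed sample)</body></html>"
    for folder in ("Documents", "Invoices", "Photos"):
        d = os.path.join(root, folder)
        os.makedirs(d)
        with open(os.path.join(d, "report.doc"), "wb") as fh:
            fh.write(rng.randbytes(4096))
        # Note file name is a constructed placeholder, not the real one.
        with open(os.path.join(d, "HOW_TO_RECOVER_FILES.html"), "wb") as fh:
            fh.write(note)
    with open(os.path.join(root, "Documents", "minutes.doc"), "wb") as fh:
        fh.write(b"Meeting minutes, 3 March. " * 200)  # readable text: low entropy
    return root


if __name__ == "__main__":
    result = scan_tree(build_sample_tree())
    print("likely encrypted:", *result["encrypted"], sep="\n  ")
    for digest, folders in result["notes"].items():
        print(f"note {digest[:12]}... present in {len(folders)} folders")
```

The entropy test produces false positives on files that are compressed by design (.jpg, .zip, .docx all score high when healthy), so in practice it is paired with a baseline or restricted to the legacy formats; the replicated-note check has no such weakness and is the faster indicator that a share has been hit.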
If the user doesn’t have backups of the files, they have little choice but to pay the ransom to get their files back. Just like that, you’re $3,000 lighter – if you want to keep your business going.
What you can do to protect yourself
While Sage 2.0 is a typical form of malware, it’s hardly the most malignant. Because security experts have been able to isolate it and understand how it works, we’ve also found ways to help protect your systems from getting infected in the first place, or to mitigate the damage if they do:
- Back things up. This is simply not optional. There are several inexpensive and extremely reliable options to back up your system and prevent the loss of files if you get infected. Backup-as-a-service options keep things automated and scale as your business grows.
- Be suspicious of attachments. An email from an unfamiliar source, or one carrying an unusual file type, is a good sign of malicious intent.
- Disable macros. Microsoft Office macros are one of the major delivery vehicles for malware. If you don’t use macros in Office, you can disable them in the Windows Trust Centre.
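The second and third points are easiest to apply consistently at the mail gateway, where the .zip-wrapped Office attachment from the infection chain described earlier can be unpacked and inspected before anyone opens it. The Python script below is an added example for this article, not Graycon's or Fortinet's code. It builds a constructed sample attachment (placeholder bytes, no real malware) and reports macro-enabled Office names, OOXML documents that carry a vbaProject.bin part whatever their extension says, legacy OLE documents that need an OLE parser such as oletools for a macro check, scripts and executables including double extensions, and nested archives. The file names, extension lists and placeholder contents are constructed for the example.

```python
"""Added example: triage a mailed .zip before anyone double-clicks it.

The article's chain is spam -> .zip -> Office document with a macro. This
opens the archive in memory, walks each member and reports what a gateway
would block or hold for review. The sample attachment is constructed here.
"""
from __future__ import annotations

import io
import os
import zipfile

MACRO_ENABLED = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm", ".ppam"}
OOXML = {".docx", ".dotx", ".xlsx", ".xltx", ".pptx"}
EXECUTABLE = {".exe", ".scr", ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta",
              ".ps1", ".bat", ".cmd", ".lnk"}
ARCHIVE = {".zip", ".rar", ".7z"}
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # compound file (legacy .doc/.xls) header


def _ooxml_has_vba(data: bytes) -> bool:
    """True if an Office Open XML package contains a vbaProject.bin part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as pkg:
            return any(n.lower().endswith("vbaproject.bin") for n in pkg.namelist())
    except zipfile.BadZipFile:
        return False


def triage_attachment(zip_bytes: bytes) -> list[tuple[str, str]]:
    """Return (member name, reason) for every member worth blocking or reviewing."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            base, ext = os.path.splitext(name.lower())
            data = zf.read(info)
            if ext in EXECUTABLE:
                inner = os.path.splitext(base)[1]  # e.g. ".pdf" in "statement.pdf.js"
                reason = "executable with double extension" if inner else "executable or script"
                findings.append((name, reason))
            elif ext in MACRO_ENABLED:
                findings.append((name, "macro-enabled Office document"))
            elif ext in OOXML and _ooxml_has_vba(data):
                findings.append((name, "VBA project inside a non-macro extension"))
            elif data.startswith(OLE_MAGIC):
                findings.append((name, "legacy OLE document: inspect with an OLE parser"))
            elif ext in ARCHIVE:
                findings.append((name, "nested archive"))
    return findings


def build_sample_attachment() -> bytes:
    """Construct a .zip resembling the one the article describes, plus a benign PDF.

    An OOXML document is itself a zip; this one carries a VBA part but is named
    .docx to look harmless. Every member's contents are placeholder bytes.
    """
    doc = io.BytesIO()
    with zipfile.ZipFile(doc, "w") as pkg:
        pkg.writestr("[Content_Types].xml", "<Types/>")
        pkg.writestr("word/document.xml", "<w:document/>")
        pkg.writestr("word/vbaProject.bin", b"\x00constructed placeholder\x00")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("Bank_Statement_Feb.docx", doc.getvalue())
        zf.writestr("Statement.pdf.js", "// constructed placeholder, not a real script")
        zf.writestr("legacy_notice.doc", OLE_MAGIC + b"\x00" * 64)
        zf.writestr("brochure.pdf", b"%PDF-1.4 constructed placeholder")
    return outer.getvalue()


if __name__ == "__main__":
    for member, reason in triage_attachment(build_sample_attachment()):
        print(f"{member:28} {reason}")
```

The script deliberately does not try to judge a legacy .doc on its own: the binary OLE format needs a dedicated parser to tell a macro-free letter from one with a VBA stream, which is why such files are held for review rather than passed. Users who follow the "disable macros" advice above are protected even when a document slips through, since the macro that fetches the ransomware is never allowed to run.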
Article created using source material from the Fortinet Security Research Blog