Last month we decided to take a bunch of the older computers and in a controlled environment we infected them with Ransomware. We usually replace an employee’s computer every two years. At any time we have 5 to 10 old computers sitting in our admin room that we’re never going to use. In the past we’ve given these away to schools, friends, and employees who are looking for machines for their kids. Some of them are so old that nobody wants them and eventually they get recycled.
If you’re lucky enough to have your own stash of old computers then we strongly suggest you do the same. As odd as it sounds there is no better learning tool for how to stop a Ransomware attack than having to save a computer nobody wants.
If your first encounter with Ransomware is during an attack then it’s probably going to be too late and you may as well admit defeat and sign up for a bitcoin account to pay the hackers.
WHAT IS RANSOMWARE
There isn’t just one type of Ransomware that you need to protect yourself against there are many different types or flavors and they behave differently. But they typically encryprt your files and then demand a ransom in bitcoin so it can’t be easily traced. Some of examples are Locky, Cryptowall, CryptXXX, Jigsaw and TeslaCrypt. To date according to Kaspersky Labs Ransomware is a very small fraction of the malware attacks that it encounters. But it can be one of the more expensive viruses if you get hit and you have no backups so it pays to plan ahead. This is our attempt at getting ahead of the game and we hope you can learn something too.
Each of the machines we tested was first wiped and then Windows 7 was reinstalled. Ransomware needs to talk base to base so you’re going to need an internet connection. To minimize the risk of infection use a dedicated wifi hotspot or a burner phone. In our case we used a cheap Android test phone with a Ting sim card and a data plan.
You can find many of the different flavors of Ransomware that have been collected in the wild at https://github.com/ytisf/theZoo
Download the files by using the git clone command. Choose which flavor of Ransomware you want to begin with from the binaries folder and then run the executable. The password to unzip the file should be in the same folder. Warning: do not do this on a machine you ever want to use again and make sure it is not connected to your wifi.
For our first test we infected a PC with the Jigsaw virus which you can find in the Ransomware.jigaw folder. Figure 1 shows the desktop before it’s infected. It has a number of text docs and images saved on the desktop.
Figure 1: Orginal Desktop
Install Jigsaw. The ransomware doesn’t start the encryption process right away. It’s triggered when a user opens a text file when you’re notified that the file doesn’t exist and then Jigsaw opens its own window asking for payment. Figure 2 shows the Jigsaw screen demanding a bitcoin payment of $150.
Figure 2: Jigsaw Ransomware Nag Screen
Figure 3 shows the desktop after the files have been encrypted.
Figure 3: Encrypted Desktop
Not every flavor of ransomware has a corresponding tool that will decrypt the files. However Jigsaw has been around for a while and thankfully someone has figured out how to fix it. Download the tool from https://www.bleepingcomputer.com/download/jigsaw-decrypter/dl/321/ and run it on the infected computer.
Point the tool at the directory you want to decrypt. Figure 4 shows the Bleeping tool in action.
Figure 4: Bleeping decrypter
Once it is finished, copy everything off the desktop you want onto a USB. The PC is still infected so reinstall Windows 7 using a bootable CD or USB before you try another type of ransomware.
Ransomware is usually introduced into your network by someone clicking on a link or email attachment. It just takes one employee to click on a link and the Ransomware can begin to take hold. A good way of train your users is to send them a practice phishing email and see who clicks on the link. There are several websites that will do that for free and then upsell you other services such as https://www.knowbe4.com/phishing-security-test-offer Using one of these free trials is a great way to begin to see where the cracks are in your organization.
Our Ransomware computer lab is just one attempt at getting ahead of a ransomware attack. Here’s our top 10 recommendations for a Ransomware Preparation plan that you should implement.
1. Last Friday was National Backup Day. Take the hint, backup your data and keep a copy offsite.
2. Disconnect from all cloud backup services such as Dropbox. Sync each day if you must but don’t keep it permanently connected, otherwise it’ll get infected during an attack.
3. Use Antivirus, Firewalls and Email scanners.
4. Update your OS when a new patch appears.
5. Make sure you’re using Microsoft’s shadow drives (VSS) or Mac’s Time Machine.
6. Uninstall Flash.
7. Remove or restrict Admin access.
8. Disconnect any shared drives.
9. Train your staff, send them test phishing emails
10. Use a test lab and see if you can recover from a simulated attack.
BEFORE YOU GO
If you want to see more results than feel free to join us at our Tech Takeover at Automation Alley where we show what happened with the other strains of Ransomware. Click here to sign up https://www.automationalley.com/Events/Calendar/Event-Detail.aspx?uniqueid=28276