
ST19-001: Protecting Against Ransomware


From: "US-CERT" <US-CERT () ncas us-cert gov>
Date: Thu, 11 Apr 2019 13:18:45 -0500


National Cyber Awareness System:

ST19-001: Protecting Against Ransomware [ https://www.us-cert.gov/ncas/tips/ST19-001 ] 04/11/2019 12:09 PM EDT 
Original release date: April 11, 2019


What is ransomware?

Ransomware is a type of malware threat actors use to infect computers and encrypt computer files until a ransom is 
paid. (See Protecting Against Malicious Code [ https://www.us-cert.gov/ncas/tips/ST18-271 ] for more information on 
malware.) After the initial infection, ransomware will attempt to spread to connected systems, including shared storage 
drives and other accessible computers.

If the threat actors' ransom demands are not met (i.e., if the victim does not pay the ransom), the files or encrypted 
data will usually remain encrypted and unavailable to the victim. Even after a ransom has been paid to unlock encrypted 
files, threat actors will sometimes demand additional payments, delete a victim's data, refuse to decrypt the data, or 
decline to provide a working decryption key to restore the victim's access. The Federal Government does not support 
paying ransomware demands. (See the FBI's ransomware article [ 
https://www.fbi.gov/news/stories/incidents-of-ransomware-on-the-rise/incidents-of-ransomware-on-the-rise ].)

How does ransomware work?

Ransomware identifies the drives on an infected system and begins to encrypt the files within each drive. Ransomware 
generally adds an extension to the encrypted files, such as .aaa, .micro, .encrypted, .ttt, .xyz, .zzz, .locky, .crypt, 
.cryptolocker, .vault, or .petya, to show that the files have been encrypted; the file extension used is unique to the 
ransomware type.

Once the ransomware has completed file encryption, it creates and displays a file or files containing instructions on 
how the victim can pay the ransom. If the victim pays the ransom, the threat actor may provide a cryptographic key that 
the victim can use to unlock the files, making them accessible.
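The appended-extension behaviour described above is also the simplest triage signal a defender has. The following Python 
script is an added example, not part of the original tip or of any CISA tool: it walks a directory tree, flags files 
whose final extension is on the tip's list, and counts hits per extension so the dominant marker (and therefore the 
likely ransomware type) stands out. The sample tree it builds under a temporary directory is constructed for the demo.

```python
import tempfile
from collections import Counter
from pathlib import Path

# Extensions the tip lists as ones ransomware commonly appends to encrypted files.
RANSOMWARE_EXTENSIONS = {
    ".aaa", ".micro", ".encrypted", ".ttt", ".xyz", ".zzz",
    ".locky", ".crypt", ".cryptolocker", ".vault", ".petya",
}


def find_suspect_files(root, extensions=RANSOMWARE_EXTENSIONS):
    """Walk `root` and return every regular file whose last extension is on the watch list.

    Only the final suffix is checked, because ransomware appends its marker after the
    original extension (e.g. report.docx.locky).
    """
    root = Path(root)
    return sorted(
        p for p in root.rglob("*")
        if p.is_file() and p.suffix.lower() in extensions
    )


def summarize(hits):
    """Count hits per appended extension; one dominant marker usually points to one family."""
    return Counter(p.suffix.lower() for p in hits)


def build_sample_tree():
    """Constructed sample tree for the demo: three renamed files among ordinary ones."""
    tmp = Path(tempfile.mkdtemp(prefix="st19001_"))
    (tmp / "docs").mkdir()
    (tmp / "photos").mkdir()
    (tmp / "docs" / "notes.txt").write_text("still readable\n")
    (tmp / "docs" / "report.docx.locky").write_bytes(b"\x8f\x13\xa0opaque")
    (tmp / "docs" / "budget.xlsx.locky").write_bytes(b"\x02\x77\xfeopaque")
    (tmp / "photos" / "holiday.jpg").write_bytes(b"\xff\xd8\xff")
    (tmp / "photos" / "cat.png.encrypted").write_bytes(b"\x11\x22\x33")
    return tmp


if __name__ == "__main__":
    hits = find_suspect_files(build_sample_tree())
    for path in hits:
        print("suspect:", path)
    print("per extension:", dict(summarize(hits)))
```

A hit is a triage signal, not proof: generic suffixes such as .xyz or .crypt can belong to legitimate files, so review 
the per-extension summary before acting. Run the scan from a clean host against a read-only mount of the suspect drive, 
since mounting read-write gives still-running ransomware more files to reach.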

How is ransomware delivered?

Ransomware is commonly delivered through phishing emails or via drive-by downloads. Phishing emails often appear as 
though they have been sent from a legitimate organization or someone known to the victim and entice the user to click 
on a malicious link or open a malicious attachment. A drive-by download is a program that is automatically downloaded 
from the internet without the user's consent or often without their knowledge. It is possible the malicious code may run 
after download, without user interaction. After the malicious code has been run, the computer becomes infected with 
ransomware.

What can I do to protect my data and networks?

  * *Back up your computer.* Perform frequent backups of your system and other important files, and verify your backups 
regularly. If your computer becomes infected with ransomware, you can restore your system to its previous state using 
your backups.  
  * *Store your backups separately.* Best practice is to store your backups on a separate device that cannot be 
accessed from a network, such as on an external hard drive. Once the backup is completed, make sure to disconnect the 
external hard drive, or separate device from the network or computer. (See the Software Engineering Institute's page on 
Ransomware [ https://insights.sei.cmu.edu/sei_blog/2017/05/ransomware-best-practices-for-prevention-and-response.html 
]). 
  * *Train your organization.* Organizations should ensure that they provide cybersecurity awareness training to their 
personnel. Ideally, organizations will have regular, mandatory cybersecurity awareness training sessions to ensure 
their personnel are informed about current cybersecurity threats and threat actor techniques. To improve workforce 
awareness, organizations can test their personnel with phishing assessments that simulate real-world phishing emails. 
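"Verify your backups regularly" needs a concrete check. The Python below is an added example, not code from the tip or 
from CISA: it records a SHA-256 manifest of a backup set, then compares the backup against that manifest later and 
reports files that went missing, changed content, or appeared unexpectedly. The demo backup, its files and the 
tampering step are all constructed; the manifest is written to a second temporary directory to mirror the tip's advice 
that the backup (and anything used to check it) lives apart from the data it protects.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path):
    """Stream a file through SHA-256 so large backup sets do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(backup_root):
    """Map each file's path (relative to the backup root) to its SHA-256 digest."""
    root = Path(backup_root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def save_manifest(manifest, manifest_path):
    """Write the manifest as JSON; keep this copy away from the backup medium itself."""
    Path(manifest_path).write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(manifest_path):
    return json.loads(Path(manifest_path).read_text())


def verify_backup(backup_root, manifest):
    """Compare the backup on disk against a previously saved manifest.

    Returns a report with three lists: files that disappeared, files whose content
    changed (a backup encrypted in place shows up here), and files the manifest
    never recorded.
    """
    current = build_manifest(backup_root)
    missing = sorted(set(manifest) - set(current))
    modified = sorted(k for k in manifest if k in current and current[k] != manifest[k])
    unexpected = sorted(set(current) - set(manifest))
    return {
        "ok": not (missing or modified or unexpected),
        "missing": missing,
        "modified": modified,
        "unexpected": unexpected,
    }


def demo():
    """Constructed demo: snapshot a small backup, overwrite one file, verify again."""
    backup = Path(tempfile.mkdtemp(prefix="backup_"))
    (backup / "ledger.csv").write_text("2019-04-01,rent,1200\n")
    (backup / "docs").mkdir()
    (backup / "docs" / "contract.pdf").write_bytes(b"%PDF-1.4 constructed")
    manifest_file = Path(tempfile.mkdtemp(prefix="manifests_")) / "backup.json"
    save_manifest(build_manifest(backup), manifest_file)

    clean = verify_backup(backup, load_manifest(manifest_file))
    # Simulate what a ransomware run does to a reachable backup: the bytes are replaced.
    (backup / "ledger.csv").write_bytes(b"\x9c\x04\x1fopaque ciphertext")
    tampered = verify_backup(backup, load_manifest(manifest_file))
    return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print("before tampering:", clean)
    print("after tampering: ", tampered)
```

Run the verification on a schedule and after every backup job; a report with a non-empty "modified" list on a backup 
that nobody has touched is exactly the signal that the backup was reachable from an infected machine and should not be 
trusted for restoration.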

What can I do to prevent ransomware infections?

  * *Update and patch your computer.* Ensure your applications and operating systems (OSs) have been updated with the 
latest patches. Vulnerable applications and OSs are the target of most ransomware attacks. (See Understanding Patches 
and Software Updates [ https://www.us-cert.gov/ncas/tips/ST04-006 ].) 
  * *Use caution with links and when entering website addresses.* Be careful when clicking directly on links in emails, 
even if the sender appears to be someone you know. Attempt to independently verify website addresses (e.g., contact 
your organization's helpdesk, search the internet for the sender organization's website or the topic mentioned in the 
email). Pay attention to the website addresses you click on, as well as those you enter yourself. Malicious website 
addresses often appear almost identical to legitimate sites, often using a slight variation in spelling or a different 
domain (e.g., .com instead of .net). (See Using Caution with Email Attachments [ 
https://www.us-cert.gov/ncas/tips/ST04-010 ].) 
  * *Open email attachments with caution.* Be wary of opening email attachments, even from senders you think you know, 
particularly when attachments are compressed files or ZIP files. 
  * *Keep your personal information safe.* Check a website's security to ensure the information you submit is encrypted 
before you provide it. (See Protecting Your Privacy [ https://www.us-cert.gov/ncas/tips/ST04-013 ].) 
  * *Verify email senders.* If you are unsure whether or not an email is legitimate, try to verify the email's 
legitimacy by contacting the sender directly. Do not click on any links in the email. If possible, use a previous 
(legitimate) email to ensure the contact information you have for the sender is authentic before you contact them. 
  * *Inform yourself.* Keep yourself informed about recent cybersecurity threats and up to date on ransomware 
techniques. You can find information about known phishing attacks on the Anti-Phishing Working Group website [ 
https://www.antiphishing.org/ ]. You may also want to sign up for CISA product notifications [ 
https://www.us-cert.gov/mailing-lists-and-feeds ], which will alert you when a new Alert, Analysis Report, Bulletin, 
Current Activity, or Tip has been published. 
  * *Use and maintain preventative software programs.* Install antivirus software, firewalls, and email filters, and 
keep them updated, to reduce malicious network traffic. (See Understanding Firewalls for Home and Small Office Use [ 
https://www.us-cert.gov/ncas/tips/ST04-004 ].) 
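The "slight variation in spelling or a different domain" pattern from the link-caution item above can be checked 
mechanically before a user ever clicks. The Python below is an added example, not part of the tip or any CISA tool: it 
compares the registered domain of a URL against a small allow-list and reports whether it matches exactly, reuses a 
trusted name under a different top-level domain, or sits within one edit of a trusted name. The allow-list is 
constructed for the demo, and the two-label `registered_domain` helper is a simplifying assumption (it mishandles 
suffixes such as co.uk; a public-suffix list would replace it in production).

```python
from urllib.parse import urlparse

# Constructed allow-list of domains the reader already trusts; a real deployment would
# draw this from the organization's own records.
TRUSTED_DOMAINS = {"us-cert.gov", "fbi.gov", "antiphishing.org"}


def levenshtein(a, b):
    """Edit distance between two strings (insert, delete and substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registered_domain(host):
    """Last two labels of a hostname.

    Assumption: a two-label heuristic, which is wrong for suffixes like co.uk; a
    public-suffix list would replace this in production.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def assess_url(url, trusted=TRUSTED_DOMAINS):
    """Classify a URL's domain against the allow-list.

    Returns (verdict, domain_seen, trusted_domain_it_resembles):
      trusted             exact registered-domain match
      lookalike-tld       same name, different top-level domain (.com instead of .gov)
      lookalike-spelling  name within one edit of a trusted name
      unknown             no relation to anything on the list
    """
    if "://" not in url:
        url = "http://" + url
    host = urlparse(url).hostname or ""
    domain = registered_domain(host)
    if domain in trusted:
        return ("trusted", domain, domain)
    if "." not in domain:
        return ("unknown", domain, None)
    name, tld = domain.rsplit(".", 1)
    for known in sorted(trusted):
        known_name, known_tld = known.rsplit(".", 1)
        if name == known_name and tld != known_tld:
            return ("lookalike-tld", domain, known)
        if levenshtein(name, known_name) <= 1:
            return ("lookalike-spelling", domain, known)
    return ("unknown", domain, None)


if __name__ == "__main__":
    for sample in [
        "https://www.us-cert.gov/ncas/tips/ST19-001",
        "http://us-cert.com/login",
        "https://www.us-cart.gov/",
        "http://download.example.net/file",
    ]:
        print(sample, "->", assess_url(sample))
```

The edit-distance threshold of 1 is deliberately tight so the check stays quiet on unrelated domains; either 
"lookalike" verdict should send the address to the independent verification step the tip describes (helpdesk, known-good 
contact) rather than block or allow it outright.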

How do I respond to a ransomware infection?

  * *Isolate the infected system.* Remove the infected system from all networks, and disable the computer's wireless, 
Bluetooth, and any other potential networking capabilities. Ensure all shared and networked drives are disconnected, 
whether wired or wireless.  
  * *Turn off other computers and devices.* Power-off and segregate (i.e., remove from the network) the infected 
computer(s). Power-off and segregate any other computers or devices that shared a network with the infected computer(s) 
that have not been fully encrypted by ransomware. If possible, collect and secure all infected and potentially infected 
computers and devices in a central location, making sure to clearly label any computers that have been encrypted. 
Powering-off and segregating infected computers and computers that have not been fully encrypted may allow for the 
recovery of partially encrypted files by specialists. (See Before You Connect a New Computer to the Internet [ 
http://www.us-cert.gov/ncas/tips/ST15-003 ] for tips on how to make a computer more secure before you reconnect it to a 
network.) 
  * *Secure your backups.* Ensure that your backup data is offline and secure. If possible, scan your backup data with 
an antivirus program to check that it is free of malware. 

What do I do if my computer is infected with ransomware?

  * *Home users:* immediately contact your local FBI office [ https://www.fbi.gov/contact-us/field-offices ] or local 
U.S. Secret Service office [ https://www.secretservice.gov/contact/field-offices/ ] to request assistance. 
  * *Organizations:* immediately report ransomware incidents to your IT helpdesk or security office. 
  * *All users:* change all system passwords once the ransomware has been removed. You can submit ransomware files to 
CISA for analysis via https://www.malware.us-cert.gov/MalwareSubmission/pages/submission.jsf. (See Choosing and 
Protecting Passwords [ https://www.us-cert.gov/ncas/tips/ST04-002 ] and Supplementing Passwords [ 
https://www.us-cert.gov/ncas/tips/ST05-012 ].) 

References

  * CISA Ransomware page [ http://www.us-cert.gov/Ransomware ] 
  * CISA Malware Analysis Submission page [ https://www.malware.us-cert.gov/MalwareSubmission/pages/submission.jsf ] 
  * CISA Mailing Lists and Feeds page [ https://www.us-cert.gov/mailing-lists-and-feeds ] 
  * Protecting Against Malicious Code [ https://www.us-cert.gov/ncas/tips/ST18-271 ] 
  * Protecting Your Privacy [ https://www.us-cert.gov/ncas/tips/ST04-013 ] 
  * Understanding Firewalls for Home and Small Office Use [ https://www.us-cert.gov/ncas/tips/ST04-004 ] 
  * Understanding Patches and Software Updates [ https://www.us-cert.gov/ncas/tips/ST04-006 ] 
  * Using Caution with Email Attachments [ https://www.us-cert.gov/ncas/tips/ST04-010 ] 
  * Handling Destructive Malware [ https://www.us-cert.gov/ncas/tips/ST13-003 ] 
  * Choosing and Protecting Passwords [ https://www.us-cert.gov/ncas/tips/ST04-002 ] 
  * Supplementing Passwords [ https://www.us-cert.gov/ncas/tips/ST05-012 ] 
  * Anti-Phishing Working Group's website [ https://www.antiphishing.org/ ] 
  * Carnegie Mellon Software Engineering Institute blog post: Ransomware: Best Practices for Prevention and Response [ 
https://insights.sei.cmu.edu/sei_blog/2017/05/ransomware-best-practices-for-prevention-and-response.html ] 
  * FBI article: Incidents of Ransomware on the Rise [ 
https://www.fbi.gov/news/stories/incidents-of-ransomware-on-the-rise/incidents-of-ransomware-on-the-rise ] 
  * FBI Tech Tuesday: Building a Digital Defense Against Ransomware at Home [ 
https://www.fbi.gov/contact-us/field-offices/portland/news/press-releases/fbi-tech-tuesday-building-a-digital-defense-against-ransomware-at-home ] 
________________________________________________________________________

Author: CISA

This product is provided subject to this Notification [ http://www.us-cert.gov/privacy/notification ] and this Privacy 
& Use [ http://www.us-cert.gov/privacy/ ] policy.


A copy of this publication is available at www.us-cert.gov [ https://www.us-cert.gov ]. If you need help or have 
questions, please send an email to info () us-cert gov. Do not reply to this message since this email was sent from a 
notification-only address that is not monitored. To ensure you receive future US-CERT products, please add US-CERT () 
ncas us-cert gov to your address book. 
