[SingCERT] Updated Advisory on Ransomware

Published on 13 Oct 2018

Updated on 23 Oct 2019

Overview

Ransomware is a prevalent cyber threat to businesses and individuals. This advisory provides updated information on ransomware and additional measures organisations, businesses and members of public can take to prevent and recover from this threat.


What is Ransomware?

Ransomware is a type of malware that holds a victim’s files, computer system or mobile device to ransom, restricting access until a ransom is paid. Some ransomware variants are also known to traverse the network and encrypt all files stored on shared and/or network drives. Because the files are encrypted with strong, correctly implemented cryptography, they cannot be recovered without the decryption key, which only the attacker holds.

Once the files in an infected computer have been encrypted, a ransom note will usually be generated to detail the ransom amount and steps that need to be taken to decrypt the files. By holding important data ransom, cyber criminals instil fear and panic into their victims and pressure them to pay the ransom by threatening to destroy the decryption key.


How Is Ransomware Spread?

One common method is phishing emails that carry malicious attachments or links. Opening the attachment or following the link typically downloads the ransomware from an attacker-controlled server and executes it on the user’s computer.

The infection vector for ransomware may also come through malicious advertisements that exploit vulnerabilities in the user’s browser to serve and install ransomware (commonly known as drive-by downloads). Such advertisements may be found on malicious websites, and—to a much lesser extent—even legitimate websites, if the advertisement service has been compromised.

Another way that a computer can be infected is through some ransomware variants’ ability to traverse the network on their own. This is done by exploiting vulnerabilities in background network services. WannaCry, for instance, spread in 2017 through a flaw in version 1 of the Server Message Block (SMB) protocol (MS17-010), so any unpatched host reachable on TCP port 445 could be infected with no user interaction at all.


Symptoms of Ransomware Infection

A key sign of a ransomware infection is the inability of a victim to access his or her files or computer systems. The original files are replaced with encrypted copies, usually with a new file extension characteristic of the ransomware family appended. A ransom note is also generated for the victim, stating the ransom amount and payment instructions.

Some ransomware sets deadlines for the victim to pay the ransom. Failing to meet these deadlines may result in an increase in the ransom or in deletion of the decryption key, in which case the victim permanently loses the files, or access to the computer.
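The three symptoms above (files rewritten with an unfamiliar extension, many such files appearing within a short time, and a ransom note) can be checked for mechanically when triaging a file share or a suspect workstation. The script below is an added example, not part of the SingCERT advisory: it walks a directory tree and reports ransom-note-like filenames, bursts of recently written files sharing an extension outside a small known list, and files whose first 4 KiB have near-maximal Shannon entropy (ciphertext has a near-uniform byte distribution, unlike documents or images headers). The known-extension list, the 60-minute window, the 7.5 bits/byte threshold and the demonstration files written to the temp directory are all assumptions chosen for illustration.

```powershell
# Added example, not SingCERT's code. Post-hoc triage for the symptoms of a ransomware
# infection. Assumptions: Windows PowerShell 5.1 or PowerShell 7; thresholds are illustrative.

function Get-ShannonEntropy {
    # Bits of entropy per byte: 0 for a constant stream, 8 for uniformly random bytes.
    param([byte[]]$Bytes)
    if ($Bytes.Length -eq 0) { return 0.0 }
    $counts = New-Object 'int[]' 256
    foreach ($b in $Bytes) { $counts[$b]++ }
    $entropy = 0.0
    foreach ($c in $counts) {
        if ($c -gt 0) {
            $p = $c / $Bytes.Length
            $entropy -= $p * [Math]::Log($p, 2)
        }
    }
    return $entropy
}

function Find-RansomwareIndicators {
    param(
        [Parameter(Mandatory)][string]$Path,
        [int]$WindowMinutes = 60,          # window in which a mass rename counts as a burst
        [int]$MinFilesPerExtension = 5,
        [double]$EntropyThreshold = 7.5    # encrypted or compressed data sits close to 8
    )
    $knownExt = @('.txt', '.docx', '.xlsx', '.pptx', '.pdf', '.jpg', '.png', '.csv', '.zip', '.exe', '.dll', '.log')
    $notePattern = '(?i)(decrypt|restore|recover|ransom|readme|how.?to)'
    $files = Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue
    $cutoff = (Get-Date).AddMinutes(-$WindowMinutes)
    $findings = @()

    # 1. Ransom notes: small text/HTML files whose names advertise decryption instructions.
    foreach ($f in $files | Where-Object { $_.Extension -in @('.txt', '.html', '.hta') -and $_.Length -lt 20KB -and $_.Name -match $notePattern }) {
        $findings += [pscustomobject]@{ Indicator = 'RansomNote'; Path = $f.FullName; Detail = $f.Name }
    }

    # 2. Mass rename: many recently written files sharing an extension not on the known list.
    $recentUnknown = $files | Where-Object { $_.LastWriteTime -ge $cutoff -and $_.Extension -and ($knownExt -notcontains $_.Extension.ToLower()) }
    foreach ($g in $recentUnknown | Group-Object { $_.Extension.ToLower() } | Where-Object Count -ge $MinFilesPerExtension) {
        $findings += [pscustomobject]@{ Indicator = 'MassExtensionChange'; Path = $Path; Detail = "$($g.Count) files with extension $($g.Name) written since $cutoff" }
    }

    # 3. High entropy: sample the first 4 KiB of each suspect file.
    foreach ($f in $recentUnknown) {
        $buf = New-Object byte[] 4096
        $fs = [System.IO.File]::OpenRead($f.FullName)
        try { $n = $fs.Read($buf, 0, $buf.Length) } finally { $fs.Dispose() }
        if ($n -le 0) { continue }
        $h = Get-ShannonEntropy -Bytes $buf[0..($n - 1)]
        if ($h -ge $EntropyThreshold) {
            $findings += [pscustomobject]@{ Indicator = 'HighEntropy'; Path = $f.FullName; Detail = ('{0:N2} bits/byte' -f $h) }
        }
    }
    return $findings
}

# Constructed demonstration data (random bytes stand in for encrypted files; not real ransomware artefacts).
$demo = Join-Path ([System.IO.Path]::GetTempPath()) 'ransomware-triage-demo'
New-Item -ItemType Directory -Force -Path $demo | Out-Null
$rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
1..6 | ForEach-Object {
    $bytes = New-Object byte[] 8192
    $rng.GetBytes($bytes)
    [System.IO.File]::WriteAllBytes((Join-Path $demo "report$($_).docx.locked"), $bytes)
}
Set-Content -Path (Join-Path $demo 'HOW_TO_DECRYPT_FILES.txt') -Value 'Your files have been encrypted. (constructed note)'
Set-Content -Path (Join-Path $demo 'notes.txt') -Value 'ordinary plaintext with a known extension; not flagged'

Find-RansomwareIndicators -Path $demo | Format-Table -AutoSize
```

On the constructed data this reports one RansomNote, one MassExtensionChange for `.locked`, and six HighEntropy files, while `notes.txt` is left alone. The entropy check on its own is not conclusive (compressed archives and images also score high), which is why it is only applied to files that already look suspicious by extension and timing; real-time protection belongs to antivirus/EDR software, and this kind of scan is for confirming an infection and scoping which shares were touched.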


Impact of Ransomware

Ransomware is indiscriminate in nature; it targets both home and business users. Personal, sensitive, and proprietary information may be lost if there is no backup of this data. Business operations may also be disrupted if employees are unable to access their files. Furthermore, there may be financial costs incurred to restore systems back to their original state.

Without a backup, recovery of data encrypted by ransomware is extremely difficult. Free decryptors exist only for families whose keys have been seized or whose implementation contained a flaw; they are specific to the ransomware family and version, and newer variants usually have none. A tested backup is therefore the only reliable recovery path.


Recommendations

Prevention is key to avoid falling victim to ransomware. It is also essential to formulate a backup and recovery plan for critical data, and to perform data backups regularly.

SingCERT recommends that users take the following preventive measures to better protect themselves against ransomware:

Perform File Backups Regularly

Reliable and regular backups limit the impact of a ransomware attack to the data created since the last backup. As ransomware encrypts every writable location it can reach, including mapped network drives and connected USB disks, ensure that backups are stored offline or physically disconnected when not in use, and periodically test that files can actually be restored from them.

Update Software Regularly

Some types of ransomware rely on software vulnerabilities to infect a system. Keep your operating system and all software updated with the latest security patches to prevent such exploits.

Install Antivirus Software

Install an antivirus/anti-malware software and keep it updated. Perform a scan of your entire computer at least once a week, and scan all files you receive and all removable storage devices that you connect.


Additional Preventive Measures to Consider

The following are additional preventive measures you should consider to further safeguard against ransomware attacks.

Install an ad-blocker and/or script blocker extension/add-on to your web browser

This enables you to selectively allow scripts or advertisements to run on your web browser, and you should only allow trusted content to be run.

Encrypt sensitive data

Some variants of ransomware affect only commonly-used file types, such as images and documents, by selecting targets by file extension. Encrypting your sensitive data in a container or with a tool that changes the file type may keep such variants from touching it. This is a limited defence: variants that encrypt every file regardless of type will encrypt the container as well, so it does not replace offline backups.

Enable Microsoft Office macros only when required

One key delivery mechanism of ransomware is the abuse of Microsoft Office macros. This comes in the form of malicious Office documents that trick victims into enabling macros in order to view the contents. Users are advised to be cautious and enable macros only when the document is from a trusted source and its use of macros is required. Organisations can enforce this centrally through Group Policy, for example by blocking macros in files downloaded from the Internet and allowing only digitally signed macros to run.

Install Application Control

Consider installing application control software that provides application and/or directory whitelisting. Whitelisting allows only approved programs to run while blocking all others, including a freshly downloaded ransomware executable, and is one of the most effective protections for a computer system. Windows includes this capability in AppLocker and Windows Defender Application Control.

Disable Unnecessary Services

Some advanced variants of ransomware spread to other computers in the network through vulnerabilities in, or weak configuration of, background services such as SMB and the Remote Desktop Protocol (RDP). RDP exposed to the Internet and protected only by a password is also a common initial entry point, as attackers guess or reuse stolen credentials. Disable such services if you do not use them. Where RDP is required, do not expose it directly to the Internet; place it behind a VPN, require Network Level Authentication and strong, unique credentials, and keep the host patched.
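The three measures above (macro policy, application control and unnecessary services) are usually set through Group Policy, but a quick audit of a single Windows host is useful before and after rollout. The script below is an added example, not part of the SingCERT advisory: it checks whether SMBv1 is enabled, whether Remote Desktop is enabled and whether it requires Network Level Authentication, whether the Office macro policy is set to signed-only with Internet-sourced macros blocked, and whether any AppLocker rule collection is enforced, and with `-Remediate` it applies the first three. It assumes Windows 10/Server 2016 or later with PowerShell 5.1+, Office 2016/2019/365 (whose policy keys live under version `16.0`), and an elevated session for reading the SMB configuration and for remediation; the `Test-RansomwareHardening` and `New-Finding` names are mine.

```powershell
# Added example, not SingCERT's code. Audits (and with -Remediate, applies) host hardening
# against the spread and macro vectors discussed above. Run elevated; review before remediating.

function New-Finding($Check, $Status, $Detail) {
    [pscustomobject]@{ Check = $Check; Status = $Status; Detail = $Detail }
}

function Get-RegValue {
    # Returns the registry value or $null when the key or value does not exist.
    param([string]$Key, [string]$Name)
    try { (Get-ItemProperty -Path $Key -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Test-RansomwareHardening {
    [CmdletBinding()]
    param([switch]$Remediate)
    $findings = @()

    # 1. SMBv1: the protocol version exploited by WannaCry; nothing modern needs it.
    try {
        if ((Get-SmbServerConfiguration).EnableSMB1Protocol) {
            $findings += New-Finding 'SMBv1' 'FAIL' 'SMBv1 server enabled (WannaCry vector)'
            if ($Remediate) { Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force }
        } else {
            $findings += New-Finding 'SMBv1' 'PASS' 'SMBv1 server disabled'
        }
    } catch {
        $findings += New-Finding 'SMBv1' 'WARN' "Could not query SMB configuration: $($_.Exception.Message)"
    }

    # 2. Remote Desktop: off if unused; otherwise at least require Network Level Authentication.
    $ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    if ((Get-RegValue $ts 'fDenyTSConnections') -eq 1) {
        $findings += New-Finding 'RDP' 'PASS' 'Remote Desktop connections denied'
    } else {
        $nla = Get-RegValue "$ts\WinStations\RDP-Tcp" 'UserAuthentication'
        $findings += New-Finding 'RDP' 'WARN' "Remote Desktop enabled; NLA required: $($nla -eq 1)"
        if ($Remediate) {   # only appropriate on hosts where RDP is genuinely unused
            Set-ItemProperty -Path $ts -Name fDenyTSConnections -Value 1
            Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
        }
    }

    # 3. Office macro policy (per user). VBAWarnings: 1 = enable all, 2 = disable with
    #    notification (default), 3 = signed macros only, 4 = disable all without notification.
    foreach ($app in 'Word', 'Excel', 'PowerPoint') {
        $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        $vba = Get-RegValue $key 'VBAWarnings'
        $blockInet = Get-RegValue $key 'blockcontentexecutionfrominternet'
        if ($vba -in @(3, 4) -and $blockInet -eq 1) {
            $findings += New-Finding "Macros/$app" 'PASS' "VBAWarnings=$vba, Internet macros blocked"
        } else {
            $findings += New-Finding "Macros/$app" 'WARN' "VBAWarnings=$vba, blockcontentexecutionfrominternet=$blockInet (user can enable macros)"
            if ($Remediate) {
                New-Item -Path $key -Force | Out-Null
                New-ItemProperty -Path $key -Name VBAWarnings -Value 3 -PropertyType DWord -Force | Out-Null
                New-ItemProperty -Path $key -Name blockcontentexecutionfrominternet -Value 1 -PropertyType DWord -Force | Out-Null
            }
        }
    }

    # 4. Application control: report whether any AppLocker rule collection is actually enforced.
    #    No automatic remediation: an allow-list has to be designed for the environment.
    try {
        $policy = [xml](Get-AppLockerPolicy -Effective -Xml)
        $enforced = @($policy.AppLockerPolicy.RuleCollection | Where-Object { $_.EnforcementMode -eq 'Enabled' })
        if ($enforced.Count -gt 0) {
            $findings += New-Finding 'AppLocker' 'PASS' "Enforced rule collections: $($enforced.Type -join ', ')"
        } else {
            $findings += New-Finding 'AppLocker' 'WARN' 'No enforced AppLocker rule collections; consider an allow-list policy'
        }
    } catch {
        $findings += New-Finding 'AppLocker' 'WARN' 'AppLocker cmdlets unavailable on this edition'
    }
    return $findings
}

Test-RansomwareHardening | Format-Table -AutoSize
```

Run it once without `-Remediate` and read the WARN lines before applying anything: disabling RDP on a server that administrators rely on, or forcing signed-only macros where a line-of-business workbook depends on unsigned VBA, will cause an outage rather than prevent one. In a domain the same settings should then be pushed through Group Policy so that they survive reimaging and cannot be undone by the local user.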


How to Remove Ransomware?

In the event that a machine is infected with ransomware, SingCERT recommends taking the following measures:

1.    Disconnect the infected computer immediately from your network, including Wi-Fi, mapped network drives and any cloud-synchronisation clients. Doing so isolates the infected system and prevents the ransomware from spreading to other computers or encrypting files on shares.

2.    Scan and disinfect the computer with an antivirus or anti-malware application. Most types of ransomware establish some form of persistence on the infected computer and may re-encrypt data later if not properly removed. Note that removing the malware does not decrypt the files that have already been encrypted.

3.    Keep a copy of the ransom note and a few of the encrypted files, then go to https://www.nomoreransom.org/ or https://id-ransomware.malwarehunterteam.com/ to identify which variant of ransomware has infected your computer and to check whether a free decryptor is available for it.

4.    Restore the data from your backup sources, after verifying that the backup itself is intact and was not reachable by the ransomware. If possible, do so onto a clean installation to ensure that the system is completely free of malware.
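Both the backup advice under Recommendations and step 4 above depend on knowing that the backup you are about to restore was not itself reached by the ransomware. The script below is an added example, not part of the SingCERT advisory: when a backup is taken it records the SHA-256 of every file in a manifest, and before a restore it re-hashes the backup set and reports files that were modified (as re-encrypted files would be), gone missing (renamed with a new extension) or appeared unexpectedly (ransom notes). The manifest must be kept with the offline copy, not on the same share as the backup, since anything the ransomware can write it can also tamper with. The function names, the CSV layout and the demonstration files written to the temp directory are assumptions for illustration.

```powershell
# Added example, not SingCERT's code. Hash manifest for verifying a backup set before restoring it.
# Assumptions: Windows PowerShell 5.1 or PowerShell 7; keep the manifest offline with the backup.

function New-BackupManifest {
    param([Parameter(Mandatory)][string]$BackupRoot, [Parameter(Mandatory)][string]$ManifestPath)
    $root = (Resolve-Path $BackupRoot).ProviderPath.TrimEnd('\', '/')
    Get-ChildItem -Path $root -File -Recurse | ForEach-Object {
        [pscustomobject]@{
            RelativePath = $_.FullName.Substring($root.Length + 1)
            Length       = $_.Length
            Sha256       = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    } | Export-Csv -Path $ManifestPath -NoTypeInformation
}

function Test-BackupManifest {
    # Compares the backup set on disk with the manifest and classifies every difference.
    param([Parameter(Mandatory)][string]$BackupRoot, [Parameter(Mandatory)][string]$ManifestPath)
    $root = (Resolve-Path $BackupRoot).ProviderPath.TrimEnd('\', '/')
    $expected = @{}
    foreach ($row in Import-Csv -Path $ManifestPath) { $expected[$row.RelativePath] = $row.Sha256 }
    $result = [ordered]@{ Ok = 0; Modified = @(); Missing = @(); Unexpected = @() }
    $seen = @{}
    foreach ($f in Get-ChildItem -Path $root -File -Recurse) {
        $rel = $f.FullName.Substring($root.Length + 1)
        $seen[$rel] = $true
        if (-not $expected.ContainsKey($rel)) { $result.Unexpected += $rel; continue }
        $hash = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
        if ($hash -eq $expected[$rel]) { $result.Ok++ } else { $result.Modified += $rel }
    }
    foreach ($rel in $expected.Keys) { if (-not $seen.ContainsKey($rel)) { $result.Missing += $rel } }
    [pscustomobject]$result
}

# Constructed demonstration: a tiny backup set, a manifest, then tampering that mimics ransomware.
$tmp = Join-Path ([System.IO.Path]::GetTempPath()) 'backup-manifest-demo'
$backup = Join-Path $tmp 'backup'
$manifest = Join-Path $tmp 'manifest.csv'   # in practice this lives with the offline copy
New-Item -ItemType Directory -Force -Path (Join-Path $backup 'finance') | Out-Null
Set-Content -Path (Join-Path $backup 'finance\ledger.csv') -Value 'date,amount'
Set-Content -Path (Join-Path $backup 'policy.docx') -Value 'constructed document contents'
New-BackupManifest -BackupRoot $backup -ManifestPath $manifest

Set-Content -Path (Join-Path $backup 'finance\ledger.csv') -Value 'CIPHERTEXT'          # overwritten in place
Rename-Item -Path (Join-Path $backup 'policy.docx') -NewName 'policy.docx.locked'      # renamed with new extension
Set-Content -Path (Join-Path $backup 'HOW_TO_DECRYPT.txt') -Value 'constructed ransom note'

Test-BackupManifest -BackupRoot $backup -ManifestPath $manifest | Format-List
```

On the constructed data the result is `Ok 0`, `Modified finance\ledger.csv`, `Missing policy.docx` and `Unexpected policy.docx.locked, HOW_TO_DECRYPT.txt`; a clean backup returns only a non-zero `Ok` count. A manifest proves integrity, not restorability, so the restore itself still needs to be rehearsed on a test machine from time to time.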


If you are a victim of ransomware, you can contact SingCERT at singcert@csa.gov.sg or the hotline at 63235052 for assistance. All information provided will be kept strictly confidential.

For a full list of recommended best practices for safe Internet browsing, visit https://www.csa.gov.sg/gosafeonline/go-safe-for-me/homeinternetusers/protect-your-computer-from-cyber-threats


References

https://www.nomoreransom.org/
https://www.us-cert.gov/ncas/alerts/TA16-091A