Down the Rabbit-Hole
The crypto-trojan spreads mainly through compromised news sites. By using so-called watering hole attacks, the cyber criminals can target certain user groups and companies. If a user visits an infected website, an automated drive-by download is initiated and a forged Adobe Flash update is downloaded. As soon as this file is executed, Bad Rabbit enters the system, and all data are encrypted after a forced reboot of the computer.
Hornetsecurity recognizes the malware and protects with URL rewriting
The URL rewriting feature of Hornetsecurity Advanced Threat Protection recognizes Bad Rabbit on compromised websites and blocks it. Using Hornetsecurity ATP, you can continue clicking on news links in your emails without fear of catching the malware.
Our recommendations
Nevertheless, we recommend that you create backups on a regular basis and neither download nor execute unknown files. Adobe Flash updates in particular should only be downloaded from the software producer itself. In case of an infection, do not pay the ransom, because it is unclear whether you will receive the keys necessary to recover your files.
Ransomware attacks: which costs arise from an infection with a Cryptotrojan?
Experts estimate that the average downtime caused by a Cryptotrojan attack lasts between 9 and 16 hours (see “Second Annual State of Ransomware Report”). For big enterprises like A.P. Møller Maersk, such outages can quickly add up to several million euros of damage, but smaller companies can also suffer immensely from the consequences. All in all, several cost factors play a role in restoring the operational systems and removing the Cryptotrojan. First is the loss of data that arises if the affected company did not carry out regular backups in the past or made no backups at all. The authors of the study “Cost of Data Breach” estimated an average amount of 325 euros for each data record lost through a ransomware attack. With thousands of lost records, one can easily imagine the possible cost of such a large data loss. In addition, there are costs for analyzing the extent of the attack. Above all, it has to be examined which systems and data were encrypted, and by which type of Cryptotrojan. Companies often engage teams of IT experts for an extensive investigation that may last several days, and the costs for this external service can easily reach five-digit amounts. Additional costs may arise, e.g. for lawyers and courts, public relations work and data recovery, as well as penalties payable to regulatory authorities and hours of overtime for the employees. Experts have determined an approximate benchmark for hospitals that have been targeted by a Cryptotrojan: within the first week of the attack alone, the estimated damage can amount to between 630,000 euros and 1.3 million euros. Of course, the exact damage sum depends on the hospital’s size and the availability of backups.
One-fifth of all enterprises declare insolvency after a Cryptotrojan attack
A ransomware attack can have a variety of effects on the companies concerned. Although most firms follow the experts’ advice not to pay the ransom demanded by hackers, there will be a number of negative consequences – no matter which decision is made. According to an article on the IT platform “Gulli”, 20 percent of the companies targeted by a Cryptotrojan had to stop all operations temporarily. A further 15% suffered a considerable loss of sales. Also, 25% of the companies were not able to identify the point of entry, so the malware could easily spread across the entire network.
Only correct prevention can avoid trouble
Once malware such as a Cryptotrojan has entered the company’s network, restoring the contaminated systems is both expensive and time-consuming. The negative effects of a ransomware attack can only be avoided by adequate preventive measures. That’s why Hornetsecurity Advanced Threat Protection provides a whole bundle of security mechanisms to protect against all types of targeted attacks as well as malware.
Valid argument or indispensable shield? There are effective alternatives for protecting yourself.
Installing antivirus programs on your PC does not offer protection; on the contrary, such programs open up unnecessary vulnerabilities in the protective shield! This is what Robert O’Callahan argues. As a former developer of the Firefox web browser, he has called upon users to uninstall their AV software. Justin Schuh, a developer of the competitor browser Chrome, concurs: AV programs are not equipped with important and appropriate mechanisms such as sandboxing. Rather, some of them have significant quality problems, particularly with respect to their own security. The high-level system rights that most AV programs are granted enable attackers to exploit these vulnerabilities and cause direct damage to the end devices.
Virus software fails to identify viruses
To make matters worse, there is a problem that various previous studies have already shown: namely that the mechanisms used to identify viruses are not as effective as they were a few years ago. Back in 2014, Lastline Labs tested the quality of various AV programs. One of the sobering results of the tests: only 61% of all programs identified new viruses within two weeks of their emergence. At the same time, updates must be installed much faster, because the duration of virus attacks is becoming shorter all the time. In other words, many attacks last just a few minutes or hours. What’s more, today’s malware is often polymorphic, transforming in manifold ways during an attack. Both create major problems for signature-based scanners. So what’s to be done? Robert O’Callahan recommends that Windows users trust the already very reliable Defender module that is part of Windows 10. This makes sense, particularly considering that Defender is already an integral part of the operating system. While this doesn’t improve recognition, it at least prevents the opening of new security gaps. Additionally, it cannot be stressed enough that users should keep all programs up to date and always install the latest security patches. Nevertheless, the question remains whether protection on local devices is still useful at all, or whether protecting computers and networks should take place somewhere entirely different. It obviously makes sense to examine more closely how malicious software finds its way onto a computer in the first place.
Spam filter + web filter > antivirus protection
The two main gateways for malware are email and web traffic. Attacks via other routes, such as infected external disks or active attacks by hackers, occur much less often. File attachments with malicious code or links to hidden downloads, on the other hand, are frequently found in emails. Preventing these from ever landing in a recipient’s inbox in the first place is an effective way to protect against unwanted intruders. Cloud solutions in particular offer a protective wall that is located far upstream from one’s own IT infrastructure. In addition, by bundling the data traffic of very large numbers of users, undesired data can be noticed quickly – so all users benefit quickly from the results of the analysis. Professional cloud providers also offer additional security mechanisms such as sandboxing or the rewriting of links found in emails in order to increase the level of protection offered by filter systems. Web filter systems, on the other hand, check whether users are surfing on websites containing malware and block the opening of the destination page if needed, thereby closing this attack route. Of course, none of these measures offer 100% protection either, but they do greatly increase the likelihood of stopping data theft, extortion attempts, and imposter schemes.
A central promise of our Managed Spam Filter Services is to protect our customers from malicious mails. Especially the automatic detection of spam and malicious software has rapidly gained importance in recent months – Locky, Tesla, Petya and co. send their regards! The Content Filter is an additional, customizable protection. Customers can use it to independently control the handling of attachments contained in incoming and outgoing emails. The maximum file size for attachments can be set this way – although the Content Filter’s ability to detect certain types of file extensions is much more important. It allows administrators to define specific file extensions, thus preventing the delivery of an email with the relevant attachment. Specifically, this means: if an IT manager wants to prevent their email users from receiving attachments with the .exe extension, they need only enable the Content Filter (if not already activated) and enter .exe into the open field. As a special service and for ease of use, we have set up several group extensions to provide improved protection in all the default settings: .executable, .mediafile, .xlsmacro and .docmacro. If, for example, “.executable” is specified, the Content Filter automatically blocks 58 extensions of executable files. This group extension is continuously maintained and kept up to date in order to always ensure the highest possible protection. The extension .mediafile, for example, can be used to filter out files with the extensions .wav, .mp3, .mid, .mpg and several others. The two other collective terms are specifically designed to hold back macros in Excel and Word files, which often carry links to ransomware. The Content Filter can also be configured for the entire domain as well as for specific groups within a domain.
If not already enabled, we thus urgently advise all customers and partners of Hornetsecurity to activate the Content Filter free of charge and add the file extension “.executable” to their list of files to be blocked. They can ramp up their protection another notch by doing so. The screenshot shows how this is done. Note: This blog post was first published in April 2015 and has now been updated and adapted to the new ransomware threats.
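To make the group-extension mechanism concrete, here is an added example of an attachment policy check modelled on the Content Filter described above. It is not Hornetsecurity's code: the group names (.executable, .mediafile, .xlsmacro, .docmacro) come from the post, but the concrete extensions each group expands to are constructed samples (the real .executable group covers 58 extensions that are not listed here), and the domain-versus-group policy layout is an assumption. The check deliberately inspects every suffix of a filename, so a double extension such as invoice.pdf.exe is held just like plain .exe, and it normalises case and trailing whitespace so that SETUP.EXE or "setup.exe " cannot slip past a lowercase list.

```python
"""Attachment extension policy check (added example, not Hornetsecurity's code).

The group-to-extension tables below are constructed samples that stand in for
the vendor-maintained groups named in the post; the real ".executable" group
covers 58 extensions that the post does not enumerate.
"""
from dataclasses import dataclass, field
from pathlib import PurePosixPath

# Constructed sample expansions of the group extensions named on the page.
GROUP_EXTENSIONS = {
    ".executable": {".exe", ".scr", ".bat", ".cmd", ".com", ".js", ".vbs", ".msi", ".ps1"},
    ".mediafile": {".wav", ".mp3", ".mid", ".mpg"},
    ".xlsmacro": {".xlsm", ".xltm", ".xlam"},
    ".docmacro": {".docm", ".dotm"},
}


@dataclass
class ContentFilterPolicy:
    """Assumed policy layout: one domain-wide list plus optional per-group extras."""
    domain_blocked: set = field(default_factory=set)   # entries for the whole domain
    group_blocked: dict = field(default_factory=dict)  # recipient group -> extra entries


def expand(entries):
    """Expand a mix of plain extensions and group names into concrete extensions.

    Entries are normalised to lowercase with a leading dot, so 'EXE', '.exe'
    and 'executable' are all accepted.
    """
    concrete = set()
    for entry in entries:
        entry = entry.lower()
        if not entry.startswith("."):
            entry = "." + entry
        concrete |= GROUP_EXTENSIONS.get(entry, {entry})
    return concrete


def effective_blocklist(policy, group=None):
    """Domain-wide entries plus the extras of the recipient's group, expanded."""
    entries = set(policy.domain_blocked)
    if group is not None:
        entries |= policy.group_blocked.get(group, set())
    return expand(entries)


def attachment_extensions(filename):
    """Return every suffix of the name, e.g. 'invoice.pdf.exe' -> ['.pdf', '.exe'].

    Checking all suffixes rather than only the last one catches double-extension
    tricks; trailing whitespace and dots are stripped first so that 'setup.exe '
    or 'setup.exe.' still yield '.exe'.
    """
    name = filename.strip().rstrip(".")
    return [suffix.lower() for suffix in PurePosixPath(name).suffixes]


def is_blocked(policy, filename, group=None):
    """True if any suffix of the attachment name is on the effective blocklist."""
    blocked = effective_blocklist(policy, group)
    return any(ext in blocked for ext in attachment_extensions(filename))


def filter_message(policy, attachments, group=None):
    """Split one message's attachment names into (delivered, held) lists."""
    held = [name for name in attachments if is_blocked(policy, name, group)]
    delivered = [name for name in attachments if name not in held]
    return delivered, held


if __name__ == "__main__":
    # Constructed sample policy: ".executable" for the whole domain, macro
    # groups only for the "finance" recipient group.
    policy = ContentFilterPolicy(
        domain_blocked={".executable"},
        group_blocked={"finance": {".xlsmacro", ".docmacro"}},
    )
    sample = ["report.pdf", "Invoice.PDF.exe", "budget.xlsm", "setup.EXE "]
    print("marketing:", filter_message(policy, sample, group="marketing"))
    print("finance:  ", filter_message(policy, sample, group="finance"))
```

Running the block shows the difference between the two configurations: with only the domain-wide .executable entry, budget.xlsm is delivered, while the finance group, which additionally carries the macro groups, holds it back. Adding a new extension to a group in GROUP_EXTENSIONS takes effect for every policy that references the group, which is what makes a vendor-maintained group list more robust than a hand-kept list of individual extensions.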