Analyzing the Trends of Encryption Ransomware Attacks
Encryption Ransomware Attacks Continue to Spread
In the second half of 2016, ransomware became a serious and widespread threat to enterprise security. According to the article “Annual Hotspots: Report on Blackmail by Encrypting Files” released by Kaspersky in December 2016, 114 countries had been hit by file-encrypting ransomware by 2016, and over 44,000 ransomware samples had been found. A research report on ransomware risks released by AsiaInfo Security also shows that the amount of ransomware spreading worldwide over the last ten months has increased 15 times, and in China by over 67 times.
If a company is blackmailed, it will be required to pay a ransom; otherwise the encrypted files will not be unlocked. Ransomware extortion involves huge sums of money and is difficult to prevent, and the money gained is often reinvested in developing the next generation of ransomware. Foreign researchers also recently discovered ransomware that targets Linux servers, and some new ransomware has integrated DDoS functionality. It is reasonable to expect that encryption ransomware will continue to develop and spread.
Source: Kaspersky Security Bulletin 2016.
The Alibaba Cloud Security Team Thoroughly Analyzes the Causes of Ransomware
The Alibaba Cloud Security team informs users early about trends in the spread of ransomware and provides emergency hardening solutions. At the same time, to keep users secure on the cloud, the team develops tools that detect and remove encryption ransomware based on how the ransomware behaves. This guide explains how to protect yourself against ransomware.
Through analysis of data on current extortion incidents, Alibaba Cloud Security has found two characteristics common to victims of ransomware intrusion:
1. Key accounts have weak passwords or lack proper authentication mechanisms
• Key accounts (root, administrator) on the servers had simple passwords or no passwords at all.
• Databases (Redis, MongoDB, MySQL, SQL Server) and other important business services could be logged on to without passwords.
2. Affected applications have no access control policies, meaning they are exposed to the Internet without any protection
• The higher-risk services, such as RDP, SSH, Redis, MongoDB, MySQL and SQL Server, were directly accessible by the Internet without any protection.
These two types of problems let attackers carry out intrusions at low cost: the services can be attacked without first obtaining a username and password. At present, most ransomware attacks are delivered through malicious code contained in Windows executables, and new attack methods can appear as ransomware continues to “mutate”.
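The second finding above (databases such as Redis accepting connections without a password) is usually a matter of three configuration lines. As an added example that is not from the article or from Alibaba Cloud, the following Python helper audits a redis.conf-style text for exactly those settings; both configuration texts are constructed samples, and the checks follow Redis's documented behaviour (no `bind` means every interface, `protected-mode` exists from Redis 3.2 on).

```python
"""Audit a redis.conf-style text for the 'no password, listening on every
interface' pattern described above.  Hypothetical helper written for this
page (not an Alibaba Cloud tool); both config texts are constructed samples."""

# Constructed sample: a server left at the unauthenticated defaults.
WEAK_CONF = """\
# Redis configuration (constructed sample)
port 6379
protected-mode no
daemonize yes
"""

# Constructed sample: loopback only, protected mode on, password required.
HARDENED_CONF = """\
port 6379
bind 127.0.0.1
protected-mode yes
requirepass REPLACE_WITH_A_LONG_RANDOM_PASSWORD
"""


def parse_redis_conf(text):
    """Return {directive: [args, ...]}, keeping the last occurrence of each
    directive and skipping comments and blank lines, as Redis itself does."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        directive, *args = line.split()
        conf[directive.lower()] = args
    return conf


def audit_redis_conf(text):
    """Return a list of findings; an empty list means none of the three
    exposure conditions is present."""
    conf = parse_redis_conf(text)
    findings = []

    # 1. No requirepass (or an empty one): every client that reaches the
    #    port gets full command access, including CONFIG and FLUSHALL.
    password = conf.get("requirepass", [])
    if not password or not password[0].strip("\"'"):
        findings.append("requirepass is not set: clients are not authenticated")

    # 2. A missing bind directive makes Redis listen on all interfaces;
    #    0.0.0.0 / * / :: do so explicitly.
    binds = conf.get("bind", [])
    if not binds or any(b in ("0.0.0.0", "*", "::") for b in binds):
        findings.append("bind is missing or wildcard: Redis listens on every interface")

    # 3. protected-mode (Redis 3.2+, default yes) refuses non-loopback clients
    #    when no password and no bind are configured; "no" removes that net.
    if conf.get("protected-mode", ["yes"])[0].lower() == "no":
        findings.append("protected-mode is off: the built-in safety net is disabled")

    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_redis_conf(text) or ["no findings"])
```

Run it against the real file on a host (`audit_redis_conf(open("/etc/redis/redis.conf").read())`) to get the same three-point verdict; the same parsing approach carries over to MongoDB or MySQL configuration once you substitute the directives that control authentication and the listening address.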
How the Cloud Helps Companies Reduce the Risk of Being Blackmailed
Threat intelligence, basic security features, security products and expert teams provided by the cloud computing platform can help companies significantly reduce risk. Security protection and management tools on the cloud are more diverse than those available in the closed environment of a self-built IDC, so companies can customize their own defense strategies and find the preventive measures most appropriate to their business conditions.
Cloud platforms provide necessary security tools (such as snapshots) as well as strong disaster tolerance and data recovery capabilities. Experienced security experts have formulated corresponding hardening measures to deal with the latest types of attacks.
Alibaba Cloud recommends the following protective measures to help companies respond to the threat of ransomware attacks:
1. Regularly back up data
Good backup measures and strategies are the last line of defense when your business is at risk.
On Alibaba Cloud, users are recommended to enable the ECS snapshot function and set up an appropriate backup strategy (full backup + incremental backup) according to the company's business conditions. Backups are performed daily, and more than three versions are retained. This way you can quickly roll business data back to the previous day when faced with a ransomware attack.
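A full + incremental strategy only delivers the "roll back to yesterday" guarantee if every snapshot in the chain still exists, so retention should be expressed in restore points, not in a raw count of snapshots. The following Python helper is an added example written for this page, not the ECS snapshot API or any Alibaba Cloud tool; it assumes one snapshot per day and that an incremental snapshot depends on every earlier snapshot back to the last full one, and the catalogue it operates on is constructed.

```python
"""Check that a daily full + incremental snapshot catalogue can actually be
rolled back to a given day, and prune it without breaking that guarantee.
Hypothetical helper written for this page (not the ECS snapshot API).
Assumption: an incremental snapshot depends on every earlier snapshot back to
the last full, so a missing day breaks every later restore point."""
from datetime import date, timedelta

# Constructed sample catalogue: one snapshot per day, full on days 1, 8 and 15,
# incremental otherwise.  Entries are (day, kind).
SNAPSHOTS = [(date(2017, 1, d), "full" if d in (1, 8, 15) else "incremental")
             for d in range(1, 21)]
TODAY = date(2017, 1, 20)


def restore_chain(snapshots, target):
    """Return the ordered snapshots needed to restore to `target`, or None if
    no full snapshot precedes it or a daily snapshot in the chain is missing."""
    have = dict(snapshots)
    fulls = [d for d, kind in snapshots if kind == "full" and d <= target]
    if not fulls:
        return None
    base = max(fulls)
    chain = [(base, "full")]
    day = base + timedelta(days=1)
    while day <= target:
        if day not in have:
            return None          # gap: the incremental chain is broken here
        chain.append((day, have[day]))
        day += timedelta(days=1)
    return chain


def prune(snapshots, today, keep_days=3):
    """Split the catalogue into the snapshots needed to restore to any of the
    last `keep_days` days (today included) and the ones that may be deleted."""
    needed = set()
    for back in range(keep_days):
        chain = restore_chain(snapshots, today - timedelta(days=back))
        if chain:
            needed.update(chain)
    kept = [s for s in snapshots if s in needed]
    deletable = [s for s in snapshots if s not in needed]
    return kept, deletable


if __name__ == "__main__":
    chain = restore_chain(SNAPSHOTS, TODAY - timedelta(days=1))
    print("restore to yesterday needs", [(d.isoformat(), k) for d, k in chain])
    kept, gone = prune(SNAPSHOTS, TODAY)
    print(len(kept), "kept,", len(gone), "deletable")
    # Simulate someone deleting the Jan 17 snapshot: later restore points die.
    damaged = [s for s in SNAPSHOTS if s[0] != date(2017, 1, 17)]
    print("restore to today after losing Jan 17:", restore_chain(damaged, TODAY))
```

The `damaged` case at the end is the one worth automating: a scheduled job that calls `restore_chain` for yesterday and alerts on `None` catches a broken backup before ransomware does.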
2. Only open necessary service ports to the external network to limit access to the server
You can set the open access ports on the firewall at the VPC gateway or in the Alibaba Cloud Security Group firewall. Open only the necessary ports to reduce the attack surface and keep the server secure.
At the same time, use the Alibaba Cloud Security Group firewall to prohibit servers from initiating outbound connections, so that an infected server cannot attempt to connect to healthy servers.
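Both halves of this recommendation (no high-risk service reachable from anywhere, no unrestricted outbound access) can be checked mechanically against an exported rule set. The Python below is an added example written for this page; its rule format is a simplification and not the Alibaba Cloud security group API, the rule sets are constructed, and the port list is the one the article names as high-risk.

```python
"""Review a security-group rule set for the two problems the text above
calls out: high-risk services reachable from anywhere, and unrestricted
outbound access.  Hypothetical helper written for this page; the rule
format is a simplification, not the Alibaba Cloud security group API, and
all rules below are constructed samples."""
import ipaddress

# Services the article names as high-risk when reachable from the Internet.
HIGH_RISK_PORTS = {22: "SSH", 3389: "RDP", 6379: "Redis", 27017: "MongoDB",
                   3306: "MySQL", 1433: "SQL Server"}

# Each rule: id, direction, action, inclusive port range, remote CIDR.
RULES = [
    {"id": "sg-01", "direction": "ingress", "action": "allow", "ports": (443, 443), "cidr": "0.0.0.0/0"},
    {"id": "sg-02", "direction": "ingress", "action": "allow", "ports": (22, 22), "cidr": "0.0.0.0/0"},
    {"id": "sg-03", "direction": "ingress", "action": "allow", "ports": (6379, 6379), "cidr": "10.0.0.0/8"},
    {"id": "sg-04", "direction": "ingress", "action": "allow", "ports": (1, 65535), "cidr": "::/0"},
    {"id": "sg-05", "direction": "egress", "action": "allow", "ports": (1, 65535), "cidr": "0.0.0.0/0"},
]

HARDENED_RULES = [
    {"id": "sg-10", "direction": "ingress", "action": "allow", "ports": (443, 443), "cidr": "0.0.0.0/0"},
    # SSH only from the (constructed) bastion / VPN egress address.
    {"id": "sg-11", "direction": "ingress", "action": "allow", "ports": (22, 22), "cidr": "203.0.113.10/32"},
    {"id": "sg-12", "direction": "ingress", "action": "allow", "ports": (6379, 6379), "cidr": "10.0.0.0/8"},
    # Outbound limited to what the workload needs (HTTPS to update mirrors).
    {"id": "sg-13", "direction": "egress", "action": "allow", "ports": (443, 443), "cidr": "0.0.0.0/0"},
]


def open_to_anywhere(cidr):
    """True for 0.0.0.0/0 and ::/0, i.e. no remote-address restriction at all."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def audit_rules(rules):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    for rule in rules:
        if rule["action"] != "allow":
            continue
        lo, hi = rule["ports"]
        if rule["direction"] == "ingress" and open_to_anywhere(rule["cidr"]):
            exposed = [f"{name}/{port}" for port, name in HIGH_RISK_PORTS.items()
                       if lo <= port <= hi]
            if exposed:
                findings.append(f"{rule['id']}: {', '.join(exposed)} reachable from {rule['cidr']}")
        elif (rule["direction"] == "egress" and open_to_anywhere(rule["cidr"])
              and (lo, hi) == (1, 65535)):
            findings.append(f"{rule['id']}: unrestricted outbound access lets an "
                            "infected host reach other servers")
    return findings


if __name__ == "__main__":
    for name, rules in (("current", RULES), ("hardened", HARDENED_RULES)):
        print(name)
        for finding in audit_rules(rules) or ["no findings"]:
            print("  ", finding)
```

Note that `sg-04` is the pattern most often behind real incidents: an "allow all" rule added for troubleshooting and never removed, which silently exposes every service in the list at once.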
3. Perform proper security domain planning for the server
You are recommended to use the Alibaba Cloud VPC service to isolate the business applications of different users. At the same time, servers with different security levels should be placed in different security domains so that infected servers in a low-security domain cannot go on to infect other business servers.
4. Manage service passwords and remote access permissions
Server passwords should be at least 8 characters long, contain a mix of character types, and be changed regularly.
Remote access to the server should not be exposed to the outside. For remote O&M, it is recommended to use the IPsec VPN or SSL VPN remote access solutions in Alibaba Cloud Marketplace. Companies are also recommended to deploy professional firewall images, available from the Alibaba Cloud Marketplace, on the VPC gateway; these support both VPN remote access and access control of north-south VPC traffic.
5. Configure OS-level security and vulnerability protection
You are recommended to use Alibaba Cloud Security Server Guard to detect attempts by hackers to crack your login passwords, which prevents passwords from being cracked through repeated guessing. Server Guard can also remove webshells in one click to keep the server environment clean, and patch high-risk vulnerabilities in batches.
Server Guard also provides vulnerability detection and remediation for server applications, helping users fix vulnerabilities and improve server security.
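Password-guessing detection of the kind Server Guard performs comes down to counting authentication failures per source within a time window and watching for a success that follows them. The following Python is an added example written for this page, not Server Guard's code or any Alibaba Cloud tool; it runs over constructed sshd log lines in standard syslog format, and the threshold and window are assumptions you would tune for your own environment.

```python
"""Detect password-guessing against sshd from auth-log lines: N failures from
one source address inside a sliding window raise an alert, and a later
successful login from a flagged address raises a second, more urgent one.
Hypothetical detector written for this page (not Server Guard); the log lines
are constructed samples in syslog format."""
import re
from collections import defaultdict
from datetime import datetime

LOG_LINES = """\
Jan 10 03:12:01 web01 sshd[2210]: Failed password for root from 198.51.100.7 port 51022 ssh2
Jan 10 03:12:05 web01 sshd[2212]: Failed password for root from 198.51.100.7 port 51030 ssh2
Jan 10 03:12:09 web01 sshd[2214]: Failed password for invalid user admin from 198.51.100.7 port 51041 ssh2
Jan 10 03:12:14 web01 sshd[2216]: Failed password for root from 198.51.100.7 port 51055 ssh2
Jan 10 03:12:20 web01 sshd[2218]: Failed password for root from 198.51.100.7 port 51063 ssh2
Jan 10 03:12:27 web01 sshd[2220]: Failed password for root from 198.51.100.7 port 51070 ssh2
Jan 10 03:12:40 web01 sshd[2222]: Accepted password for root from 198.51.100.7 port 51088 ssh2
Jan 10 03:15:02 web01 sshd[2230]: Failed password for alice from 203.0.113.5 port 40012 ssh2
Jan 10 03:15:10 web01 sshd[2232]: Accepted publickey for alice from 203.0.113.5 port 40020 ssh2
""".splitlines()

TS = r"(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d)"
FAILED_RE = re.compile(
    TS + r" \S+ sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port")
ACCEPTED_RE = re.compile(
    TS + r" \S+ sshd\[\d+\]: Accepted (?:password|publickey) for (?P<user>\S+) from (?P<ip>\S+) port")


def parse_ts(text):
    """Syslog timestamps carry no year; only differences matter here, so the
    year strptime defaults to is good enough for a single day of log."""
    return datetime.strptime(text, "%b %d %H:%M:%S")


def detect_bruteforce(lines, threshold=5, window_s=60):
    """Return alerts as tuples in log order:
    ("bruteforce", ip, failures_in_window) and
    ("success_after_bruteforce", ip, user)."""
    recent_failures = defaultdict(list)   # ip -> timestamps inside the window
    flagged = set()
    alerts = []
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            ip, ts = m["ip"], parse_ts(m["ts"])
            # Keep only failures still inside the sliding window.
            recent_failures[ip] = [t for t in recent_failures[ip]
                                   if (ts - t).total_seconds() <= window_s] + [ts]
            if len(recent_failures[ip]) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("bruteforce", ip, len(recent_failures[ip])))
            continue
        m = ACCEPTED_RE.match(line)
        if m and m["ip"] in flagged:
            # A guessing source that eventually got in: treat as compromised.
            alerts.append(("success_after_bruteforce", m["ip"], m["user"]))
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(LOG_LINES):
        print(alert)
```

The legitimate user `alice` (one typo, then a key-based login) never crosses the threshold, while the guessing source is flagged on its fifth failure and again when a password login from it succeeds; that second alert is the one that should page someone, because it means the weak-password condition from the first half of the article has already been exploited.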
6. Web application vulnerability protection
We recommend Alibaba Cloud Security WAF to protect against common OWASP vulnerabilities, including SQL injection, XSS, webshell upload, backdoor isolation, command injection, malformed HTTP protocol requests, common web server vulnerability attacks, unauthorized access to core files, path traversal and scanning. Furthermore, users should pay close attention to zero-day patches for application server software (such as Apache, Tomcat and Nginx) and install updates as soon as possible to ensure business security.
Global External Threat and Intelligence Awareness Capabilities
Security is an ever-changing battlefront, and it is of utmost importance to stay ahead of potential attacks and aware of existing vulnerabilities. As IT management professionals, we need to shift from the impossible task of preventing every intrusion to a series of tasks designed to prevent and mitigate loss. While preventive measures are essential, quick response to early warnings is equally critical. To implement quick, precise early warning, we need to be constantly aware of the external environment instead of only looking inward. Therefore, establishing an effective monitoring and detection system is not only crucial to security management and control, but is also the foundation of a secure system policy.