Grundig IT Newsletter
Computing News That You Can Use – April 2021
Ransomware and Phishing: How To Deal With These Threats?
Quote of the Month: “The greatest glory in living lies not in never falling, but in rising every time we fall.” – Nelson Mandela
Ransomware has been more common news in IT circles lately, which is both fortunate and unfortunate. We all hope we will be better protected, more alert, and more ready for any new incoming threats, but unfortunately others had to be hit by the malicious cyberattacks for us to have this preparation. I think it’s important for us to use this opportunity to raise our awareness and readiness. Let’s talk about how infection can occur, how we can prepare and how we can react.
Cyber-infection vectors come in four major varieties: direct infection, remote access, phishing emails, and compromised website attacks. We’ll go over these briefly, but, for the curious, there are a number of good resources about ransomware. Our best sources of information include the Center for Internet Security and the Cybersecurity & Infrastructure Security Agency. The former is a nonprofit organization focused on cyberdefense; the latter is our government agency dedicated to combating cybercriminals.
Phishing is the most common type of encounter – we’ve talked about it on numerous occasions, and you’ve likely heard of it from other sources as well. Phishing is the fraudulent attempt to obtain sensitive information or data, such as usernames, passwords, credit card numbers, or other sensitive details, by posing as a trustworthy entity in a digital communication. Typically carried out by email spoofing, instant messaging and text messaging, phishing often directs users to enter personal information at a fake website that matches the look and feel of the legitimate site. As of 2020, phishing is by far the most common attack performed by cyber-criminals, with the FBI’s Internet Crime Complaint Center recording over twice as many incidents of phishing as any other type of computer crime.
Direct infection is usually done with USB media and removable drives. Oftentimes USB drives can run startup scripts when they are plugged in, which will put the infection on your system. Sometimes those same scripts can be set up to infect other drives plugged in, causing a spreading effect if you transfer data to another computer. Don’t plug strange USB drives into your machines; make sure you trust the source.
Remote access attacks use RDP connections (Remote Desktop Protocol) to gain access to a computer and infect it. Most private users don’t have RDP connections enabled, so this isn’t a concern for them, but a lot of offices and work-from-home sites are vulnerable to this. There are scripts and programs that can scan the internet for vulnerable ports. Once the hackers know there’s an open access port, it’s only a matter of time and brute force for them to gain admin access to your computer. If you have RDP access set up for one of your computers or servers, make sure you have a good access-limiting firewall to keep it safe.
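As an added illustration of the “time and brute force” pattern described above (my own example, not from the newsletter’s cited sources), here is a small detector that flags a source address with a burst of failed RDP logons and notes whether a successful logon from that address followed. The log format and every entry in it are constructed for the example; they are not real Windows event output.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample entries in a simplified key=value rendering of Windows
# Security events: 4625 = failed logon, 4624 = successful logon,
# LogonType 10 = RemoteInteractive (RDP). IPs are from documentation ranges.
SAMPLE_LOG = """\
2021-04-05T10:00:01Z EventID=4625 LogonType=10 SrcIP=203.0.113.5 User=administrator
2021-04-05T10:00:02Z EventID=4625 LogonType=10 SrcIP=203.0.113.5 User=admin
2021-04-05T10:00:03Z EventID=4625 LogonType=10 SrcIP=203.0.113.5 User=root
2021-04-05T10:00:04Z EventID=4625 LogonType=10 SrcIP=203.0.113.5 User=user
2021-04-05T10:00:05Z EventID=4625 LogonType=10 SrcIP=203.0.113.5 User=guest
2021-04-05T10:00:06Z EventID=4624 LogonType=10 SrcIP=203.0.113.5 User=admin
2021-04-05T10:00:30Z EventID=4625 LogonType=10 SrcIP=198.51.100.7 User=jsmith
2021-04-05T10:05:00Z EventID=4624 LogonType=10 SrcIP=198.51.100.7 User=jsmith
2021-04-05T10:10:00Z EventID=4625 LogonType=2 SrcIP=192.0.2.9 User=bob
"""


def parse_line(line):
    """Split one constructed log line into a dict with a parsed timestamp."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def find_rdp_bruteforce(log_text, threshold=5, window=timedelta(minutes=1)):
    """Flag source IPs with >= threshold failed RDP logons inside a sliding
    window; record whether a successful RDP logon from that IP came after."""
    recent = defaultdict(deque)  # src_ip -> timestamps of recent failures
    alerts = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("LogonType") != "10":
            continue  # only RDP (RemoteInteractive) logons matter here
        ip = rec["SrcIP"]
        if rec["EventID"] == "4625":
            q = recent[ip]
            q.append(rec["ts"])
            while q and rec["ts"] - q[0] > window:
                q.popleft()  # drop failures older than the window
            if len(q) >= threshold and ip not in alerts:
                alerts[ip] = {"failures": len(q), "succeeded_after": False}
        elif rec["EventID"] == "4624" and ip in alerts:
            alerts[ip]["succeeded_after"] = True  # burst then success: urgent
    return alerts


if __name__ == "__main__":
    for ip, info in find_rdp_bruteforce(SAMPLE_LOG).items():
        print(ip, info)
```

The single failure from 198.51.100.7 and the local (LogonType 2) failure are not flagged; only the five-failure burst followed by a success is, which is the case worth an immediate firewall block and password reset.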
Compromised websites give rise to ‘drive-by download’ attacks. Compromised websites can be surprisingly numerous, and surprisingly high-profile: the BBC, NFL, and NYT sites have in the past been targeted. The hackers who gain access to those websites can implant malicious code into the advertisements and scripts that run on the site – oftentimes in the background. These types of infections are hard to detect, and are the biggest risk to even the most careful of users. The surest defense against these types of attacks is having a good backup program you can tap into to restore your data.
Let’s take a moment away from the doom and gloom, and talk about the solutions. Take as many precautions as you can, but you should also have a recovery plan. There are numerous ways an infection can slip past even the most careful of users. If ransomware gets into your data, the best thing to have is a clean backup. We’ve talked about backup solutions already, so I won’t repeat myself here on which to choose. More than one is a common suggestion, in fact. Another possibility is the site NoMoreRansom!, maintained by the Netherlands Police and Europol, which holds some unlocking keys for older ransomware attacks, but I wouldn’t rely on them to have the right key if you get ransomed. The best thing you can do is have your own backups and stay alert so you never have to use them.
Tom Grundig – 925.528.9081
For More Information…
Grundig Backup Blog – https://grundigit.com/data-backup-options/