44,000 blackmail incidents by encrypting files in 114 countries - How can we prevent such attacks?
Created#More Posted time:Mar 9, 2017 13:35 PM
According to the “Annual Hotspots: Report on Blackmail by Encrypting Files” released by Kaspersky in December 2016, there had been 114 countries subject to the influence of blackmail by encrypting files by 2016, and over 44,000 ransomware samples had been found.
A study report released by AsiaInfor Security on ransomware risk also shows that the quantity of ransomware spreading over the world in recent ten months has increased by 15 times, and that in China has increased by over 67 times.
As shown in the figure above, if an enterprise is blackmailed, it will be demanded to make a ransom; or otherwise the encrypted files will no longer be unlocked. Foreign researchers also found that some ransomware targeted at Linux servers, and some new ransomware had integrated DDoS function.
Since ransomware started to spread, the Alibaba Cloud Security Team has advised security reinforcement and emergency to cloud-based users, researched and developed ransomware virus checking and killing features, involved white hats to “give suggestions and solutions” and joined hands with the white hats to prevent occurrence of such blackmail and protect business security.
As a corporate information manager or security or technological operation officer, have you ever been blackmailed? How can we effectively prevent occurrence of such blackmail?
This topic is presented for us to air our views on what and how enterprises may do to enhance the security and guarantee the security and stability of cloud-based businesses.
• Have you or any of your friends ever been blackmailed?
• Do you think there is no alternative but to pay ransoms?
• What preventive measures have you ever taken and how about the effect?
• You may share your experience, give suggestions or propose resort for common discussion.
1st Reply#Posted time:Mar 17, 2017 9:58 AM
The company has two servers. Both were ever attacked by hackers, and experienced a violent cracking. As cloud-based servers are becoming more popularly used, security problems are also emerging. Problems occurring in the company may be well solved by using Alibaba Cloud. The specific methods will not be exhausted here. Anyhow, it is critical that server users shall secure their own use; or otherwise willing server operators will be unable to render assistance. Besides, users shall download and use software such as Putty from corresponding official websites. Still another point is the security consciousness of outsider leaders who may turn a deaf ear to suggestions.
Personal opinion 1
Deployment of a fault-tolerant architecture by combining container technology and distributed architecture may indirectly improve the overall robustness of a server by exposing points other than surface to attacks.
Personal opinion 2
Faults exist everywhere, and maintenance of servers is not an exception. Therefore, it is also a protection of security by preparing contingency plans and conduct self repairing.
2nd Reply#Posted time:Mar 16, 2017 9:46 AM
I ever paid an eye on Cerber virus when it was the 3rd version (now it may have evolved to the nth (n>=3) version), and one of corporate leaders also had his computer attacked by the virus of the version. A method available online for cracking this virus was to find the encrypted file and decrypt it. It was said that the process was long, and a ransom of one Bitcoin (about 3,000 yuan) was claimed for the decryption key. For general users, they may not even know how to use a Bitcoin.
I have the habit of make backups. Even if my computer were attacked by the virus and I had no backup, the virus maker would not have gotten any ransom from me, as I do not want to be a financial source of such virus makers! If I compromise, there might be more people exposed to attack by the virus.
My computer often runs without any anti-virus software. Though it has ever been attacked by minor viruses for several times, that is not a big deal. I do not install anti-virus software in my computer because I am conscious about protection against viruses on one hand, and on the other hand, running anti-virus software will occupy some system resource in my computer, causing low performance. Nevertheless, that does not mean I suggest everyone do that same as I do!
For protection against viruses, I often use the following methods:
1. Enable the UAC of the system. Though frequent popups may be boring, this will be more useful if the computer becomes subject to any malware or virus.
2. Do not click any unknown link, particularly links prompted by the browser as unsafe, unless you know what the link directs to.
3. Crack software shall be tested on a virtual machine or a sandbox as far as possible before being installed in your computer; when testing on a virtual machine, do not install vmtools, as many viruses will detect the running environment.
4. For users of low security consciousness, it is advisable to install anti-virus software. As to which type of anti-virus software to use, you may choose as you like.
3rd Reply#Posted time:Mar 15, 2017 9:10 AM
Ransomware often attacks computers whose users are of low security consciousness. For own servers, it is necessary to learn how to attack and invade a computer, so as to be better at protection in this aspect. Cloud services have largely promoted the security factor. Products such as the security shield of Alibaba Cloud may resist an absolute majority of invasion.
Attack and defense are just opposite to each other. Before learning how to defend, one shall first learn how to attack. Learning about attack is for better defense other than causing damage.
4Floor#Posted time:Mar 14, 2017 10:11 AM
As the saying goes: any occurrence must have a cause, the most important is the awareness of network security. I still remember a foreign hacker who had invaded computers in multiple embassies ever said in an interview that he would just do some simple injections. I think his words quite told the truth, and attacks are nothing more than injections, cross-site attacking, blasting and loophole utilization. Take a server for example. No matter how fairly strong WAF it has, the use of a weak password for a protocol will provide an easy access for hackers. For protection of personal computers, there might be different views from different people. Use of a virtualized machine to have snapshots of several key nodes and putting important files on a read-only encrypted disk will serve as protection to some extent, but unavoidable artificial behavior or negligence may also subject the computers to attacks. In addition, running non-trusted executable files and documents in a sandbox is also a good method. In short, for security, we shall never be bothered to take any trouble. For protection with respect to servers, it cannot be exhaustively described in a few words, but it will be wise to use service from large service providers (such as Alibaba Cloud); otherwise, the best efforts in security of your server may result in nothing once the IDC is hacked. Using strong CMS, turning off unnecessary external ports and avoiding use of any weak password are dispensable for enhancement of server security. If you keep an eye on loophole reports, respond the first time to loopholes and analyze the impact of such loopholes on your server environment, you may become quite an expert of network security even though you are not a security engineer after your QQ account is stolen or your server is hacked. As the saying goes, “one may be harmed in a dangerous environment”. What is the most important is to have security consciousness rather than relying on external protection.
5Floor#Posted time:Mar 13, 2017 9:23 AM
To pay ransoms or not has become a dilemma for many blackmailed users. Commonly, security experts will suggest users not make the payments, as such payments may further such crimes and make virus writers more rampant.
In fact, when an enterprise becomes subject to ransomware and finds that many key files are encrypted by the ransomware, if there is no other way more effective than paying an acceptable amount of ransom to retrieve the files, it will probably make the payment.
However, payment of ransom does not necessarily secure provision of the decryption key by the virus writer. This is particularly common in China. A while ago, there was an iPhone user in a QQ group had his device locked by a hacker, and he paid a ransom amounting to 500 yuan for unlocking the phone. But after the payment, the hacker demanded further amount for another reason.
So if you have no other way than pay a ransom to a virus writer for the decryption key, but after the payment you do not get the key and the writer demands further payment, no further payment shall be paid in any way.
Extortion is a violation of criminal law. However, a cyber extortion is commonly done across borders, which, plus payment by using virtual currency, is hard to be tracked down.
So I suggest users be more conscious about network security. Without security consciousness, protection with anti-virus software will not be so effective.
6Floor#Posted time:Mar 10, 2017 9:12 AM
Several days ago, I encountered a security problem. It was a server with Redis. I started the server directly with the root account for testing, and did not think too much about what would occur to the side of users; however, I forgot to turn the server off after testing, and the most unfortunate was that I had not set any password. Sadly the root permission was obtained by others, but lucky for me this was found early.
I have taken the following remedial measures
1. Set a password for access to the Redis service.
2. Switch to an uncommonly used port to avoid scans by automated tools.
3. Add a firewall to prevent access to the Redis port from any other IP address other than my server IP address.
4. It occurs to me that Alibaba Cloud provides separate server service from bandwidth service, which may prevent the risk of invasion from the internet.
5. I think services at the server end shall be considered when a project is under development, just like Alibaba. This will be the most effective way to prevent security problems and reduce pressure of the operation staff.