A new type of malware resorts to crippling a computer if it is detected during security checks, a particularly catastrophic blow to its victims. The malware, nicknamed Rombertik by Cisco Systems, is designed to intercept any plain text entered into a browser window. It is being spread through spam and phishing messages, according to Cisco’s Talos Group blog on Monday. Rombertik goes through several checks once it is up and running on a Windows computer to see if it has been detected. That behavior is not unusual for some types of malware, but Rombertik “is unique in that it actively attempts to destroy the computer if it detects certain attributes associated with malware analysis,” wrote Ben Baker and Alex Chiu of the Talos Group.

Such “wiper” malware has been used in the past, notably against South Korean targets in 2013 and against Sony Pictures Entertainment last year, an attack attributed to North Korea by the U.S. government. The last check Rombertik does is the most dangerous one. It computes a 32-bit hash of a resource in memory, and if either that resource or the compile time had been changed, Rombertik triggers self-destruct.

It first aims for the Master Boot Record (MBR), the first sector of a PC’s hard drive that the computer looks to before loading the operating system. If Rombertik doesn’t have access to the MBR, it effectively destroys all of the files in a user’s home folder by encrypting each with a random RC4 key.

Once either the MBR or the home folder has been encrypted, the computer restarts. The MBR enters an infinite loop that stops from the computer from rebooting. The screen reads “Carbon crack attempt, failed.”When it first gets installed on a computer, it unpacks itself. Around 97 percent of the content of the unpacked file is designed to make it look legitimate and is composed of 75 images and 8,000 decoy functions that are never used.“This packer attempts to overwhelm analysts by making it impossible to look at every function,” Talos wrote.

It also tries to avoid sandboxing, or the practice of isolating code for a while until it has checked out. Some malware tries to wait out the period it is in a sandbox, hoping the sandbox period will time out and it can wake up. Rombertik stays awake, however, and writes one byte of data to memory 960 million times, which complicates analysis for application tracing tools.

“If an analysis tool attempted to log all of the 960 million write instructions, the log would grow to over 100 gigabytes,” Talos wrote.

It first aims for the Master Boot Record (MBR), the first sector of a PC’s hard drive that the computer looks to before loading the operating system. If Rombertik doesn’t have access to the MBR, it effectively destroys all of the files in a user’s home folder by encrypting each with a random RC4 key.

Once either the MBR or the home folder has been encrypted, the computer restarts. The MBR enters an infinite loop that stops from the computer from rebooting. The screen reads “Carbon crack attempt, failed.”

When it first gets installed on a computer, it unpacks itself. Around 97 percent of the content of the unpacked file is designed to make it look legitimate and is composed of 75 images and 8,000 decoy functions that are never used.“This packer attempts to overwhelm analysts by making it impossible to look at every function,” Talos wrote.

It also tries to avoid sandboxing, or the practice of isolating code for a while until it has checked out. Some malware tries to wait out the period it is in a sandbox, hoping the sandbox period will time out and it can wake up. Rombertik stays awake, however, and writes one byte of data to memory 960 million times, which complicates analysis for application tracing tools.

“If an analysis tool attempted to log all of the 960 million write instructions, the log would grow to over 100 gigabytes,” Talos wrote.

HOW TO PREVENT?

1. Backup Your Systems, Locally & In The Cloud

  • The first step to take is to always back up your system. Locally, and offsite.
  • This is essential. First, it will keep your information backed up in a safe area that hackers cannot easily access. Secondly, it will make it easier for you to wipe your old system and repair it with backup files in case of an attack.
  • Failure to back up your system can cause irreparable damage.
  • Use a cloud backup solution to protect your data. By protecting your data in the cloud, you keep it safe from infection by ransomware. Cloud backups introduce redundancy and add an extra layer of protection.
  • Have multiple backups just in case the last back up got overwritten with encrypted ransomware files.

2. Segment Network Access

  • Limit the data an attacker can access. With dynamic control access, you help ensure that your entire network security is not compromised in a single attack. Segregate your network into distinct zones each requiring different credentials.

3. Early Threat Detection Systems

  • You can install ransomware protection software that will help identify potential attacks. Early unified threat management programs can find intrusions as they happen and prevent them. These programs often offer gateway antivirus software as well.
  • Use a traditional firewall that will block unauthorized access to your computer or network. Couple this with a program that filters web content specifically focused on sites that may introduce malware. Also, use email security best practices and spam filtering to keep unwanted attachments from showing up in your email inbox.
  • Windows offers a function called Group Policy that allows you to define how a group of users can use your system. It can block the execution of files from your local folders. Such folders include temporary folders and the downloads folder. This stops attacks that begin by placing malware in a local folder that then opens and infects the computer system.
  • Make sure to download and install any software updates or patches for systems you use. These updates improve how well your computers work, and they also repair vulnerable spots in security. This can help you keep out attackers who might want to exploit software vulnerabilities.
  • You can even use software designed to detect attacks after they have begun so the user can take measures to stop it. This can include removing the computer from the network, initiating a scan, and notifying the IT department.

4. Install Anti Malware / Ransomware Software

  • Don’t assume you have the latest antivirus to protect against ransomware. Your security software should consist of antivirus, anti-malware, and anti-ransomware protection.
  • It is also crucial to regularly update your virus definitions.

5. Run Frequent Scheduled Security Scans

  • All the security software on your system does no good if you aren’t running scans on your computers and mobile devices regularly.
  • These scans are your second layer of defense in the security software. They detect threats that your real-time checker may not be able to find.

6. Create Restore & Recovery Points

  • If using windows, go to the control panel and enter in System Restore into the search function. Once you’re in System Restore, you can turn on system protection and create regular restore points. You should also create restore points.
  • In the event you are locked out, you may be able to use a restore point to recover your system.

7. Train Your Employees and Educate Yourself

  • Often, a ransomware attack can be traced back to poor employee cyber security practices.
  • Companies and individuals often fall victim to ransomware because of a lack of training and education.
  • Ransomware preys on a user’s inattentiveness, expecting an anti-ransomware program to do their jobs for them. Nothing protects a system like human vigilance.
  • Employees should recognize the signs of a phishing attack. Keep yourself and your employees up-to-date on the latest cyber-attacks and ransomware. Make sure they know not to click on executable files or unknown links.
  • Regular employee security awareness training will remind your staff of their roles in preventing ransomware attacks from getting through to your systems.
  • Stress the importance of examining links and attachments to make sure they are from a reliable source. Warn staff about the dangers of giving out the company or personal information in response to an email, letter, or phone call.
  • For employees who work remotely, make it clear that they should never use public Wi-Fi because hackers can easily break in through this kind of connection.
  • Also, make it clear that anyone reporting suspicious activity does not have to be sure a problem exists. Waiting until an attack is happening can mean responding too late. Have an open door and encourage employees to express concerns.

8. Enforce Strong Password Security

  • Utilize a password management strategy that incorporates an enterprise password manager and best practices of password security.
  • According to background check service Instant Checkmate, 3 out of 4 people use the same password for multiple sites. More staggering is that one-third use a significantly weak password (like abc1234 or 123456. Use multiple strong passwords, especially for sensitive information.

9. Think Before Clicking

  • If you receive an email with the attachments .exe, .vbs, or .scr, even from a “trusted” source, don’t open.
  • These are executable files that are most likely not from the source you think it’s from. Chances are the executables are ransomware or a virus. Likewise, be especially vigilant with links supposedly sent by “friends,” who may have their addresses spoofed. When sent a link, be sure the sending is someone you know and trust before clicking on it. Otherwise, it may be a link to a web page that may download ransomware onto your machine.

10. Set Up Viewable File Extensions

  • Windows allows you to set up your computers to show the file extensions when you look at a file. The file extension is the dot followed by three or four letters, indicating the type of file.
  • So, .pdf is a PDF file, .docx is a Window’s Word document, etc. This will allow you to see if the file is an executable, such as a .exe, VBS, or .scr. This will reduce the chance of accidentally opening a dangerous file and executing ransomware.
  • computer system and data that was not protected from ransomware

11. Block Unknown Email Addresses and Attachments On Your Mail Server

  • Start filtering out and rejecting incoming mail with executable attachments. Also, set up your mail server to reject the addresses of known spammers and malware.
  • If you don’t have a mail server in-house, be sure that your security services can at least filter incoming mail.

12. Add Virus Control At The Email Server Level

  • Most attacks start with a suspicious email that a victim is fooled into the opening. After opening it or clicking on a link, the virus is unleashed and can do its dirty work.
  • Installing anti-virus and malware software on your email server can act as a safeguard.

13. Apply Software and OS patches ASAP

  • Malware often takes advantage of security loopholes and bugs within operating systems or software. This is why it is essential to install the latest updates and patches on your computers and mobile devices.
  • Staying with archaic versions is a guaranteed way of making your systems and their data a target. For example, the ransomware worm, WannaCry, took advantage of a security breach in older versions of Windows, making computers that had not been patched vulnerable. WannaCry spread through the Internet, infecting computers without a patch — and without user interaction. Had the companies that were attacked by WannaCry kept their computer operating systems up to date, there would’ve been no outbreak. A costly lesson for users and companies.

14. Block Vulnerable Plug-Ins

  • There are many types of web plug-ins that hackers use to infect your computers. Two of the most common are Java and Flash. These programs are standard on a lot of sites and may be easy to attack. As a result, it is important to update them regularly to ensure they don’t get infected by viruses.
  • You may even want to go the extra step of completely blocking these programs.

15. Limit Internet Connectivity

  • If you have genuinely critical data, your next step may be keeping your network private and away from the Internet entirely.
  • After all, if you don’t bring anything into your network, your computers are unlikely to have ransomware downloaded to them. This may be impractical seeing that many companies rely on the Internet and email to do their business, but keeping Internet access away from critical servers may be a way to combat ransomware and viruses.