We are only three months into 2016, and it is already looking like a ransomware year. Malicious actors, like savvy investors, are diversifying their portfolio. The long-standing belief that Microsoft Windows was the stock of stocks that paid out dividends by the truckload is still a trusted, viable option - but there are new, better, and more prolific arenas, full of ripe, unsuspecting users. Fresh meat for the cybercrime grinder.
We are part of a generation that becomes more accustomed to - and, dare I say it, dependent on - technology with each passing moment, and ransomware has ventured into nearly every aspect of our digital lives. Mobile phones and tablets are a high-value target, and to some are probably more valuable than their computer. Windows is now just another option in the list of potential targets. The Apple OS X operating system, for a long time, was touted as virus free until more and more malware authors started targeting this platform. Lastly, the Grand Poohbah of them all, Linux, fell into the ranks along with the others. This once-thought-untouchable environment has quietly had its fair share of security problems over the years.
Some of you may be thinking, “What’s the point already? I know this. Be mindful of downloaded apps and applications, keep backups of my stuff, backups of the backups, check permissions, check sources, yada yada yada. Heard it all before, been there, done that, living that.” If you are doing this – great! If you are not, I suggest you read any one of the articles written by my colleagues on the subject of ransomware. It should help put the “why” into perspective.
Once a computer or device is held for ransom, it is natural to be focused on the immediate threat at hand. As a victim of ransomware, who wouldn’t have the reaction of, “All of my stuff is encrypted and someone is demanding money! I have to click on this link for payment instructions! I don’t have time to think of someone else! MY STUFF IS ENCRYPTED! Are you not listening? Do you not understand the words coming out of my mouth? It’s gone, all gone!!!”
Sound familiar? How many of you have muttered these words, or something similar, possibly using language not suitable for TV? But consider the link that conveniently gives you instructions to make payments or allow decryption of a few files as proof-of-life. More than likely the instructional information or remote decryption process is hosted on a compromised server.
These are what I like to call the “Second Victim.” The Second Victim - as a whole - are the indirect, unknown, and unsuspecting contributors to a malevolent undertaking.
The administrators of such servers are probably unaware that their server is compromised, let alone being used as a cog in a ransomware machine. They are an intended consequence in the grand scheme, and when their run comes to an end, those admins are usually the first stop in the investigative process. The admins lack the necessary information to track the true perpetrator because it was deleted, forged, or modified to point them in the wrong direction. The lack of information at best delays the process of answering critical questions and, at worst, stalls it completely. The bad guys know this and hope your reluctance to patch your systems will continue to work in their favor. Unpatched servers are nothing new in the information security industry. It is something security professionals mention in meeting after meeting. Servers need to be patched or else very bad things will happen. Some listen, but often action is not taken until the very bad thing does happen.
With the introduction, and tremendous popularity, of virtual hosting and cloud providers, organizations are able to expand their infrastructure globally and exponentially. This creates a misconceived opportunity for patch management to become a lesser priority, since the equipment is located offsite and is maintained by another entity. True, it is up to the provider to make sure the equipment is running and is accessible, but it is the administrator’s responsibility to ensure it is secure and up-to-date.
Many cloud and virtual systems are built as turn-key, ready-to-go, out of the box and need no additional configuration. Just push a button and, presto! Instant LAMP server. Your site can literally be up and running in minutes. Meanwhile, your server could be running severely outdated versions of PHP and/or Apache, depending on the Linux distribution and version. The next time you think about skipping those critical updates, or assume no one will notice that PHP 4.0.1 is running, try to remember this statement: Malicious actors and malware authors know this about your systems and use it to their advantage, procuring your misconfigured, forgotten, and dilapidated equipment for their malicious profit and gain, all at your expense. Enjoy.
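A small audit script, added here as an example rather than anything from the original post, shows the kind of check an administrator of a turn-key LAMP image can run to catch the "PHP 4.0.1 is still running" situation described above. It parses the banners that `php -v` and `apachectl -v` print, compares the version found against a policy floor, and fails closed when a banner cannot be parsed. The sample banners and the floor versions (PHP 5.6, Apache 2.4) are assumptions of this example, not figures from the post; set the floor from your own patch policy.

```python
import re
import subprocess
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Constructed sample banners in the shape `php -v` and `httpd -v` print them.
# They are made up for this example, not captured from a real server.
SAMPLE_BANNERS: Dict[str, str] = {
    "php": "PHP 4.0.1 (built: Jun 28 2000 12:00:00)\n"
           "Copyright (c) 1997-2000 The PHP Group",
    "apache": "Server version: Apache/2.2.15 (Unix)\n"
              "Server built:   Mar 22 2010 05:27:13",
}

# Policy floor per component. These numbers are an assumption of this example
# (the post names no minimum); take them from your own patch policy.
MINIMUM_VERSIONS: Dict[str, Version] = {
    "php": (5, 6, 0),
    "apache": (2, 4, 0),
}

# Commands that produce the banners on a live host (hypothetical names for
# the components, the commands themselves are the standard ones).
BANNER_COMMANDS: Dict[str, List[str]] = {
    "php": ["php", "-v"],
    "apache": ["apachectl", "-v"],
}

# First "major.minor[.patch]" token in a banner; a missing patch level is 0.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(banner: str) -> Optional[Version]:
    """Extract the version triple from a php/httpd style banner, or None."""
    match = _VERSION_RE.search(banner)
    if match is None:
        return None
    major, minor, patch = match.groups()
    return (int(major), int(minor), int(patch or 0))


def check_component(name: str, banner: str) -> dict:
    """Compare one component's banner against its policy floor."""
    found = parse_version(banner)
    floor = MINIMUM_VERSIONS[name]
    return {
        "component": name,
        "found": found,
        "minimum": floor,
        # An unparseable banner is reported as a finding: fail closed.
        "outdated": found is None or found < floor,
    }


def audit(banners: Dict[str, str]) -> List[dict]:
    """Return the components below the floor, sorted by component name."""
    results = (check_component(name, text) for name, text in banners.items())
    return sorted((r for r in results if r["outdated"]), key=lambda r: r["component"])


def collect_banners() -> Dict[str, str]:
    """Run the real binaries where present; components not installed are skipped."""
    banners: Dict[str, str] = {}
    for name, cmd in BANNER_COMMANDS.items():
        try:
            proc = subprocess.run(cmd, capture_output=True, text=True, check=False)
        except FileNotFoundError:
            continue
        banners[name] = proc.stdout + proc.stderr
    return banners


if __name__ == "__main__":
    # Use live banners when the binaries exist, otherwise the constructed sample.
    live = collect_banners() or SAMPLE_BANNERS
    for finding in audit(live):
        print(f"{finding['component']}: found {finding['found']}, "
              f"policy minimum {finding['minimum']}")
```

Run on a host, the script reports only the components that sit below the floor; a component whose banner cannot be parsed at all is reported too, since an unknown version is not evidence of a patched one. Coupling a check like this to the image build or to a scheduled job is what turns "servers need to be patched" from a meeting talking point into something that actually fires.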