Ransomware in India – Time to Take Action

[ Editor's Note: This is a cross post of the Author's Blog ]

Ransomware has come to India in force, but India has yet to fully wake up to the problem. India is among the top five countries in the world affected by ransomware and the third most attacked in Asia. How prevalent is it, and are the Indian government and the country ready to face this new cyber threat? They had better be soon, as cyber criminals are now targeting Indian government servers, small businesses, the Indian banking sector – and even individuals.

In India, 11,674 users were attacked by TeslaCrypt ransomware during March-May 2016, while 564 users were attacked by Locky ransomware during the same period.

Locky is a Windows ransomware infection that was released in the middle of February 2016 and affects all versions of Windows. TeslaCrypt ransomware is now defunct: its master key was released by the developers and a free decryption tool is now available on the internet. An Android ransomware named Lockdroid is also making its presence felt in the Android smartphone segment. Samas too has hit India.

According to statistics released by Symantec, the main targets other than Indian government servers are Internet of Things devices and Android smartphone users. Along with Lockdroid, FLocker, a mobile lock-screen ransomware, is also threatening Android-powered smart TVs, says Trend Micro. Wearables could well be the next category to be targeted.

As per data from Kaspersky Labs, state-wise, Karnataka tops the list of ransomware infections; the percentages are as follows:

  • Karnataka – 36.58 %
  • Tamil Nadu – 16.72 %
  • Maharashtra – 10.86 %
  • Delhi – 10.00 %
  • West Bengal – 6.70 %
  • Uttar Pradesh – 5.33 %
  • Telangana – 4.54 %
  • Kerala – 3.87 %
  • Gujarat – 2.35 %
  • Haryana – 1.96 %

The Internet population in India as of the end of June 2016 is around 462 million people. With such a large user base that does not even take online privacy seriously, let alone ransomware, it is all gold for the cybercriminal.

In January 2016, several IT admins received an email. Four of them – three working in different banks and one in a pharmaceutical company – took the bait, infected their systems and had their files encrypted by LeChiffre ransomware. Once this happened, the four received an email demanding that they hand over 1 Bitcoin (INR 33,000 or USD 450 approximately) for each PC if they wanted to unlock their company data.

In May 2016, two large Indian business houses were reported to have paid around $5 million after they found that their systems were compromised. The attackers, said to be operating from the Middle East, threatened to leak information to the Indian government if the ransom wasn’t delivered. Both paid up.

The Revenue Department of the Govt. of Maharashtra – one of the biggest states in India – was attacked in May 2016. The attack crippled more than 150 computers. It was found that the Locky ransomware struck the main server, propagated to other computers on the network and demanded payment in virtual currencies such as Bitcoin.

Two of India's flagship projects, E-governance and Smart Cities, are in full swing. E-governance means servers and mirrors running round the clock: online complaints, online registrations and even online direct debits for citizens. Cyber-criminals won’t think twice before encrypting the data of such people. The government wants citizens to benefit, but if their IDs, bank details and other records are destroyed, it could be a huge mess – completely derailing the system.

Smart Cities concepts are based completely on the Internet of Things. All things in a smart city are connected to each other and also to a central point that connects them to other smart cities. The irony, however, is that computers in government offices are still running the outdated Windows XP! In such cases, it would be easy for a cybercriminal to take control of an entire city.

If we look at the whole picture, the threat of ransomware in India is high, partly because of an ostrich mentality and partly because institutions don’t want to invest more in cybersecurity. People are still using outdated operating systems, are not very alert when it comes to clicking on web links, and do not even take basic precautions while opening email attachments.

As per the recent "Ransomware: Actionable Advisory" (http://www.confidis.co/ransomware-actionable-security-advisory/) released on July 25 by Confidis (http://www.confidis.co), individuals and organizations can take proactive steps to counter the threat.

How can I avoid getting hit by Ransomware?

The best way to protect yourself and prevent ransomware attacks is to regularly back up your data to a different location, use a good anti-ransomware tool and a fully updated modern operating system, ensure that all your installed software, especially your security software and browser, is updated to the latest version, and exercise caution while clicking on any web link or opening email attachments.

As with every other cyber threat, you can never totally eliminate the risk, but you can significantly reduce the chances of getting affected by following some simple steps:

Action to be Taken by Computer Users

  • Be wary and sceptical of unsolicited email that demands immediate action even from well-known and reputable companies or government agencies, including well-designed but counterfeit invoices and failed courier delivery notices or claims of illegal activity.
  • Don’t click on links or attachments in email from unfamiliar sources or that seem suspicious—call the source to confirm authenticity.
  • Maintain up-to-date Security (Anti-Virus) software.
  • Practice safe online behaviour.
  • Avoid visiting porn sites and pirate sites, and downloading pirated software and other media.

Action to be taken by CIO/

  • Awareness: Ransomware, like most other malware, relies heavily on the average end-user’s lack of technical knowledge to facilitate its infiltration and execution. Arming personnel with critical knowledge, as well as implementing corporate policy governing web-surfing and email procedures, may reduce the chances of a phishing scam or drive-by download being successful. Be sure to provide basic end-user awareness training regarding typical phishing e-mail campaigns and the “do’s and don’ts” of general web-surfing and corporate email.
  • Backup, verify: All important documents and files must be backed up on a regular, ongoing basis. Don’t just back up; verify your backups to ensure that they can indeed be restored when required. Ensure backups are not connected to the computers and networks they are backing up. Remember that replication of your data to a remote system or the cloud is not the same as taking offline backups. There have been cases where ransomware has managed to infect both the primary and secondary servers. Backups are critical in a ransomware incident; if you are infected, backups may be the best way to recover your critical data.
  • Email filtering: Be vigilant and aggressive in blocking file extensions via email. While blocking *.js, *.wsf, or scanning the contents of *.zip files may be in place as basic filtering functions, there remain further avenues to explore. Consider screening and filtering *.zip files outright if there is no requirement to allow them.
  • Segmentation: Categorize data based on organisational value and implement physical/logical separation of networks and data for different organisation units. For example, sensitive research or business data should not reside on the same server and/or network segment as an organisation's e-mail environment.
  • Additional authentication for risky websites: Require user interaction for end user applications communicating with websites un-categorised by the network proxy or firewall. Examples include requiring users to type information or enter a password when their system communicates with a website un-categorised by the proxy or firewall.
  • Workstation Protection
    • Install ad-blockers and script-blockers as standard programs for all workstations. Drive-by malware is increasing exponentially and is extremely prominent in today’s ecosystem. Blocker solutions help to cut off this vector of infection.
    • Implement application white-listing. Only allow systems to execute programs known and permitted by security policy.
    • Use virtualisation environments to execute operating system environments or specific programs.
    • Patch the operating system, software, and firmware on devices. All endpoints should be patched as vulnerabilities are discovered. This can be made easier through a centralised patch management system.
    • Ensure anti-virus and anti-malware solutions are set to automatically update and regular scans are conducted.
    • Manage the use of privileged accounts. Implement the principle of least privilege. No users should be assigned administrative access unless absolutely needed. Those with a need for administrator accounts should only use them when necessary, and they should operate with standard user accounts at all other times.
    • Implement least privilege for file, directory, and network share permissions. If a user only needs to read specific files, they should not have write access to those files, directories, or shares. Configure access controls with least privilege in mind.
    • Disable macro scripts in Office files transmitted via e-mail. Consider using Office Viewer software to open Microsoft Office files transmitted via e-mail instead of full office suite applications.
    • Implement Software Restriction Policies (SRP) or other controls to prevent the execution of programs in common ransomware locations, such as temporary folders supporting popular Internet browsers, or compression/decompression programs, including those located in the AppData/LocalAppData folder.
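As an added example (not from the advisory or the original post) of the email filtering and macro-blocking advice above, here is a small Python attachment screen of the kind a mail gateway would run: it flags attachments with blocked script extensions, looks inside zip archives and Office Open XML documents, and treats an embedded vbaProject.bin part as a macro indicator. The extension sets and the sample phishing mail are constructed assumptions, not values from the page.

```python
import email
import io
import os
import zipfile
from email import policy
from email.message import EmailMessage
from typing import Dict, List

# Assumption: tune these sets to your environment. Office Open XML files are
# zip containers; a vbaProject.bin part inside one means the document has macros.
BLOCKED_EXT = {".js", ".jse", ".wsf", ".vbs", ".hta", ".exe", ".scr"}
OFFICE_EXT = {".docx", ".docm", ".xlsx", ".xlsm", ".pptx", ".pptm"}

def inspect_attachment(filename: str, data: bytes) -> List[str]:
    """Return the reasons to block this attachment; an empty list means allow."""
    reasons, ext = [], os.path.splitext(filename.lower())[1]
    if ext in BLOCKED_EXT:
        reasons.append(f"blocked extension {ext} ({filename})")
    if ext == ".zip" or ext in OFFICE_EXT:  # look inside the container
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    if os.path.splitext(member.lower())[1] in BLOCKED_EXT:
                        reasons.append(f"archive {filename} contains {member}")
                    if member.lower().endswith("vbaproject.bin"):
                        reasons.append(f"{filename} contains a VBA macro project")
        except zipfile.BadZipFile:
            reasons.append(f"{filename} is not a valid zip container")
    return reasons

def screen_message(raw: bytes) -> List[str]:
    msg = email.message_from_bytes(raw, policy=policy.default)  # parse RFC 822 bytes
    return [r for part in msg.iter_attachments()
            for r in inspect_attachment(part.get_filename() or "",
                                        part.get_payload(decode=True) or b"")]

def make_zip(members: Dict[str, bytes]) -> bytes:  # in-memory zip for samples
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()

def sample_phish() -> bytes:
    """Constructed phishing-style mail: an 'invoice' zip that really holds a .js file."""
    msg = EmailMessage()
    msg["Subject"] = "Invoice overdue - immediate action required"
    msg.add_attachment(make_zip({"invoice_2016.pdf.js": b"// placeholder"}),
                       maintype="application", subtype="zip", filename="invoice.zip")
    return msg.as_bytes()
```

A real gateway would quarantine the message and log the returned reasons rather than just computing them; the double extension in the sample (.pdf.js) is exactly the trick the extension check on the inner member name catches.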

India is on the road to economic progress and as a result, the ferocity and frequency of ransomware attacks are expected to increase exponentially. It will take a couple of harsh attacks before organisations and the government realise the gravity of the situation and move towards safeguarding their digital assets.
