Angler exploit kit targets up to 156 million UK Mail Online readers – expert comments

The Angler exploit kit has compromised the Daily Mail’s online domain, potentially exposing up to 156 million readers a month to malicious advertising. The security firm Malwarebytes discovered the Mail Online attack, in which malicious ads redirected readers to the Angler exploit kit. The Angler exploit kit infects computers with ransomware, which locks your computer until you pay a fee.

@DFMag has received several comments from a wide range of industry experts on this topic, which are as follows:

Tony Berning, senior manager, OPSWAT;

“To protect against ransomware, users must back up their data regularly. In addition to this, an important defence against ransomware is the use of multiple anti-virus engines to scan for threats. With over 450,000 new threats emerging daily, anti-malware engines need to detect new threats continuously, and will inevitably address different threats at different times. A single engine will not be able to detect 100% of threats. However, by using multiple anti-malware engines, companies can benefit from several detection algorithms and heuristics to significantly increase the malware detection rates, as well as their protection against new threats. With multi-scanning, only one engine needs to detect the threat in order for a company to be protected.”

Richard Cassidy, technical director EMEA, Alert Logic;

“Recovering from these types of malware campaigns will rely largely on whether you employ a good backup policy for your data and preferably entire system backups (as opposed to specific folders or files). Failing that, then it’s a case of either accepting your data loss, paying the bitcoin ransom (and then hoping that your data is de-encrypted) or having a go at breaking the encryption algorithm and hoping for the best!

Users need to be vigilant in their online activities and in receipt of attachments from untrusted and unverified sources. Unfortunately ransomware can be one of the most debilitating attacks, especially where data is not backed up regularly to another secure destination.”

Simon Crosby, co-founder and CTO, Bromium;

“Ransomware variations have been doubling every year for the past two years, and continue to pose a significant threat to individuals and organisations. Crypto-ransomware families are in a rapid ‘growth’ phase, with BitCoin as the desired currency for ransom and TOR as the desired channel to communicate – making them increasingly hard to detect or trace. They commonly employ real-world cryptography using either WinCrypto or statically linked OpenSSL which makes it impossible to decrypt without a key. Many variants also attempt to delete shadow copies and backups; and sometimes kernel exploits (such as CVE-2013-3660) are used to gain administrator privileges. Some of the more advanced families use encrypted communication such as HTTPS or relaying their C&C protocol over TOR; and include the ability to infect removable media and network shares. All this leads to the conclusion that the only meaningful way to prevent these attacks is to isolate them. You can simply make them irrelevant through microvirtualization. If the ransomware detonates in an isolation container it can encrypt whatever it likes, because it’s not encrypting anything you care about; just a tiny VM that was created for it. Don’t play a game when the other team is infinitely better equipped than you. Change the game so that they can no longer play.”

Rahul Kashyap, chief security architect, Bromium;

“Ransomware is a particularly nasty form of malware because, once you are hit with its encryption, your files are toast. Anti-virus can’t do anything to bring those encrypted files back to you. I only expect this trend to continue because it is so effective.

This increase in ransomware highlights the importance of best practices, such as endpoint protection and external data back-ups. Many times, when you are hit with ransomware it is impossible to get your files back because the payment processing may fail or the encryption keys may not work – not to mention the danger of providing your credit card number to these attackers. The ransomware trend will only continue if those infected continue to pay the ransom. We cannot encourage this behaviour, so we suggest these ransoms are not paid.”

Fraser Kyne, principal systems engineer, Bromium;

“Ransomware will continue to cause significant problems for many organisations, simply because their IT security mechanisms fail to protect them. Modern threats need modern and innovative solutions. It is not enough to go through a continual ‘pay-up or wipe’ loop as these attacks become ever more popular. We also need to ask ourselves this question:

“If we have ransomware that is TELLING us we’ve been hit because it wants our money, what does that reveal about our vulnerability to more covert attacks too?”

Gavin Reid, VP of threat intelligence, Lancope;

“If the recent high profile attacks on organisations have shown us anything, it is that many organisations have critically underspent in security preparedness. Even attacks easier to defend against have been successful. Organisations need to invest in security maturity in basics like patching, security controls and incident detection and response. Recovery from ransomware is made much easier if the organisation has robust backup and restore programs.”

TK Keanini, CTO, Lancope;

“Ransomware will continue until folks stop paying. The exchange of money needs to stop before this activity stops. Every time someone pays the ransom, they fund this cybercrime business! Stop paying, and they will need to find another way to make their money. As I have said before, backups are not a big deal anymore with cloud backup services. Install the client, stay connected, and it just happens. The fact of the matter is that this yearly fee is cheaper than a single ransomware incident and we should be doing everything we can to not make it profitable for attackers.

Back up, back up, back up. We are dealing with information, so when they steal it, you still have it. By that same token, in the case of ransom, they are holding your working data set ransom but you should have a backup copy always at the ready. This is business continuity and even for personal computing, this is personal continuity.”

David Gibson, VP of strategy and market development, Varonis;

“It’s very difficult to prevent all types of malware from entering into the network, and organisations should expect that some will penetrate external defences. Ransomware is very problematic for organisations because most aren’t watching or analysing user or data activity on file shares or in SharePoint. This means that it’s difficult to spot and stop an attack/infection while it’s in progress and very difficult to recover from. Without a record of activity, it’s difficult to know which files were encrypted and when. Tracking and analysing file activity with User Behaviour Analytics can help detect and stop the spread of malware, and make recovery much more straightforward.”
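The file-activity monitoring Gibson describes, as an added example that is not part of the article or any vendor's product: a small detector run over a constructed file-share audit log, flagging a user whose burst of extension-changing renames exceeds a threshold inside a sliding window, and keeping the list of affected files and the time of the first alert for recovery. The log format ("timestamp user op src [-> dst]"), the threshold and the window are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit-log sample in an assumed "timestamp user op src [-> dst]" format
# (not a real product's log). bob is ordinary activity; alice shows the bulk
# rename burst that crypto-ransomware produces while it encrypts a share.
SAMPLE_LOG = [
    "2015-10-15T09:00:00 bob modify /shares/finance/budget.xlsx",
    "2015-10-15T09:00:30 bob rename /shares/finance/draft.docx -> /shares/finance/final.docx",
] + [
    f"2015-10-15T09:01:{i:02d} alice rename /shares/hr/doc{i}.docx -> /shares/hr/doc{i}.docx.locked"
    for i in range(25)
]

WINDOW = timedelta(seconds=60)   # sliding window per user (assumed tuning value)
THRESHOLD = 20                   # distinct files renamed to a new extension inside WINDOW

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (.+)$")

def parse(line):
    ts, user, op, rest = LINE_RE.match(line).groups()
    src, _, dst = rest.partition(" -> ")
    return datetime.fromisoformat(ts), user, op, src, dst or None

def extension_changed(src, dst):
    # Ransomware typically appends or swaps the extension; an ordinary rename keeps it.
    return src.rsplit(".", 1)[-1].lower() != dst.rsplit(".", 1)[-1].lower()

def detect(lines):
    """Return {user: (first_alert_time, [files renamed so far])} for every user
    whose extension-changing rename count reaches THRESHOLD inside WINDOW."""
    recent = defaultdict(deque)   # user -> deque of (timestamp, src) inside the window
    alerts = {}
    for line in lines:
        ts, user, op, src, dst = parse(line)
        if op != "rename" or dst is None or not extension_changed(src, dst):
            continue
        q = recent[user]
        q.append((ts, src))
        while q and ts - q[0][0] > WINDOW:
            q.popleft()
        touched = {s for _, s in q}
        if len(touched) >= THRESHOLD and user not in alerts:
            # Keep the file list: it answers "which files were hit, and when" for recovery.
            alerts[user] = (ts, sorted(touched))
    return alerts

if __name__ == "__main__":
    for user, (when, files) in detect(SAMPLE_LOG).items():
        print(f"ALERT {when} {user}: {len(files)} files renamed to a new extension")
```

Only renames that change the extension count, so bob's draft-to-final rename is ignored while alice trips the threshold on her twentieth file.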