FBI: Beware of Full Network Ransomware

The FBI warned about ransomware that is attempting to encrypt entire networks. But what’s new here?

In-brief: the FBI has issued an alert warning of ransomware attacks that attempt to encrypt an organization’s entire network. But has anything changed? 

The FBI has issued an alert warning of ransomware attacks that attempt to encrypt an organization’s entire network, using persistence to delete file backups and other resources that may be used to recover from infections.

The alert, which can be viewed here, was released on February 18 and highlights an aggressive campaign involving ransomware with names like “Samas,” “Kazy,” or “RDN/Ransom” that initially target vulnerable JBOSS applications, the FBI said.

The FBI said it was distributing the threat indicators to “enable network defense activities and reduce the risk of similar attacks in the future.”

According to the alert, the malware spiders network shares on infected hosts and encrypts any files it finds using the RSA-2048 algorithm. In addition, the FBI said, “the actor(s) attempt to manually locate and delete network backups.”
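The behaviour the alert describes (a process walking a share and rewriting every file it reaches as ciphertext) leaves a measurable trace: within a short window, a cluster of recently modified files whose contents have near-maximal byte entropy. The following defender-side script is an added example, not code from the FBI alert or from the article; it builds a small constructed sample tree, scans it the way one might scan a mounted share, and raises a burst alert when more than a chosen number of high-entropy, freshly modified files appear. The window, entropy threshold and burst count are assumed values a practitioner would tune for their own environment.

```python
import math
import os
import tempfile
import time
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input, up to 8.0 for uniform bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def scan_share(root, window_seconds=600, entropy_threshold=7.5, min_size=64, now=None):
    """Walk a share and return files modified inside the window whose leading bytes
    look like ciphertext (entropy at or above the threshold).  Small files are skipped
    because entropy estimates on a few bytes are unreliable."""
    now = time.time() if now is None else now
    suspects = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
            except OSError:
                continue  # file vanished or is unreadable; not our problem here
            if st.st_size < min_size or (now - st.st_mtime) > window_seconds:
                continue
            with open(path, "rb") as fh:
                head = fh.read(65536)  # first 64 KiB is enough to classify
            if shannon_entropy(head) >= entropy_threshold:
                suspects.append(path)
    return sorted(suspects)


def burst_alert(suspects, threshold=5):
    """True when enough ciphertext-like files appeared together to suggest mass encryption
    rather than a user saving one archive or image."""
    return len(suspects) >= threshold


def build_sample_share():
    """Constructed sample data: six files overwritten with random bytes (standing in for
    encrypted documents) and three ordinary text files.  This is test fixture, not a
    capture from a real incident."""
    root = tempfile.mkdtemp(prefix="share_")
    for i in range(6):
        with open(os.path.join(root, f"report{i}.docx.encrypted"), "wb") as fh:
            fh.write(os.urandom(4096))
    for i in range(3):
        with open(os.path.join(root, f"notes{i}.txt"), "w") as fh:
            fh.write("quarterly notes\n" * 200)
    return root


if __name__ == "__main__":
    share = build_sample_share()
    hits = scan_share(share)
    print(f"{len(hits)} ciphertext-like files modified recently; burst alert: {burst_alert(hits)}")
    for p in hits:
        print("  ", p)
```

Entropy alone is a weak signal (compressed archives and media files also score high), which is why the script alerts on a burst of such files inside a short window rather than on any single file; in production the same logic would be fed by file-server audit events rather than a periodic walk, and the alert would be paired with the access controls and isolated backups the Bureau recommends.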

That’s not so different from other malware variants, however, and it is unclear why the Bureau issued an alert for this malware specifically. The Bureau recommended that organizations take standard precautions to protect against malware infections, including ensuring anti-virus software is up to date, implementing data backups to secure and logically separate locations, patching regularly, and using caution when clicking on links or attachments in email messages.

The Bureau caught flak for comments by a Special Agent in October at a Boston conference that – failing working backups and other means – ransomware victims are sometimes advised to pay the ransom if they need to get their data restored.

Ransomware infections are on the rise, as the tools needed to operate ransomware scams have been democratized and as Bitcoin adoption has given criminals an easy and risk-free way to get paid by victims.

In a podcast published this week, Thomas Fischer of Digital Guardian notes that simple hygiene such as patching, user training and “user least privilege” – limiting administrative permissions – can remove much of the threat posed by malware.