With Facebook now counting over 1.7 billion monthly users and LinkedIn another 467 million, it was only a matter of time until criminal hackers turned their attention to exploiting social media as an attack vector. The current attack is being waged to introduce ransomware into these environments. Dubbed “Imagegate”, it’s a clever way of sneaking malware into your environment.
It typically runs this way: While on Facebook, a user receives an instant message. It appears that an image file with an .svg extension is attached to the message, and the user clicks on it. The user is redirected to a web site that looks like YouTube and asked to download a piece of software in order to view the video. However, what the user actually downloads is ransomware, a backdoor or a similar Trojan giving the attacker access to the user’s computer.
The attack is both wickedly elegant and devastating. Here’s how to protect yourself and your data from it:
1. Educate users on the dangers of social media. Corporations should ensure that their employees are receiving at least annual security awareness training, including the latest threats.
2. Take a proactive stance against malware attacks. Are you scanning your network, searching for threats, backdoors and malware? Is your security team keeping up to date on attacks and then examining their network for this kind of activity?
This includes back-ups of your data. These back-ups should occur at least daily and include all sensitive and important data on your network. This gives you the opportunity to recover from a ransomware attack almost immediately. It also gives you the ability to not pay the ransom, which most law enforcement agencies would advise against. Many times companies have paid the ransom only to find that they still couldn’t recover their data, or that once they had paid, the attackers extorted even more money from them.
3. Consider minimizing access to social media within your corporate network. While this is controversial, it will definitely help protect your data. Some companies set up a network for social media and segment their corporate network from it, creating a DMZ of sorts and protecting sensitive corporate data. It’s not a popular choice but it is practical.
4. Since many variants of ransomware run their executable from AppData/LocalAppData, create rules to disallow this behavior and stop ransomware from starting. Many intrusion prevention products provide this functionality, and Windows also allows administrators to create these types of rules. If there is legitimate software that is set to run from the AppData area, then it can easily be excluded.
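One way to implement this rule on Windows is an AppLocker path policy, shown here as an added example (not part of the original article): it denies executables under any user's AppData folder, keeps an exception for one legitimate program, and is applied in audit mode first. The GUIDs, the ExampleVendor exception path and the test file paths are placeholders for illustration.

```powershell
# Added example, not from the article. AppLocker executable rules that block
# launches from per-user AppData while preserving the usual default allows.
# Caveat: once ANY rule exists in a collection, AppLocker blocks everything
# not explicitly allowed, so the three Allow rules below are not optional.
# Requires administrator rights and the Application Identity service running.
$policyXml = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="a1000000-0000-4000-8000-000000000001" Name="Allow Program Files"
        Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="a1000000-0000-4000-8000-000000000002" Name="Allow Windows folder"
        Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="a1000000-0000-4000-8000-000000000003" Name="Allow all for Administrators"
        Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="a1000000-0000-4000-8000-000000000004" Name="Deny EXE from per-user AppData"
        Description="Deny wins over Allow, so this also binds administrators"
        UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%OSDRIVE%\Users\*\AppData\*" /></Conditions>
      <Exceptions>
        <!-- placeholder: legitimate software that installs itself under AppData -->
        <FilePathCondition Path="%OSDRIVE%\Users\*\AppData\Local\ExampleVendor\*" />
      </Exceptions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
'@
$policyFile = Join-Path $env:TEMP 'deny-appdata-exe.xml'
Set-Content -Path $policyFile -Value $policyXml -Encoding UTF8

# Dry run against files that exist on the test machine (replace these
# placeholder paths); the verdict column shows Allowed or Denied per rule set.
Test-AppLockerPolicy -XmlPolicy $policyFile -User Everyone -Path @(
    'C:\Users\alice\AppData\Local\Temp\video_player.exe',   # expected: Denied
    'C:\Users\alice\AppData\Local\ExampleVendor\app.exe',   # expected: Allowed (exception)
    'C:\Windows\System32\notepad.exe'                       # expected: Allowed
)

# Merge into the local policy. Leave EnforcementMode="AuditOnly" until the
# AppLocker event log shows no legitimate program being flagged, then switch
# it to "Enabled" and re-run this script.
Set-AppLockerPolicy -XmlPolicy $policyFile -Merge
Start-Service -Name AppIDSvc
```

In a domain, the same XML is imported into a GPO with the -Ldap parameter instead of the local policy, which is how the exclusion list is maintained centrally.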
5. Ensure your incident response plan and team are ready to provide remediation and recovery during a ransomware incident. Many companies neglect this aspect of their security program until an incident occurs, leading to massive failure. If you don’t have an incident response plan, write one; if you haven’t tested it, test it and make sure your personnel are prepared. Incident response shouldn’t be the last line of defense, but it often is and as such it should be as strong as possible.
6. Investigate as part of the incident response process. Many companies that experience a ransomware outbreak simply restore from their back-ups with no follow-up. The right course of action is to initiate a full investigation to determine how the ransomware entered the network, what type of ransomware it was and what indicators of compromise are available. That information should then be used to strengthen the overall security posture. Without doing all you can to protect yourself, you are doomed to fail.