Ransomware Snafu Is More Bad News for EC-Council

Last week it was widely reported that professional organization EC-Council, curator of the popular Certified Ethical Hacker (CEH) credential, had been unwittingly infecting visitor to its web site with ransomware. For several days, the organization was, rather ironically, the victim of a hack that perpetrated a drive-by ransomware attack.

Watchdog blog Fox IT was the first to break the news to EC-Council, having discovered the infection on Monday, March 21. Fox IT claims that EC-Council ignored their reports and, rather than wait, went public with its findings in this blog post.

This particular ransomware vector used a sporadic attack pattern, meaning that the chances of infection werelower than normal. Only users who got to the infected EC-Council site via Google or Internet Explorer, and who originate their searches in certain locations were targeted. That doesn't make the infection less terrible, or the $622 (U.S) demanded of victims in exchange for unlocking their files less painful.

Adding intrigue to the story, this isn't the first time EC-Council's web site has been hacked. They've been in the news before, when a devious trickster posted Ed Snowden's passport on their web site's main page. EC-Council has has enough problems that CBT Nuggets' training material for the CEH certification makes special mention of recent hacks of EC-Council web sites.

For those poor souls (myself included) who have spent countless hours gaining a CEH certification, the negative press reflects poorly both on the credential and its sponsor. Put recent developments together with EC-Council's abrupt, unplanned change from version 8 to version 9 of the CEH certification, as well as numerous reported spelling errors on EC-Council tests, and a portrait of incompetence starts to take shape.

This latest hack, perhaps even perpetrated by someone testing out their CEH training materials, was skillful enough to avoid detection by a group that, after all, proudly hands out hacking certifications. The fact that they seemingly didn't detect the hack in the first place, and also appear to have ignored reports of its existence, speaks volumes of EC-Council's management and attention to detail. Are they understaffed or incompetent?

They can't afford to be either, since many a newbie armed with a rundown of popular internet exploits is bound to want to test his or her hacking chops by taking down a high-profile target.

Ransomware is an especially pernicious form of spyware. It infects computers, encrypts the user's files and demands a payment (reported demands from past attacks have been anywhere from $300 to $17,000) in exchange for the crypto-key needed to unlock user data.

Paying the ransom, which current FBI protocol actually recommends victims do, may not even result in an affected user's getting their key. Victims, after all, are not dealing with a reputable company and their money, along with their encrypted files may be lost for good.

Beat the heat

While ransomware is possibly the nastiest strain of spyware infection one can get, it parallels physical infections where a simple hand-washing can often prevent the spread of even the worst of diseases. There are simple forms of prevention that are the equivalent, in IT terms, of "washing your hands."

For the home user, "cyberhygiene" starts with the buddy system. If you don't know how to be safe, get a friend or an acquaintance to help you protect your PC from online exploits. If no IT-savvy friend can be found, then take a class, read a book, or get a certification.

Next, change your browser. Microsoft Internet Explorer has one of the worst reputations out there, and for good reason. Their zero-day vulnerabilities number in the hundreds every month. Consider using Chrome or Firefox, with auto-updates enabled.

A couple of equally easy options are adjusting your browser's security settings so that it will not execute any commands without your approval, and splurging for a high quality, easily updatable virus/spyware program.

The last and perhaps most important option is to always back up your files. If I were ever forced to choose between paying a few hundred dollars and restoring my system using yesterday's backup, I know what choice I would make.

In a corporate environment, server side systems and software like Websense and Group Policy make it easy for the user to browse anything — anything that the administrator sees fit. Corporate systems are set up to prevent good people from doing bad things. Software, such as Websense, analyzes the data stream and prevents the actual virus from coming down to the user's workstation.

Smart surfing, like typing in the address of the web site you want and bookmarking it, disabling restore points on your workstation, and regularly scanning your PC with the virus software you purchased, round out the list of things you can do to help prevent exposure to ransomware.

The future of ransomware

The FBI's recommendation for infected users to comply with ransomware demands doesn't bode well for users, and points to a future in which thieves could potentially reap millions of dollars per year. The cryptography method used in ransomware is a "one-time pad." It can only be unencrypted with the key the thieves may or may not send you.

While consulting in St. Louis last year, I ran into a large, nasty case of ransomware. The particulars of the story are common: The administrator didn't update the network's virus definitions, the user was Google-ing low-cost shoes from overseas sellers, and the user's workstation had access to the entire network's file share.

The network had 100 PCs, with around 15 of them infected, including the company's entire file share. We unplugged every PC on the network, then formatted and reloaded all but 10, for which we paid a ransom of $500 each.

We then formatted and restored the file server's backup from a week before. All told, with consulting fees, the company was out $20,000. That may not sound like a lot to some, but a small business or a home user could be devastated by bills of this caliber.

Oftentimes the weakest link in any security system is people. Humans, with all of our fallibility, are the most vulnerable to scams, redirected links, fake deals, alluring pornography and a host of other phishing attempts.

If you can train yourself, your users and your friends to only visit sites they KNOW are safe, then you have a shot at bolstering the strength of this weak link. Network administrators, in particular, should consider user training and knowledge a cornerstone of any security system or program.

It appears 2016 is shaping up to be the year of ransomware, and the speed of government legislation, internet laws and police policy are not helping the victims of this scourge. With evolving technology and the ever-increasing availability of hacking tools, the scourge of ransomware is likely to spread.

EC-Council's unfortunate misadventure makes me think of a preteen drug dealer in a school yard. They were an unwitting accomplice, but that doesn't excuse them from their due diligence. Other organizations should learn from that example: EC-Council wasn't the first site to be sucked into the ransomware whirlwind, and it won't be the last.