Ransomware attacks have been in the news for the last few years, but those of us in the iSeries world have by and large been spared from attacks that hit the iSeries directly. That was never a property of the platform itself: an iSeries that shares files to the Network can be hit, and IBM has now seen it happen. In this article, I will explain how an iSeries is exposed to Ransomware and give you some tips to protect your box.
Encrypting Malware
Let me start by explaining what Ransomware is. Ransomware is malware that encrypts files so that they are no longer usable; the people behind the attack then offer to decrypt your files if you pay them a literal ransom. Ransomware is usually introduced through a plausible-looking e-mail: an unsuspecting user opens it and clicks a URL or an Attachment, which runs the malware on their PC. From that PC it reaches everything the PC can write to on the Network. Paying off the cybercriminals is typically very expensive, and even if you pay, they may not restore your files.
Network Entry
The key to understanding how Ransomware finds its way onto an iSeries is the realization that the iSeries is part of your Network. The process starts with an infected e-mail opened by a user on a PC. The malware does not run on the iSeries; it runs on the PC, where it looks at the local disk and the user’s Drive Mappings and File Shares to find servers and other PCs it can write to. If the PC has a drive mapped to the iSeries through NetServer, the iSeries is one of those servers. NetServer serves file and print functions via ‘My Network Places’ (previously known as ‘Windows Network Neighborhood’), and it is used by many companies. Its file-serving jobs (the QZLSFILE Pre-start Jobs in the QSERVER subsystem) carry out the reads and writes on behalf of the PC user, under that user’s iSeries user profile and authorities.
NetServer to IFS
Once the PC is writing through NetServer, the malware can reach whatever the File Share exposes, with the authority of the user profile the share was connected with. A share on the Root of the IFS (Integrated File System) exposes everything, including /QSYS.LIB. The /QSYS.LIB directory corresponds to the QSYS Library on the iSeries. Every Library on the system appears under it as a LIBNAME.LIB sub-directory, with database files as .FILE sub-directories and members as .MBR files, so /QSYS.LIB is not just a high-level folder with many, many sub-folders and files: it effectively lists and exposes every Library on the iSeries. If the malware can reach /QSYS.LIB via an unsecured high-level File Share, it can overwrite everything under it that the connected profile is authorized to change, DB2 files included. Note that the malware is not specifically looking for DB2 files. It isn’t that smart. It just overwrites any file it can open for write, so the damage is bounded by two things: what the share exposes, and what the connected user profile is authorized to.
If Ransomware corrupts objects on a Partition of your iSeries, there is no way to fix them other than restoring them from a Back-up, and when the damage is widespread that means a full restore of the Partition. You will likely lose data, time, and money, even with the best Back-up plan.
Here are some suggestions to help you protect your iSeries from Ransomware.
1. Educate your users so that they recognize a phishing e-mail, and make sure they know not to click any URL or Attachment in an e-mail that seems suspicious. Cybercriminals have gotten very good at stealing a user’s e-mail address and Contacts, so even if the e-mail appears to be from a known sender, it could be a phishing e-mail.
2. Do not establish a File Share at the Root of the IFS or on a high-level folder such as /QSYS.LIB. Share the lowest folder level where access is needed, and make the share read-only whenever possible. Remember that the share is only the first gate: the connected user’s iSeries user profile authority is the second, so give the profiles used from PCs only the object authority they need, and never *ALLOBJ, which bypasses object authority entirely.
3. Back up your iSeries daily, so you can restore very recent data in the event of an attack, and keep at least one Back-up offline or otherwise out of reach of the same Network credentials, so the attack cannot encrypt the Back-up along with the data.
4. Have a plan for the restoration of your iSeries as well as the other elements of your Network, so that you will know exactly what to do to recover from a Ransomware attack.
5. If you discover that you are a victim of a Ransomware attack, cut the iSeries or the affected Partition off from your Network immediately; at a minimum, end NetServer (ENDTCPSVR SERVER(*NETSVR)) so that no PC can keep writing through its shares. Review your entire Network for other elements that may have been affected, and rebuild or restore those elements from a known-good Back-up rather than trusting a cleanup.
6. Reach out for professional assistance to help restore your system. If your iSeries is compromised, you may also want to contact IBM. An added benefit of doing so is that it helps IBM understand the attack and improve the platform’s defenses against it.
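The checks behind suggestions 2 and 5 (which shares expose the Root or /QSYS.LIB, which of them are writable, and which enabled profiles carry *ALLOBJ) can be run as queries against the IBM i SQL services. This is an added example, not code from the article; it assumes a release on which the QSYS2.SERVER_SHARE_INFO and QSYS2.USER_INFO views are available (IBM i 7.3 or later) and uses their documented column names.

```sql
-- Added example (not from the article): audit NetServer exposure with
-- IBM i SQL services. Assumes IBM i 7.3+ where these views exist.

-- 1. File shares, classified by how much of the IFS they expose.
--    A share whose path has no second '/' is a top-level directory;
--    the Root and anything under /QSYS.LIB are called out separately.
SELECT server_share_name,
       path_name,
       permissions,                              -- 'READ ONLY' or 'READ/WRITE'
       CASE
         WHEN path_name = '/'                    THEN 'ROOT SHARE'
         WHEN UPPER(path_name) LIKE '/QSYS.LIB%' THEN 'LIBRARY SHARE'
         WHEN LOCATE('/', path_name, 2) = 0      THEN 'TOP-LEVEL SHARE'
         ELSE 'OK'
       END AS exposure
  FROM qsys2.server_share_info
 WHERE share_type = 'FILE'
 ORDER BY exposure, permissions DESC, server_share_name;

-- 2. Writable shares only: these are the ones a ransomware-infected PC
--    can actually encrypt through, so they are the ones to fix first.
SELECT server_share_name, path_name
  FROM qsys2.server_share_info
 WHERE share_type = 'FILE'
   AND permissions <> 'READ ONLY'
 ORDER BY path_name;

-- 3. Enabled user profiles with *ALLOBJ. Object authority does not limit
--    these profiles, so if any of them is used to connect a PC drive,
--    a read-only share elsewhere does nothing for what that PC can reach.
SELECT authorization_name, status, special_authorities
  FROM qsys2.user_info
 WHERE special_authorities LIKE '%*ALLOBJ%'
   AND status = '*ENABLED'
 ORDER BY authorization_name;
```

Run the three queries from Run SQL Scripts or STRSQL with a profile that is allowed to read the views. Anything flagged ROOT SHARE or LIBRARY SHARE in the first query should be replaced by a share on the specific folder the users need; any profile in the third query that is used from a PC should get a separate, limited profile for that purpose.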
I truly hope that your company is never the victim of a Ransomware attack, as it is very expensive in time, money, and lost data to fix. If you follow the suggestions above, you will be doing your company a great service in protecting your iSeries by preventing, or at least minimizing, the damage from a Ransomware attack and having a quick recovery plan in place.
Sharon Foster
Senior Programmer/Analyst with Information Systems Engineering, Inc.
Early detection and neutralization are key to minimizing damage from a ransomware attack. The longer the malicious code is left to wander through the network, the more files it can encrypt.
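The following is an added example of the kind of triage query that makes early detection possible, not code from the article. It assumes the QSYS2.IFS_OBJECT_STATISTICS table function and the QSYS2.NETSTAT_INFO view are available on your release; the directory /home/shares and the 15-minute window are assumptions to be replaced with the directories you actually share and the interval you poll at.

```sql
-- Added example (not from the article): spot an encryption run in progress.
-- Assumes IBM i 7.3+ services; '/home/shares' and 15 MINUTES are assumptions.

-- 1. Stream files under the shared tree whose data changed recently,
--    grouped by extension. Normal work changes a few files with familiar
--    extensions; a ransomware run shows up as a burst of hundreds of
--    writes, usually with one unfamiliar extension appended to every file.
SELECT COALESCE(REGEXP_SUBSTR(path_name, '\.[^./]+$'), '(none)') AS extension,
       COUNT(*)                  AS files_changed,
       MIN(data_change_timestamp) AS first_change,
       MAX(data_change_timestamp) AS last_change
  FROM TABLE(qsys2.ifs_object_statistics(
               start_path_name     => '/home/shares',   -- assumed share root
               subtree_directories => 'YES',
               object_type_list    => '*STMF'))
 WHERE data_change_timestamp > CURRENT TIMESTAMP - 15 MINUTES
 GROUP BY COALESCE(REGEXP_SUBSTR(path_name, '\.[^./]+$'), '(none)')
 ORDER BY files_changed DESC;

-- 2. Which PCs currently hold an SMB connection to this system. NetServer
--    listens on TCP 445, so the remote addresses here are the machines to
--    isolate first if query 1 shows a burst of rewrites.
SELECT remote_address, remote_port, tcp_state, idle_time
  FROM qsys2.netstat_info
 WHERE local_port = 445
   AND tcp_state  = 'ESTABLISHED'
 ORDER BY idle_time;
```

Schedule the first query to run every few minutes against each shared directory and alert when files_changed for a single extension jumps well above its normal level; when it fires, use the second query to find the connected PCs, then end NetServer and isolate those PCs before restoring the rewritten files from Back-up.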