Ransomware: Caught, shackled and NO WAY BACK (Don’t become a statistic).
What is Ransomware?
Ransomware is unique. Your machine is not hacked in the traditional sense and it’s not infected just because it can be. It doesn’t look to take your data or gain access to your bank accounts. It has a very simple end objective, which is to extract as much money from victims as quickly as possible.
- Ransomware is malicious software that takes control of someone else’s machine or infects the data and files held on that machine and then attempts to extort money from the owner.
- Ransomware will typically restrict normal usage of the machine and can encrypt files in order to prevent access to essential data.
- Ransomware is commonly targeted at Microsoft Windows; however, attacks on other operating systems are becoming more prevalent.
- Ransomware that encrypts typically uses a randomly generated AES-256 key, with an individual key created for each individual file, which makes decrypting the data manually almost impossible.
There are thousands of ransomware variants circulating; however, they all stem from only three basic types.
Master Boot Record Ransomware
This malware attacks the part of your computer that allows it to boot into Windows, denying you access to the computer entirely and presenting you with a ransom demand at boot-up. (Petya)
File Encrypting Ransomware
This malware encrypts the files and folders you are likely to use every day, such as documents, pictures and spreadsheets, and even traverses your mapped drives for files to encrypt. This prevents access to your data, and a ransom demand is normally placed in each folder. (WannaCry)
Screen Locking Ransomware
This malware allows you into Windows but prevents access to any window on your system, instead showing you just a fullscreen ransom demand that blocks anything else from displaying.
How do machines get infected with Ransomware?
These malicious pieces of software can get onto your system in a number of ways. It’s important to understand that being vigilant when browsing the web is only one step you should take to protect your data.
Ransomware plays on our human emotions of curiosity, excitement, fear and embarrassment and works really well. It’s simply the digital version of extortion. Cyber-criminals know how much value we place on the data we store on our machines, and use modern day techniques to take your data to ransom.
- Malicious content executing from a website that has been hacked and taken over, or that has been created specifically to push ransomware to your device.
- Malicious content being delivered via email links or attachments designed with content that makes you curious to access it.
- Malicious content embedded on removable media like flash pens, or hard drives that you connect to your machine.
You could be unknowingly sent to a malicious website by a popup that, after just a few seconds, starts installing ransomware on your machine.
You could receive an email apparently from a trusted colleague with a malicious file attached that you would not suspect as malicious.
You could find a flash drive loaded with malicious software left on your doorstep and, just out of curiosity, want to see what confidential information may be on there.
One of your colleagues could have been infected and the infection has spread organically.
In 2016, ransomware attacks on businesses ranged from a low of 1 attack every 2 minutes to a peak of 1 attack every 40 seconds.
SOURCE: Kaspersky Lab Security Network
Contacting IT before opening every email, browsing a website or plugging in a flash pen is an extremely unlikely scenario, and expecting an employee to keep their own machine secure is normally outside their skill set.
Due to its digital nature, the origins of ransomware are extremely difficult to root out, which dramatically reduces the cybercriminals' chances of being caught.
With our ever-increasing reliance on technology, holding our invaluable data to ransom is becoming more and more popular with digital criminals. Attacks can be initiated from thousands of miles away with total anonymity.
In the digital world, data is king, and by attacking the very files, folders and systems that host our personal and business data, cybercriminals know they have something very valuable to us under their control.
By imposing a time limit on ransom demands, criminals blackmail victims into making a decision quickly and force their hand.
Fear, embarrassment and the likely business and personal losses that would come from losing this data mean victims are prepared to pay the ransom, so much so that it's a very successful and lucrative opportunity for criminals across the world.
In 2015, victims paid in excess of
2,452 reported ransomware attacks
SOURCE: FBI Internet Crime Complaint Center
By accepting ransoms in the form of bitcoins (digital currency), criminals can receive payment without it ever being traced back to them. Payments range from hundreds to tens of thousands, dependent on the type of victim targeted.
Businesses take a more concerted and intelligent effort to infect, but the rewards are far greater.
Cybercriminals don’t necessarily target predefined victims that may yield a greater return. They really don’t care who they attack. They stretch their net as far as they can, in order to reap the maximum reward from as many victims as possible, no matter their size.
Because ransomware uses high-level encryption with long encryption keys, gaining access to your files by attempting to decrypt them is pretty much impossible in your lifetime.
Its low execution cost, its proven ability to work, its speed of results and the fact that it's exceptionally hard to trace make it a crime that's as close to perfect as we've ever seen.
If you are one of the thousands of ransomware victims across the world, you'll be in the difficult position of deciding whether you should pay or not. But first:
- Disconnect the network cable to prevent spreading.
- Try to identify the type of ransomware by the message. Some older ransomware variants have had their decryption and cleaning steps published.
- Contact your IT team to make sure they stop the spread on their side too.
We really don’t recommend paying the ransom:
Paying the ransom is no guarantee that you will be sent the decryption key to unlock your data. With so many variants of the malware available across the world, many criminals don't even have the decryption keys themselves and never intended to provide you with the decryption key in the first place. They've already illegally accessed your systems and taken your files hostage; what makes you believe they are going to give your files back?
Paying the ransom makes criminals more active. There’s a reason we have a no negotiation strategy. It just perpetuates the cycle and increases threats for the future. You’ll be funding their next criminal escapade no doubt too.
Paying the ransom doesn't fix the bigger issues. You may get your data back, but you clearly have major security problems and no viable disaster recovery plan. That needs to be addressed first and foremost. You should be concerned that if the infection isn't cleared up fully, the same infection could hold your files to ransom again. You should be planning for disaster better and ensuring you are protected from future attacks.
It’s now not a case of “if” your data will be targeted, it’s a case of “how soon”.
Is all your data backed up?
Are there copies of data stored externally?
How far back do your backups go?
Are your backups successful and tested for file restore?
Do you have a tried and tested disaster recovery or contingency plan?
Are your systems all adequately protected: latest updates, antivirus, web filtering, restricted access, limited permissions and prevention of external devices?
Are your employees adequately informed of how to protect themselves?
Do you have secure access to your systems by way of suitable firewalls and remote access?
Ensure you have the basic protection in place by:
STAYING UP TO DATE
Microsoft and other reputable software providers release critical security updates from time to time, and Microsoft releases patches on a weekly basis.
Keep on top of installing these updates to remain as protected as possible.
Ensure all devices have an up-to-date version of antivirus in place with auto updates and regular scanning configured.
Make sure your devices have firewall protection enabled and configured to only provide access to necessary protocols.
TRAIN YOUR TEAM
Email and website spoofing is becoming more common.
Don’t open attachments from unknown senders and be careful when opening unexpected emails from known senders. Don’t click on links that are unknown.
Ensure you have a backup, ensure it's successful, and make sure you have at least one copy of your data located offsite and disconnected from your network at all times. The more copies you have, the better.
Giving everyone access to everything is normally the most headache-free way to deal with user complaints. However, giving users only what they need is far more secure. Employ a policy of "most restrictive" at all times.
To discuss how XC360 can provide audit, recommendations and solutions that protect your business data, reputation and success call or email: