Introduction and growth in ransomware
Ransomware is becoming a very popular tool for criminals. Earlier this year, Lincolnshire County Council became one of the highest profile victims of a scam that left local authority computers encrypted and whole systems shut down.
In the US, the Hollywood Presbyterian Medical Center was hit with a cyber-attack, resulting in an internal emergency as staff were unable to access patient files. According to a doctor at the hospital, the system was infected with ransomware. As a result of the attack, staff were not able to access data such as X-rays, patient information and lab work. Some have said the ransom in this case may be up to $3.6 million (around £2.5 million, AU$5 million).
According to IT security company Radware’s annual report on cybersecurity, 25% of firms surveyed said they had been the victim of ransomware.
“It’s a trend that’s grown year-on-year (up from 16% last year) and that’s likely to continue as professional groups become more organised and use Bitcoin,” says Adrian Crawley, regional director for Northern EMEA at Radware.
The defence against such attacks as most security experts will tell you is to keep a current backup of any important data. If the worst should happen, then a quick restore will mitigate against most of the attack. But of course, this doesn’t always happen and in some cases files remain encrypted and the criminals have the upper hand.
“Last year Proton Mail, a small Swiss company, had to call in Radware to help it shore up its defences when the attack it was experiencing from The Armada Collective became significantly worse after it paid a ransom,” says Crawley. “Once hackers know they have your attention then there’s no going back.”
It begs the question, should we ever pay criminals a ransom to get back data? According to Chris Boyd, malware intelligence analyst at Malwarebytes, paying up is not a good idea.
“All too often, people say they’re going to start backing up their files after they’ve already lost them,” he says. “It’s too late by that point, and the malware authors are under no obligation to hand over a key to unlock the data once the ransom has been paid.”
He adds that broken decryption methods and buggy malware files muddy the waters further, and in general by paying the ransom victims are encouraging the attackers to continue foisting their ransomware on other hapless folks.
“We need to de-incentivise them from making their malware, and the best way to do this is cut off their revenue stream,” says Boyd.
Nigel Hawthorn, chief European spokesperson, Skyhigh Networks, says that any company that considers paying even a single pound or dollar to blackmailing hackers needs to have a serious think about its actions.
Hawthorn notes: “There’s no guarantee that hackers won’t continue to deny access to systems, hit them with DDoS or release valuable data. It’s fair to say that if someone is willing to blackmail you, they’re probably not going to keep to their side of any ‘deal’.”
Sian John, chief security strategist EMEA, Norton by Symantec, says that if crime pays, hackers have the financial resources to find new ways to infect your devices. “This will give them the opportunity to target more people for larger amounts of money in the future,” she says.
John adds that instead of negotiating with the hackers holding your files hostage, you can clean up an infected computer at home by using a tool like Norton Power Eraser which is freely available online.
Slim chance of data recovery
Amichai Shulman, CTO and co-founder of Imperva, says that his firm has tracked payments to culprits through Bitcoin and this indicates that people are actually paying in a desperate attempt to get their data back. “However, the chances of getting your data back after paying the ransom are slim,” he warns.
Hawthorn adds that as companies utilise more cloud services, mitigating the risk of ransomware attacks becomes more complex. “They must remain vigilant of the applications in use across the enterprise, ensuring that they have the relevant security features to prevent hackers from getting their hands on sensitive data in the first place,” he says.
As always prevention is better than cure and another way to avoid the threat is through better education of users.
Mark James, security specialist at ESET says that emails are one of the biggest weapons used in cyber-attacks and “ensuring your staff are aware of the latest scam methods or subject definitions will help to keep those to a minimum”.
He adds that having tiered network access could limit the damage of ransomware but is not always practical. “Showing hidden file extensions can help to spot the onset of ransomware and lastly you could consider using one of the crypto-prevent toolkits that are available by third-parties to monitor or block access to the most used locations that ransomware uses,” says James.
The most recent file-encrypting ransomware (CryptoLocker, CryptoWall and TeslaCrypt) are virtually impossible to unencrypt without the key. Steve Nice, chief technologist at Node4, says that one tactic to avoid trouble is to do all your browsing through a virtual machine. “If you do get infected then it’s only the virtual machine that has encrypted files,” he says.
Detecting and stopping ransomware requires an inside-out security approach. Cindy Ng, technical analyst at Varonis, says that IT security must look to block phishing emails or at least educate employees about this threat, restrict access to social media, monitor network connections to known Command and Control (C2) URLs/IP addresses, and watch for malicious processes.
She adds: “But the real key to fighting ransomware is to take a closer look at what the attackers are after – these are the files and emails that employees create and view every day. This unstructured data is the largest data set in most organisations, often the most valuable, and, unfortunately, the least controlled.”
- What small businesses need to know about cybersecurity