It is 6 a.m. and you’re drinking your favorite cup of coffee as you sit down at your computer to check your daily emails. You get a message from UPS with an attachment that says “track your shipment”. “Hmm…” you wonder to yourself, “I don’t remember ordering anything. Maybe someone sent me a gift or something?” You then proceed to click on the attachment to track your package. Suddenly your screen blinks and starts acting strangely, and a window pops up with a warning…
You sit there in shock as you slowly come to realize you have just been infected with some kind of virus. You start to panic as you check the various files on your computer and find that you cannot open them, because they are encrypted. “Oh no…” you whisper to yourself, “How could this have happened? All the photos of my kids growing up over the years, all my scanned banking statements, PDF copies of my tax returns, my resume, my entire music library that I have spent the last 6 months ripping from my CD collection… All encrypted! I don’t have any backup copies anywhere!” you scream to yourself in horror.
That scenario could very well happen to you. More and more people and businesses these days are falling victim to “ransomware”. Ransomware is malicious code that locks up computer files, and the cybercriminals behind it demand a ransom to free them. “Ransomware” goes by many names and comes in many variants, but they all have one goal in mind: to hold every digital file you own, on your computer and across your network, hostage until you pay the ransom fee, typically in an online currency such as Bitcoin. Once you pay, you might get a “key” and be able to unlock your files. However, there have been several cases where this did not happen at all: the ransom was paid and the files were permanently lost.
Some of the more recent and well-known ransomware families are “Petya”, “Jigsaw”, “CryptoLocker”, “CryptoWall”, “Rokku”, “KimcilWare”, “Coverton”, etc. Usually the ransomware will have you buy a Green Dot money card from your local Walgreens or Walmart and load it with the specific dollar amount they are asking for. They will then have you follow instructions to convert that amount into Bitcoin (which is currently untraceable) and send it to them over the “dark web” using a Tor browser or something similar.
Most ransomware is delivered via email. The typical themes are shipping notices from delivery companies or purchase orders. In the past year, we have seen the content of these emails become near-perfect in local languages and look much more legitimate than before. While the majority of ransomware attacks still happen opportunistically, you will often see them ‘localized’ to fit the countries they target. Many attacks are also delivered by mass, random emails; the intention is to infect as many people as possible to maximize the chances of getting a result. Ransomware is also delivered via drive-by-download attacks on compromised websites. Although the problem is well known, avoiding infection, and knowing what to do once you are infected, remains the bigger problem.
Because ransomware is able to encrypt files on mapped network drives, disconnect the mapping where possible when you are not using the drive. Organizations must make sure backups are not accessible from endpoints through disk mounts; otherwise those will be encrypted as well. Once the backups are done and stored securely, we recommend checking that the backups are intact and that you can actually recover from them.
How well you recover from a ransomware attack depends largely on whether a good backup policy is in place for your data and for entire system backups. Regular backups are the most reliable method for recovering infected systems, which makes it all the more important to prevent the initial infection. Rather than a single copy, an effective backup must be “dated”, with older versions of files available in case newer versions have been corrupted or encrypted. Also get into the habit of storing backups in an offline environment, because many ransomware variants will try to encrypt data on all connected network shares and removable drives. It is imperative to always have known-good, up-to-date backups that are as close to real time as possible. One thing to watch for is not overwriting your backups with the compromised data, so that when you go to restore, you still can. If backups are not an option, you may be able to use Windows’ own shadow copies to restore files, if the ransomware has not deleted or disabled them.
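As an added example (not code from the original article), here is a small Python backup guard that implements the two points above: every run writes a new dated snapshot instead of overwriting the last one, and it refuses to snapshot when the source tree looks mass-encrypted (too many previously known files changed or gone, or files with near-random content where a document is expected), so compromised data never replaces a known-good copy. The thresholds and the list of legitimately high-entropy file types are constructed assumptions to tune for your own data.

```python
import hashlib
import json
import math
import shutil
import time
from collections import Counter
from pathlib import Path

# Constructed thresholds for this example; tune them against your own data.
MAX_CHANGED_RATIO = 0.30  # refuse the run if over 30% of known files changed or vanished
HIGH_ENTROPY = 7.5        # bits per byte; encrypted output sits close to the 8.0 maximum
COMPRESSED = (".zip", ".jpg", ".png", ".mp3", ".pdf")  # legitimately high-entropy formats

def entropy(data: bytes) -> float:
    """Shannon entropy of data in bits per byte (0 for empty input)."""
    return -sum(c / len(data) * math.log2(c / len(data)) for c in Counter(data).values())

def manifest(root: Path) -> dict:
    """Relative path -> [sha256, entropy of the first 4 KiB] for every file under root."""
    out = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            data = p.read_bytes()
            out[str(p.relative_to(root))] = [hashlib.sha256(data).hexdigest(), round(entropy(data[:4096]), 2)]
    return out

def suspicious(prev: dict, cur: dict) -> list:
    """Reasons the current source tree looks mass-encrypted; an empty list means it looks normal."""
    reasons = []
    if prev:
        # Files the last good snapshot knew about that now hash differently or are gone.
        changed = sum(1 for f, (h, _) in prev.items() if cur.get(f, [None])[0] != h)
        if changed / len(prev) > MAX_CHANGED_RATIO:
            reasons.append(f"{changed} of {len(prev)} known files modified or missing")
    hot = [f for f, (_, e) in cur.items() if e >= HIGH_ENTROPY and not f.lower().endswith(COMPRESSED)]
    if hot:
        reasons.append(f"{len(hot)} high-entropy files, e.g. {hot[:3]}")
    return reasons

def snapshot(src: Path, dest: Path) -> tuple:
    """Copy src into a new dated folder under dest unless it looks compromised; never overwrites."""
    prev = json.loads(older[-1].read_text()) if (older := sorted(dest.glob("*.json"))) else {}
    cur = manifest(src)
    reasons = suspicious(prev, cur)
    if reasons:
        return None, reasons  # leave the older, known-good snapshots untouched
    stamp = time.strftime("%Y%m%dT%H%M%S")
    shutil.copytree(src, dest / stamp)
    (dest / f"{stamp}.json").write_text(json.dumps(cur))
    return dest / stamp, []
```

Run `snapshot(Path("C:/Users/me/Documents"), Path("E:/backups"))` from a scheduled task; a `None` result with reasons is the signal to stop and investigate rather than let the run proceed.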
A layered approach to security is one of the clichés of modern infrastructure, but for repelling ransomware it should be taken very seriously. The best way to protect against a virus is to have defenses in place so that you never receive it in the first place. Deploying layers such as anti-virus, web filtering and firewalls will help prevent this from happening to you. Modern consumer security software now contains personal firewalls and web filtering alongside the more traditional anti-malware.
Current ransomware will typically run an executable from the App Data or Local App Data folders, so it is best to restrict this ability, either through user policy, Windows’ own built-in restrictions, or third-party prevention kits designed for this purpose. Alongside a layered approach, keeping software patched and up to date remains the best form of security.
The final piece of advice to protect against malware is to ensure your user privileges are locked down. Most organizations, or people sharing a home computer, are not watching or analyzing all of their users’ activities. Most malware executes with the same privileges as the victim who runs the payload. If the person compromised has local or global administrative privileges, the malicious code will have access to the same resources. In the case of ransomware, this also means it will have the capacity to encrypt data across network drives, shares and removable media.
Infection by ransomware does happen. Free tools from companies such as Kaspersky and Cisco exist that may be able to remove it. Websites such as www.bleepingcomputer.com and www.thehackernews.com have great tutorials on how to remove some of the more popular variants. The worst thing about a restore is the time it takes, but this is obviously less expensive than paying a ransom.
Of course, the biggest problem with paying ransoms is that you are dealing with criminals, and there is no guarantee that the victim will get their data back, or that the attacker will not leave other forms of malware running on the system. Like other scammers, cyber criminals will return to someone who paid, so payment to recover your files simply confirms that you will be a good target for future attacks and scams.
If you are a victim, then consider the sensitivity of your data, your profile and the sophistication of the attacker before you pay, because low sophistication in communication could mean low quality of encryption.
This is a modern problem in malware, combining both sophisticated and basic tactics, and people are still getting caught, despite the fact that there are fairly straightforward methods to avoid becoming a victim.
As ransomware gets more and more advanced, you will start hearing about it on the news more often. You can almost guarantee that a lot of companies have been affected by it as well, but have elected to keep it under wraps. If word got out that their confidential data was affected, it could potentially ruin a business.
Here are a few recent news articles of events of ransomware that had happened…