Posted by Justin Knight - 04 August 2016
Ransomware has become so lucrative and widespread that cyber criminals have set up sophisticated businesses with dedicated call centres and sales and marketing functions.
"Never before in the history of humankind have people across the world been subjected to extortion on a massive scale as they are today." - symantec.com
They present a professional-looking payment interface and even let you test decrypting a few sample files to reassure you before you part with your money.
The locking and encryption of data has also improved, to the point that some industry experts now suggest paying the ransom rather than trying alternative methods to get your files back.
Ransomware operators have recently taken this a step further, reselling their product to lower-level criminals as a service dubbed RaaS (Ransomware as a Service), which they market to other "bad guys" on the dark web.
Ransomware attack levels are increasing and show no signs of going away. If you have been following the IT news you may have noticed reports of new Ransomware variants such as Zepto, Teslacrypt and Locky, as well as more frequent Ransomware phishing campaigns targeting customers of well-known companies.
What is Ransomware?
The most common form of Ransomware is malware that encrypts the victim's files, denying access to the data or the system, and demands a ransom payment in return for the decryption key needed to recover the encrypted files.
Ransomware is on the rise
"93% of phishing emails are now ransomware" - phishme.com
The earliest recorded Ransomware dates from 1989, but extortionate ransomware didn’t become prominent until 2005. Encrypting ransomware became more widely known in 2013 with the infamous Cryptolocker. Although the Cryptolocker operation was taken down in 2014, new variants were released and the category continued to grow. “2015 also saw a doubling of the number of cryptolocker attacks [compared to 2014], with Kaspersky Lab detecting cryptolockers on more than 50 thousand corporate machines”. Ransomware attacks are continuing to rise: Kaspersky Lab recently reported that in Q1 2016 “the number of attacked users increased by 30 percent compared to Q4, 2015”.
As long as the business of Ransomware remains profitable this number is likely to keep rising. Ransomware also continues to diversify, attacking mobile devices (iOS and Android) and the ever-growing number of connected devices such as smart TVs. According to Symantec research, “hundreds of millions of internet-connected TVs are potentially vulnerable to click fraud, botnets, data theft, and even ransomware”. These devices may be at greater risk of infection because they are less likely to have malware protection or to sit behind a firewall.
Furthermore, some ransomware now also threatens to publish the victim’s files online unless the ransom is paid. Unfortunately backups, the usual last line of defence, offer no protection against this threat. As a recent example, a blackmail trojan called Chimera threatened to publish photos and other personal information.
As well as disruption to business and loss of data, businesses risk damaging their reputation.
There can be significant disruption to business as, depending on the type of data affected, critical business functions may no longer be able to operate. The disruption can be lengthy while trying to determine the scale of the infection and the best options for recovering data. Factors to consider include:
- what data was locked
- if local backups were also locked
- options and costs to pay the ransom
- what data was successfully backed up
- time elapsed since the last backup and the infection
- estimated restore time particularly if from tape or remote site
If your data is not backed up frequently you risk losing critical company data permanently: not every Ransomware operator actually returns your data once the ransom is paid, and the cost may be prohibitive in any case. Also, depending on when the data was encrypted, your most recent backups may be useless because they contain the locked files, forcing you to restore from an older point in time (assuming you have multiple restore points).
These security breaches can seriously hurt a company's reputation, particularly if the affected data includes customers' private information. Customers lose trust and no longer feel their data is safe. Many customers may also have been affected by the disruption itself, which damages your reputation further.
As it is almost impossible to unlock your data without paying a substantial ransom, the best solution is prevention and preparation. This requires a multi-pronged approach:
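Deciding which restore point is still clean is the practical problem behind the paragraph above. The script below is an added example, not code from the original post: it walks a set of restore-point directories from newest to oldest and flags files by a known appended extension (the list is illustrative and assumed, not a complete threat-intel feed), by a ransom-note filename, or by high byte entropy, which encrypted data exhibits. The restore points it scans are constructed in a temporary directory purely for the demonstration.

```python
"""Find the newest backup restore point that shows no signs of ransomware.

Added example. Indicators used: extensions appended by known families
(illustrative list, assumed), ransom-note filenames (assumed examples), and
Shannon entropy of the file content, which approaches 8 bits/byte for
encrypted data.
"""
import math
import os
import tempfile
from collections import Counter
from typing import List, Optional

# Assumed, illustrative lists; a real deployment would maintain these from threat intel.
SUSPICIOUS_EXTENSIONS = {".locky", ".zepto", ".encrypted", ".ecc", ".ezz"}
RANSOM_NOTE_NAMES = {"_HELP_instructions.html", "HELP_DECRYPT.txt", "readme_to_decrypt.txt"}
ENTROPY_THRESHOLD = 7.5  # bits per byte; plain documents sit well below this


def shannon_entropy(data: bytes) -> float:
    """Return the Shannon entropy of *data* in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = Counter(data)
    length = len(data)
    return -sum((n / length) * math.log2(n / length) for n in counts.values())


def looks_encrypted(path: str, min_size: int = 256) -> bool:
    """Flag a file by ransom-note name, suspicious extension, or high entropy."""
    name = os.path.basename(path)
    if name in RANSOM_NOTE_NAMES:
        return True
    if os.path.splitext(name)[1].lower() in SUSPICIOUS_EXTENSIONS:
        return True
    with open(path, "rb") as fh:
        head = fh.read(64 * 1024)  # first 64 KiB is enough to judge entropy
    # Tiny files give noisy entropy values, so only judge reasonably sized ones.
    # Note: compressed formats (docx, xlsx, zip, jpeg) are also high-entropy,
    # so entropy alone is a signal to investigate, not proof of encryption.
    return len(head) >= min_size and shannon_entropy(head) > ENTROPY_THRESHOLD


def scan_restore_point(root: str) -> List[str]:
    """Return relative paths under *root* that look encrypted or like ransom notes."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            if looks_encrypted(full):
                hits.append(os.path.relpath(full, root))
    return sorted(hits)


def newest_clean_restore_point(restore_points: List[str]) -> Optional[str]:
    """Given restore-point directories ordered oldest to newest, return the newest clean one."""
    for root in reversed(restore_points):
        if not scan_restore_point(root):
            return root
    return None


def build_sample_restore_points() -> List[str]:
    """Construct three daily restore points in a temp dir; only the newest is infected."""
    base = tempfile.mkdtemp(prefix="restore_points_")
    points = []
    for day in ("2016-08-01", "2016-08-02", "2016-08-03"):
        root = os.path.join(base, day)
        os.makedirs(root)
        points.append(root)
        with open(os.path.join(root, "report.txt"), "w") as fh:
            fh.write("Quarterly figures and commentary.\n" * 40)  # constructed plain text
    # The newest point captured the files after they had been encrypted.
    infected = points[-1]
    os.remove(os.path.join(infected, "report.txt"))
    with open(os.path.join(infected, "report.txt.zepto"), "wb") as fh:
        fh.write(os.urandom(4096))  # constructed stand-in for ciphertext
    with open(os.path.join(infected, "_HELP_instructions.html"), "w") as fh:
        fh.write("<html>Your files are encrypted</html>")  # constructed ransom note
    return points


if __name__ == "__main__":
    pts = build_sample_restore_points()
    for p in pts:
        print(os.path.basename(p), scan_restore_point(p) or "clean")
    print("restore from:", newest_clean_restore_point(pts))
```

Run it as-is and it reports the 2016-08-03 point as containing `_HELP_instructions.html` and `report.txt.zepto`, and recommends restoring from 2016-08-02. Keep in mind that entropy flags compressed office documents and archives too, so treat that indicator as a prompt to look closer rather than a verdict.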
- Perimeter Protection - ensure mail filters, web filters and managed firewalls are enabled and configured as per the vendor’s recommendation.
- AntiVirus - should be installed on all devices on the company network that users interact with and on all machines that hold company data. Keep definition files updated.
- Security Updates - must be kept up to date, not only for Windows but for all operating systems and applications.
- Education - staff education is critical, as new attacks are constantly finding ways past the protections above. A key message to get across is to think twice before you click:
- Only open attachments and links from sources you trust.
- Even if you know the source, question if the content looks suspicious.
- Double check the domain of a link and the extension of an attachment.
- Backups - frequent backups of all important data, with multiple restore points, ensure that even if you are infected your data is safe. Keep at least one copy offline or otherwise not writable from user machines, since ransomware will encrypt any backup it can reach. Also, make sure laptops are covered by your backup strategy, as mobile users often hold data that has never been saved to the cloud or the company network and is therefore not backed up.
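The "double check the domain of a link and the extension of an attachment" advice can be turned into an automated triage pass over an incoming message. The script below is an added example, not code from the original post or any product it mentions: it compares the domain shown in a link's text with the domain the href actually points to, flags attachment names that end in a script or executable extension (especially double extensions such as `invoice.pdf.js`), and looks inside a zip attachment for the same. The extension lists are assumed and illustrative, the two-label "registrable domain" rule is a stand-in for a proper public-suffix list, and the sample message and zip archive are constructed for the demonstration.

```python
"""Phishing triage: link-domain mismatch and risky attachment extensions.

Added example. The extension lists and the sample email are assumed and
constructed; real deployments should source the lists from current threat intel.
"""
import io
import re
import zipfile
from html.parser import HTMLParser
from typing import List, Optional
from urllib.parse import urlsplit

# Assumed, illustrative: extensions commonly used as ransomware droppers in
# 2016-era phishing (script files, macro-enabled Office documents, executables).
RISKY_EXTENSIONS = {"exe", "scr", "js", "jse", "wsf", "vbs", "hta", "cmd", "bat", "docm", "xlsm", "jar"}
# Harmless-looking extensions that are often used to disguise a risky one ("invoice.pdf.js").
DOCUMENT_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}


def registrable_domain(host: str) -> str:
    """Crude eTLD+1: the last two labels (assumption: no public-suffix list available offline)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


class LinkExtractor(HTMLParser):
    """Collect (visible text, href) pairs from <a> elements in an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def check_links(html: str) -> List[str]:
    """Report links whose displayed domain differs from the domain they really go to."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for text, href in parser.links:
        real_host = urlsplit(href).hostname or ""
        # Only compare when the link text itself looks like a URL or domain.
        m = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text, re.I)
        if m and registrable_domain(m.group(1)) != registrable_domain(real_host):
            findings.append(f"link text shows {m.group(1)} but goes to {real_host}")
    return findings


def check_attachment(filename: str) -> Optional[str]:
    """Return a finding for a risky attachment name, or None if it looks benign."""
    parts = filename.lower().split(".")
    if len(parts) < 2 or parts[-1] not in RISKY_EXTENSIONS:
        return None
    if len(parts) > 2 and parts[-2] in DOCUMENT_EXTENSIONS:
        return f"{filename}: double extension hiding a .{parts[-1]} file"
    return f"{filename}: risky extension .{parts[-1]}"


def check_zip_contents(data: bytes) -> List[str]:
    """List members of an in-memory zip archive whose extension is risky."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [n for n in zf.namelist() if n.rsplit(".", 1)[-1].lower() in RISKY_EXTENSIONS]


# Constructed sample message: the first link's text claims one domain, its href another.
SAMPLE_HTML = (
    "<p>Your invoice is ready. View it at "
    '<a href="http://secure-login.example-payments.net/inv/4411">https://www.examplebank.com/invoices</a>'
    ' or visit <a href="https://www.examplebank.com/help">our help page</a>.</p>'
)
SAMPLE_ATTACHMENTS = ["Invoice_4411.pdf.js", "statement.pdf", "Scan_001.docm"]


def build_sample_zip() -> bytes:
    """Constructed zip attachment containing a script file next to a harmless text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.js", "// constructed stand-in for a downloader script\n")
        zf.writestr("readme.txt", "see attached\n")
    return buf.getvalue()


if __name__ == "__main__":
    for f in check_links(SAMPLE_HTML):
        print("LINK:", f)
    for name in SAMPLE_ATTACHMENTS:
        f = check_attachment(name)
        print("ATTACHMENT:", f or f"{name}: ok")
    print("ZIP members flagged:", check_zip_contents(build_sample_zip()))
```

On the constructed message this flags the first link (text shows `www.examplebank.com`, href goes to `secure-login.example-payments.net`), the `Invoice_4411.pdf.js` double extension, the macro-enabled `Scan_001.docm`, and `invoice.js` inside the zip. Two limits worth knowing: the two-label domain rule mis-handles suffixes like `.co.uk`, and password-protected archives cannot be inspected at all, which is itself a reason to quarantine them rather than pass them through.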
Ransomware is the top cyber security threat facing businesses today. As it continues to evolve and diversify we need to stay vigilant and ensure we are aware of the risks and the best ways to be prepared and protect our data.