Ransomware has been a prominent threat to individuals, enterprises, and small and medium-sized businesses alike since the mid-2000s. According to the FBI, the Internet Crime Complaint Center (IC3) received 1,783 complaints in 2017 with a total cost of over $2.3 million. However, these complaints represent only the attacks reported to the IC3.
The actual number of attacks and their costs are much higher, since many organizations choose to handle incidents internally to avoid public or stakeholder backlash that could damage their reputation. According to Statista, 2017 saw an estimated 184 million attacks.
Initially, ransomware targeted individuals, who still account for the majority of victims today. Over time, however, attackers began targeting institutions that cannot operate without full access to their data, such as hospitals, universities and government offices. In this article, we discuss ransomware, how to prevent it, what to do if you are infected, and the importance of backups in the ransomware recovery process.
Ransomware is a type of malware that is uniquely designed to lock you out of your computer system or to encrypt your data so that you cannot access it. Furthermore, it can take advantage of your operating system’s vulnerabilities and spread to other networks or systems.
Once ransomware has successfully infected your computer systems, the individual behind the attack demands a ransom (hence the name) to return access to and control of your systems, or to decrypt your data. Types of ransomware include crypto malware, lockers, scareware, doxware (leakware) and ransomware-as-a-service (RaaS).
These cybercriminals usually launch attacks remotely and demand untraceable, non-refundable payment in cryptocurrencies such as Bitcoin. In some recent ransomware attacks, the criminals have gone a step further and asked for payment in gift cards, such as Google Play or Apple iTunes cards, which can later be converted into merchandise or cash.
Unfortunately, successful ransomware attacks rarely leave behind digital evidence that can be used to trace the perpetrators or recover the money paid. Furthermore, there is no guarantee that your data will be decrypted in full even if you pay the ransom.
The first ransomware incident dates back to 1989 when, reportedly, a Harvard-educated biologist infected the computers of several attendees of the WHO’s internal AIDS conference. From the mid-2000s, cybercriminals became more creative with their attacks, and after 2012 ransomware spread globally with the use of asymmetric RSA encryption.
Today, ransomware varieties have become increasingly advanced when it comes to their capabilities for encrypting files, evading detection, spreading across systems, and coercing ransoms from users. The new age of attacks involves advanced development techniques such as the use of crypters to make reverse-engineering extremely difficult, or the use of advanced distribution efforts including pre-built infrastructures that widely and easily distribute new varieties.
Spear-phishing campaigns are quickly replacing traditional mass phishing emails, since the latter are now frequently filtered out as spam. More sophisticated attackers have developed downloadable toolkits that people with less technical skill can deploy. Other ransomware-monetizing schemes include the RaaS programs that have revolutionized CryptoLocker, Locky, CryptoWall and TeslaCrypt.
Additionally, attackers are now using offline encryption methods that take advantage of legitimate system features (like Microsoft’s CryptoAPI) to eliminate the need for command and control communications.
Ransomware spreads in many ways, the most common being phishing emails carrying malicious attachments. The attachments masquerade as legitimate files from a trusted source. Once you download and open an infected file, it can take over your computer, especially if it includes a built-in social engineering lure to trick you into granting administrative access. Other, more aggressive ransomware families exploit security holes in your system to infect and encrypt your computer without any trickery.
Attackers also use deceptive messages on social media to gain access to victims’ computers. One of the most common channels is Facebook Messenger. Here, the attacker creates an account that mimics one of your current friends and then sends messages with file attachments. Once an attachment is opened, the attacker gains access to your device and can lock down all connected networks.
Your computer can also be infected through drive-by downloading. This occurs when you unknowingly visit an infected website, resulting in malicious software being downloaded and installed without your knowledge. The attacker can then encrypt the data on your machine.
One variant, crypto-ransomware, encrypts your files and spreads similarly through social media (for example, web-based instant messaging apps). Other infection methods include exploiting vulnerable web servers to gain access to your organization’s network, and online pop-ups.
Once an attacker has taken over your computer systems, the first thing they do is to lock or encrypt your files. At the end of the attack, your files cannot be opened or decrypted without a key known only to your attacker and probably stored on their system.
At this point, you will receive a message explaining the inaccessible state of your files and a ransom demand for money through an untraceable payment method such as cryptocurrency. Sometimes, your attacker may be creative enough to assume the identity of a law enforcement agency and claim to have shut down your systems due to the presence of illegal content such as pirated software or pornography. They then demand payment in the form of a fine.
In a leakware or doxware attack, your attacker will threaten to publicize any sensitive data on your device unless you pay them. However, since finding and extracting such data requires technical expertise, the most common types of attacks are encryption-related.
Ransomware has evolved over the years from simple email attachments to infected websites, mobile apps and even digital advertisements. Its effectiveness has increased its demand over the Dark Web where it is sold as ransomware-as-a-service (RaaS) portals. Potential targets include:
According to the US Department of Justice, this cybercrime has the potential to cause global-scale impacts. Like most other malware, ransomware often infects a computer system due to clicking unsafe links or downloading unsafe programs.
However, unlike other malware attacks, ransomware is not removed when you flash your BIOS, wipe your drive, or attempt to return your OS to a prior restore point. The program locks your files before the ransom demand is made. At the same time, the attacker creates a unique decryption key and stores it on their servers.
Failure to pay the ransom on time, or any attempt to tamper with the encryption program, leads to the permanent deletion of the decryption key, rendering all your locked files inaccessible. More often than not, such attacks only end when the victim pays the amount demanded.
Though you can still use an infected computer, the risk of losing valuable data can significantly impact productivity. Other impacts of this attack include:
Ransomware is frightening because you stand to lose critical personal and business data, and an attack may have other short-term and long-term effects even if you pay the ransom. However, there are several anti-ransomware strategies that you can use to protect yourself and your business.
Do not store all your data in one place. Regular backups are necessary because they allow you to restore data lost to ransomware attacks and other disasters. Note that CryptoLocker also finds and encrypts data on mapped drives. Therefore, you need a regular backup schedule to an external backup service or to a drive that has no assigned drive letter or is disconnected when no backup is running.
CryptoLocker frequently arrives in a file named with a “.PDF.EXE” extension because attackers count on Windows’ default behavior of hiding known file extensions. By configuring your computer to show full file extensions, you can more easily spot suspicious ones.
One particularly notable CryptoLocker behavior is running its executables from the Local AppData and AppData folders. You can therefore create rules, either through Windows or an intrusion prevention product, to disallow this behavior, and exclude any legitimate programs that run from the AppData area.
If you have a gateway mail scanner that can filter files by extension, it may be advisable to deny emails with “.exe” attachments or any file that carries more than one extension where one of them is an executable extension.
If you legitimately need to send or receive executable files within your environment after denying “.exe” attachments, you can use password-protected ZIP files or exchange the files via cloud services.
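The detection side of the AppData rule above, as an added example that is not from the page or from any vendor product: a function that flags process-creation records whose image path sits under a user's AppData\Local or AppData\Roaming folder, with an allow-list for legitimate programs. The record layout, the `ExampleApp` allow-list entry and the sample events are constructed assumptions.

```python
import re
from typing import Dict, List

# Matches an image path under <drive>:\Users\<name>\AppData\Local or \Roaming and
# captures the part after "AppData\", e.g. "Roaming\qwertyu.exe".
APPDATA_RE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\appdata\\((?:local|roaming)\\.*)$", re.IGNORECASE
)

# Assumption: sub-paths under AppData that legitimately run executables in your
# environment (the exclusions the page mentions). "ExampleApp" is a placeholder.
ALLOWED_SUBPATHS = ("local\\programs\\exampleapp\\",)


def is_appdata_execution(image_path: str) -> bool:
    """True when the executable lives under AppData and is not on the allow-list."""
    path = image_path.strip().replace("/", "\\")
    match = APPDATA_RE.match(path)
    if match is None:
        return False
    relative = match.group(1).lower()
    return not any(relative.startswith(prefix) for prefix in ALLOWED_SUBPATHS)


def scan_process_events(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the process-creation records whose image path violates the rule."""
    return [event for event in events if is_appdata_execution(event["image"])]


# Constructed sample records in the shape of process-creation log entries
# (image = full path of the launched executable); not real telemetry.
SAMPLE_EVENTS = [
    {"pid": "4120", "user": "alice", "image": r"C:\Users\alice\AppData\Roaming\qwertyu.exe"},
    {"pid": "4188", "user": "alice", "image": r"C:\Users\alice\AppData\Local\Temp\inv\Invoice.PDF.EXE"},
    {"pid": "5002", "user": "bob", "image": r"C:\Users\bob\AppData\Local\Programs\ExampleApp\app.exe"},
    {"pid": "5100", "user": "bob", "image": r"C:\Windows\System32\notepad.exe"},
    {"pid": "5150", "user": "bob", "image": r"C:\Program Files\Vendor\tool.exe"},
]

if __name__ == "__main__":
    for hit in scan_process_events(SAMPLE_EVENTS):
        print(f"ALERT pid={hit['pid']} user={hit['user']} image={hit['image']}")
```

Run against your own process-creation telemetry, only the two AppData launches not covered by the allow-list are reported.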
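The gateway attachment policy from the three preceding paragraphs (executable extensions, double extensions such as “.PDF.EXE”, and ZIP files as the sanctioned exception), written out as an added example that is not part of the original article. The executable-extension list beyond “.exe”, the verdict names and the sample archive are assumptions; a real gateway would apply the same logic on the MIME parts it sees.

```python
import io
import zipfile
from typing import List, Optional

# Extensions Windows runs directly. Assumption: a starting list to extend to your
# own gateway policy; the article itself names only ".exe".
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "msi"}


def extension_chain(filename: str) -> List[str]:
    """Every extension in a name, lower-cased: 'Invoice.PDF.EXE' -> ['pdf', 'exe']."""
    parts = filename.strip().lstrip(".").split(".")
    return [part.lower() for part in parts[1:] if part]


def classify_name(filename: str) -> str:
    """'block' when any extension in the chain is executable (covers both a bare
    'setup.exe' and the hidden-extension trick 'Invoice.PDF.EXE'); else 'allow'."""
    if any(ext in EXECUTABLE_EXTS for ext in extension_chain(filename)):
        return "block"
    return "allow"


def classify_zip(data: bytes) -> str:
    """Run classify_name over each member. Member names stay readable even in a
    password-protected archive, but the contents cannot be scanned, so an archive
    with encrypted members comes back 'review' instead of 'allow'."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            infos = archive.infolist()
    except zipfile.BadZipFile:
        return "review"
    if any(classify_name(info.filename) == "block" for info in infos):
        return "block"
    if any(info.flag_bits & 0x1 for info in infos):  # bit 0 set: member is encrypted
        return "review"
    return "allow"


def screen_attachment(filename: str, data: Optional[bytes] = None) -> str:
    """Gateway verdict for one attachment: name rule first, then ZIP member names."""
    if classify_name(filename) == "block":
        return "block"
    if extension_chain(filename)[-1:] == ["zip"] and data is not None:
        return classify_zip(data)
    return "allow"


def build_sample_zip(member_name: str) -> bytes:
    """Constructed test archive with one harmless text member under the given name."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        archive.writestr(member_name, b"placeholder bytes, not a program")
    return buffer.getvalue()
```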
Cryptolocker/Filecoder accesses target machines via Remote Desktop Protocol (RDP), a Windows feature that allows other users to access your desktop remotely. Disabling RDP can go a long way in protecting your machine from remote attacks.
Security is always a shared responsibility between you and your employees. Therefore, always ensure that you carry out routine, updated employee training on your system and network security, threat assessment, and their role in fighting cybercrime and ransomware prevention.
Malware authors often count on people running outdated software with known vulnerabilities that can be exploited for personal or financial gain. Regular software updates significantly reduce the potential for attacks, since vendors release routine security updates as well as emergency patches.
You can enable automatic updates or manually visit a vendor’s website to get updates. Beware that perpetrators also like to disguise their software as update notifications.
Having both a software firewall and anti-malware software helps you identify a potential threat or suspicious behavior. You need both defense layers because malware authors frequently release new variants to evade ransomware detection.
Most malware relies on remote instructions to execute. If a new ransomware variant gets past your security software, there is a good chance it will not get past your firewall when it attempts to connect to its Command and Control (C&C) server.
There are several ransomware prevention steps that you can take to avoid unauthorized access. These security practices can significantly improve your defenses and protect you from all sorts of cyber attacks. They include:
You should place certain limitations on any contractor or employee who:
Any person, employee or contractor with access to your systems creates a potential vulnerability point for attackers. Turnover, improper restrictions, and failure to update your passwords can result in ransomware protection vulnerabilities and heighten your risk of attacks.
You need to put in place a multifaceted ransomware detection system to ensure comprehensive protection. It should have endpoint protection for user systems, intrusion detection, enterprise virus protection for servers, known malware detection, central logging for event correlation, network port monitoring and data pattern detection.
The quick detection of malicious activity allows for immediate containment before it spreads and causes further harm. All your infected systems should be quarantined, remediated and restored. Sometimes, your systems may not capture a successful ransomware attack until it is too late and you are locked out of your data. Even your backups may be compromised, rendering them useless.
Therefore, your system administrators need to remain vigilant during the detection stage to enable them to quickly start containment measures to stop the attack and restore encrypted data. System administrators should also install effective third-party tools that help detect attacks and aid in ransomware protection.
Unfortunately, there is no 100 percent guarantee when it comes to cybersecurity. No matter how good your IT department is at ransomware detection and protection, successful attacks occasionally happen and force organizations into the recovery stage.
Ransomware recovery time is dependent on how widespread the attack was and your level of preparedness. Regardless of scale, from the encryption of a few files to the loss of an entire site's data, it is usually your most critical data that is targeted. Your disaster recovery procedures and tools will be used and tested throughout the whole process.
Effective ransomware defense ultimately depends on education. You should take the time to learn about your best options for software updates and automated data backups. Educating yourself and your employees on the telltale signs of a threat or attack, and on distribution tactics such as spoofed websites, drive-by downloads and phishing, should be your top priority, as this knowledge helps you collectively protect against ransomware.
You also need to implement security solutions that allow advanced threat protection. Endpoint Detection and Response (EDR) tools are perfect for monitoring activities on your networks and endpoints to identify, protect and mitigate threats. NetBackup tools also go a long way in detecting and preventing ransomware and other attacks.
There are three types of ransomware clean-up and preventive tools. The first category is disinfection tools for computers that need clean certification before you can restore data after an incident. This feature is present in many mainstream anti-virus programs.
The second category comprises decryption tools that are launched once an attack is successfully underway. Unfortunately, these tools are limited and remain dependent on researchers recovering attackers’ individual key databases once they are caught.
The third category is ransomware protection tools that use behavioral analysis to spot events suggestive of ransomware on a system and intercept it before any damage is done.
Some of the best ransomware prevention and recovery tools today include Veritas NetBackup appliances, the Trend Micro lock screen tool, Avast tools, BitDefender, Kaspersky tools and Lab decryptors, AVG decryption tools, Webroot SecureAnywhere tools, Malwarebytes, McAfee Interceptor Review, No More Ransom and CryptoPrevent.
Testing the effectiveness of ransomware protection tools against real samples is incredibly tricky. Moreover, some tools are specific to particular past incidents that may not be active today.
However, perhaps the best way to test these tools’ effectiveness is to set up a virtual machine (VM) that matches your system environment and has no actual network access. From here, you can test for different attack situations and use restore points from your backups (such as Veritas NetBackup appliances) to see their effectiveness.
Crypto-ransomware targeting computer systems has turned into a mass phenomenon in recent years. Without proper ransomware protection tools and training, by the time you see the ransom demand it is already too late to pull the plug and stop further compromise. Outbreaks of varieties such as WannaCry and NotPetya have shown the extensive damage that a highly distributed attack can do.
While antivirus programs are presently better tuned to detect and block some types of ransomware (usually by watching out for suspicious behavior), having the right type of backup remains the number one defense against this and other malware attacks. Veritas NetBackup Appliances has a range of products that help you prevent and detect attacks as well as recover your data.
Veritas customers include 95% of the Fortune 100, and NetBackup™ is the #1 choice for enterprises looking to protect large amounts of data.