Crypto ransomware has been crippling businesses and headlining security news. Here’s what it’s all about, and what you can do to protect your organization.

Business Security Best Practices, End-Point-Protection // 09.05.2016
At the end of 2015, our security advisor Sean Sullivan predicted 2016 would be the year of extortion. So far, he’s been absolutely right. Crypto ransomware has been headlining security news in recent months, crippling businesses and organizations small and large. With no visible alternatives, many have been forced into paying the ransom – which may get their computers back online, but it also encourages the cybercriminals in their data racketeering.
Here’s our quick guide to ransomware – what it’s all about, and what you can do to protect your organization.
Crypto-ransomware encrypts the files on a computer, essentially scrambling the contents of the file so that the user can’t access it normally without a decryption key that can correctly unscramble it. A ransom payment is demanded in return for the decryption key. Once the malware has infected one machine, it can spread to others in the network, making it impossible to carry out normal business operations.
The payment is often demanded in Bitcoin, a virtual currency that is difficult to trace. The attacker usually imposes a deadline by which payment should be made. Once that deadline passes, the amount demanded often increases and a new deadline is set. If the second deadline is missed, it is likely the attackers will delete the decryption key altogether. Once the key is deleted it may be impossible to ever recover your data.
Users may encounter ransomware in a number of ways. The most common method is via email, as an attached file. The file is usually either disguised as a document containing urgent information or desirable content, or placed in a ZIP or other packed file with a misleading name. This method depends on tricking the user into opening the attachment and running the malicious file. Aside from attachments, email can also spread ransomware through the malicious links it includes (read on to the next paragraph).
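The two attachment disguises just described (an executable named to look like a document, and a script or executable hidden inside an archive with an innocent name) are both cheap to catch at the mail gateway. The screener below is an added example, not code from the post or from F-Secure; the extension lists, the magic-byte table and the sample attachments are all constructed for the illustration, and a real deployment would take its block list from the organization's own policy.

```python
"""Screen email attachments for the disguises described above: an executable
named to look like a document, and an archive with a misleading name that
carries a script or executable inside. All sample files are constructed here."""
import io
import zipfile
from typing import Dict, List, Optional

# Extensions that Windows runs directly on double-click (hypothetical policy
# list, trimmed for the example; extend to match your gateway's block list).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
                   "vbs", "vbe", "wsf", "hta", "ps1"}
# Extensions a recipient would reasonably expect to be an inert document.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "rtf", "txt"}
# Leading bytes that identify the real container type regardless of the name.
MAGIC = [(b"MZ", "exe"), (b"%PDF", "pdf"), (b"PK\x03\x04", "zip")]
MAX_ARCHIVE_MEMBERS = 50   # refuse to walk very large archives


def sniff(data: bytes) -> Optional[str]:
    """Return the type implied by the first bytes, or None if unknown."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return None


def extensions(name: str) -> List[str]:
    """All dotted suffixes of a file name, lower-cased: 'a.pdf.exe' -> ['pdf', 'exe']."""
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    return parts[1:]


def screen_one(name: str, data: bytes) -> List[str]:
    """Reasons a single (non-archive) file looks like a disguised executable."""
    reasons = []
    ext = extensions(name)
    last = ext[-1] if ext else ""
    if last in EXECUTABLE_EXTS:
        reasons.append(f"{name}: executable extension .{last}")
    if len(ext) >= 2 and ext[-2] in DOCUMENT_EXTS and last in EXECUTABLE_EXTS:
        reasons.append(f"{name}: document extension followed by .{last} (double extension)")
    if sniff(data) == "exe" and last not in EXECUTABLE_EXTS:
        reasons.append(f"{name}: content is a Windows executable but the name says otherwise")
    return reasons


def screen_attachment(name: str, data: bytes) -> List[str]:
    """Screen one attachment; archives are opened in memory and each member screened."""
    if sniff(data) != "zip" and not name.lower().endswith(".zip"):
        return screen_one(name, data)
    reasons = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            members = zf.infolist()
            if len(members) > MAX_ARCHIVE_MEMBERS:
                return [f"{name}: archive has {len(members)} members, over the screening limit"]
            for info in members:
                if info.is_dir():
                    continue
                member = zf.read(info)   # read into memory only, never extracted to disk
                reasons += [f"{name} -> {r}" for r in screen_one(info.filename, member)]
    except zipfile.BadZipFile:
        reasons.append(f"{name}: named .zip but not a valid archive")
    return reasons


def screen_mail(attachments: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Map each attachment name to its findings; an empty list means nothing suspicious."""
    return {name: screen_attachment(name, data) for name, data in attachments.items()}


def build_samples() -> Dict[str, bytes]:
    """Constructed sample attachments mirroring the tricks described in the post."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Scan_0042.js", b"// constructed stand-in for a script, does nothing\n")
    return {
        "Invoice_2016.pdf.exe": b"MZ\x90\x00" + b"\x00" * 60,   # fake PE header, double extension
        "Quarterly_report.docx": b"MZ\x90\x00" + b"\x00" * 60,  # PE bytes renamed as a document
        "Scan_0042.zip": buf.getvalue(),                        # script inside a plain-looking archive
        "agenda.pdf": b"%PDF-1.4\n%constructed\n",              # genuine-looking document
    }


if __name__ == "__main__":
    for name, findings in screen_mail(build_samples()).items():
        print(name, "->", findings or "clean")
```

The check that matters most is the third one in `screen_one`: it ignores the name entirely and looks at the first bytes, so renaming an executable to `.docx` does not get it past the screener. Archive members are read into memory and never written to disk, which keeps the screener itself from becoming the thing that drops the file onto the host.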
Another common way attackers distribute ransomware is to include it in the payload of an exploit kit. Users can be exposed to exploit kits when they visit a compromised website or are redirected onto a malicious site (for example, via an email link). The exploit kit probes the user’s computer for any exploitable flaws or vulnerabilities, which are common in outdated software. If one is found, the exploit kit downloads and installs the ransomware onto the user’s machine. To an average user, this can happen completely without their knowledge.
The ransom fee demanded is usually around $300 to $500 per computer. If 20 computers are infected, that can add up to as much as $10,000. It’s also possible that cyber criminals who conduct ransomware attacks targeted at specific businesses will ask for one lump sum of their choosing. (For an interesting discussion on the monetization of crypto-ransomware, check out this F-Secure Labs blog post.)
But the money that’s demanded is only a tiny fraction of the actual cost. The real damage comes from the effects of network downtime (lost productivity, lost business opportunities, reduced customer satisfaction and damage to the brand) and the costs of restoring the network (resources to respond to the attack, repairing or replacing systems).
F-Secure advises against paying the ransom. While doing so is one way to get an organization’s systems working again, a better way of getting your business’s files back begins before you ever get hit – by taking regular backups. That way if you do get attacked, you can relax – and restore from the backups. If everyone took backups of their work, ransomware would cease to exist as a business model for the criminals.
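A backup only helps if a restore from it actually reproduces the files, so the habit worth building is a restore test: record a hash manifest when the backup is taken, then verify a restored copy against it. The script below is an added example, not from the post or from F-Secure; the directory layout, file contents and the "damaged restore" scenario are constructed in a temporary directory so it runs offline.

```python
"""Restore test for backups: record a SHA-256 manifest when a backup is taken,
then verify a restored copy against it and report what is missing or changed.
The sample tree and the damaged restore are constructed in a temp directory."""
import hashlib
import os
import shutil
import tempfile
from typing import Dict, List, Tuple


def sha256_file(path: str) -> str:
    """Hash a file in chunks so large backups do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_manifest(root: str) -> Dict[str, str]:
    """Relative path -> SHA-256 for every file under root (stored with the backup)."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_restore(manifest: Dict[str, str], restored_root: str) -> Tuple[List[str], List[str]]:
    """Compare a restored tree against the manifest; return (missing, changed) paths."""
    missing, changed = [], []
    for rel, digest in manifest.items():
        path = os.path.join(restored_root, *rel.split("/"))
        if not os.path.isfile(path):
            missing.append(rel)
        elif sha256_file(path) != digest:
            changed.append(rel)
    return sorted(missing), sorted(changed)


def demo() -> Dict[str, Tuple[List[str], List[str]]]:
    """Constructed scenario: a clean restore passes, a damaged restore is reported."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "share")
        os.makedirs(os.path.join(src, "finance"))
        with open(os.path.join(src, "finance", "ledger.xlsx"), "wb") as f:
            f.write(b"constructed ledger bytes")
        with open(os.path.join(src, "readme.txt"), "wb") as f:
            f.write(b"constructed readme")
        manifest = make_manifest(src)   # taken at backup time, kept with the backup

        # Restore 1: a faithful copy of the backup.
        clean = os.path.join(tmp, "restored_clean")
        shutil.copytree(src, clean)

        # Restore 2: one file never came back, another was overwritten
        # (what a backup that was itself reachable by the malware would look like).
        damaged = os.path.join(tmp, "restored_damaged")
        os.makedirs(os.path.join(damaged, "finance"))
        with open(os.path.join(damaged, "finance", "ledger.xlsx"), "wb") as f:
            f.write(b"constructed stand-in for encrypted content")

        return {"clean": verify_restore(manifest, clean),
                "damaged": verify_restore(manifest, damaged)}


if __name__ == "__main__":
    for label, (missing, changed) in demo().items():
        print(f"{label}: missing={missing} changed={changed}")
```

Keep the manifest somewhere the backup job cannot overwrite, and run the verification from a host that is not the one being protected; a backup that sits on a share the infected machine can write to is exactly the one a changed-hash report will catch too late.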
If your files have been ransomed and you don’t have backups, it’s worth going online and seeing if a decryptor tool exists for the ransomware you’ve been hit with. This list is a good start, although decryptors are typically only available for early versions of some families. And keep in mind that attackers update their approach to use ransomware that doesn’t have a decryptor tool available.
You also might find it useful to share your situation on a help forum like Bleeping Computer, where there are threads for help with Locky, TeslaCrypt, CryptoWall, Petya, CryptXXX, Locker and many others.
Prevention is better than cure, and that’s certainly true for ransomware. Take precautions to prepare for and avoid a ransomware attack and you’ll be much better off. Here are our tips to keep your business running: