Ransomware: What You May Not Know Could Hurt You
Ransomware is one of the most common and devastating infections threatening your data today. Ransomware is a type of malicious software, or malware, that takes a system or a number of systems hostage and demands a fee to unlock or decrypt files. Over the past few years, a number of high-profile targets have fallen victim to these infections, including UK Parliament, Hollywood Presbyterian Medical Center, Los Angeles Community College, and seven police departments in Maine. The cost to affected businesses and other organizations was estimated to be $1 billion in 2016. If an incident can occur within organizations like these, you are definitely at risk as well.
According to McAfee, one of the leading antivirus software vendors, ransomware is predicted to peak during mid-2017 and recede thereafter. Some advancements are being made that may lead to the eventual elimination of ransomware, but until then your organization must remain resilient against these threats. Hundreds of thousands of new malware variants are released each day, and the ransomware we are combating today is only its current iteration; it is unclear how effective today's mitigation techniques will be against newer versions. To help keep you protected and prepared in the event that an infection occurs, here are six important facts that you should know about ransomware:
It doesn’t take an experienced coder to launch a ransomware attack anymore. Packages have become available for purchase on the Darknet that can be rebranded and deployed by even the most novice cybercriminal. Once purchased, a malicious actor only needs to customize it with a name, add a personal note, determine a ransom amount, and start distributing. The original “publisher” then takes a cut of the ransom, once the fee has been paid. This should put into perspective the scale of these organized cybercrime groups, reminiscent of the prohibition-era organized crime wave. These groups have hierarchies, structure, and often hide behind the lax laws of developing countries.
- No files are safe
Ransomware can, and will, encrypt files not only on your hard drive, but also on external devices and mapped network drives. The current generation of ransomware, dubbed “Cryptoware 2.0,” can encrypt database files in addition to documents and pictures. Some more advanced versions can even find and encrypt non-mapped network shares. If you use a cloud-based backup that maps a drive, or a service such as Dropbox, the files stored in those locations are susceptible as well. This is why it is important to carefully control and limit access to critical network storage and backup locations, and to avoid exposing their paths.
- Not all ransomware is created equal
Non-encrypting ransomware takes a simpler approach to holding your system hostage. Some of these infections are as simple as a splash screen that starts up with Windows and can be removed by disabling the startup entry in MSCONFIG on Windows systems. This is one instance where a ransomware occurrence may not be entirely detrimental. Unfortunately, most of the risk comes from encryption-based ransomware, as it is the most common and the most devastating. Even if you are infected with one of the encrypting variations of ransomware, there is still hope…
- You may be able to find an unlock key
Some antivirus companies have published “decryptors” and unlock keys for some of the more common ransomware. Kaspersky and Trend Micro, two other leading antivirus and data protection companies, have a collection of such tools. Additionally, ID Ransomware is a free website that can help you identify which variation you are infected with so that you may begin to take steps toward remediation.
- Paying the ransom
It is never advisable to pay a ransom. Your first course of action should be to assess the damage. Determine which files have been affected, how important they are, which variation of ransomware you are infected with, and whether or not a decryption tool is available. From there, determine if restoration from a clean backup is possible. In the case of Hollywood Presbyterian, a $17,000 ransom was paid before reaching out to law enforcement for assistance. In another instance, Los Angeles Community College was advised by law enforcement and cybersecurity consultants to pay the $28,000 ransom after evaluating cost and impact. While some generic ransomware infections are mass-distributed, these targeted types of ransomware attacks that occurred at Hollywood Presbyterian and LACC are especially dangerous and costly.
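The damage assessment described above starts with an inventory of which files were actually touched. The following is an added example, not code from the original article or from OCD Tech, of a read-only triage scan a responder could run against a share or restored snapshot: it flags files whose contents are high-entropy with no recognisable file header (a typical sign of ciphertext) and files whose names look like ransom notes. The note-name patterns, the list of legitimately high-entropy formats, the 7.2 bits-per-byte threshold and the sample directory tree are all constructed assumptions for illustration, not indicators from any real family.

```python
"""Ransomware damage-assessment triage: inventory likely-encrypted files.

Added example, not code from the original article or from OCD Tech.
Walks a directory tree read-only and reports (a) files that look
encrypted (high byte entropy, no known header) and (b) files whose
names match constructed ransom-note patterns. Nothing is modified.
"""
import math
import os
import re
import tempfile
from collections import Counter
from dataclasses import dataclass, field

# Constructed, illustrative ransom-note file-name patterns (assumption).
NOTE_NAME_PATTERNS = [
    re.compile(r"(readme|how.?to.?decrypt|recover|restore).*\.(txt|html|hta)$", re.I),
]

# Legitimate formats that are compressed and therefore high-entropy;
# excluded by their magic bytes so they are not misreported as ciphertext.
KNOWN_HIGH_ENTROPY_HEADERS = {
    b"\x89PNG": "png", b"\xff\xd8\xff": "jpeg", b"PK\x03\x04": "zip/office",
    b"%PDF": "pdf", b"\x1f\x8b": "gzip",
}

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, in the range 0.0 .. 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_encrypted(data: bytes, threshold: float = 7.2) -> bool:
    """True if the sample is high-entropy and not a known compressed format.
    The 7.2 threshold is an assumption; tune it against your own data."""
    if any(data.startswith(magic) for magic in KNOWN_HIGH_ENTROPY_HEADERS):
        return False
    return len(data) >= 64 and shannon_entropy(data) >= threshold

@dataclass
class TriageReport:
    encrypted: list = field(default_factory=list)
    ransom_notes: list = field(default_factory=list)
    scanned: int = 0

def triage(root: str, sample_size: int = 4096) -> TriageReport:
    """Read the first sample_size bytes of every file under root and classify it."""
    report = TriageReport()
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            report.scanned += 1
            if any(p.search(name) for p in NOTE_NAME_PATTERNS):
                report.ransom_notes.append(path)
                continue
            try:
                with open(path, "rb") as fh:
                    head = fh.read(sample_size)
            except OSError:
                continue  # unreadable file: skip, never write
            if looks_encrypted(head):
                report.encrypted.append(path)
    return report

def build_sample_tree() -> str:
    """Constructed sample share: a plaintext doc, a random-byte file with an
    appended extension standing in for ciphertext, a PNG-like file, and a note."""
    root = tempfile.mkdtemp(prefix="triage_")
    os.makedirs(os.path.join(root, "finance"))
    with open(os.path.join(root, "finance", "q1.txt"), "w") as f:
        f.write("Quarterly figures: revenue up 4%.\n" * 20)
    with open(os.path.join(root, "finance", "q2.docx.locked"), "wb") as f:
        f.write(os.urandom(8192))  # constructed stand-in for encrypted content
    with open(os.path.join(root, "photo.png"), "wb") as f:
        f.write(b"\x89PNG\r\n\x1a\n" + os.urandom(4096))
    with open(os.path.join(root, "HOW_TO_DECRYPT_FILES.txt"), "w") as f:
        f.write("constructed ransom note text\n")
    return root

if __name__ == "__main__":
    r = triage(build_sample_tree())
    print(f"scanned {r.scanned}; likely encrypted: {r.encrypted}; notes: {r.ransom_notes}")
```

The scan only reads file headers, so it can be pointed at a quarantined share without risk of altering evidence; the resulting inventory, plus the note text, is what you feed into ID Ransomware or a decryptor search before deciding whether a backup restore covers the affected files.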
- You may not get your files back anyway
Should you decide to disregard the warnings not to pay the ransom, as even some of the aforementioned high-profile targets have been forced to do, there is no guarantee that you will get your files back. Given the malicious nature of the cybercriminal networks that stage these attacks, you cannot expect any form of support from the perpetrators. Once they have your money, they have no motivation to support their “software” or to have any further interaction with their victims. Another concern with paying a ransom is that some ransomware employs rootkit technology, meaning that even after files are unlocked, remnants of the infection remain. While your files may become accessible again, your system is still infected, which could leave your company vulnerable to further exploitation.
In an effort to better understand how these infections work, and how to protect against them, OCD Tech’s Scott Goodwin has developed his own ransomware infection in just 245 lines of Python code to test against various protection measures. To determine how vulnerable your business is to a ransomware attack, and how effective your Disaster Recovery plan would be in the event of an infection, contact OCD Tech for an assessment.