Today’s Real Threat: Ransomware
Posted by Matt Sidman at March 20th, 2017
Ransomware: Today’s Number One Electronic Threat
Imagine turning on your computer, only to face one of the following messages on your screen:
These are real samples of Ransomware, a form of digital extortion. It is trojan malware that restricts the user from accessing data or operating the device until a “ransom” payment is made to release the asset. Ransomware is expected to be the number one malware and data theft source in 2017, and has become the preferred method of revenue generation for malicious hackers.
Ransomware By the Numbers
- Average ransom payment amount in 2016, paid in bitcoin. Up from $294 in 2015 (source: Symantec)
- Number of “Locky” (a Locker variant) infections in March 2016 alone (source: Symantec)
- Percent growth of ransomware reports since December 2015
- Number of ransomware attacks in 2015 3Q (source: Gartner)
- Amount paid to ransomware criminals in 2016 Q1 (source: CNN)
- Percent of ransomware infections from email links, attachments, or compromised websites
- Less than half of ransomware victims fully recover data, even with paying the ransom or recovering from backup
The Types of Ransomware
Ransomware comes in two flavors: Crypto and Locker.
Crypto ransomware seeks to encrypt and hide data, files, and folders. It starts with the drive on the infected computer, and then scans the entire network for any accessible files, folders, and shares. Crypto ransomware becomes highly effective once it has encrypted the network server drives and files, making them inaccessible to any user, including network Administrators.
Newer versions do not require the infected user account to have authorization to the network files. That is, if an intern on a restricted computer contracts the Crypto malware, it can spread to encrypt all files on the network, including financial, personnel, and client files, even if the intern was restricted from those files.
Crypto can spread across the entire network, encrypting files, folders, and backup drives. Backup disks connected by USB or network are not safe from Crypto. Once a Crypto infection is detected, recovery usually requires a good backup, which is a good reason not to keep backups onsite and connected to the server.
Locker ransomware seeks to make the entire computer inaccessible to the victim. The computer is locked, the image on the screen replaced by an image informing the victim of the infection, and the victim is then prevented from using the computer.
Locker will look like a message from a legitimate organization, such as the FBI or an antivirus software vendor. However, since no legitimate organization will operate this way, it is a dead giveaway that this is an infection.
Locker is much more recoverable than Crypto by an IT professional with experience and appropriate tools.
There are many reasons that Ransomware is effective:
Easy to distribute: The trojan malware that delivers the payload is delivered through email links, attachments, and compromised websites. No targeting is required, and obtaining an email list is all that is needed to distribute the malicious code.
Payable: The average ransom in 2016 was $679, up from $372 in 2014. This amount is often cheaper than hiring an IT professional to clean the infection and recover lost data.
Platform independent: Every type of electronic device with internet connectivity is susceptible to ransomware. Apple, Android, Windows, servers, laptops, Linux, and IoT (Internet of Things) devices have been known to contract ransomware infections.
Difficult to Track: It is very difficult to locate the source of the malware, and because payment is usually in bitcoin, the payee is often invisible.
Defense Against Ransomware
Effective defense against ransomware requires three distinct phases:
Prevention and Awareness
Train staff to recognize malicious content. Everyone should understand how to detect whether email looks legitimate or might be spoofed. Maintain an open communication between all staff and knowledgeable IT resources for quick assistance when unsure what to do with malicious email or websites.
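Two of the simplest spoofing tells staff (and mail filters) can look for are header domains that do not agree with the visible From address, and links whose displayed URL differs from the address they actually point to. The Python script below is an added example, not part of the original post or Teqworks' tooling; the two sample messages and every domain in them (acme-example.com, mailer-example.net and so on) are constructed for the demonstration, and the Return-Path header is assumed to have been stamped by the receiving mail server.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse


def domain_of(header_value):
    """Return the lower-cased domain part of an address header, or '' if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def link_mismatches(html):
    """Flag <a> tags whose visible text shows one domain while href points elsewhere."""
    findings = []
    anchor = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
    for match in anchor.finditer(html):
        href, text = match.group(1), re.sub(r"<[^>]+>", "", match.group(2)).strip()
        href_host = (urlparse(href).hostname or "").lower()
        shown = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text, re.I)
        if shown and shown.group(1).lower() != href_host:
            findings.append(
                f"link text shows {shown.group(1)} but points to {href_host}")
    return findings


def spoof_indicators(raw_message):
    """Return a list of human-readable reasons the message looks spoofed (empty if none)."""
    msg = message_from_string(raw_message)
    findings = []
    from_domain = domain_of(msg["From"])
    # Bounce and reply addresses that live on a different domain than the
    # visible sender are a classic sign the From header was forged.
    for header in ("Return-Path", "Reply-To"):
        other = domain_of(msg[header])
        if other and other != from_domain:
            findings.append(
                f"{header} domain {other} differs from From domain {from_domain}")
    findings.extend(link_mismatches(msg.get_payload()))
    return findings


# Constructed sample: forged payroll notice with mismatched headers and a disguised link.
SPOOFED_SAMPLE = """\
From: "Acme Payroll" <payroll@acme-example.com>
Return-Path: <bounce@mailer-example.net>
Reply-To: <payroll-reply@acme-example.co>
Subject: Action required: invoice
Content-Type: text/html

<p>Open your <a href="http://files-example.net/inv.zip">https://portal.acme-example.com/invoice</a></p>
"""

# Constructed sample: legitimate notice where all domains agree.
LEGIT_SAMPLE = """\
From: "Acme Payroll" <payroll@acme-example.com>
Return-Path: <payroll@acme-example.com>
Subject: Your March payslip
Content-Type: text/html

<p>View it at <a href="https://portal.acme-example.com/payslip">https://portal.acme-example.com/payslip</a></p>
"""

if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED_SAMPLE), ("legitimate", LEGIT_SAMPLE)):
        print(label, spoof_indicators(sample) or ["no indicators"])
```

These heuristics are a training aid rather than a substitute for SPF/DKIM/DMARC checks on the mail gateway; their value is that each finding maps to something a user can verify by hovering over a link or expanding the message headers.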
Upgrade the backup system to a more robust backup and disaster recovery (BDR) solution. Conventional backup disks connected to the server are susceptible to Crypto attacks, and can be rendered unusable for recovery. BDR solutions that utilize server imaging on an appliance and automatically replicate these images to offsite secure storage have proven to be the most effective recovery solution from Crypto. BDR images can be taken frequently – as often as every 15 minutes – to reduce incremental loss. The data expected to be lost permanently is limited to files created or updated since the last good backup. Backups should be monitored, tested, and securely stored.
Make sure all known exploit targets are closed, including applying security updates and patches, removing unused and superfluous software, and retiring unsupported computers (Windows XP and Vista) and software versions (Adobe Acrobat 8 and Java).
Secure email with encryption and current platforms. Businesses should not be using public domain email services (gmail.com, yahoo.com, sbcglobal.net, aol.com) and should utilize business-class email systems (Office 365, Exchange, GSuite).
Implement Adaptive Security Architecture. Retire aging firewalls and replace with newer appliances that can be monitored and updated with rules and features. Consider web content filtering to help block malicious web content and protect users.
Contain the Threat
To reduce the damage from ransomware, it is important to be able to detect infections as quickly as possible. Antivirus, configured to scan in real time and notify network administrators of infections, is the first line of defense. Staff should be comfortable contacting IT support when things just don’t look right.
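Real-time antivirus catches known samples; a cheap complement on file servers is to watch shares for the behaviour Crypto ransomware itself produces, namely many files suddenly turning into high-entropy blobs, often with a new extension and a dropped ransom note. The Python script below is an added example, not code from the original post or from Teqworks; it builds a small constructed directory tree (a clean copy and an "infected" copy) in a temp folder and scores each with a Shannon-entropy check. The ransom-note filenames, the `.locked` extension and the thresholds are illustrative assumptions, not indicators taken from any specific ransomware family.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Illustrative indicators (assumptions for this example, not family-specific IoCs).
RANSOM_NOTE_NAMES = {"readme_to_decrypt.txt", "how_to_recover_files.html"}
ENTROPY_THRESHOLD = 7.5   # bits per byte; text/office files sit well below, ciphertext near 8
RATIO_THRESHOLD = 0.5     # flag the share when more than half its files look encrypted


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input, max 8.0)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def scan_directory(root) -> dict:
    """Walk `root` and report high-entropy files, ransom notes and an overall verdict."""
    high_entropy, notes, total = [], [], 0
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        total += 1
        if path.name.lower() in RANSOM_NOTE_NAMES:
            notes.append(str(path))
        # Reading only the first 64 KiB keeps the scan cheap on large shares.
        if shannon_entropy(path.read_bytes()[:65536]) >= ENTROPY_THRESHOLD:
            high_entropy.append(str(path))
    ratio = len(high_entropy) / total if total else 0.0
    return {
        "files": total,
        "high_entropy_files": high_entropy,
        "ransom_notes": notes,
        "encrypted_ratio": ratio,
        "suspicious": bool(notes) or ratio > RATIO_THRESHOLD,
    }


def build_sample_tree(root, infected: bool) -> None:
    """Constructed sample data: ten small text documents, optionally 'encrypted' in place."""
    root = Path(root)
    root.mkdir(parents=True, exist_ok=True)
    for i in range(10):
        (root / f"report_{i}.txt").write_text(
            "Quarterly figures and meeting notes for review.\n" * 40)
    if infected:
        # Simulate Crypto ransomware: random bytes stand in for ciphertext,
        # the original is removed and a new extension appended.
        for i in range(8):
            original = root / f"report_{i}.txt"
            (root / f"report_{i}.txt.locked").write_bytes(os.urandom(4096))
            original.unlink()
        (root / "readme_to_decrypt.txt").write_text("Your files are encrypted. Pay to recover.\n")


def demo() -> tuple:
    """Build a clean and an infected tree in a temp dir and return both scan reports."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, infected = Path(tmp) / "clean_share", Path(tmp) / "hit_share"
        build_sample_tree(clean, infected=False)
        build_sample_tree(infected, infected=True)
        return scan_directory(clean), scan_directory(infected)


if __name__ == "__main__":
    for report in demo():
        verdict = "SUSPICIOUS" if report["suspicious"] else "ok"
        print(f"{verdict}: {report['files']} files, "
              f"{len(report['high_entropy_files'])} high-entropy, "
              f"{len(report['ransom_notes'])} ransom notes")
```

In practice this kind of check is scheduled against the server shares (or wired into a file-system watcher) and its alert goes to the same administrators the antivirus notifies; the point is to shorten the window between the first encrypted file and someone pulling the network cable, not to replace the antivirus.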
The goal for any organization should be to recover from a ransomware attack without payment of ransom. This strategy has two positive effects:
- Loss is limited to what the firm can control, and not extended to monetary payment.
- Compliance with the ransom demand places the firm at future targeted risk. It is best to stay off the radar for future attacks.
The most appropriate approach to recovering from a ransomware attack is to plan for and assume the worst possible circumstances. The worst case is that all servers and shared data become inaccessible and unrecoverable. Recovery will need malware removal tools and skills to extract the damaging software, and robust backup images are required to restore lost data.
Ransomware is a real threat that has potential impact on virtually every user on the internet. The attack methods are smart, but prevention and recovery can be relatively painless with a concerted program and solution set.
Teqworks, a Managed IT Service Provider to businesses and non-profit organizations throughout the Chicago suburbs, can help your firm prevent, prepare, and recover from these threats.
Contact Teqworks today to set up a consultation and assessment.