The problem of ransomware isn’t getting better. Recent examples of widespread attacks, including CoinVault, CryptoLocker and CTB-Locker, show that ransomware has become an important part of the cyber-criminals’ arsenal.
Despite this worrying trend, a survey we conducted recently found that a mere 37 per cent of companies across the globe actually consider this to be a serious danger: an oversight businesses simply can’t afford to make.
Ransomware is effectively a digital mechanism for extortion - blocking access to a computer system, or encrypting data stored on the computer, until the victim pays a ransom. The key motivation is to extort money from victims. But if the victim is a business, and it doesn’t have a backup, the impact on the company’s intellectual property and other sensitive data could be disastrous.
One trend in particular is the growth of the mobile ransomware attacks. Mobile malware is generally focusing more and more on monetisation. In fact, our recent report found that 23 per cent of the new malware threats detected were created to steal or extort money, with mobile ransomware programs demonstrating the highest growth rate of all in this area.
Typically, ransomware is delivered as an email attachment: once the attachment is opened, the malware is installed on the victim’s system. However, a victim might also be infected with ransomware by clicking on a link or downloading an infected file from a website. Like a lot of malware, ransomware programs try to be as stealthy as possible, showing no impact on the system until it is blocked or data has been encrypted. It is only when an unwelcome message appears on the screen, demanding payment of hundreds or thousands of pounds that a victim realises something is wrong. Unfortunately, at this stage, it is already too late to save data through security countermeasures (unless the way the cyber-criminals have implemented their encryption mechanism allows security researchers to develop a way of decrypting the data – something that has become less likely over time). The cyber-criminals often apply additional pressure to their victims by setting a time limit for payment – after which the data will be lost for good.
How does it work?
Let’s take TorLocker as an example. This ransomware program starts by deploying an encryption mechanism that is nearly impossible to crack. The malware deletes all system recovery points and encrypts the victim’s Office documents, video and audio files, images, databases and virtual machine encryption keys, certificates and other files on hard network drives or other connected storage devices. Then it displays a dialogue box demanding that the victim pays a ransom to decrypt their own data.
What’s particularly troubling is that TorLocker infects each system in a unique way, so even if somehow a key to decrypt the data is found, the key would not be useful for decrypting data on other systems.
What should victims do?
Paying the ransom is unwise, as it never guarantees the data will be decrypted. There could be bugs in the malware itself, making the encrypted data unrecoverable. Irretrievable data could cause IT infrastructure damage and/or down-time, all of which could result in legal consequences for a business due to information loss and damaged relations with partners and customers. On top of this, the cyber-criminals might simply take the money and run – i.e. fail to decrypt the data once they’ve ‘been paid’.
And it doesn’t stop there. If the ransom is paid, this only confirms their business model, so they will continue to develop ransomware programs to exploit individuals and companies.sa
To fight back in this war against cyber-crime, it is vital to employ security in-depth, including a robust backup solution, based on a comprehensive cyber security strategy. As part of a business’s armour, it is important to make ‘cold’ backups – read-only and write-only, no delete/full control access - that cannot be deleted by a ransomware program. Some ransomware programs also encrypt files, including backups, stored on network shares or other connected devices.
If you have already been infected, and there is no backup or preventive technology in place, there is very little that can be done. So, before the worst happens, businesses must put measures in place to block ransomware and ensure that staff are aware of the tricks cyber-criminals use to entice victims into installing ransomware programs. They should also beware of using uncredited software that has been found on the Internet, claiming to fix encrypted data. In the best case, this software is a useless solution and in the worst it might distribute additional malware.
The fact is that the average consumer and both large and small businesses can all be victims of ransomware. Cyber-criminals certainly do not discriminate and are often looking to impact as many people as possible to reap the highest financial gain. Unfortunately, ransomware attacks against businesses are only growing, as cyber-criminals become increasingly aware that organisations are more likely to pay the ransom in the hope of maintaining business continuity.
While today’s threats are becoming more sophisticated, too many of us – both in the office and at home – need to improve cyber security practices. What’s worse is that some are still using either outdated or unreliable security solutions that do not provide any of the necessary protection.
With the growing number and complexity of ransomware attacks, it is vital that we stay on our guard and deploy the most effective protection available.
David Emm, principal security researcher, Kaspersky Lab