Ransomware has been around since the late 80s, but its growth in recent years, both in volume and value, has been considerable.
McAfee reported a twofold increase in samples between 2012 and 2013, and Cryptowall – one of the most damaging recent pieces of malware – was estimated by the FBI to have earned its operators more than $18 million by June 2015. This growth can in part be attributed to anonymous digital currencies facilitating ease of use with a lower likelihood of the trail of money being followed successfully.
More worryingly, as the rewards have become greater, ransomware writers have become more technically sophisticated and it is now getting more and more difficult for victims to retrieve data without payment. Ransomware restricts access to systems and data, often by encrypting files, but also by simply locking systems or devices. The threat actor will then demand a ransom for users to regain access, often using hard-to-track payment mechanisms such as Bitcoin.
Ransomware can take advantage of technical or human weaknesses, often in combination. Phishing is one of the most common ways to exploit the user, and fake parcel delivery notifications, customer complaints and official letters are becoming more and more convincing. It only takes one click through to a malicious website or to download an infected file for the malware to take hold.
Technical weaknesses can allow a drive-by downloads – where a computer is infected via a legitimate, but hacked website – carrying malware to be installed, via corporate devices taken out of the safety of the business network and being used on public Wi-Fi. Once the ransomware is installed it begins encrypting any and all files on the local device and any connected shared drives.
So, how can businesses protect themselves against the threat of ransomware? There is no one solution to the problem, so organisations must adopt a combination of defences to increase their resilience, applying robust controls from the strategic to the tactical. There are four basic ways to lower your risk.
- Patch and update regularly: As malware often exploits known software vulnerabilities, updating is still one of the best forms of defence. It is vital to implement a regular patching process to improve resilience, moving away from older, unsupported operating systems such as Windows XP and web browsers.
- Use antivirus and – again – keep it updated: In many cases, it is a good idea to use a different provider on local machines from those used on servers or email gateways to ensure the broadest possible approach.
- Test regularly to ensure no vulnerabilities exist: This will show any weaknesses that attackers could exploit, while penetration testing will give you a complete picture of what a hacker might achieve. This should be carried out at least every six months and after any significant change to your systems.
- Educate your users to mitigate against human error: An employee who is aware of ransomware and knows how to spot a phishing attack protects your business and, incidentally, protects them against falling victim to cybercrime themselves.
There are also a number of more specific preventative measures that you should take. Regular backups and data retrieval procedures, for example, are a must. If a ransomware attack is successful, the only solution is often to restore to the last backup, and the longer the period since the last backup, the greater the impact will be on the business.
Additionally, malware needs permission to execute to infect a device. Removing this permission from certain users can help to lower the risk of malware being loaded onto a machine. If a user does not need superuser access, do not give them. Grant read-only privileges by default, as most people only need to access files to read them. If the malware does not have permission to write, it cannot encrypt the files and then delete them.
Threat monitoring solutions can also be useful. Malware can lie dormant within an organisation until it makes contact with its command and control server to obtain its instructions, so it may be possible to neutralise the threat before it becomes a serious problem.
Lastly, most cases of ransomware are delivered either by a malicious website exploiting vulnerabilities in a web browser, or as an email attachment. A sensible precaution is to restrict access to file system locations from which programs are likely to be executed, such as Internet Explorer, WinZip, WinRAR, or 7-Zip. Software Restriction Policies (SRP) were introduced in Windows XP and Server 2003, and allow users and domain administrators to control the ability of programs to execute.
If the worst should happen, never pay the ransom. This funds criminal activity and perpetuates the market for ransomware – not to mention that there is no guarantee that data will be recovered. Rather, seek advice as soon as possible if you are not confident in restoring your system and completely removing the malware.
Ollie Whitehouse, technical director at NCC Group
Photo credit: wsf-s / Shutterstock