Ransom encryption malware and what you should know

Stories of victims infected with malware that encrypts important files and holds the key to unlock them for ransom are now told almost daily. This is partly because infections are becoming more frequent and partly because of the insidiousness of the activity, but mostly because more and more organizations are reporting that they actually paid the ransom to unlock their files. Reports come from individual users, medical institutions, government agencies and, most recently, educational institutions such as the University of Calgary, which paid $20K to decrypt its files (http://www.cbc.ca/news/canada/calgary/university-calgary-ransomware-cyberattack-1.3620979).

Since this type of ransom encryption malware (now simply called ransomware) has proven so profitable, more money is being poured into developing bigger, better and more sophisticated variants. It has become so popular that Ransomware-as-a-Service (RaaS) is now part of the technology vernacular: less technologically advanced criminals can cash in on this new cash cow by using their own resources to deliver the ransomware and receive payment (less a commission to the service provider, of course), with the untraceable payment infrastructure arranged for them, without ever having to develop the ransomware themselves. This malware juggernaut will not go away until there is no money to be made, and people will refuse, or no longer need, to pay ransoms once they have taken the time to understand how it infects computers, how to protect against it and how to recover easily and successfully from an infection.

What is it?

Ransomware is software that is delivered to, or unintentionally downloaded by, a user and that, once "activated", seeks out and encrypts files so they are no longer accessible. Some variants play a sound file and/or flash a message on the screen announcing that your files have been encrypted, along with instructions on how to pay the ransom. Others simply leave a message and instructions in the same folder as the encrypted files. Bolder variants do not stop at important documents: they encrypt entire computers or servers, rendering them completely inoperable. If an entire email server is encrypted, for example, you can neither send and receive email nor access existing mail.

What if you pay the ransom?

As insidious as holding somebody's computer files for ransom may be, there does seem to be "honor among thieves" (to the extent that thieves have honor). There have been few, if any, reports of the ransom being paid and the files not being unlocked. It is clearly in the perpetrators' interest to maintain a reputation for releasing files when the ransom is paid: if there were even a hint that paying would not unlock important data, victims would hesitate to pay. That said, the decryption tool the criminals hand over is written to the same standard as the rest of their software, and a buggy decryptor or a lost key can leave files unrecoverable even after payment. None of this is an endorsement of paying the ransom when infected: the more successfully these criminals are paid, the more likely they are to continue.

How does it happen/work?

Contrary to popular media reports, these infections are rarely the result of being "hacked". When a computer system is "hacked", it has been forcibly compromised in a way that gives an external user access to it. Most ransomware perpetrators do not try to gain access to a computer system; they simply make the files on it unusable by encrypting them. Generally no user data leaves the computer or network, although the malware usually does contact the criminals' server to register the infection and exchange the key material it uses for the encryption. The majority of infections result from a user inadvertently downloading or opening the payload, either from an attachment in an email message or from a link in an email message or on a website. A smaller number of operators do break in the old-fashioned way, most often through remote-access services exposed to the Internet with weak passwords, so those services deserve the same attention as email.

How does one recover?

When infected with ransomware, the first order of business is to stop further encryption: disconnect the affected machine from the network and from any attached drives, and identify which machine and user account the encryption is running under. Experienced technology professionals generally find stopping and containing an infection fairly simple. Once it is contained, there are really only three options for recovery. Option #1: restore the encrypted files from your last successful backup. Option #2: pay the ransom. Option #3: do nothing, start from scratch and move on. Clearly, option 3 is the most painful, and it could be argued that it is not really a recovery option at all. (Occasionally a flawed variant allows security researchers to publish a free decryptor, but that is luck, not a plan.) This list shows that, once infected, the only way to avoid starting over or paying the ransom is to have proper backups in place, and to have confirmed before the infection that those backups cannot be reached, and therefore encrypted, from the infected machines.

What should you do?

Probably the best advice universally applied in technology is "an ounce of prevention is worth a pound of cure." However, there is no magic bullet, and a multi-layered approach is required to protect and recover computers and networks.

Anti-Virus and Anti-Malware

When it comes to preventing viruses and malware, anti-virus and anti-malware solutions are ALWAYS recommended. The challenge with anti-virus alone is that ransomware changes its disguise so frequently that the vendors cannot update their "Wanted Posters" (signatures) fast enough to catch new variants before they have done their damage. It can be more effective to use the part of the anti-virus solution that watches for the signature behaviour of ransomware, such as one process rapidly rewriting and renaming large numbers of files, and stops it at that point. This feature is usually given a name that references intrusive behaviour or intelligence, such as "Smart Scan" or "Intrusion Prevention." The problem is that many individual users do not know where to turn it on or, when they do, they see such a drop in their computer's performance that they turn it off again, neglecting the tuning options the anti-virus solution should provide to recover performance while keeping the protection.
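To make the distinction between a "Wanted Poster" and a behaviour check concrete, here is an added example (not code from this article or from any anti-virus product) of the kind of rule such a feature applies. It runs over a constructed log of file-write events and flags a process that, within a short window, rewrites many distinct files with content that looks encrypted (high byte entropy) and renames them to a new extension. The event format, the entropy threshold, the window and the file-count threshold are all assumptions chosen for illustration; a real product tunes these and adds many more signals.

```python
"""Behaviour-based ransomware heuristic over a constructed file-event log (added example)."""
import hashlib
import math
import os
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class FileEvent:
    ts: float       # seconds since the start of the capture (assumed format)
    pid: int        # process that performed the write
    path: str       # file that was written
    new_path: str   # name after an accompanying rename, or "" if no rename
    sample: bytes   # first bytes of the new content


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 8.0 is uniformly random, English text is roughly 4 to 5."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_encrypted(data: bytes, threshold: float = 7.0) -> bool:
    """Assumed rule: a sample of at least 256 bytes with entropy >= 7 bits/byte."""
    return len(data) >= 256 and shannon_entropy(data) >= threshold


def extension_changed(ev: FileEvent) -> bool:
    if not ev.new_path:
        return False
    return os.path.splitext(ev.path)[1].lower() != os.path.splitext(ev.new_path)[1].lower()


def suspicious_pids(events: List[FileEvent], window: float = 10.0, min_files: int = 5) -> Dict[int, int]:
    """Return {pid: count} for every process that rewrote at least `min_files`
    distinct files with encrypted-looking content AND renamed them to a new
    extension inside any `window`-second span. The count is the largest such span."""
    by_pid: Dict[int, List[FileEvent]] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_pid[ev.pid].append(ev)
    flagged: Dict[int, int] = {}
    for pid, evs in by_pid.items():
        start = 0
        for end, ev in enumerate(evs):
            while evs[start].ts < ev.ts - window:   # slide the window forward
                start += 1
            hits = {e.path for e in evs[start:end + 1]
                    if looks_encrypted(e.sample) and extension_changed(e)}
            if len(hits) >= min_files:
                flagged[pid] = max(flagged.get(pid, 0), len(hits))
    return flagged


def _ciphertext(seed: str, n: int = 1024) -> bytes:
    """Deterministic pseudo-random bytes standing in for encrypted file content."""
    out, block, i = b"", seed.encode(), 0
    while len(out) < n:
        block = hashlib.sha256(block + bytes([i % 256])).digest()
        out += block
        i += 1
    return out[:n]


PLAINTEXT = b"Quarterly report: revenue, expenses, and notes for the board. " * 20

# Constructed sample log: a user editing documents, a backup job writing many
# plain files quickly, and one process rewriting eight files as .locked in 3 s.
SAMPLE_EVENTS: List[FileEvent] = (
    [FileEvent(t, 1001, f"C:/Users/amy/Documents/doc{i}.docx", "", PLAINTEXT)
     for i, t in enumerate((1.0, 40.0, 95.0))]
    + [FileEvent(50.0 + i * 0.1, 3003, f"E:/backup/file{i}.txt", "", PLAINTEXT)
       for i in range(20)]
    + [FileEvent(60.0 + i * 0.4, 2002, f"C:/Users/amy/Documents/f{i}.xlsx",
                 f"C:/Users/amy/Documents/f{i}.xlsx.locked", _ciphertext(f"f{i}"))
       for i in range(8)]
)

if __name__ == "__main__":
    for pid, count in suspicious_pids(SAMPLE_EVENTS).items():
        print(f"pid {pid}: {count} files rewritten as encrypted and renamed; stop it")
```

Note that the backup process (pid 3003) touches far more files than the ransomware does, which is why "many writes in a short time" alone is a poor rule: the combination of write rate, content that no longer compresses, and extension changes is what separates the two, and that combination is what the performance cost of these features pays for.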

Web/SPAM Filtering

Using some sort of solution to evaluate Internet traffic and email, and to determine whether attachments or links may lead to threats, is extremely important. Solutions range from physical on-site appliances to cloud-based services. In some cases you may even deploy multiple (i.e. "layered") solutions to monitor Internet traffic, so that a message missed by one filter is caught by another.

Backups

Knowing that the only reliable way to recover from ransomware without paying the ransom is to restore from a backup, it becomes critically clear that a quality backup system must be in place. It is not enough to copy important files to a portable hard drive once in a while. If the portable drive is left connected to the computer or network, those copies will be encrypted too during an infection, and the same goes for any network share or synced cloud folder the infected machine can write to. A quality backup solution must provide an easy and non-intrusive way to back data up as frequently as possible, to minimize the data lost during a recovery, and it must keep earlier versions rather than overwriting the only copy, so that an encrypted file does not replace the good one on the next run. At least one copy should be offline or otherwise out of reach of the infected machine. It is equally important that the backup solution provide an effective and efficient way to restore that data, and that restores be tested before they are needed. Finally, since ransomware now targets entire computer systems, the backup solution should be able to back up the whole system so that a full recovery can be made. This is often referred to as a "Bare Metal Backup", which then allows a "Bare Metal Recovery."
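The two points above that a once-in-a-while copy to a connected drive gets wrong, keeping earlier versions and proving the copy can be restored, are shown in the following added example (not the article's code and not any backup product's). It keeps each backup as a separate, labelled snapshot with a SHA-256 manifest, then simulates an infection that overwrites and renames the source files, takes another snapshot, and demonstrates that the earlier snapshot still verifies and restores byte-for-byte. The directory layout, the manifest format and the scratch files are assumptions for the demonstration.

```python
"""Versioned backup with manifest verification and a restore test (added example)."""
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(p: Path) -> str:
    h = hashlib.sha256()
    with p.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(source: Path, repo: Path, label: str) -> Path:
    """Copy `source` into repo/<label> and record a hash manifest beside it.
    A new label never overwrites an earlier snapshot, so an encrypted source
    produces a new (useless) snapshot without destroying the good one."""
    dest = repo / label
    if dest.exists():
        raise FileExistsError(f"snapshot {label} already exists; choose a new label")
    shutil.copytree(source, dest)
    manifest = {str(p.relative_to(dest)): sha256_file(p) for p in dest.rglob("*") if p.is_file()}
    (repo / f"{label}.manifest.json").write_text(json.dumps(manifest, sort_keys=True))
    return dest


def verify(repo: Path, label: str) -> List[str]:
    """Return the relative paths whose content no longer matches the manifest."""
    manifest = json.loads((repo / f"{label}.manifest.json").read_text())
    dest = repo / label
    return sorted(rel for rel, digest in manifest.items()
                  if not (dest / rel).is_file() or sha256_file(dest / rel) != digest)


def restore(repo: Path, label: str, target: Path) -> None:
    """Refuse to restore a snapshot that fails verification."""
    bad = verify(repo, label)
    if bad:
        raise RuntimeError(f"snapshot {label} is damaged: {bad}")
    shutil.copytree(repo / label, target, dirs_exist_ok=True)


def run_demo() -> Dict[str, object]:
    """Constructed scenario: good backup, infection, second backup, restore test."""
    root = Path(tempfile.mkdtemp(prefix="bkdemo-"))
    try:
        source, repo, scratch = root / "documents", root / "backups", root / "restore-test"
        source.mkdir()
        repo.mkdir()
        originals = {"report.docx": b"Board report, final draft.\n" * 50,
                     "notes.txt": b"meeting notes\n" * 30}
        for name, data in originals.items():
            (source / name).write_bytes(data)
        snapshot(source, repo, "v1")

        # Simulated infection: every document rewritten with junk and renamed .locked.
        for name in list(originals):
            junk = hashlib.sha256(name.encode()).digest() * 64
            (source / name).write_bytes(junk)
            os.rename(source / name, source / f"{name}.locked")
        snapshot(source, repo, "v2")            # a naive copy job would do exactly this

        v1_intact = verify(repo, "v1") == []
        restore(repo, "v1", scratch)
        restored_ok = all((scratch / n).read_bytes() == d for n, d in originals.items())

        # Tamper with the stored v1 copy to show that verification notices.
        (repo / "v1" / "notes.txt").write_bytes(b"corrupted")
        return {
            "snapshots": sorted(p.name for p in repo.iterdir() if p.is_dir()),
            "v1_intact": v1_intact,
            "restored_matches_original": restored_ok,
            "v2_has_locked_files": all(n.endswith(".locked") for n in os.listdir(repo / "v2")),
            "tamper_detected": verify(repo, "v1"),
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The second snapshot is still taken and still "succeeds", which is the trap with a plain copy-to-drive routine: nothing in the copy step knows the files are now garbage. Versioning is what keeps v1 available, the manifest is what tells you whether a snapshot is still trustworthy, and the restore into a scratch directory is the test that should be run routinely rather than for the first time on the day of an infection.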

User Education

Probably the most important thing you can do (next to backups) is to educate yourself and the users of your network. Teach users to trust their instincts and to ask whether clicking on an attachment or link in an email makes any sense. If you receive an email saying a fax has arrived and is "attached" or at the "following link", and you always pick your faxes up at the fax machine, DON'T CLICK! Users need to be taught how to question emails and to understand how social engineering is used to entice them into opening attachments and links. Use the Social Engineering Red Flags document on our website, which we have "borrowed" from https://www.knowbe4.com (a great site for announcements of developments in viruses, malware and other security threats).


Finally, consult with your IT Department or third-party service provider about what is currently in place to prevent and recover from ransomware. Be prepared to accept their recommendations even if additional costs are involved. If you would like to discuss or review your IT cybersecurity, please do not hesitate to contact Fortify.