A recent advertisement on the dark web demonstrates the ambition of the creator of a particular variety of the malicious software known as ransomware, which encrypts the files of an infected system or network and holds the decryption key for ransom. An entire industry is now coalescing around the creation and distribution of this type of malware, which means two things:
- There’s money to be made.
- Because of how the malware is distributed, everyone is at risk, not just large “juicy target” organizations.
“Kaspersky Security Network shows that in 2013 about 2.8 million crypto attacks were registered – that is nine times more than in 2012 – and all the evidence suggests that their number will continue to rise because many people are still willing to pay the ransom. According to a survey conducted by the Interdisciplinary Research Centre in Cyber Security at the University of Kent in February 2014, more than 40 percent of CryptoLocker victims agreed to pay. Moreover, a Dell SecureWorks report shows that the same malware rakes in up to $30 million every 100 days.” (Article from Network World online, July 2015.)
Here’s a common scenario: the victim receives a “phishing” email with a disguised executable file attached. One recent example arrived on the day in July that Amazon celebrated the 20th birthday of its Prime service with deals “better than Black Friday.” Disguised as a competing offer from another retailer, it induced the recipient to open the attachment to see the “great offerings.” The ransomware then proceeded to encrypt every file on that system and on any storage it was attached to. The encryption now in use is too strong to be broken in any business-reasonable timeframe.
Once enough files are encrypted, an organization can quickly become desperate to regain use of its information. Usually the first indication of infection is that files can’t be opened, or a pop-up dialog box appears with instructions on how to obtain the key to unlock the files. The common practice now is that the key is only offered for a short period, say 3 days, during which the ransom amount rises until the deadline passes and the offer to decrypt the files is withdrawn.
Some organizations have paid the ransom, only to find out the key they purchased was ineffective – essentially, the hostage was killed. The criminals involved have also been known to sell an effective key, but then leave behind another form of malware that continues to punish the victim.
The best remedy for countering ransomware is to have regular, reliable backups of all the key data required to run your operation. The backup should not be continuously reachable from the network, because an infection could then spread to the backup, encrypting it as well and rendering it useless.
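One practical check on that advice: before trusting a backup set, confirm its contents still look like data rather than ciphertext. The following is an added example (not code from the original article) that flags files whose byte distribution is near-uniform, a common trait of ransomware-encrypted files; the file names, sample contents and the 7.5 bits-per-byte threshold are constructed assumptions.

```python
import math
import os
from collections import Counter

# Shannon entropy in bits per byte: text and structured data usually score
# well under 6; encrypted or random data approaches the maximum of 8.0.
def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

# Assumed threshold; measure a known-good backup set before relying on it.
# Compressed or already-encrypted formats (zip, jpg, pdf, gpg) also score high,
# so a hit is a prompt for review, not proof of infection.
ENTROPY_THRESHOLD = 7.5

# Constructed samples standing in for files read back from a backup.
SAMPLES = {
    "quarterly-report.txt": b"Revenue rose 4% quarter over quarter. " * 100,
    "customer-list.csv": b"id,name,email\n1,Ann,ann@example.com\n" * 200,
    # every byte value equally often: entropy of exactly 8.0, like ciphertext
    "quarterly-report.txt.locked": bytes(range(256)) * 16,
}

def flag_suspect_files(samples, threshold=ENTROPY_THRESHOLD):
    """Return the names of in-memory samples that look encrypted."""
    return sorted(name for name, blob in samples.items()
                  if shannon_entropy(blob) >= threshold)

def scan_directory(root, threshold=ENTROPY_THRESHOLD, head=65536):
    """Same check over a real backup tree, reading the first `head` bytes of
    each regular file so large archives are not read in full."""
    suspects = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if not os.path.isfile(path):
                continue
            with open(path, "rb") as fh:
                if shannon_entropy(fh.read(head)) >= threshold:
                    suspects.append(path)
    return sorted(suspects)

if __name__ == "__main__":
    for name in flag_suspect_files(SAMPLES):
        print("review before restoring:", name)
```

Run the scan against a freshly written backup and against the copy you intend to restore from; a jump in the number of flagged files between the two is the signal that the backup, not just the live system, has been touched.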
A common way infections happen is through employees using their work-provided systems to access personal email, social media and other everyday applications. These sources often lack the filtering applied to the work applications themselves. One approach is to lock everything down so that these personal-use services are unavailable, but this can create morale issues and push employees toward work-arounds – it’s all part of the modern lifestyle. A happy medium is to create a fairly open employee/personal-use WiFi network that is isolated from the regular network. This lets employees reach the personal services they want without the risk that a personal email can compromise mission-critical data.
That is not to say users should become complacent in any case. As a law enforcement official assigned to computer crimes once put it, “Every time we build a 10-foot wall, the bad guys build an 11-foot ladder.”