Ransomware is now a routine cybercriminal business model. Learn how to recognize and defend against attacks before they happen.
Ransomware is a form of malware that, after covertly installing itself on the victim’s hard drive, encrypts its contents and demands a ransom be paid for its recovery. Simple Ransomware may block access to the system in ways a technical person can reverse, but more commonly, it’s impossible to recover the data without paying the ransom or restoring a system backup. Even if you have system backups, you’ll still incur costs if infected. Disinfecting computers and restoring backups can take days or weeks depending on the extent of the infection.
Of all the malware and virus dangers out there, ransomware currently leads as the preferred attack methodology used against businesses. According to Malwarebytes, a leading security firm, ransomware distribution increased 267 percent between January and November 2016, the fastest expansion they’ve ever seen.
Now it’s even possible for cybercriminals to buy turnkey ransomware kits that enable people with little technical knowledge to deploy the scheme. It’s called Ransomware as a Service (Raas), and the advanced cyber criminals who author it often get a cut out of each ransom.
Essential characteristics of Ransomware
Ransomware actually made its first appearance way back in 1989. A remedy was eventually developed for that, but ransomware technology has changed a lot since then, and common infections are mostly incurable. Once you’re infected, usually the only option is to pay up for the decryption key or restore from backups.
Key features of modern ransomware include:
- Unbreakable encryption – The software generates a random encryption key and uses it to encrypt the data. It can only be reversed using the decryption key, which you must purchase from the attacker.
- Scrambled file names – It often scrambles file names so it’s harder for you to be sure which files were affected.
- Time-limited ransom demand – The software displays a message containing the ransom demand. If you miss the deadline, the ransom will increase. After that, your data will be irreversibly destroyed.
- Requires payment in Bitcoin – This is a crypto-currency that can’t be easily tracked by law enforcement agencies.
- Can spread to other devices on a network – Ransomware can propagate across a network and infect other attached devices.
- Evades antivirus protection – Ransomware employs techniques that make it tough to detect.
How Ransomware Spreads
Many methods can be used to infect victims, which makes it challenging to protect against ransomware. The most common infection techniques include:
- Phishing emails: Email messages that appear legitimate but contain malicious attachments or links to compromised websites are sent to employees. With a single click, the infection process begins.
- Drive-by downloads: Malicious code can download from a compromised site onto target computers with the user even clicking on anything. The website scans each visiting system for known security weaknesses and uses them to download an exploit that will install the ransomware.
- Malvertising: Infected ads on legitimate sites can exploit weaknesses in the user’s system to download code.
- Free software downloads: A user willingly downloads a file, unaware that it’s infected.
The Mechanics of a Ransomware Attack
An infection can start through any of the routes described above. The process goes like this:
- Victim clicks on a link in an infected email or visits a website that contains malicious code.
- A downloader is installed on the victim’s system.
- The downloader connects to a remote server and downloads the ransomware onto the local system.
- The ransomware begins encrypting the system. Everything local is encrypted. Connected devices and cloud accounts can be encrypted too.
- The ransom message pops up on the screen, giving instructions on how to pay for the decryption key.
This all happens with a few seconds to a few minutes, leaving little opportunity to intervene even if you realize what is going on.
Fending off Ransomware
The threat of ransomware must be taken seriously. It can throw a business offline in minutes and result in significant disruption and expense. Use these defenses to help keep IT infrastructure safe:
- Backups: Make backups to an external hard drive or account and disconnect it between backups; otherwise the ransomware can encrypt the backup as well.
- Patch and update: Make sure all user operating systems and browsers are patched and current with the latest security updates. Remove outdated plugins and add-ons.
- Ad blocker: Use an ad blocker to avoid potential infection from malicious ads.
- Educate users: Users should be reminded to never open spam emails or email from unknown senders, and never click links or download attachments unless they are 100% certain of their source.
- Limit account permissions: Give users the minimum permissions they need to work on a system so they can’t install unauthorized software (knowingly or unknowingly). Reserve administrator accounts for actual administrators.
- Antivirus software: Use an antivirus with real-time protection and automatic updates. This won’t block all infection sources but it will help.
- Consider a traffic filtering solution: Cybersecurity companies have been developing cloud-based traffic monitoring solutions that identify when a ransomware or other cyber attack has initiated and blocked it. These work by inspecting all traffic going in and out of devices and watching for suspicious connections. Suspected connections are blocked or rerouted to a safe destination. This prevents ransomware from making the connection to “home” and downloading its payload.
- If you get infected, disconnect: Immediately pull the plug on an infected computer, and disconnect it from the network to prevent spread while you sort out the problem. You may need to disconnect entire network segments. Some variants of ransomware can be unlocked by an antivirus company, depending on the strain, although many cannot. If you can’t unlock your files, and you can’t restore from backups, the only option is to pay the ransom or lose your data.
Ransomware is now a functioning business model employed by organized groups of cyber criminals. It’s a global company that targets other businesses as well as private individuals. An infection can be devastating. Understanding how ransomware works and how to protect against it can save endless headaches and heartache. The threat is high, but you can protect against it, and you must.
Published on 27th April 2017 by Ian Brady.