Ransomware — malware that restricts or encrypts access to a computer or its information in exchange for payment — has been around in one form or another for more than two decades but its activity has exploded in recent years. The reason is simple: consumers and businesses are more dependent than ever on data that exists only on their computers. Whether that data takes the form of family photos, music or tax returns, or an organisation’s critical business files or programs, people are willing to pay to get their information back, making ransomware a lucrative business model.
No Cut-Out Letters Required: How Ransomware Works
Ransomware typically arrives the same way other malware does: through careless browsing, or by opening attachments or links in phishing and spam emails that lead to drive-by download sites or botnet infrastructure. Once the user clicks the wrong link, the ransomware takes control of the infected computer, typically using modern, properly implemented encryption to lock the user out of their files and programs. It then displays payment instructions, often with a countdown timer and demands that increase as time passes.
As ransomware has evolved, new variants target a wide range of data types, including documents, photos and even highly specialised formats such as SCADA and CAD files, and can spread across a network to shared drives and synchronised cloud storage. Ransomware has also gone mobile: in May 2014 extortionists locked iOS devices remotely through Find My iPhone using compromised Apple ID credentials rather than malware on the handset, and there are indications that Android phones, whose app marketplace is less restrictive than Apple's, are increasingly targeted.
If you’ve had a run-in with ransomware, the clock is ticking. So let’s count down the ways to guard against this insidious malware — starting with preparation and prevention techniques as proactive measures, plus response tips in case you or someone you care about becomes a victim.
Ransomware is spread the same way most malware spreads, using targeted phishing emails, spam with attachments or links to drive-by-download sites. IT professionals need to regularly train users on safe email and web browsing procedures to help them avoid the dark streets of the Internet.
Back at home, just as you would fix a broken window or door latch to stay safe, you also need to keep your organisation’s computer systems updated. Many vulnerabilities used by attackers are old enough that they’ve been patched, so if you keep your systems updated, the chances that malware will be effective drop.
Most importantly for ransomware, backing up files and data is critical. Simplify and automate your backup systems so they are actually used. Keep versioned backups rather than a single mirrored copy, because a mirror will happily overwrite good files with encrypted ones; keep offline and encrypted copies of critical files; and remember that ransomware encrypts any network share or mapped drive it can reach, so a backup volume that is permanently mounted is just another target. Test that you can actually restore from them.
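The advice on automated, versioned backups is easier to follow with a concrete shape in front of you. The script below is an added example, not code from the original article or from WatchGuard: it takes read-only snapshots with a SHA-256 manifest, measures how much changed between two runs (a near-total change is what ransomware looks like from the backup side) and restores a chosen snapshot. The directory layout, the manifest name and the demo paths are assumptions.

```python
"""Versioned, integrity-checked backups (added example, not from the article).

A mirror-style backup that overwrites one copy on every run is useless
against ransomware: the encrypted files simply replace the good ones.
Each run here writes a new read-only snapshot with a SHA-256 manifest, so
the state from before the infection survives. Paths and the manifest name
are assumptions chosen for illustration.
"""
import hashlib
import os
import shutil
import time
from pathlib import Path

MANIFEST = "MANIFEST.sha256"


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def read_manifest(snap: Path) -> dict:
    """Return {relative_path: digest} recorded when the snapshot was taken."""
    entries = {}
    for line in (snap / MANIFEST).read_text().splitlines():
        digest, rel = line.split("  ", 1)
        entries[rel] = digest
    return entries


def snapshot(source: Path, backup_root: Path, label: str = "") -> Path:
    """Copy every file under `source` into a brand-new snapshot directory,
    make the copies read-only and write a manifest of their digests.
    An existing label is refused rather than overwritten."""
    snap = backup_root / (label or time.strftime("%Y%m%dT%H%M%S"))
    snap.mkdir(parents=True, exist_ok=False)
    entries = {}
    for path in sorted(p for p in source.rglob("*") if p.is_file()):
        rel = path.relative_to(source).as_posix()
        dest = snap / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, dest)
        os.chmod(dest, 0o444)
        entries[rel] = sha256_file(dest)
    (snap / MANIFEST).write_text("".join(f"{d}  {r}\n" for r, d in entries.items()))
    os.chmod(snap / MANIFEST, 0o444)
    return snap


def verify(snap: Path) -> list:
    """Re-hash a snapshot; return the relative paths that no longer match."""
    return [rel for rel, digest in read_manifest(snap).items()
            if not (snap / rel).is_file() or sha256_file(snap / rel) != digest]


def change_ratio(prev: Path, cur: Path) -> float:
    """Fraction of files in `cur` that are new or changed since `prev`.
    Seen from the backup side, ransomware looks like nearly every file being
    rewritten at once, so a jump toward 1.0 should raise an alert and freeze
    retention instead of letting old snapshots age out."""
    before, after = read_manifest(prev), read_manifest(cur)
    if not after:
        return 0.0
    return sum(1 for rel, d in after.items() if before.get(rel) != d) / len(after)


def restore(snap: Path, target: Path) -> int:
    """Copy a snapshot's files back to `target`, writable again; return the count."""
    count = 0
    for rel in read_manifest(snap):
        dest = target / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(snap / rel, dest)
        os.chmod(dest, 0o644)
        count += 1
    return count


if __name__ == "__main__":
    import tempfile
    src, root = Path(tempfile.mkdtemp()), Path(tempfile.mkdtemp())
    (src / "report.txt").write_text("quarterly figures")
    first = snapshot(src, root, "day1")
    (src / "report.txt").write_bytes(os.urandom(64))   # "encrypted" by ransomware
    second = snapshot(src, root, "day2")
    print("changed since day1:", change_ratio(first, second))
    print("restored files:", restore(first, Path(tempfile.mkdtemp())))
```

Run the snapshot job from the backup host pulling from the client, not from a share the client can write to, and copy finished snapshots to offline media; any backup volume the infected machine can reach is just one more directory for it to encrypt.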
The good news is that security companies track ransomware as they do other malware, and up-to-date antivirus tools will stop some of it. The bad news is that nearly 88 percent of malware morphs to evade signature-based antivirus, so even updated tools may not catch a new ransomware variant until weeks later. You need advanced threat protection to address malware that is morphing faster than signatures can be written. Rather than depending solely on signatures, an advanced threat protection system runs suspicious files in a virtual sandbox and analyses their behaviour, which can identify even zero-day ransomware. Some sandboxes can also defeat the anti-analysis tricks that sophisticated malware uses to detect that it is being sandboxed.
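To make the behaviour-analysis idea concrete, here is an added example, not code from the article or from any sandbox product, that scores a process's file activity the way a simple behavioural engine might: high-entropy writes, mass renames to a ransom extension, a dropped ransom note, deletion of shadow copies, and a burst of writes across many folders. The event format, the indicator lists and the thresholds are assumptions, and both traces are constructed.

```python
"""Behavioural ransomware heuristic over a process's file-activity events.

Added example, not from the original article. A sandbox or endpoint agent
needs no signature for this: it watches what the process does to files and
scores the combination. Event format, indicator lists and thresholds are
assumptions for illustration; the sample traces are constructed.
"""
import hashlib
import math
from collections import Counter
from dataclasses import dataclass


@dataclass
class FileEvent:
    t: float                 # seconds since the process started
    op: str                  # "write", "rename", "create" or "exec"
    path: str                # file touched, or the command line for "exec"
    data: bytes = b""        # bytes written, for "write"
    new_path: str = ""       # destination name, for "rename"


RANSOM_EXTS = (".locked", ".encrypted", ".crypt", ".enc")   # assumed list
NOTE_HINTS = ("decrypt", "how_to", "recover", "ransom")      # assumed list
SHADOW_KILL = ("vssadmin", "delete shadows")
FOLDERS = ("Documents", "Pictures", "Desktop", "Work")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ciphertext sits near 8.0, ordinary text near 4 to 5."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def score_events(events) -> dict:
    """Compute the indicators for one process, a score and a verdict."""
    writes = [e for e in events if e.op == "write"]
    ind = {
        # judge entropy only on buffers big enough for the estimate to be meaningful
        "high_entropy_writes": sum(1 for e in writes
                                   if len(e.data) >= 1024 and shannon_entropy(e.data) > 7.5),
        "ransom_renames": sum(1 for e in events
                              if e.op == "rename" and e.new_path.lower().endswith(RANSOM_EXTS)),
        "ransom_notes": sum(1 for e in events if e.op == "create"
                            and any(h in e.path.lower().rsplit("/", 1)[-1] for h in NOTE_HINTS)),
        "shadow_copy_deletion": any(e.op == "exec"
                                    and all(k in e.path.lower() for k in SHADOW_KILL)
                                    for e in events),
        "dirs_touched": len({e.path.rsplit("/", 1)[0] for e in writes}),
    }
    span = (max(e.t for e in events) - min(e.t for e in events)) if events else 0.0
    ind["writes_per_sec"] = len(writes) / span if span > 0 else float(len(writes))

    score = 0
    score += 2 if ind["high_entropy_writes"] >= 5 else 0
    score += 2 if ind["ransom_renames"] >= 5 else 0
    score += 2 if ind["ransom_notes"] else 0
    score += 3 if ind["shadow_copy_deletion"] else 0      # almost never legitimate
    score += 1 if ind["writes_per_sec"] >= 5 and ind["dirs_touched"] >= 3 else 0
    return {"indicators": ind, "score": score, "ransomware": score >= 4}


def _pseudo_ciphertext(seed: int, size: int = 4096) -> bytes:
    """Deterministic high-entropy bytes standing in for encrypted output (constructed)."""
    out, i = b"", 0
    while len(out) < size:
        out += hashlib.sha256(f"{seed}:{i}".encode()).digest()
        i += 1
    return out[:size]


def sample_malicious_events() -> list:
    """Constructed trace: 20 documents in 4 folders overwritten with ciphertext,
    renamed to .locked, a ransom note dropped and the shadow copies wiped."""
    ev, t = [], 0.0
    for i in range(20):
        p = f"C:/Users/alice/{FOLDERS[i % 4]}/file{i}.docx"
        ev.append(FileEvent(t, "write", p, data=_pseudo_ciphertext(i)))
        ev.append(FileEvent(t + 0.05, "rename", p, new_path=p + ".locked"))
        t += 0.1
    ev.append(FileEvent(t, "create", "C:/Users/alice/Desktop/HOW_TO_DECRYPT.txt"))
    ev.append(FileEvent(t + 0.1, "exec", "vssadmin.exe delete shadows /all /quiet"))
    return ev


def sample_benign_events() -> list:
    """Constructed trace: a word processor saving one document via a temp file."""
    text = b"Quarterly report. " * 200
    doc = "C:/Users/alice/Documents/report.docx"
    return [
        FileEvent(0.0, "write", doc.replace("report.docx", "~report.tmp"), data=text),
        FileEvent(0.2, "rename", doc.replace("report.docx", "~report.tmp"), new_path=doc),
        FileEvent(30.0, "write", doc, data=text),
    ]


if __name__ == "__main__":
    print("malicious:", score_events(sample_malicious_events()))
    print("benign:   ", score_events(sample_benign_events()))
```

The entropy check alone would flag archivers and media encoders, and the rename check alone would flag a bulk-rename utility; the point of a behavioural score is that ransomware trips several indicators at once within seconds, which almost nothing legitimate does.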
Despite all your preparation and prevention, attackers may still get into your systems. Don't despair. Any action hero worth his movie franchise has a few tricks up his sleeve. Once ransomware infects a system, many variants must "call home" to a command-and-control server before they encrypt anything, typically to fetch a per-victim public key whose private half never leaves the attacker; the symmetric key that actually encrypts your files is then wrapped with that public key, so without the call home there is nothing to encrypt with. If you can detect and block that call home, you can thwart the attack before a single file is touched. URL filters are typically deployed as a productivity tool to keep employees away from inappropriate or non-business sites, but one of their most underappreciated features is the ability to also block malicious site categories such as botnets and advanced-threat command-and-control servers.
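Two ways to catch the call home in outbound logs, as an added example rather than anything from the article or a WatchGuard product: matching destinations against a blocked-category list (standing in for a URL filter's botnet and command-and-control categories), and spotting beaconing, the suspiciously regular polling interval malware uses to check in. The log format, the domain list and the sample lines are constructed; the thresholds are assumptions.

```python
"""Spotting ransomware calling home in outbound proxy/DNS logs.

Added example, not from the original article. Two checks: (1) the
destination, or a parent domain of it, is in a blocked category; (2) one
client contacts one host at very regular intervals (beaconing). The log
format, block list, sample lines and thresholds are all constructed or
assumed for illustration.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed log format: "<ISO timestamp> <client> <destination host>"
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<host>\S+)$")

# Stand-in for a URL filter's category feed (assumed entries, not real infrastructure).
BLOCKED_DOMAINS = {
    "c2-update.example.net": "command-and-control",
    "pool.evilbot.example": "botnet",
}

SAMPLE_LOG = [
    # constructed: an infected workstation polling its C2 roughly every 60 s
    "2014-05-20T09:00:00 10.0.0.5 c2-update.example.net",
    "2014-05-20T09:01:01 10.0.0.5 c2-update.example.net",
    "2014-05-20T09:02:00 10.0.0.5 c2-update.example.net",
    "2014-05-20T09:03:02 10.0.0.5 c2-update.example.net",
    "2014-05-20T09:04:01 10.0.0.5 c2-update.example.net",
    "2014-05-20T09:04:59 10.0.0.5 c2-update.example.net",
    "2014-05-20T09:06:01 10.0.0.5 c2-update.example.net",
    # constructed: ordinary browsing from another host at irregular times
    "2014-05-20T09:00:12 10.0.0.7 www.example.com",
    "2014-05-20T09:03:40 10.0.0.7 news.example.org",
    "2014-05-20T09:04:05 10.0.0.7 www.example.com",
    "2014-05-20T09:17:52 10.0.0.7 www.example.com",
    "2014-05-20T09:41:09 10.0.0.7 www.example.com",
    "2014-05-20T09:44:00 10.0.0.7 www.example.com",
    "malformed line that the parser must skip",
]


def parse_log(lines):
    """Yield (timestamp, client, host) for each well-formed line."""
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m["ts"]), m["src"], m["host"].lower().rstrip(".")


def blocked_category(host: str):
    """Return the category if `host` or any parent domain is on the block list."""
    parts = host.split(".")
    for i in range(len(parts)):
        category = BLOCKED_DOMAINS.get(".".join(parts[i:]))
        if category:
            return category
    return None


def find_beacons(records, min_count: int = 5, max_cv: float = 0.2) -> dict:
    """Flag (client, host) pairs contacted at suspiciously regular intervals.
    Regularity is the coefficient of variation (stdev / mean) of the gaps;
    human browsing is bursty and scores far above `max_cv`."""
    by_pair = defaultdict(list)
    for ts, src, host in records:
        by_pair[(src, host)].append(ts)
    beacons = {}
    for pair, times in by_pair.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            beacons[pair] = {"interval_s": round(mean, 1), "cv": round(cv, 3), "count": len(times)}
    return beacons


def analyze(lines) -> dict:
    """Run both checks over a log and return what should be blocked or investigated."""
    records = list(parse_log(lines))
    hits = sorted({(src, host, blocked_category(host))
                   for _, src, host in records if blocked_category(host)})
    return {"blocked": hits, "beacons": find_beacons(records)}


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(key, value)
```

The category match is what the URL filter does inline and is the cheap win; the beacon check is for the variant whose server is not on any list yet, and it works from logs you almost certainly already have. Expect to whitelist legitimate pollers (update agents, monitoring) once you run it on real traffic.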
Unfortunately, newer crypto-ransomware variants can work completely offline, carrying their public key with them. But even if your data is locked, it's not over yet. Know your enemy: identifying the specific ransomware family often tells you whether it can be defeated. Start by booting from an antivirus rescue disc that mounts your hard drive offline and scans it; some lock-screen ransomware can be removed this way. Older crypto-ransomware sometimes used flawed encryption, such as a hard-coded key or a key left on disk, and free decryption tools exist for those families. Some older ransomware also deleted the original file rather than overwriting it in place, so Windows Volume Shadow Copies (the "Previous Versions" feature) or undelete software may recover some files. Be aware that many variants now delete the shadow copies as part of the attack, so check whether they still exist before you count on them.
If the worst happens, think long and hard before paying the ransom. Losing important files is painful, but every payment keeps ransomware a lucrative business for criminals, and there is no guarantee the decryption key will ever be delivered. Ransomware, like any other malware, arrives through many vectors, so use a defence-in-depth approach, with a next-generation firewall or unified threat management system, to stop it at every stage of the attack.
Corey Nachreiner is CISSP and Director of Security Strategy at WatchGuard Technologies