Ransomware: how to protect yourself


(Post 10 of the 12-week Information Security Management blog series)

You would have to be hiding under a rock for the past several years if you haven’t noticed the increased media coverage about a particularly nasty form of malware infamously labeled ransomware. In 2016 alone, several U.S. hospitals made the news after falling victim to this electronic form of extortion. The San Francisco Municipal Transportation Agency even fell victim to this type of attack. What has been all over the news most recently is a particularly intrusive and pesky version of ransomware called ‘WannaCrypt’, also dubbed ‘WannaCry’, likely due to the widespread havoc it has caused. With all this attention, it is hard to ignore the feeling that ransomware is a growing problem.

What is Ransomware?

One simple description of ransomware is that it is extortion through the use of malicious software (malware). Most often it has been distributed through Trojan horses, a form of malware that masquerades as something legitimate, such as antivirus software or music files, and then, like the famous Trojan horse of Troy, delivers a surprise attack from a payload held within. Scammers have traditionally preferred spam email and torrent sites as a distribution method for their ransomware, though recently, as we have seen with WannaCry, cyber-criminals have demonstrated that ransomware can also be distributed through self-replicating worms, another form of malware.

Once the ransomware has infiltrated its target, it takes over, denying access to critical resources. Users are typically met with a demand for some form of payment, often a crypto-currency such as Bitcoin, in exchange for returned control of the resource. After the demand for payment has been met, the key to regaining access is provided, but the malware may still exist, posing a threat that the attacker could decide to lock it down again and demand another payment.

According to this 2015 report by Symantec on The evolution of ransomware, it comes in two primary forms, though others do exist.

  • Locker ransomware – This form of ransomware can take over entire computers, or at least the user interface, rendering a system entirely inoperable. When powered on, the device simply displays a demand for payment. Many times, this form of ransomware disables the cursor and even keys on the keyboard that are unnecessary to submit payment information. It does nothing to the underlying file system though, so it leaves the possibility that it could be removed and the system restored to normal operating condition.
  • Crypto ransomware – This form of ransomware is specifically designed to search the contents of a computer for information that might be valuable, such as financial records, media files, and documents. Once it has identified potentially valuable information, it encrypts it so that the computer’s owner or user can no longer access those files unless a ransom is paid.

The Growing Threat of Ransomware

According to Symantec’s document on The evolution of ransomware, the first known form of ransomware was called the AIDS Trojan, which was written to a floppy disk and mailed to unsuspecting victims in 1989. With better technology and increased adoption of the internet throughout society, ransomware has gained popularity and favor among computer criminals. The first form of modern crypto ransomware was released in 2005, and by 2015 SonicWALL reported that their Global Response Intelligence Grid logged just under 4 million attempted ransomware attacks. The same organization reported that in just one year’s time, that number rose to at least 638 million attacks by the end of 2016. Verizon, in their 2016 Data Breach Investigation Report, was a little more conservative, showing only a mild 50% increase in the number of ransomware attacks from 2015 to 2016.

In Symantec’s 2016 whitepaper, Ransomware and Business, they presented some chilling statistics related to the ransomware threat. According to the report, 26% of all ransomware attacks are aimed at targets within the United States. Additionally, 43% of those attacks specifically target businesses. Symantec’s data shows that the services industry was hit particularly hard in 2016, but virtually no sector of business was ignored. They also show that crypto ransomware has become the tool of choice, representing the form of malware used in over 90% of ransomware attacks that year. To make things worse, the price demanded in ransom per system had drastically increased in just a single year, from an average of $294 in 2015 to $679 in 2016.

Defending Against Ransomware

There are a number of technical and non-technical measures that an individual or organization can employ to defend against any form of malware. Unfortunately, in the case of ransomware, simply utilizing anti-malware software doesn’t cut it.

Having a good understanding of safe internet and email practices is a good start. If you don’t download files from untrusted sites or open untrusted emails in the first place, you will be reasonably protected against the majority of threats from Trojan horses.

Keeping systems patched and up-to-date is critical. Oftentimes malware exploits older, known vulnerabilities in applications or operating systems because they are well-documented and criminals can count on people not having properly maintained their systems. Software vendors release patches to fix these vulnerabilities, so apply them as expeditiously as possible and your systems simply won’t be vulnerable to many forms of malware being distributed.

My go-to solution is backups. Simply put, if it is important, back it up. If my systems become infected (which they rarely do, but it could still happen), I know there isn’t anything of value on my workstations, file servers, application servers, databases, and even appliances that hasn’t been copied to some sort of repository. It is much easier to wipe the system and simply reload and restore it from a backup than it is to try to eradicate a pesky form of malware. At home, I employ the same practice. Everything of value is backed up, and I will not waste time trying to fix a system that I can simply restore in a couple of hours’ time. If I were to fall victim to ransomware, I could simply erase my hard drives, reinstall my operating system, and then restore my backed-up data, and I would be back in business as if it never happened.

Backup solutions can be intimidatingly expensive and complex, but they don’t have to be. If you can’t justify the cost of a robust, enterprise-quality backup solution because your organization has only a handful of computers or a very tiny budget, you can buy external storage devices or even use DVD-Rs and simply utilize your operating system’s built-in backup capabilities. Just remember to perform backups regularly. Modern versions of Microsoft Windows, Apple OS X, and popular versions of Linux all come bundled with native backup and restore capabilities. All they need is a place to store the data. Do this and you will never fear ransomware again.
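A backup is only useful if you can tell that the copy you are about to restore is intact and see exactly which files an infection touched. The following is an added example, not code from this post: a hypothetical helper that records a SHA-256 manifest of a backup set and later compares a tree against it (file names, paths and contents are constructed for the demo; keep the manifest with the offline copy, not on the protected machine).

```python
"""Hypothetical backup-integrity helper, not code from the blog post: record a
SHA-256 manifest of a backup set, then verify a tree against it before trusting a restore."""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file under root (relative POSIX path) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_tree(root: Path, manifest: dict) -> dict:
    """Report which files changed, vanished or appeared relative to the manifest.
    An all-empty result means the tree matches the backup set byte-for-byte."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "added": sorted(p for p in current if p not in manifest),
    }


def demo() -> dict:
    """Constructed sample: record two files, then alter the tree the way a crypto
    infection leaves it (contents replaced, original renamed with a new extension)
    and check the result against the saved manifest."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "docs").mkdir()
        (root / "docs" / "budget.xlsx").write_bytes(b"constructed spreadsheet")
        (root / "notes.txt").write_text("constructed notes")
        manifest_json = json.dumps(build_manifest(root), sort_keys=True)  # store this offline
        # Simulated damage for the demo: one file overwritten, one renamed.
        (root / "notes.txt").write_bytes(b"\x8f\x1c\x03 unreadable ciphertext")
        (root / "docs" / "budget.xlsx").rename(root / "docs" / "budget.xlsx.locked")
        return verify_tree(root, json.loads(manifest_json))
```

Run the same verify_tree against a restored tree before putting it back into service; anything listed under "modified" or "missing" means the restore did not come from a clean copy.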


About Dustin Wilson

I have been working professionally in Cybersecurity since 2011. I earned my A.A.S. in Computer Science and a B.S. in Cybersecurity, and am currently working on an M.S. in Cybersecurity. Prior to working in this field, I was a computer programmer for nine years.
