It’s certainly a hot topic among I.T. pros, and it's a major risk to every business (though not everyone knows it), but exactly what is ransomware and what steps can you take to avoid it?
We've put together some facts and information to answer those questions and more.
What is Ransomware?
Ransomware is a software-based attack that denies users access to their systems or data. The goal of a ransomware attack is extortion. A ransom demand will be made, and the systems or data will be held hostage until the demand is met. If the demands are not met in time, data may be deleted or personal information may be released.
How does ransomware spread?
Ransomware is typically delivered through an exploit kit or a phishing attack. After the initial infection, ransomware is engineered to spread to shared storage drives and other accessible systems. This can include all locally stored documents and files, network shares the infected user can access, connected external drives such as USB drives, and cloud storage the user has write access to, such as Dropbox.
- An Exploit Kit is code created to take advantage of an unpatched or unknown vulnerability in an operating system, software or other application.
- Phishing is masquerading as a trustworthy entity in an electronic communication with malicious intent.
Types of Ransomware
Crypto or Locker
This type of ransomware is most often acquired through phishing attacks. In a Crypto attack, the data on your system is encrypted, which prevents you from accessing it. The only way to get the encryption key is to pay the ransom. The best-known examples of this type of ransomware are CryptoLocker and Locky.
Hostage
The newest ransomware strain is also generally acquired through phishing attacks and operates on the same underlying concept as Crypto. However, the Hostage version goes one step further and steals browser history, chat history and contact lists, and records video and audio. The criminal then threatens to send this personal information to your contacts if a “fee” (the ransom) is not paid. Hostage ransomware goes by the names Crysis and Jigsaw.
A Brief History of Ransomware
Ransomware is not new. It first appeared in 1989, when an “AIDS” Trojan distributed on floppy disks asked for $189 to unlock a file. CryptoLocker, one of the most prolific versions, came on the scene in 2013, followed by CryptoWall in 2014. In 2015, CryptoWall 3.0 and 4.0 were released, with new encryption layers and packaged in exploit kits.
And now in 2016, we have seen an explosion in ransomware growth thanks to Ransomware as a Service (RaaS) – a phenomenon made possible by the cloud.
It is now the fastest-growing malware threat, targeting users of all types – from home users to the corporate network. With over 4,000 attacks occurring daily since the start of 2016, ransomware has grown about 300% in one year alone.
What are the markers of a ransomware attack?
To be considered successful, a ransomware attack must:
- Take control of a system or device
- Prevent access to the device and its data to some degree
- Inform the user that the device is being held for ransom, along with a price and a method of payment (there are numerous variations of this: the demand may be called a “fee” or a “fine”, and the amount may increase as time passes)
- Accept payment from the user
- Return full access to the device once payment is received (unfortunately, this isn’t always the case)
5 Steps to Protecting Your Data From a Ransomware Attack
Ransomware is a growing business and no business is immune, but proactive protective measures are a good defense against this threat. Here are 5 steps you should take right now.
User Education: End-Users must be educated on how to recognize threats and avoid dangerous behavior.
Thanks to the success of social engineering tactics, cyber-criminals have found that it’s much easier to convince a user to hand over access to the network than to break in themselves. Underscoring this trend of targeting end-users is the fact that ransomware is now believed to be included in over 90% of all phishing emails.
With a new phishing attempt generated every minute, it’s no exaggeration to say that every business network is one bad click away from a ransomware attack. And more often than not, that click isn’t intentional or malicious – it’s simply a lack of education.
You can minimize the ransomware risk through proper education and training of end-users on how to spot and avoid these attempts. Remind employees never to click unsolicited links or open attachments in unsolicited emails. Learn how to spot a phishing attack and train your teams so that they know the red flags as well.
Restrict Access: Operate on a principle of least privilege
As discussed above under how ransomware spreads, ransomware executes and spreads under the logged-in user’s account. So when a single user clicks a bad link on his or her laptop, every network share and drive that user has access to is open to the infection as well.
To prevent this, keep data stores and shares protected by limiting the number of users who have access to them. If a user doesn’t need access, don’t give it to them. Administrator accounts should be avoided or used on a very limited basis; if they are in use, they should be blocked from using email and only logged into when necessary. When the elevated access is no longer needed, users should log out and log back in with an account that has less access.
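The point above is that ransomware inherits the infected user's write access, so the "blast radius" of one compromised session is simply the set of shares that user can write to. The following script, added here as an illustration rather than code from the original post, computes that set from a constructed directory of users, groups and share ACLs (all names are hypothetical) and shows how removing an unneeded group membership shrinks it.

```python
# Constructed example data (hypothetical shares, groups and users), not from
# the original post. Each share lists which groups may read and which may write.
SHARES = {
    r"\\fs01\Finance":  {"read": {"Finance"},          "write": {"Finance"}},
    r"\\fs01\HR":       {"read": {"HR"},               "write": {"HR"}},
    r"\\fs01\Public":   {"read": {"Domain Users"},     "write": {"Domain Users"}},
    r"\\fs01\Backups":  {"read": {"Backup Operators"}, "write": {"Backup Operators"}},
    r"\\fs01\Projects": {"read": {"Domain Users"},     "write": {"Engineering"}},
}

USERS = {
    "alice": {"Domain Users", "Finance"},
    "bob":   {"Domain Users", "Engineering", "Backup Operators"},  # over-privileged
    "carol": {"Domain Users"},
}

def writable_shares(user, users=USERS, shares=SHARES):
    """Shares that ransomware running as `user` could encrypt: anything one of
    the user's groups can write to. Read-only access is excluded, since files
    cannot be encrypted in place without write permission."""
    groups = users[user]
    return sorted(s for s, acl in shares.items() if acl["write"] & groups)

def blast_radius_report(users=USERS, shares=SHARES):
    """Map every user to the shares at risk if that user's session is compromised."""
    return {u: writable_shares(u, users, shares) for u in users}

def remove_group(user, group, users=USERS):
    """Least-privilege remediation: return a copy of the directory with `group`
    removed from `user`, so the reduced blast radius can be compared."""
    updated = {u: set(g) for u, g in users.items()}
    updated[user].discard(group)
    return updated

if __name__ == "__main__":
    for user, at_risk in blast_radius_report().items():
        print(f"{user}: {len(at_risk)} writable share(s): {at_risk}")
    # bob does not need Backup Operators; drop it and the backup share leaves his blast radius.
    trimmed = remove_group("bob", "Backup Operators")
    print("bob after trimming:", writable_shares("bob", trimmed))
```

Running the same report against real share ACLs (exported from the file server) is a quick way to find accounts whose one bad click would reach the backup store.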
Anti-malware is a must
Traditional signature-based anti-virus is no longer an effective security measure against today’s malware strains.
Advanced endpoint protection is required, and any AV program must be capable of stopping processes that exhibit malicious techniques (behavioral detection). It also must be on and kept up to date at all times. Because phishing emails are known to carry ransomware, make sure you have strong spam filters in place. It is also recommended that you implement inbound mail scanning and blocking.
You must have a procedure in place to monitor your endpoint security programs and keep them up to date.
Patch Management: An unpatched system is an open door for ransomware.
One of the high-profile ransomware attacks earlier this year against a hospital is believed to have been the result of an unpatched vulnerability on the network.
In order to have a fully protected system, you must have a patch management strategy in place. This includes enforcing patch installations and reboots by your end-users (allowing one person to ignore or delay the system prompts jeopardizes your entire network), or even better, controlling the process through a centralized system.
Patching also applies to third-party applications, so be sure that Adobe Reader, Java and other common ones are included in your overall strategy.
All patches should be applied quickly after they are released and certainly no more than 30 days after.
Data Backups & Recovery
There is only one guaranteed way to get your data back after a ransomware attack – if it has been safely backed up and secured.
Thought we were going to say pay the ransom? Unfortunately, there is never any guarantee that you will regain access to your data, even if you do choose to pay the ransom. There are known cases where the ransom gets paid and the victims never receive the promised encryption key, are immediately targeted again, or are told they have to pay a higher amount to get the key.
While the FBI has been linked to a statement saying that it makes sense to just go ahead and pay the ransom, the agency urges businesses to carefully consider the risks before doing so. Paying not only encourages a criminal business model, it also doesn’t guarantee the desired result.
If you take the necessary steps before you get hit with ransomware – and your best bet with this type of risk is to operate on a “when” basis, not “if” – then you can do more than just hope to get your data back. You can go and get it yourself.
In order for this to be an effective counter to a ransomware attack, though, you must have a modern data backup service that is validated on a regular basis. Don’t just assume that your backups are working fine – test them, and do so often. And if you are still using tape backups, it’s time for an upgrade. Consult with your I.T. professional and explore one of the many cost-effective cloud-based backup options that exist today.
In addition, you want to be sure that at least one of your backup locations is offsite or cloud-based. Encrypt your backup location. As discussed earlier in this post, you also want to restrict access to your networked backup stores. Ransomware is military-grade code designed to reach those backup drives (and encrypt them or restrict access to them), and it will typically delete Windows shadow copies.
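Because deleting shadow copies is one of the few reliably loud things ransomware does before encrypting, it is worth alerting on. The script below is an added detection example, not code from the original post: it runs a simple rule over constructed Sysmon-style process-creation records (hypothetical hostnames, users and paths) and flags shadow-copy deletion while ignoring benign enumeration.

```python
import re

# Constructed sample of Sysmon-style process-creation events (Event ID 1), not real
# telemetry: (timestamp, user, parent image, command line). Names are hypothetical.
EVENTS = [
    ("2016-09-12T09:14:02", r"CORP\alice", r"C:\Windows\explorer.exe",
     r'"C:\Program Files\Microsoft Office\WINWORD.EXE" /n invoice.docm'),
    ("2016-09-12T09:14:09", r"CORP\alice", r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     r"cmd.exe /c C:\Users\alice\AppData\Local\Temp\upd.exe"),
    ("2016-09-12T09:14:11", r"CORP\alice", r"C:\Users\alice\AppData\Local\Temp\upd.exe",
     r"vssadmin.exe Delete Shadows /All /Quiet"),
    ("2016-09-12T09:14:12", r"CORP\alice", r"C:\Users\alice\AppData\Local\Temp\upd.exe",
     r"wmic shadowcopy delete"),
    ("2016-09-12T11:30:00", r"NT AUTHORITY\SYSTEM", r"C:\Windows\System32\svchost.exe",
     r"vssadmin.exe list shadows"),  # benign: enumeration only, must not alert
]

# Command-line shapes that remove Volume Shadow Copies. Case-insensitive because
# the Windows binaries accept any casing and attackers vary it to dodge naive rules.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
]

def is_shadow_copy_deletion(cmdline):
    """True if the command line deletes shadow copies (listing them does not count)."""
    return any(p.search(cmdline) for p in SHADOW_DELETE_PATTERNS)

def detect(events=EVENTS):
    """Return one alert dict per event that deletes shadow copies."""
    alerts = []
    for ts, user, parent, cmd in events:
        if not is_shadow_copy_deletion(cmd):
            continue
        # A parent living in a user-writable location (AppData, Temp) is far more
        # suspicious than a backup agent installed under Program Files.
        p = parent.lower()
        severity = "high" if "\\appdata\\" in p or "\\temp\\" in p else "medium"
        alerts.append({"time": ts, "user": user, "parent": parent, "cmd": cmd,
                       "severity": severity})
    return alerts

if __name__ == "__main__":
    for a in detect():
        print(f"[{a['severity'].upper()}] {a['time']} {a['user']} {a['parent']} -> {a['cmd']}")
```

In a real environment the same rule would be fed from your endpoint agent or SIEM, and a high-severity hit on a workstation is a reason to isolate the host and start restoring from the offsite backups described above.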
Backup is part of the equation – recovery is the other.
Knowing that your data is safe and out of reach of a ransomware attack is a huge relief and a great first step to getting back up and running. However, it’s equally important that you know exactly how you’ll get your data back in the event of a ransomware attack (or any type of disaster, in fact).
How long will it take to restore it? How much data loss can you live with…1 hour? 1 day? 1 week?
These are all important questions to ask BEFORE an incident, and the answers will be unique to every business. They are then key factors in determining how you design your system backups, as well as your recovery plan.
By following these steps and planning for "when" and not "if" you experience a ransomware attack, you will be well-prepared to handle the threat and mitigate your overall risks and exposure.
Remember, ransomware is not just one of many cyber-threats out there – it’s a thriving business, and you could be the next customer.