10 May 2019

Ransomware: How to protect your business

As scary as it sounds (it is sometimes also called scareware), ransomware is a type of malicious software, or "malware", that uses a simple yet powerful scam method: extortion. Through social engineering and fear, ransomware criminals extract money from infected victims. The malware locks the infected system by encrypting valuable data and then demands a ransom in exchange for the key that decrypts it.

Cyber criminals are expanding their dirty business from consumers to corporate victims and adjusting their prices accordingly. If a hospital, government agency or business is vulnerable to ransomware, it's not just pictures and personal documents that criminals will aim for, but important data such as records, financial information or databases. Suddenly the potential loss becomes much greater. In order to keep their business running, corporate victims see no other choice but to pay.

According to the FBI, ransomware attacks caused a reported total loss of $24 million in 2015. Hospitals are at the top of the list and are continuously being targeted because of their weak security implementations and critical information. In the same year, the Hollywood Presbyterian Medical Center in Los Angeles reported paying $17,000 in Bitcoin to ransomware hackers to have its data unlocked. At about the same time, the Los Angeles County Health Department and two hospitals in Germany suffered the same inconvenience. In 2016 the total loss so far is already much greater than in 2015: the FBI reported $209 million in the first three months of the year alone.

Why are ransomware attacks so effective?

Cyber criminals are continuously creating more sophisticated and innovative code. CryptoWall, the most popular ransomware tool, has evolved into CryptoWall 4.0 with updates that deal more damage. Other names have also been seen around, such as Locky and CryptoLocker, which have been successfully infecting consumers and corporations over the past months. On top of that, with Malware as a Service "MaaS" platforms, any script kiddie or less technically experienced criminal can easily create and profit from the malware. The low startup investment, low risk and potentially high returns of an illegal ransomware business make it irresistible to many criminals out there.

Luckily, most ransomware criminals work in a "professional" manner and will quickly send the decryption key once the ransom has been paid; however, there are no guarantees. It's better to be prepared than to hope your data will be safely returned to you.

At the beginning of 2016, common ransom demands varied from $250 to $300 depending on the ransomware type. Now that the game is changing, criminals estimate how much money the victim can pay. For a large corporation the ransom can be excessively high, from thousands to hundreds of thousands of dollars.

How do ransomware attacks work?

Cyber criminals trick their victims and spread their malicious software using two skillfully crafted social engineering methods. The first is a malicious email attachment and the second is a compromised website. Once the victim opens the attachment or visits the website, the system is exposed and infected by the ransomware, which then takes the following steps:

  1. Sends information about the infected system, together with a public key, to the ransomware creator's Command and Control server.
  2. Encrypts critical data such as Office documents, databases, HTML files, photos, etc., using strong methods such as RSA-2048 and AES-128.
  3. Erases all operating system automatic backups to prevent data recovery.
  4. Displays a notice on the desktop with instructions on how to recover the data and directions on how to pay the ransom (usually in Bitcoin). The notice is usually a threat, an insult or a trick (such as a notice pretending to come from the FBI).

If the ransom is not paid, the files are left encrypted with no possibility of decrypting them. If the ransom is paid, the decryption key is (hopefully) received and the files can be unlocked.
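The four steps above are also what a defender can watch for. The following Python script is an added example, not part of the original post: it runs a simple detector over a constructed file-activity log and flags a process that changes the extension of many files within a short window (step 2) and any deletion under a backup path (step 3). The log format, the process names, the thresholds and the `\backups\` path hint are my assumptions, not anything the post specifies; real telemetry (Sysmon, auditd, an EDR) needs its own parser.

```python
"""Flag ransomware-like file activity in an activity log (added example).

Not from the original post. The comma-separated format
(timestamp,pid,process,action,path[,new_path]) and the sample lines are
constructed for this demo. The thresholds and the backup-path hint are
assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath
from typing import Dict, List

# Constructed sample: routine edits by WINWORD.EXE, then an unknown process
# renaming many documents to a new extension within seconds (like step 2)
# and deleting a backup file (like step 3).
SAMPLE_LOG = r"""
2019-05-10T09:00:01,4321,WINWORD.EXE,write,C:\Users\ana\Documents\report.docx
2019-05-10T09:00:05,4321,WINWORD.EXE,write,C:\Users\ana\Documents\report.docx
2019-05-10T09:12:00,9999,updater.exe,rename,C:\Users\ana\Documents\report.docx,C:\Users\ana\Documents\report.docx.locked
2019-05-10T09:12:01,9999,updater.exe,rename,C:\Users\ana\Documents\budget.xlsx,C:\Users\ana\Documents\budget.xlsx.locked
2019-05-10T09:12:02,9999,updater.exe,rename,C:\Users\ana\Pictures\holiday.jpg,C:\Users\ana\Pictures\holiday.jpg.locked
2019-05-10T09:12:03,9999,updater.exe,rename,C:\Users\ana\Documents\notes.txt,C:\Users\ana\Documents\notes.txt.locked
2019-05-10T09:12:04,9999,updater.exe,rename,C:\Users\ana\Documents\site\index.html,C:\Users\ana\Documents\site\index.html.locked
2019-05-10T09:12:06,9999,updater.exe,rename,C:\Users\ana\Documents\customers.db,C:\Users\ana\Documents\customers.db.locked
2019-05-10T09:12:09,9999,updater.exe,delete,C:\Backups\documents-2019-05-09.tar.gz
""".strip().splitlines()


def parse_line(line: str) -> Dict:
    """Parse one constructed log line into a dict; new_path is only set for renames."""
    parts = line.split(",")
    ts, pid, proc, action, path = parts[:5]
    return {"ts": datetime.fromisoformat(ts), "pid": int(pid), "proc": proc,
            "action": action, "path": path,
            "new_path": parts[5] if len(parts) > 5 else None}


def extension_changed(old: str, new: str) -> bool:
    """True when a rename changes the file extension (e.g. .docx -> .locked)."""
    return PureWindowsPath(old).suffix.lower() != PureWindowsPath(new).suffix.lower()


def detect(lines: List[str], window: timedelta = timedelta(seconds=60),
           threshold: int = 5, backup_hints=("\\backups\\",)) -> List[Dict]:
    """Return one alert per (process, rule) that fires over the given log lines."""
    alerts: List[Dict] = []
    renames = defaultdict(list)  # (pid, proc) -> [(ts, original path)]
    for ev in map(parse_line, lines):
        if ev["action"] == "rename" and ev["new_path"] \
                and extension_changed(ev["path"], ev["new_path"]):
            renames[(ev["pid"], ev["proc"])].append((ev["ts"], ev["path"]))
        elif ev["action"] == "delete" \
                and any(h in ev["path"].lower() for h in backup_hints):
            alerts.append({"rule": "backup_deleted", "pid": ev["pid"],
                           "proc": ev["proc"], "path": ev["path"]})
    for (pid, proc), items in renames.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            # Slide the window so items[start:end + 1] spans at most `window`.
            while items[end][0] - items[start][0] > window:
                start += 1
            distinct = {path for _, path in items[start:end + 1]}
            if len(distinct) >= threshold:
                alerts.append({"rule": "mass_extension_change", "pid": pid,
                               "proc": proc, "count": len(distinct),
                               "first_seen": items[start][0].isoformat()})
                break  # one alert per process is enough
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The two rules are deliberately independent: a legitimate bulk rename by a user trips only the first, while a backup job that rotates old archives trips only the second, so a process that fires both within minutes is the pattern worth paging someone about. Tune `threshold` and `window` to the baseline of the file server you run it against.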

Why are companies vulnerable to ransomware attacks?

On the Internet, no one is 100% safe. Ransomware attacks frequently target popular Microsoft devices. However, news has recently spread that the first Apple computers and Linux servers have also been infected. And it's not only PCs that are at risk: some Android ransomware applications have been discovered as well.

Ransomware looks for common operating system vulnerabilities; if a system is not updated and backed up frequently, it can be at high risk. The same goes for security systems such as antivirus, firewalls and Intrusion Detection Systems "IDS", which may not find the threat because they are not updated properly.

Social engineering can find its way through even the strongest security systems. 90% of online attacks are said to be delivered through skillfully crafted scams. No antivirus, firewall or IDS will help if the user lacks security awareness and the skills needed to protect against social engineering.

What can we do to stay safe from ransomware threats?

Backup your data. Honestly, this is the only solid solution available.

Ransomware is continuously altering its exploit and evasion techniques. Having the latest security mechanisms and updated operating systems might help, but they do not guarantee 100% protection from every kind of malware. Most of the time it is human error that gets systems compromised. Accidents can be greatly reduced with regular employee security training and a little common sense. The following are 6 best practices to stay safe from ransomware:

  1. Create regular backups, encrypt them and keep them offline and offsite. Some people call it the 3–2–1 rule: 3 copies of the data, saved in 2 different formats, with 1 copy offline or offsite.
  2. Enable "view file extensions" so that file types can be easily spotted and potentially harmful hidden files can be identified.
  3. Be suspicious when opening unknown email attachments. If you do not know the sender, do not open the file.
  4. Update applications often to close security holes. Malware does not always depend on attachments to infect a system; it also uses security holes in applications such as Microsoft Office or Windows.
  5. Keep security systems such as antivirus, IDS and firewalls updated and well implemented.
  6. Operate in a limited user account for day-to-day activities. Restrict the time spent logged on in administrative mode.
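Practice 1 above only pays off if the backup copy is intact when you need it. The following Python script is an added example, not from the original post: it archives a directory, records a SHA-256 manifest beside the archive, and verifies the archive against that manifest before any restore is attempted; its demo function then corrupts the archive to show that damage (for instance a backup that was still reachable when the ransomware ran) is reported rather than silently restored. The tar.gz format, the manifest layout and the function names are my assumptions; encrypting the archive and keeping the offline and offsite copies are left to the surrounding process.

```python
"""Backup with an integrity manifest, verified before restore (added example).

Not from the original post. Assumptions (mine, not the article's): a backup
is a plain tar.gz archive with a JSON manifest of SHA-256 digests stored
beside it. Encryption of the archive and the offline/offsite copies required
by the 3-2-1 rule happen outside this script.
"""
import hashlib
import json
import tarfile
import tempfile
import zlib
from pathlib import Path
from typing import Dict, List, Tuple


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large archives need not fit in RAM."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def make_backup(src: Path, dest_dir: Path, name: str = "backup") -> Path:
    """Archive every file under src and record per-file and whole-archive digests."""
    dest_dir.mkdir(parents=True, exist_ok=True)
    archive = dest_dir / f"{name}.tar.gz"
    files: Dict[str, str] = {}
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(src.rglob("*")):
            if p.is_file():
                rel = p.relative_to(src).as_posix()
                files[rel] = sha256_of(p)
                tar.add(p, arcname=rel)
    manifest = {"archive_sha256": sha256_of(archive), "files": files}
    (dest_dir / f"{name}.manifest.json").write_text(json.dumps(manifest, indent=2))
    return archive


def verify_backup(dest_dir: Path, name: str = "backup") -> Tuple[bool, List[str]]:
    """Compare the archive with its manifest without extracting anything to disk."""
    archive = dest_dir / f"{name}.tar.gz"
    manifest = json.loads((dest_dir / f"{name}.manifest.json").read_text())
    problems: List[str] = []
    if sha256_of(archive) != manifest["archive_sha256"]:
        problems.append("archive digest mismatch")
    seen = set()
    try:
        with tarfile.open(archive, "r:gz") as tar:
            for member in tar.getmembers():
                if not member.isfile():
                    continue
                seen.add(member.name)
                actual = hashlib.sha256(tar.extractfile(member).read()).hexdigest()
                expected = manifest["files"].get(member.name)
                if expected is None:
                    problems.append(f"unexpected file in archive: {member.name}")
                elif actual != expected:
                    problems.append(f"content mismatch: {member.name}")
    except (tarfile.TarError, OSError, EOFError, zlib.error) as exc:
        problems.append(f"archive unreadable: {exc}")
    for missing in sorted(set(manifest["files"]) - seen):
        problems.append(f"missing from archive: {missing}")
    return (not problems, problems)


def demo() -> Tuple[bool, bool]:
    """Back up a constructed tree, verify it, corrupt the archive, verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "documents"
        (src / "finance").mkdir(parents=True)
        # Constructed sample files standing in for the documents worth protecting.
        (src / "report.docx").write_bytes(b"quarterly report (constructed sample)")
        (src / "finance" / "ledger.csv").write_bytes(b"date,amount\n2019-05-10,42\n")
        dest = Path(tmp) / "backups"
        archive = make_backup(src, dest)
        ok_before, _ = verify_backup(dest)
        # Simulate damage to the backup copy: flip a few bytes in the middle.
        data = bytearray(archive.read_bytes())
        mid = len(data) // 2
        data[mid:mid + 4] = bytes(b ^ 0xFF for b in data[mid:mid + 4])
        archive.write_bytes(bytes(data))
        ok_after, _ = verify_backup(dest)
        return ok_before, ok_after


if __name__ == "__main__":
    print("verified before / after corruption:", demo())
```

Keep the manifest with the offline copy and run `verify_backup` from there, not from the machine being backed up; a manifest that sits next to the live data is just one more file for the ransomware to encrypt. A restore drill that runs this check on a schedule is what turns "we have backups" into "we can recover".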

...and finally, don't give up and panic!

Ransomware is difficult to defeat and can put you in a tough situation. Many victims pay the ransom and accept the monetary loss as a cost of doing business. Don't give up and panic: some malware out there has known fixes, which can help significantly with a properly trained IT support technician. As James Scott (from the Institute for Critical Infrastructure Technology) said: "It's more psychological than it is technical". Fear is a strong emotion that can make you take a rash decision without looking for alternatives. The best solution is to start right now and be prepared (backup, backup and backup!). Learn how to avoid it with the right security awareness and common sense, and know what to do in case you get infected.