In general, encryption is a good thing and the stronger the better. Protecting data both at rest and in transit is a recommended security best practice of which you should be aware. But when you discover that all the files on your computer have been encrypted with 2048-bit AES encryption and you had nothing to do with it, it’s another matter entirely. If, God forbid, this should ever happen to you, there’s a good chance you’ve been a victim of ransomware. In this post we’ll examine how ransomware works, the various types, how prevalent it actually is, the motive behind it, and how to avoid becoming a victim.

Ransomware has been gaining attention recently, primarily as a result of some high-profile cases such as the attack on MedStar Health, but it’s been around for a while. The first known case was the “AIDS” ransomware back in 1989, which hid files on a computer’s hard drive and encrypted the filenames. It attempted to extort payment from victims by leading them to believe that a software license had expired. Actual public key cryptography for ransomware didn’t appear until 1996, as part of a proof-of-concept project. The use of asymmetric keys made decrypting their files extremely difficult for victims and left them only two options: pay the demanded ransom or kiss their files goodbye.

Things have evolved since 1996, both in the encryption standards used by ransomware and in the methods for its distribution. The preferred delivery method for ransomware is trickery in the form of Trojans: phishing, spear phishing, infected ads (malvertising), malicious downloads, and drive-by web attacks. Despite the rise in ransomware in the wild, otherwise known as the “encounter rate” (ER), the ratio of actual infections as reported by Microsoft’s Malicious Software Removal Tool (MSRT) is quite low. Microsoft’s Security Group attributes this to a combination of increased user awareness and the effectiveness of contemporary AV software. I think I’ll take that encouraging bit of news with a large grain of salt.

The preceding should provide a hint as to the platform most heavily targeted by ransomware: Microsoft Windows. However, before Mac users get too smug, ransomware targeting the Mac, known as “KeRanger”, was discovered in 2016. The targets of ransomware can be divided into three groups:
- Personal computers – primarily MS Windows
- Mobile phones – almost exclusively Android
- The Enterprise – servers, storage, and offsite storage
Mobile ransomware essentially locks users out of their phones rather than encrypting files. The net effect is still the same: pay a ransom in order to regain access to your device. Ransom is typically collected via Bitcoin, wire transfers, premium-rate text messages, Paysafecard, and even iTunes gift cards. It’s rumored that some large businesses are holding Bitcoin in reserve as a mitigation strategy in the event of an enterprise ransomware attack.

It should be noted that not all ransomware targeting PCs involves payloads that encrypt files. Some of it is pretty brain-dead simple, as is the case with ransomware that hijacks web browsers. Recovery is then a simple matter of killing the browser process in Windows Task Manager and being sure not to restore the previous browsing session upon restart. Even some ransomware that encrypts user files can be easily defeated if the creator has been sloppy about exposing the encryption keys. Unfortunately, such situations aren’t the norm, especially when the enterprise is the target. And not surprisingly, there’s some serious money associated with the ransoms extorted from victims. Losses due to the CryptoWall ransomware are estimated to be at least $18 million. A variant of ransomware, known as leakware, attempts to extort payment to prevent the perpetrators from publicly posting potentially incriminating information stolen from victims’ computers. In some cases, simply the threat of publicizing that an organization has been victimized by ransomware is reason enough to pay up.

Mitigation of the effects of ransomware, for both end users and enterprises, comes down to awareness. At the end of the day, prevention is always the best form of mitigation, and that entails end user education. It begins with never opening attachments in suspicious emails. A popular form of Trojan delivery for ransomware is those ubiquitous courier emails (DHL, FedEx, UPS, etc.) with zipped attachments. And it should go without saying that visiting porn sites and free music download sites is the virtual equivalent of tap dancing through a minefield. You’d also be well advised NOT to call any tech support phone numbers displayed on infected systems, no matter how authentic they appear. It’s a sure bet that you won’t be directed to Microsoft Support and your wallet will be considerably lighter afterward.

Once infected, the strongest form of mitigation is having a solid and reliable backup system in place. In the enterprise, that means having offsite backups that can’t be reached from the corporate intranet. Ransomware these days is savvy enough to map your network and then seek out all possible backup locations, even deleting shadow copies on client machines. And having reliable backups in place is only half the battle: periodically testing the restoration phase of a backup system is an extremely good idea and should be part of any disaster recovery and business continuity plan. When worst comes to worst, sometimes the only option remaining is to grit your teeth and pay the ransom, and even then there’s no guarantee that it will result in regaining access to your files and systems. A host of platitudes can be spouted around this topic, but none apply more than "better safe than sorry" and the one about "an ounce of prevention."
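As an added example of the restoration testing recommended above (this is not code from the original post): a small Python script that records a SHA-256 manifest of a backup set and later checks a restored tree against it, so that files that never came back, or whose contents no longer match (as they would not after encryption), are reported during a drill rather than discovered during an incident. The directory contents and file names are constructed in a temporary directory for the demonstration.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_manifest(root: Path) -> dict:
    """Map relative path -> SHA-256 for every file under root at backup time."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify_restore(restored: Path, manifest: dict) -> dict:
    """Compare a restored tree against the manifest and report every discrepancy."""
    problems = {"missing": [], "mismatch": [], "unexpected": []}
    seen = set()
    for p in sorted(restored.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(restored).as_posix()
        seen.add(rel)
        if rel not in manifest:
            problems["unexpected"].append(rel)   # file the backup never contained
        elif sha256_file(p) != manifest[rel]:
            problems["mismatch"].append(rel)     # contents changed, e.g. encrypted
    problems["missing"] = sorted(set(manifest) - seen)
    return problems

def restore_drill() -> dict:
    """Constructed scenario: back up two files, restore them, then damage the restore."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "data"
        src.mkdir()
        (src / "report.docx").write_bytes(b"quarterly numbers")   # sample data
        (src / "notes.txt").write_bytes(b"meeting notes")         # sample data
        manifest = build_manifest(src)   # keep this with the offsite copy
        restored = Path(tmp) / "restored"
        shutil.copytree(src, restored)
        (restored / "report.docx").write_bytes(b"\x8f\x11\xa3\x07")  # garbage contents
        (restored / "notes.txt").unlink()                           # never came back
        return verify_restore(restored, manifest)
```

Running `restore_drill()` returns the discrepancy report; in a real drill, `build_manifest` runs against the live data at backup time and `verify_restore` against the tree the backup system actually restores.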