A Survivor’s Guide to Ransomware

Finjan Team | Blog, Cybersecurity


Each week seems to bring fresh tales of horror from the cyber-security landscape: email hacks, data breaches, compromised social media platforms, and good old-fashioned malware. The trending threat of the moment is a breed of malicious software known as ransomware. In this guide, we'll explain what it is, how it gets in, and how to protect yourself from it.

What is Ransomware?

Ransomware is a kind of malicious software (malware) that is introduced covertly onto a user's system and then restricts the user's access to their data and / or programs. It's a form of "data kidnapping" with the same objective as many a human abduction: access to the infected system will be restored if, and only if, the victim pays a certain amount of money (the ransom).

There are several established and many emerging variants of ransomware. Most encrypt the victim's files and hold the decryption key hostage (crypto-ransomware); others simply lock the screen or the boot process without touching the file contents (locker ransomware). Some arrive as the payload of another piece of malware, some abuse legitimate off-the-shelf encryption tools rather than bringing their own code, and others are implemented as PowerShell scripts, which helps them blend in with ordinary administrative activity.

How Bad Is It?

A typical attack begins with a booby-trapped email carrying a malware attachment or a link to an infected website, or with a bogus pop-up ad on the user's screen claiming that their system is already infected and urging them to click on the advert for the "fix".

Having taken the bait, the user soon finds that their system now hosts an unwelcome extra piece of software: one that may encrypt every document on the hard drive (and on any network share or USB drive it can reach) so the data is no longer usable, or even overwrite the drive's master boot record so the machine will no longer boot. The payload comes with the kicker of a demand for payment to the attackers before they'll release the decryption key that lets the user regain access to their system.

Ransom demands may be as little as $10 or as much as $1,000 and more, depending on the individual or organisation targeted. Payment is usually requested by wire transfer, Bitcoin, premium-rate text message, or some other form of online credit. The ransomware package will often include features to ramp up the pressure on the victim and increase their urge to pay, such as a countdown that raises the ransom (or threatens to destroy the key) if payment isn't made by a certain time, or flooding the user's screen with pornographic images (potentially a huge embarrassment in a work or office context).

Paying the ransom may not even be the end of the ordeal. Aside from the risk of laying yourself or your organisation open to further extortion attempts, there’s the very real possibility that the attackers themselves won’t or can’t supply the decryption keys necessary to restore your system.

This may be through pure malice, as a tactic to extort further payments, or because the assailants rented or bought their ransomware from another source and never held the decryption key themselves. Note also that receiving a key does not clean the machine: the dropper that installed the ransomware, or a spyware component shipped alongside it, can remain on the system after the files are restored, recording keystrokes, mouse movements and other data.

How Big Is The Threat?

Ransomware is very much the flavour of the moment, as far as malware goes. The software can be coded or acquired fairly easily, and yields quick returns for cyber-criminals, as it’s often less hassle for an organisation to just pay the money and get the keys, rather than spend time and more money attempting to get their systems back online internally.

It’s enjoying a high success rate, too. Though the UK has been playing a role as its testing ground, the FBI in the US estimates that annual payments of around $150 million there are going directly to the initiators of the general class of “rogueware” attacks, which include ransomware and scareware anti-virus scams.

A report released this month (June 2016) by the anti-phishing firm PhishMe suggests that, as of the end of March, 93% of all phishing messages in the US were laced with ransomware. The first quarter of 2016 saw some 6.3 million phishing emails, a rise of 789% over the last quarter of 2015.

In the first week of June, a report in The Sydney Morning Herald uncovered an alarming statistic: at least 10,000 people had already fallen victim to an email scam perpetrated by ransomware attackers posing as the Australian energy giant AGL. Their fake messages were sent out as bills to existing AGL customers, urging them to download a copy of their invoice, which shipped as a zip file laced with ransomware that locks down the victim's machine. Recipients were then required to pay 880 Australian dollars (about US$640) before their machines were unlocked.

10,000 victims of this one scam, already. And that’s just the reported ones.

It’s a growth industry. Though TeslaCrypt and Locky have been prospering, other classic ransomware forms like CryptoWall are already giving way to improved strains, as developers pour the profits of their successful scams into R & D. With ransomware becoming more sophisticated, users and IT professionals will need to be increasingly on their guard.

How Can It Be Avoided?

There’s no catch-all solution for preventing ransomware attacks, but these general precautions apply:

  • Schedule and perform secure backups of all your data: If a machine becomes infected with ransomware, the quickest solution is to wipe it clean and restore a known-good configuration of software and documents from clean backups. For enterprises, this means deciding how far back your archives need to go (an infection can sit undetected for days before the ransom note appears, so the most recent snapshot is not always a safe one), and ensuring that backups are stored somewhere the infected machine cannot write to: offline media, or a location not connected to your existing network. Ransomware encrypts mapped drives and reachable shares just as readily as the local disk, so an always-mounted backup share is not a backup. Test restores regularly; a backup that has never been restored is an assumption, not a safeguard.
  • Use firewalls and anti-virus software from reputable manufacturers: Your security suite should be capable of sandboxing, i.e. isolating suspicious code or attachments in a safe area (Virus Vault, Quarantine, etc., depending on the product) and running them there to establish their true nature. Remember that fake anti-virus sites and pop-ups are themselves a vector for some ransomware, so don't trust an unsolicited "scanner" to help you; go to the vendor's site yourself.
  • Enable pop-up blocking, for your Web browsers and mobile apps: This removes the temptation to click on those tempting ads and warnings. If one does get through, the only thing you should do with it is close it, using the window's own close control rather than any button inside the ad.
  • Be wary of your email correspondence: Ransomware attacks often originate from sources that seem legitimate: organisations you have regular dealings with, or people within your own company. One popular ruse for gaining a foothold in a corporate network is to get a recipient to forward the message on to colleagues in other departments, lending it an internal sender's credibility. Standard precautions about links and attachments apply, and an unexpected "invoice" that arrives as a zip file (as in the AGL scam above) or as a document that asks you to enable macros should be treated as hostile until proven otherwise.
  • Stay informed: Read the literature, blogs, and cyber-threat bulletins. Subscribe to threat intelligence services. And train your people on the current threats, and security procedures.
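The zipped "invoice" used in the AGL scam is the classic shape of a ransomware lure, and a mail gateway or help desk can screen such attachments mechanically before anyone is tempted to open them. The Python script below is an added example, not code from the original post or from Finjan: it opens a zip attachment in memory and quarantines it if any member is an executable or script (especially one disguised with a document extension such as `Invoice.pdf.js`), a nested archive, an Office file carrying a VBA macro project, or a member whose compression ratio suggests a zip bomb. The extension lists, the 100:1 ratio threshold and the sample attachments are constructed for illustration and are not an authoritative policy.

```python
"""Screen a zipped email attachment before a user is allowed to open it.

Added example (not Finjan's code). Extension lists and the ratio threshold
are illustrative assumptions; tune them to your own environment.
"""
import io
import zipfile
from dataclasses import dataclass, field

# Member types that run code when double-clicked on a typical Windows desktop (assumed list).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse", ".vbs",
                   ".vbe", ".wsf", ".wsh", ".ps1", ".hta", ".jar", ".lnk", ".msi"}
# Extensions a lure borrows to make "Invoice.pdf.js" look like a document.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}
ARCHIVE_EXTS = {".zip", ".rar", ".7z", ".gz", ".cab"}
# OOXML files are zip containers themselves; a macro project lives at word/vbaProject.bin etc.
OOXML_EXTS = {".docm", ".docx", ".xlsm", ".xlsx", ".pptm", ".pptx"}
MAX_RATIO = 100  # uncompressed/compressed ratio above which we suspect a zip bomb (assumed)


@dataclass
class Verdict:
    quarantine: bool
    reasons: list = field(default_factory=list)


def _exts(name):
    """All extensions of a member name, lower-cased: 'dir/a.pdf.exe' -> ['.pdf', '.exe']."""
    parts = name.rsplit("/", 1)[-1].lower().split(".")
    return ["." + p for p in parts[1:]]


def _has_vba(data):
    """True if an OOXML container carries a VBA project (i.e. a macro)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as doc:
            return any(n.endswith("vbaProject.bin") for n in doc.namelist())
    except zipfile.BadZipFile:
        return False


def screen_zip_attachment(data):
    """Inspect every member of a zip attachment and decide whether to quarantine it."""
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return Verdict(True, ["attachment is not a valid zip archive"])
    reasons = []
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            exts = _exts(info.filename)
            last = exts[-1] if exts else ""
            if last in EXECUTABLE_EXTS:
                reasons.append(f"{info.filename}: executable/script member ({last})")
                if len(exts) > 1 and exts[-2] in DOCUMENT_EXTS:
                    reasons.append(f"{info.filename}: executable disguised with a document extension")
            elif last in ARCHIVE_EXTS:
                reasons.append(f"{info.filename}: nested archive")
            elif last in OOXML_EXTS and _has_vba(archive.read(info)):
                reasons.append(f"{info.filename}: Office document contains a VBA macro project")
            if info.compress_size and info.file_size / info.compress_size > MAX_RATIO:
                reasons.append(f"{info.filename}: compression ratio suggests a zip bomb")
    return Verdict(bool(reasons), reasons)


def make_zip(members):
    """Build an in-memory zip from {name: bytes}; used here to construct sample attachments."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, blob in members.items():
            z.writestr(name, blob)
    return buf.getvalue()


# Constructed samples modelled on the fake-invoice lure (not real malware: the "script" is harmless).
LURE_ATTACHMENT = make_zip({"AGL_Invoice_88271.pdf.js": b"WScript.Echo('constructed sample');"})
BENIGN_ATTACHMENT = make_zip({"invoice.pdf": b"%PDF-1.4\n% constructed placeholder document\n"})

if __name__ == "__main__":
    for label, blob in (("lure", LURE_ATTACHMENT), ("benign", BENIGN_ATTACHMENT)):
        v = screen_zip_attachment(blob)
        print(label, "QUARANTINE" if v.quarantine else "deliver", v.reasons)
```

The ratio check is deliberately per member rather than per archive so that one padded decoy cannot mask a bomb; a gateway would also cap the total uncompressed size it is willing to inspect at all.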

What Happens If You’re Affected?

If you fall prey to a ransomware attack, the first thing to do is not panic. Then:

  • Isolate the system: Disconnect it from the network (pull the cable, switch off Wi-Fi), not just from the Internet. This blocks the pipeline back to the attackers, who may be using their malware to monitor your system, and, more urgently, stops the ransomware from encrypting file shares and other machines it can reach. If you're on a corporate network, alert your IT division immediately and follow their instructions; they may want to capture a memory image before the machine is powered off, since evidence, and for some strains key material, lives only in memory while the process is running.
  • Get in touch with the authorities: Report the incident to local law enforcement, your industry's regulator or watchdog, and national agencies such as the FBI (or Interpol across borders), detailing the nature of the extortion scheme. Keep a copy of the ransom note and a sample of an encrypted file: they identify the strain, and for some strains free decryption tools have been released.
  • Don't pay the ransom: This one's a judgement call, on the part of each individual or organisation. But knowing that any payment you make to the attackers will probably be ploughed back into their research and development fund for improved ransomware should give you pause. And once they've pegged you as someone willing to cave in to their extortion, they'll likely target you again.
  • Restore your system from secure backups: Don't restore onto a machine that may still harbour the malware. Wipe the disk (or reset the device to factory defaults) and reinstall the operating system first, then verify the integrity of the backup you intend to use, preferably one taken before the compromise, and restore from that.
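The backup advice above and this restore step share one requirement: you must be able to pick a snapshot that predates the compromise and prove it is intact before trusting it. The Python script below is an added example, not the post's own code. It assumes a simple layout of one directory per daily snapshot, named by ISO date, each holding a `files/` tree and a `MANIFEST.sha256` written when the snapshot was taken; the 30-day retention policy and the scenario it builds in a temporary directory (three snapshots, one of which ransomware has overwritten through a network-connected share) are constructed for illustration.

```python
"""Choose and verify a restore point before rebuilding a ransomed machine.

Added example (not Finjan's code). Assumed layout, one directory per daily snapshot:
    backups/<YYYY-MM-DD>/files/<relative path>
    backups/<YYYY-MM-DD>/MANIFEST.sha256   ("<sha256 hex>  <relative path>" per line)
The manifest is written when the snapshot is taken and kept with it.
"""
import hashlib
import tempfile
from datetime import date, timedelta
from pathlib import Path

RETENTION_DAYS = 30  # assumed policy: snapshots must reach back at least this far


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def write_snapshot(root, day, files):
    """Backup side: copy {relative path: bytes} into a dated snapshot and record hashes."""
    snap = root / day.isoformat()
    lines = []
    for rel, content in files.items():
        target = snap / "files" / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)
        lines.append(f"{sha256_file(target)}  {rel}")
    (snap / "MANIFEST.sha256").write_text("\n".join(lines) + "\n")
    return snap


def verify_snapshot(snap):
    """Restore side: list of problems; empty means every file matches its manifest entry."""
    manifest = snap / "MANIFEST.sha256"
    if not manifest.exists():
        return ["manifest missing"]
    problems = []
    for line in manifest.read_text().splitlines():
        digest, rel = line.split("  ", 1)
        path = snap / "files" / rel
        if not path.exists():
            problems.append(f"{rel}: missing")
        elif sha256_file(path) != digest:
            problems.append(f"{rel}: hash mismatch (overwritten or encrypted?)")
    return problems


def choose_restore_point(root, compromised_on, today):
    """Newest intact snapshot taken before the compromise, plus warnings about coverage."""
    snaps = sorted((p for p in root.iterdir() if p.is_dir()), key=lambda p: p.name)
    if not snaps:
        return None, ["no snapshots found"]
    warnings = []
    reach = (today - date.fromisoformat(snaps[0].name)).days
    if reach < RETENTION_DAYS:
        warnings.append(f"retention only reaches back {reach} days (policy: {RETENTION_DAYS})")
    # Anything taken on or after the compromise date may already contain encrypted files.
    candidates = [p for p in snaps if date.fromisoformat(p.name) < compromised_on]
    for snap in reversed(candidates):
        problems = verify_snapshot(snap)
        if not problems:
            return snap, warnings
        warnings.append(f"{snap.name} rejected: {', '.join(problems)}")
    return None, warnings + ["no intact snapshot predates the compromise"]


def demo(today="2016-06-15"):
    """Constructed scenario: three daily snapshots; the day-3 one sat on a share the
    ransomware could reach and had a file overwritten; the compromise is dated two days ago."""
    today = date.fromisoformat(today)
    root = Path(tempfile.mkdtemp(prefix="backups-"))
    files = {"docs/report.txt": b"quarterly figures\n", "docs/contract.pdf": b"%PDF-1.4 constructed\n"}
    write_snapshot(root, today - timedelta(days=10), files)
    damaged = write_snapshot(root, today - timedelta(days=3), files)
    (damaged / "files" / "docs" / "report.txt").write_bytes(b"\x8f\x12\x00 ciphertext")  # simulated damage
    write_snapshot(root, today - timedelta(days=1), files)
    chosen, warnings = choose_restore_point(root, today - timedelta(days=2), today)
    return {"restore_point": chosen.name if chosen else None, "warnings": warnings}


if __name__ == "__main__":
    result = demo()
    print("restore from:", result["restore_point"])
    for w in result["warnings"]:
        print("warning:", w)
```

The manifest only proves integrity if the ransomware could not rewrite it along with the files, which is the same reason the snapshot itself must live on media the production network cannot write to; a copy of each manifest on a separate, offline medium closes that gap.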
