Since the 1970s, malware has evolved from a mere annoyance to a criminal industry. Malware developers profit by selling tools to build botnets, steal information, and spy on users. The discovery of CryptoLocker in September 2013 marked a significant evolution in malware tactics: encrypt data and hold it for ransom.
From a malware developer’s perspective, ransomware makes good business sense. Instead of selling malware to other criminals, and presumably security researchers and undercover police officers, ransomware provides a direct revenue stream that is highly automated. And it works.
According to the Town Crier, police in Tewksbury, Massachusetts suffered a CryptoLocker infection in December 2014 and, “police systems were down for between four and five days as the department worked with the FBI, Homeland Security, Massachusetts State Police, as well as private firms in an effort to restore their data without paying the ransom.” The police force ultimately paid a $500 ransom to regain access to their critical files.
In February 2015, the Chicago Tribune reported that police in Midlothian, a suburb of Chicago, “paid a $500 ransom to an unidentified hacker to regain access to data from a police computer the hacker managed to disable, records show.”
Local news station WCSH-TV reported that in March 2015 the shared computer system of the Lincoln County Sheriff’s Office and four town police departments in Maine was infected with the megacode virus and the departments reluctantly paid $300 to regain access to their files.
With reports of more than 50,000 infections per month, it is unlikely that police departments were intentionally targeted. Ransoms of $300 to $500 are similar to those reported by consumers and businesses worldwide. Police departments, despite access to world-class expertise, do not fare better than other victims.
While technical details vary, ransomware usually leverages public key cryptography. The key required to decrypt the victim’s files is withheld until payment is received. For example, when a CryptoLocker-infected PC contacts the CryptoLocker server, the server generates an RSA key pair and sends only the public key to the infected PC. The CryptoLocker software then encrypts the user’s files under that public key (in practice each file is encrypted with a fresh symmetric key, and that symmetric key is in turn encrypted with the RSA public key, because RSA is far too slow for bulk data). The private key required to decrypt the files is never stored on the victim’s PC and can only be obtained by seizing the CryptoLocker server or paying the ransom.
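The following is an added toy model of that key-handling scheme; it is not CryptoLocker’s code and is not from the original article. It assumes textbook (unpadded) RSA over two fixed small Mersenne primes in place of a real 2048-bit key, and a SHA-256 counter-mode keystream standing in for AES as the bulk cipher. The point it demonstrates is structural: everything the malware leaves on disk (the public key, the wrapped per-file keys, the ciphertexts) is useless without the private exponent that only the server holds.

```python
"""Toy model of hybrid ransomware key handling (added example, not CryptoLocker code).

Simplifications, labelled as assumptions:
  * RSA keys are built from fixed Mersenne primes and used without padding;
    real ransomware used 2048-bit keys generated per victim.
  * The bulk cipher is a SHA-256 counter-mode keystream, a stand-in for AES.
"""
import hashlib
import os


def generate_keypair():
    """C&C side: build the RSA pair. Only (n, e) is ever sent to the victim."""
    p = (1 << 61) - 1          # toy primes; real keys are ~2048 bits
    q = (1 << 31) - 1
    n = p * q                  # about 2^92, so a 64-bit file key fits below n
    e = 65537                  # coprime to (p-1)(q-1): 2 has order 32 mod 65537
    d = pow(e, -1, (p - 1) * (q - 1))   # modular inverse, Python 3.8+
    return (n, e), (n, d)


def _keystream_xor(key, data):
    """Symmetric stand-in for AES: XOR data with SHA-256(key || counter) blocks."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        chunk = data[offset:offset + 32]
        out.extend(b ^ k for b, k in zip(chunk, block))
    return bytes(out)


def encrypt_file(plaintext, public_key):
    """Victim side: fresh per-file key, wrapped with the public key only."""
    n, e = public_key
    file_key = os.urandom(8)   # 64-bit toy key (< n); real malware used 256-bit AES keys
    wrapped = pow(int.from_bytes(file_key, "big"), e, n).to_bytes(12, "big")
    return wrapped, _keystream_xor(file_key, plaintext)


def decrypt_file(wrapped, ciphertext, private_key):
    """Requires d, which the victim never has: unwrap the file key, then decrypt."""
    n, d = private_key
    file_key = pow(int.from_bytes(wrapped, "big"), d, n).to_bytes(8, "big")
    return _keystream_xor(file_key, ciphertext)


def infect(files, public_key):
    """What remains on disk after infection: (wrapped key, ciphertext) per file."""
    return {name: encrypt_file(data, public_key) for name, data in files.items()}


def recover(encrypted, private_key):
    """What the ransom buys: the private key, and with it every file key."""
    return {name: decrypt_file(w, c, private_key) for name, (w, c) in encrypted.items()}


# Constructed sample "victim" files
SAMPLE_FILES = {
    "photos/holiday.jpg": bytes(range(256)),
    "finance/invoices.xlsx": b"invoice,amount\n1001,250.00\n",
}

if __name__ == "__main__":
    public, private = generate_keypair()
    on_disk = infect(SAMPLE_FILES, public)
    assert recover(on_disk, private) == SAMPLE_FILES
    print("round trip ok; ciphertexts differ from plaintexts:",
          all(c != SAMPLE_FILES[n] for n, (_, c) in on_disk.items()))
```

Note that the victim never holds a symmetric key in the clear once a file is done: the raw `file_key` lives only for the duration of `encrypt_file`, which is why memory forensics on the infected machine rarely helps after the fact.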
In theory, nobody should pay a ransom. Doing so only facilitates the continuing criminal enterprise. In practice, those without proper backups will continue to pay to recover critical business files and priceless family photos. Since criminals can fully automate their operations, they likely will remain profitable even if only a tiny percentage of victims pay.
The widespread existence of ransomware is a wakeup call to those without a solid backup strategy. RAID configurations, network attached storage devices, and SANs provide little protection, because they faithfully store the encrypted version of every file just as they would any other write. The infection of a single PC whose user has write access to a corporate file share can result in every file on that share being encrypted.
In addition to general malware defences and user awareness training, the primary defences against ransomware are backups and storage systems that enforce versioning.
To effectively protect against ransomware and other threats, backups must be offline and inaccessible to the infected computer. Ransomware may not be detected until after a sizeable volume of data has been encrypted, and that may take a considerable amount of time. Large organizations may need to recover from backups made weeks or even months prior to detection.
File versioning is another useful defence. A secure local server or cloud-based backup system that automatically retains old versions of changed and deleted files helps mitigate ransomware risks. Smaller organizations and individuals who have not invested in offline backup systems might find a cloud-based alternative more cost-effective.
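As an added illustration of the versioning defence described above (not code from the original article or from any backup product), the following in-memory model keeps every version of every file in a content-addressed store and, going a little beyond the text, adds a simple mass-change check: when nearly every file on a share changes between two snapshots, that is the signature of bulk encryption, and the newest snapshot that does not look like that is the one to restore. The store layout, the `changed_fraction` heuristic, its 0.5 threshold and the sample share are all assumptions for illustration.

```python
"""Versioning backup store with a mass-change check (added example, not from the article).

Assumptions: in-memory content-addressed store, constructed sample share,
and a 0.5 change-rate threshold chosen for illustration only.
"""
import hashlib
import os


class VersionedStore:
    """Content-addressed blobs plus one manifest per snapshot.

    A new snapshot never overwrites old data: an encrypted file simply becomes
    a new blob, and the old blob stays reachable from the earlier manifest.
    """

    def __init__(self):
        self.blobs = {}       # sha256 hex -> file content
        self.snapshots = []   # one {path: sha256 hex} manifest per snapshot

    def snapshot(self, tree):
        manifest = {}
        for path, data in tree.items():
            digest = hashlib.sha256(data).hexdigest()
            self.blobs.setdefault(digest, data)   # unchanged files cost nothing
            manifest[path] = digest
        self.snapshots.append(manifest)
        return len(self.snapshots) - 1

    def restore(self, snapshot_id):
        manifest = self.snapshots[snapshot_id]
        return {path: self.blobs[digest] for path, digest in manifest.items()}

    def versions(self, path):
        """Every distinct content hash a path has had, oldest first."""
        seen = []
        for manifest in self.snapshots:
            if path in manifest and (not seen or seen[-1] != manifest[path]):
                seen.append(manifest[path])
        return seen


def changed_fraction(store, snapshot_id):
    """Fraction of paths whose content differs from the previous snapshot.

    Normal daily churn on a share is small; bulk encryption pushes this to ~1.0.
    """
    if snapshot_id == 0:
        return 0.0
    prev, cur = store.snapshots[snapshot_id - 1], store.snapshots[snapshot_id]
    paths = set(prev) | set(cur)
    changed = sum(1 for p in paths if prev.get(p) != cur.get(p))
    return changed / len(paths)


def last_clean_snapshot(store, threshold=0.5):
    """Newest snapshot whose change rate is below threshold (assumed tuning knob).

    Use it to pick a restore point, and to refuse to prune anything older
    than it while a suspicious snapshot is the most recent one.
    """
    for sid in range(len(store.snapshots) - 1, -1, -1):
        if changed_fraction(store, sid) < threshold:
            return sid
    return None


def simulate_ransomware(tree):
    """Stand-in for encryption: overwrite every file and drop a ransom note (constructed)."""
    hit = {path: os.urandom(len(data)) for path, data in tree.items()}
    hit["HOW_TO_DECRYPT.txt"] = b"Your files have been encrypted."   # constructed note
    return hit


# Constructed sample share
SHARE = {
    "finance/q1.xlsx": b"revenue,cost\n100,80\n",
    "hr/policy.docx": b"Leave policy v1",
    "photos/family.jpg": bytes(range(256)),
}

if __name__ == "__main__":
    store = VersionedStore()
    store.snapshot(SHARE)                               # day 1
    day2 = dict(SHARE, **{"hr/policy.docx": b"Leave policy v2"})
    good = store.snapshot(day2)                         # day 2: one routine edit
    bad = store.snapshot(simulate_ransomware(day2))     # day 3: everything rewritten
    print("day 2 churn:", round(changed_fraction(store, good), 2))
    print("day 3 churn:", changed_fraction(store, bad))
    print("restore point:", last_clean_snapshot(store), "->", store.restore(good) == day2)
```

The same check belongs on the retention side: a backup system that rotates the oldest snapshot out after N days will, if N is shorter than the time to detection, quietly discard the last clean copy. Retaining old versions and refusing to prune behind a suspicious snapshot is what makes the recovery in the next paragraph possible.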
The best response to ransomware is to wipe and reinstall infected systems and recover data from backups. Cybercriminals will likely begin targeting corporations due to their ability to pay larger ransoms. All businesses should assess their vulnerability and ensure that appropriate controls are in place. Ransomware is profitable and will continue to evolve for the foreseeable future.