Would you pay a ransom to unlock your encrypted files?
Starting up her PC that morning, the CEO was shocked to see a frightening message demanding she pay cash into a Bitcoin account in order to access her files. Looking around the office, she realized everyone had the same problem: her company was being held to ransom.
Ransomware is malicious software that typically encrypts files and demands a fee in order to unlock them. “Ransomware has been around for several years, but there’s been a definite uptick lately in its use by cyber criminals,” warned the FBI in May. A 2014 Survey on Cyber Security by the University of Kent revealed 1 in 30 UK adults were hit by the CryptoLocker ransomware strain.
Other ransomware attacks include (but are by no means confined to) CryptoWall and TeslaCrypt. While some attacks are relatively weak, the most challenging use RSA 2048 class encryption that takes an estimated 6.4 quadrillion years to crack on a PC. (There is also less dangerous lockscreen ransomware, which is easier to deal with.)
Ransomware is often capable of spreading itself across your network in order to encrypt shared network drives. In other words, one infected machine can bring your entire company to a halt.
Ransomware victims come from all walks of life and these attacks cause a great deal of suffering, according to FireEye researchers who recently collected messages from a website set up by ransomware creators.
These attacks are also becoming more personalized. In one recent example, crooks encrypted a company’s customer data, demanding cash to enable the company to operate at all.
We know hackers use phishing emails, unpatched programs, compromised websites, online advertising and free software downloads to infect target machines. Sophisticated phishing attacks have undermined security-conscious users, and other people cause problems too: millions were compromised by the 2013 theft of millions of Adobe account passwords, and attacks on big-name systems continue.
Faced with wholesale data loss, many will pay the ransom.
In excess of $18 million was paid to criminals behind the CryptoWall attack that infected over 625,000 systems between April 2014 and June 2015. The CryptoLocker strain extorted an estimated $27 million in just two months. These estimates represent a drop in the ocean of how much money might really have been extorted through these attacks. No one wants to admit they’ve been held to ransom.
What can we do? The old rules of security apply. Strong passwords that are not re-used, being wary when using public Wi-Fi, avoiding use of jailbroken devices and ensuring you regularly update system, anti-virus and anti-malware software all help defend against attacks.
Additional organizational defenses include mail filters to protect against phishing, blocking executable attachments in mail, prevention of downloads from unapproved sources and monitoring of network traffic. Switching to current edition operating systems that continue to receive vendor security support also makes sense.
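One way a mail filter can implement the "blocking executable attachments" defence, as an added example that is not part of the original article. It checks every filename suffix and the first bytes of the content, so a renamed executable is still caught. The extension blocklist, function names and sample message are assumptions constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Assumed blocklist for this example; tune it to your own mail policy.
BLOCKED_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse",
               ".vbs", ".vbe", ".wsf", ".hta", ".lnk", ".jar", ".msi", ".ps1"}
# File signatures that mark native executables whatever the filename says.
MAGIC = {b"MZ": "Windows PE", b"\x7fELF": "ELF"}

def attachment_verdicts(raw: bytes):
    """Return (filename, reason) for every attachment that should be blocked."""
    msg = message_from_bytes(raw, policy=policy.default)
    blocked = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip()
        data = part.get_payload(decode=True) or b""
        # Check every suffix so "invoice.pdf.exe" is caught as well as "run.exe".
        bad = [s for s in PurePosixPath(name.lower()).suffixes if s in BLOCKED_EXT]
        sig = next((label for magic, label in MAGIC.items()
                    if data.startswith(magic)), None)
        if sig:
            blocked.append((name, f"content is {sig} executable"))
        elif bad:
            blocked.append((name, f"blocked extension {bad[-1]}"))
    return blocked

def build_sample() -> bytes:
    """Constructed sample message (not real traffic) with four attachments."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "billing@example.com", "ceo@example.com", "Invoice"
    m.set_content("Please see the attached invoice.")
    for body, subtype, filename in [
        (b"%PDF-1.4 sample", "pdf", "report.pdf"),                # benign
        (b"MZ\x90\x00stub", "octet-stream", "invoice.pdf.exe"),   # double extension
        (b"MZ\x90\x00stub", "octet-stream", "photo.jpg"),         # renamed executable
        (b"WScript.Echo(1)", "javascript", "notes.js"),           # script attachment
    ]:
        m.add_attachment(body, maintype="application", subtype=subtype,
                         filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    for filename, reason in attachment_verdicts(build_sample()):
        print(f"BLOCK {filename}: {reason}")
```

A production filter would also look inside archives and quarantine rather than silently drop, which this example leaves out.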
Security awareness training is important. Staff must fully understand what’s at stake, what to watch for and what they should avoid. It only takes one successful penetration to impact your business, so such training pays for itself.
As former hacker Dustin Dykes says, “The security systems have to win every time; the hacker only has to win once.” (The Art of Intrusion). Attacks do succeed and we must prepare ourselves for that eventuality. Regular backups to storage media and/or use of online backup services like Carbonite or Backblaze are mandatory. A company that fails to maintain regular backups is dancing with disaster – if the hackers don’t get you, equipment failure will.
"The key is to remove power from the extortionists, and you do that by backing up your system regularly," says Kenneth Bechtel, a malware research analyst with Tenable Network Security. "With backups, there's no need to pay the ransom to get your data back or interact with extortionists in any way, which can increase your risk."
What to do when it fails
What can you do if all your protections fail? Attackers typically want payment within a short time frame.
- If you’re fortunate, you or a security professional will be able to identify what strain of ransomware you’ve been attacked by and find a safe decryption/unlock tool to free your data and lock out the criminal code.
- If you have back-ups, you may do nothing and just wipe your computers, run every reputable anti-virus tool you own and reinstall operating systems and data from your back-ups.
- Faced with little choice, many who have no other way to get their data back will pay up. Hackers usually want to be paid in Bitcoin and it is possible you’ll need to use a TOR browser to make payment.
Ultimately, “ransomware operations rely on their victims paying up,” explain researchers from Kaspersky Labs. “Don’t do it! Instead, make regular backups of your data. That way, if you ever fall victim to a ransomware program (or a hardware problem that stops you accessing your files) you will not lose any of your data.”
Whether you are a Fortune 500 company or a self-employed sole trader, it really is better to take precautions against any form of security incident today than to suffer the consequences tomorrow.