Ransomware is malicious software that holds a victim's data hostage: it encrypts the victim's files, and the attacker demands payment before restoring access. It is one of the most recent ways criminals turn compromised computers into cash, and its use is on the rise.
Although a stolen credit card number, health record, or banking password may fetch only a few dollars on the black market, a compromised machine whose files have been fully encrypted can be worth hundreds, if not thousands, of dollars to the attacker. For larger organizations the ransom demanded is often in the tens or hundreds of thousands of dollars. According to the FBI, between April 2014 and June 2015 a single strain of ransomware was responsible for more than $18 million in losses across almost 1,000 reported incidents.
What are the risks?
Ransomware, designed to deny rightful owners access to their own files, is a threat to companies and individual users alike. Victims, in a last-ditch effort to recover precious data, send money to an anonymous party in return for a decryption key or tool. Some victims pay; others refuse or cannot, and have had sensitive corporate data locked permanently, forcing the organization to restore from backups. School districts, hospitals, banks, and government agencies have seen operations grind to a halt while network and systems engineers rush to contain the infection and eradicate it from their systems.
How does initial infection occur?
The delivery mechanisms for ransomware are the same as for other malware: an email attachment or link opened by an unsuspecting user, a malicious advertisement served by a commonly visited and otherwise legitimate website, or a trojanized application downloaded and installed by the user. Once running, the ransomware typically contacts a server on the Internet controlled by the attacker to register the infection and exchange key material, so that the key needed to decrypt never exists in recoverable form on the victim's machine; some variants instead carry the attacker's public key inside the binary and need no network connection at all. The malicious code then identifies and encrypts documents, spreadsheets, presentations, email archives, photos, and videos, not only on the local hard drive but also on attached USB devices and mapped network shares. In a corporate environment, where network shares are often writable by everyone in a department or the whole company, a single infection on one end user's workstation can threaten huge data stores: anything that user's account can write to, the ransomware can encrypt.
Are there options besides paying?
Some early ransomware variants had implementation bugs, such as weak key generation or keys left behind on disk, that allowed security researchers to reverse engineer the software and write custom decryption programs. This is the exception rather than the rule, and the authors have since patched those flaws in later versions. Most ransomware samples analyzed use industry-standard algorithms and key lengths, the same strength of encryption that protects e-commerce transactions and classified national security information. The chance of brute-forcing the encryption is effectively zero; the only practical recovery paths are the attacker's key or a backup.
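The two points above (the key material the malware fetches from or deposits with the attacker's server, and why a well-built sample cannot be broken while a buggy one can) come down to key management. The block below is an added illustration written for this page, not code from the article or from any real ransomware family. It uses a toy textbook RSA built from the Python standard library and an HMAC-SHA256 counter-mode stream cipher as a stand-in for AES-CTR (both assumptions, chosen so it runs offline), works only on in-memory byte strings, and contrasts the proper envelope design with a flawed variant whose per-file key is derived from the infection timestamp, which a researcher's decryptor can brute-force.

```python
# Added illustration (not code from the article or from any real sample):
# the envelope key design that makes properly built ransomware unbreakable
# without the attacker's key, next to a flawed variant researchers can undo.
import hashlib
import hmac
import random
import secrets


# ---- toy textbook RSA, stdlib only; real samples call a crypto library ----
def _is_probable_prime(n, rounds=16):
    """Miller-Rabin primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate


def rsa_keygen(bits=512):
    """Return (public, private) as (exponent, modulus) pairs. The private key
    stays on the attacker's server; only the public half ships in the malware."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:          # e is prime, so this is gcd(e, phi) == 1
            return (e, p * q), (pow(e, -1, phi), p * q)


def _keystream_xor(key, data):
    """Counter-mode stream cipher with HMAC-SHA256 as the PRF: a stdlib
    stand-in for AES-CTR. XOR is its own inverse, so it also decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, (i // 32).to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def encrypt_file(plaintext, attacker_public):
    """Proper design: a fresh random 256-bit key per file, wrapped with the
    attacker's public key. Only the wrapped key is left beside the ciphertext."""
    e, n = attacker_public
    file_key = secrets.token_bytes(32)
    wrapped_key = pow(int.from_bytes(file_key, "big"), e, n)   # textbook RSA, no padding
    return _keystream_xor(file_key, plaintext), wrapped_key


def decrypt_file(ciphertext, wrapped_key, attacker_private):
    """What the victim gets after paying: the attacker unwraps the file key."""
    d, n = attacker_private
    file_key = pow(wrapped_key, d, n).to_bytes(32, "big")
    return _keystream_xor(file_key, ciphertext)


def encrypt_file_flawed(plaintext, infection_time):
    """Bug of the kind early variants shipped: the file key comes from a
    non-cryptographic RNG seeded with the infection timestamp."""
    file_key = random.Random(infection_time).getrandbits(256).to_bytes(32, "big")
    return _keystream_xor(file_key, plaintext)


def recover_flawed(ciphertext, known_magic, window_start, window_end):
    """A researcher's decryptor: try every timestamp in the window and keep
    the key whose output starts with the expected file magic (e.g. b'%PDF-')."""
    for t in range(window_start, window_end):
        file_key = random.Random(t).getrandbits(256).to_bytes(32, "big")
        if _keystream_xor(file_key, ciphertext[:len(known_magic)]) == known_magic:
            return _keystream_xor(file_key, ciphertext)
    return None


if __name__ == "__main__":
    public, private = rsa_keygen()
    doc = b"%PDF-1.7 constructed sample document"      # constructed input
    ct, wrapped = encrypt_file(doc, public)
    assert decrypt_file(ct, wrapped, private) == doc
    t0 = 1700000000                                    # constructed infection time
    ct2 = encrypt_file_flawed(doc, t0)
    assert recover_flawed(ct2, b"%PDF-", t0 - 3600, t0 + 3600) == doc
    print("envelope design: only the attacker's key decrypts; flawed variant: key recovered by brute force")
```

The point to take from the proper design is what is left on the victim's disk: ciphertext, a wrapped per-file key, and the attacker's public key. None of those yields the file key without the private half, which never touched the machine, so a decryptor cannot be written from the sample alone. The flawed variant fails for a different reason than weak algorithms: its keystream is sound, but the key space collapses to a few thousand candidate timestamps, which is exactly the kind of bug that made the early decryption tools possible.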
Strong data backup processes and procedures are the best defense, but they cannot be put in place after an infection. To determine how well you would withstand such an attack, organizations and individuals should take a systematic approach to testing the following areas:
- Email filtering – Are you effectively filtering potential threats delivered by email?
- Social engineering – Do your employees have an appropriate level of security awareness?
- Endpoint protection – Will your endpoint solution correctly identify and mitigate malicious behavior?
- Propagation – Has a penetration test been performed to determine a malicious actor’s ability to move within the network?
- Data backup procedures – Are backups taken regularly, is a copy kept offline or otherwise out of reach of the credentials an infected workstation uses, and are restores actually tested?
- Data exfiltration – Can sensitive data be removed from the network? Does your organization have the ability to detect when an outside actor is conducting these activities?
- Incident response – Have incident response procedures been implemented and communicated throughout the organization?
Ransomware attacks are a growing threat to individuals, small businesses, and large corporations. While a strong response after an attack is critical to limiting its impact, identifying gaps, preparing your network, and testing controls beforehand will reduce your exposure to one of today's fastest-growing cybercrimes.