Ransomware has become one of the biggest profit makers for malware authors over the last few years. The most visible examples have been CryptoLocker (2013), WannaCry (May 2017) and NotPetya (June 2017), whose victims ranged from telephony companies, the British NHS and delivery companies (FedEx) to car manufacturers (Honda and Renault) and nation states (Ukraine). Most of these attacks are not targeted, so most businesses are likely to face this threat at some point, if they have not done so already.
We'll start off with an introduction to ransomware, covering what it is and why you should care. Part 2 will show how your IT teams could identify that your systems have been infected. Part 3 will outline the steps to take if you find that you have been hit and Part 4 will close the series with some practical tips on how to protect yourself.
Let’s start with some questions:
What is ransomware?
Ransomware is a fast-spreading type of malware that encrypts a victim's files and holds them to ransom. By locking the screen, the keyboard or the files themselves, attackers prevent or limit users from accessing their system and typically demand payment, usually in a cryptocurrency such as Bitcoin, in exchange for the key needed to unlock the files or system.
In a minority of cases, ransomware samples have been known either to fail to unlock encrypted files even after payment is received, or to scramble the contents of files irreversibly, so that access is effectively lost forever. There is also a risk that the ransomware leaves traces of itself on the affected system after payment, meaning the data remains vulnerable to being encrypted again in the future.
What does Bitcoin have to do with it?
Bitcoin is a worldwide cryptocurrency and is usually the preferred ransom payment method because of the pseudonymity it offers: every transaction is recorded publicly on the blockchain, but the addresses involved are not tied to a real-world identity. The system works without an intermediary (such as a bank or credit card company); transactions take place directly between users.
What is a ransom note?
A ransom note is much like its real-life counterpart: it tells the victim (or a third party) what they must do to get back the "item" the attacker is holding. In malware terms it is usually left in plain sight, instructing the user to transfer a sum of money (usually in Bitcoin) in exchange for decryption capabilities or renewed access to the encrypted files. The note can take a variety of forms; the most common are a file dropped on the user's desktop, a new desktop wallpaper, or a prominent message displayed at boot time that prevents the computer from booting normally.
Figure 1: WannaCrypt ransom note example
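The two observable effects described above, file contents replaced with ciphertext and a note left in plain sight, are also the simplest things a defender can look for on a suspect machine. The following Python script is an added example and not code from the original article: it builds a small constructed directory (two plaintext documents, two blobs of random bytes standing in for encrypted files, and a ransom note), then scans it for files whose byte distribution is near-random (Shannon entropy close to 8 bits per byte) and for files whose name or contents match ransom-note patterns. The filename patterns and phrases are illustrative assumptions, not a vetted signature list.

```python
import math
import os
import re
import tempfile
from collections import Counter

# Filename fragments typical of ransom notes: an illustrative list assumed for this
# example, not a vetted signature set.
NOTE_NAME_PATTERNS = [
    re.compile(p, re.IGNORECASE)
    for p in (r"decrypt", r"how.?to.?recover", r"restore.?(my.?)?files", r"ransom")
]
# Phrases commonly seen inside notes (also assumed); two or more hits count as a note.
NOTE_PHRASES = ("your files have been encrypted", "bitcoin", "decrypt")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or single-valued data, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_like_ransom_note(name: str, head: bytes) -> bool:
    """Match on the filename first, then on phrases in the (decoded) leading bytes."""
    if any(p.search(name) for p in NOTE_NAME_PATTERNS):
        return True
    text = head.decode("utf-8", errors="ignore").lower()
    return sum(phrase in text for phrase in NOTE_PHRASES) >= 2


def scan_directory(root: str, entropy_threshold: float = 7.5, sample_size: int = 4096) -> dict:
    """Walk `root` and classify each file by its first `sample_size` bytes.

    Returns paths relative to root: {'notes': [...], 'high_entropy': [...], 'scanned': n}.
    Files shorter than 256 bytes are not entropy-tested; the estimate is too noisy.
    """
    result = {"notes": [], "high_entropy": [], "scanned": 0}
    for dirpath, _, filenames in os.walk(root):
        for fn in sorted(filenames):
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as f:
                head = f.read(sample_size)
            rel = os.path.relpath(path, root)
            result["scanned"] += 1
            if looks_like_ransom_note(fn, head):
                result["notes"].append(rel)
            elif len(head) >= 256 and shannon_entropy(head) >= entropy_threshold:
                result["high_entropy"].append(rel)
    return result


def build_sample_tree() -> str:
    """Constructed sample data: two plaintext files, two 'encrypted' files, one note."""
    root = tempfile.mkdtemp(prefix="ransom_demo_")
    with open(os.path.join(root, "minutes.txt"), "w") as f:
        f.write("Meeting minutes, nothing to see here. " * 100)
    with open(os.path.join(root, "budget.csv"), "w") as f:
        f.write("item,cost\n" + "\n".join(f"line{i},{i * 10}" for i in range(300)))
    for name in ("minutes.txt.locked", "budget.csv.locked"):
        with open(os.path.join(root, name), "wb") as f:
            f.write(os.urandom(4096))  # random bytes stand in for AES ciphertext
    with open(os.path.join(root, "HOW_TO_DECRYPT_FILES.txt"), "w") as f:
        f.write("Your files have been encrypted! Send 0.5 Bitcoin to the address below "
                "and we will send you the key to decrypt them.\n")
    return root


if __name__ == "__main__":
    report = scan_directory(build_sample_tree())
    print(f"scanned {report['scanned']} files")
    print("ransom notes:     ", report["notes"])
    print("likely encrypted: ", report["high_entropy"])
```

High entropy on its own is a weak signal, because compressed formats (zip, jpeg, mp4, most modern office documents) are also near-random; in practice it is combined with the note detection, with a sudden burst of renames or extension changes across many files, and with files that no longer parse as the type their extension claims.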
Should I pay?
By paying the ransom you only fuel the malware industry, helping to fund similar attacks on other victims. Furthermore, once you have identified yourself as somebody who pays, you may well be targeted again in the future. Even if you do pay, there is no guarantee that you will receive a working decryption key that brings your data back. Finally, some 'fake' ransomware variants do not encrypt data effectively at all, while others have already been cracked and free decryption tools have been made available, so it is worth checking whether a decryption tool already exists before even considering payment.
Why should I care?
In recent years, ransomware has grown into a significant threat, not only to large businesses but to everyone. You do not need to be a specific target to become a victim, so do not assume you are 'not important enough' to get hit. Attacks against personal computers are also common and, in relative terms, potentially more damaging, since home users do not necessarily have a backup strategy in place.
The consequences of an attack can be severe. In addition to the business disruption an infection causes, the financial damage ranges from costly response investigations, through PR disasters or legal action if sensitive data has been disclosed, to fines for breaching the DPA (Data Protection Act) or GDPR (General Data Protection Regulation). Most importantly, the business could suffer severe reputational damage, lose current or potential customers and weaken its brand in the long term.
Furthermore, the purpose of ransomware is not always to obtain a pay-out for the attacker. In recent cases, ransomware is thought to have been used as a smokescreen for other purposes: to hide a conventional attack against the network, to cover the traces of an earlier intrusion (by trashing the network), to provide cover while data is exfiltrated, or simply to limit or destroy productivity while the IT team is busy dealing with a very visible ransomware infection. NotPetya, mentioned above, is the best-known example: its "encryption" was effectively destructive, and there was no working mechanism for victims to recover their files even if they paid.
How am I infected?
Phishing remains the most common infection vector for ransomware: computers and mobile devices are infected when a user clicks a malicious link or opens an attachment in an email, or follows a link in a message on a social networking site. Other methods include drive-by attacks (ransomware is installed when the victim visits a compromised website, or a page that serves malicious components such as adverts) and watering-hole attacks (the attacker guesses or observes which websites the target(s) often use and infects one or more of them). Note that user interaction is not always required: WannaCry and NotPetya spread from machine to machine by exploiting a vulnerability in the Windows SMB service (fixed by Microsoft in the MS17-010 update) on unpatched hosts, so keeping systems patched and keeping file-sharing services off the internet matter as much as user awareness.
Having clarified the basics of ransomware, the next part of this series goes into more technical detail, providing a step-by-step guide for IT teams to combat an ongoing ransomware infection and to pinpoint the source of an infection when it is not immediately obvious and has not yet been flagged by an end user.