Russ Harvey Consulting - Computer and Internet Services

Ransomware

Holding Your Digital Life for Ransom

Ransomware encrypts your data and holds it hostage

What is Ransomware?

Ransomware is a form of malware that encrypts your computer, locking up your data files (documents, financial data, letters, photos, music, etc.), then demands a ransom for the encryption key.

It makes all your files inaccessible, then displays a message with the promise to provide a recovery key once you pay the ransom.

The extortion requires Bitcoin or other crypto-currencies so the transaction is untraceable. If the recovery key doesn't work, there are no refunds.

How It Spreads

Organized crime and “state actors” (foreign governments) use their huge technical and financial resources to develop ransomware then offer it to small-scale criminals (ransomware as a service) to ensure rapid distribution.

Like all malware, you can get infected from many sources including:

  • visiting an infected website;
  • clicking on a malicious advertisement (even on an otherwise safe site);
  • opening a phishing email with a malicious attachment or links;
  • inserting an infected USB drive into your computer; or
  • downloading a malicious file.

If your security software isn't up to the task, your computer will become useless and your data will be encrypted.

Ransomware Facts

Some facts about ransomware:

  • Ransomware is a special sort of malware infection that encrypts your entire computer then holds it for ransom.
  • Attempting recovery without paying the ransom can destroy the encryption key.
  • Most recent security suites include some sort of ransomware protection.
  • Paying the ransom is no guarantee of recovery.

Nearly 40% of the victims who pay the ransom never get their data back and 73% of those that pay are targeted again later — which is why you need to protect against ransomware. — Acronis

Computers are infected automatically, with viruses that spread over the internet.

Payment is no more difficult than buying something online -- and payable in untraceable bitcoin -- with some ransomware makers offering tech support to those unsure of how to buy or transfer bitcoin.

Customer service is important; people need to know they'll get their files back once they pay. — Bruce Schneier

There is no guarantee that you'll get your data back if you pay the ransom, and your payment encourages future attacks. Your best bet is to be prepared for recovery.

DON'T Pay the Ransom

Paying the ransom should be your last option as it will only encourage future development of ransomware and more frequent attacks by labelling you as someone unprepared — an easy target.

Other than prevention and preparation, your only realistic alternative is to wipe your computer, reinstall everything and restore your data from a reliable (and uninfected) current backup.

Payment Doesn't Guarantee Anything

There is no guarantee that you'll get your data back even after paying.

[E]ven if a payment was forthcoming, new research reveals the shocking reality of ransomware today: 92% of organizations don't get all their data back. — Forbes

Studies indicate that paying the ransom demonstrates that you aren't prepared, making you a future prime target.

If your confidential data was taken in a data breach which was masked by the ransomware attack, paying the ransom won't resolve the fact that your data was leaked.

A survey of organisations affected by ransomware attacks found that the average total cost of a ransomware attack for organisations that paid the ransom is almost $1.4m, while for those who didn't give into ransom demands, the average cost is half of that, coming in at $732,000. — ZDNet

Costs to Businesses

The costs to businesses are very high.

The average cost of a data breach is $3.86 million, a malicious breach cost $4.27 million, and a ransomware attack costs about $4.44 million, according to IBM's 2020 Cost of a Data Breach report. — TechRepublic

[T]he average downtime an organization suffers from a ransomware attack is three days, but at times can be indefinite and lead to the failure of a business. — TechRepublic

Tighten Security

As inconvenient as it is, your best bet is to tighten your security (educate yourself and others about the warning signs) and restore your files from a secure backup.

In short, your security comes down to the same three words: backup, protection, awareness. All three need to be in place, and when they are, you can confidently say you're employing optimal antiransomware security strategy. — Kaspersky

The Economic Realities

It is unfortunate that many corporate boards fail to adequately finance their security staff. Much like avoiding insurance payments, this is false economy. When disaster strikes, the blame should be put where it belongs: in the corporate boardroom.

Governments Attractive Targets

Cities, hospitals and other government services are prime targets for ransomware.

Even though government tax bases have been hit hard by the COVID-19 crisis, they are now facing the threat of confidential information being released.

There is no guarantee that this information will not be sold on the dark web and eventually be exposed anyway. In the past, the defense for ransomware was simply to have good backups, however, with the addition of data exfiltration, the ransomware groups have changed the game. — Erich Kron

These are favoured targets because these services are both unprepared (their security and often their hardware is sub-standard) and motivated (because of the confidential and often critical nature of their data).

Ransomware-as-a-Service

Ransomware-as-a-service is a commercial product sourced on the dark web making ransomware available to virtually anyone to use.

This ransomware can alter your master boot records, change partition tables and encrypt files. That means it can do real damage to your machine. — TechRepublic

The criminal organization provides support for payments, decryptions, etc. in return for a cut of the proceeds.

Ransomware is following the same trajectory as phishing. The criminals have worked out how to monetize the crime, and they know which types of businesses are likely to pay up — and how to collect the money without being caught. — Phillip Hallam-Baker

Preparing for Recovery

Prevention isn't easy, and the only way you can be sure you're safe is to wipe your hard drive, then recover your files from a RECENT secure backup.

If a backup device is connected to the infected computer or its network, it is likely that the backups on that drive are corrupt. Cloud-based storage can also be compromised.

Prevention

Preventing a ransomware attack is a combination of knowledge and education backed up by security software.

  • Avoid any risky behaviour.
  • Maintain your backups and prepare for recovery.
  • Restrict access to your computers and devices.

You and everyone with access to your computer(s) need to learn to recognize the signs of malware and phishing:

  • Learn security basics so you can recognize a threat.
  • Stop and think before acting. Keep calm and don't panic.
  • Protect devices from physical access by unauthorized users.
  • Deny unauthorized users access to your network.
  • Use effective passwords to prevent unauthorized access to your computer or device as well as for all your online accounts.
  • Ensure you can recognize attempts at phishing scams and identity theft.
  • Be wary of phone calls requesting computer access or personal information.

Securing your computers and networks includes ensuring that no one can commit identity theft or gain access via the “forgot my password” recovery methods.

ZDNet's 11 Steps

These 11 suggestions will help to prepare:

  1. Make sure your antivirus software is up to date
  2. Understand what's happening across the network
  3. Scan and filter emails before they reach your users
  4. Have a plan for how to respond to a ransomware attack, and test it
  5. Think very long and hard before you pay a ransom
  6. Understand what your most important data is and create an effective backup strategy
  7. Understand what's connected to your network
  8. Make it harder to roam across your networks
  9. Train staff to recognise suspicious emails
  10. Change default passwords across all access points
  11. Apply software patches to keep systems up to date

— ZDNet

Preventing Physical Threats

The first step is to ensure the physical safety of your computers, equipment and data. Develop policies regarding employee and guest access.

  • Limit who has physical access to computers and files.
  • Lock computers with a password when not in use or away.
  • Physically lock laptops and similar portable equipment to prevent theft.
  • Restrict access to data on a need-to-know basis.
  • Protect both devices and software with strong, unique passwords.
  • Change the default passwords on critical equipment like your router.
  • Lock away backups and critical recovery devices when not in use.
  • Limit repair and recovery work to authorized personnel or contractors.
  • Limit administrator privileges to those that need it.
  • Ensure all computer(s) are fully patched as quickly as possible.

Preventing External Threats

Once you've ensured that your hardware and data is as secure as possible, train your employees to recognize and respond appropriately to any threat.

When in Doubt

If you have any doubts about an email, don't click on any links. Report it to your IT department or support resource.

Be cautious of sensitive instructions received via email, especially if they involve large financial transactions. Call the department head to verify their legitimacy.
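As an added example (not from the original page or Russ Harvey Consulting), the following Python script shows the kind of automated email triage that ZDNet's step 3 ("scan and filter emails before they reach your users") and the "When in Doubt" advice above describe. It parses a message and flags a display name that shows a different domain than the actual sender, a Reply-To pointing to a third domain, macro-enabled or executable attachments of the kind the Locky section below describes ("invoices" with macros), and urgency wording around payments. The two sample messages, their addresses, domains and file names are constructed for the demonstration; the extension list, the weights and the verdict thresholds are assumptions to tune for your own mail flow.

```python
"""Added example (not from the original page): a small email triage check.

The messages, addresses, domains and weights below are constructed for the
demonstration; tune the lists and thresholds for your own mail flow.
"""
import email
import email.policy
import re
from email.message import EmailMessage
from email.utils import parseaddr

# File types that commonly carry a macro or script payload (assumed list).
RISKY_EXTENSIONS = {".docm", ".xlsm", ".pptm", ".js", ".vbs", ".hta", ".exe", ".scr"}
# Pressure wording often paired with requests for payment (assumed list).
URGENCY_WORDS = ("urgent", "immediate", "overdue", "final notice", "wire transfer")


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an email address ('' if none)."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def triage(raw: bytes) -> dict:
    """Score a raw RFC 5322 message and return a verdict with the reasons."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    reasons = []  # (reason, weight)

    display_name, sender = parseaddr(msg.get("From", ""))
    sender_domain = domain_of(sender)

    # A display name that shows one domain while the real sender is another.
    for shown in re.findall(r"@([\w.-]+)", display_name):
        if shown.lower() != sender_domain:
            reasons.append((f"display-name-shows-{shown}", 2))
            break

    # Replies silently redirected to a third domain.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and domain_of(reply_to) != sender_domain:
        reasons.append(("reply-to-domain-mismatch", 2))

    # Attachments whose type can execute code when opened.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            reasons.append((f"risky-attachment:{name}", 3))

    # Urgency language around money.
    subject = str(msg.get("Subject", "")).lower()
    if any(word in subject for word in URGENCY_WORDS):
        reasons.append(("urgency-language", 1))

    score = sum(weight for _, weight in reasons)
    verdict = "quarantine" if score >= 3 else "flag" if score > 0 else "deliver"
    return {"verdict": verdict, "score": score, "reasons": [r for r, _ in reasons]}


def build_sample(suspicious: bool) -> bytes:
    """Construct a sample message; both variants are made up for this example."""
    msg = EmailMessage()
    msg["To"] = "bob@example-company.com"
    if suspicious:
        msg["From"] = '"Accounts Payable ap@example-company.com" <billing@mail-example.net>'
        msg["Reply-To"] = "collections@pay-portal-example.org"
        msg["Subject"] = "Invoice #4471 overdue - immediate payment required"
        msg.set_content("Please open the attached invoice and enable editing.")
        msg.add_attachment(b"placeholder bytes, not a real document",
                           maintype="application", subtype="octet-stream",
                           filename="invoice_4471.docm")
    else:
        msg["From"] = '"Accounts Payable" <ap@example-company.com>'
        msg["Subject"] = "Invoice #4471"
        msg.set_content("Attached is this month's invoice.")
        msg.add_attachment(b"placeholder bytes, not a real PDF",
                           maintype="application", subtype="pdf",
                           filename="invoice_4471.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for flag in (True, False):
        print(triage(build_sample(flag)))
```

The suspicious sample trips all four checks and is quarantined; the plain invoice from the real domain with a PDF scores zero and is delivered. A filter like this belongs in front of the mailbox, so the "stop and think" step happens before the user ever sees the attachment.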

Managing Outside Users

The use of the company network and Internet should be restricted to company business.

  • Don't use company computers or networks for personal use including logging onto external networks, downloading files or posting on social media.
  • Don't use personal devices for company business.
  • If you must allow a “guest” access, keep it unconnected from your network (use a guest WiFi account).

Home Offices

If you have a home office, don't allow people to use your computer unsupervised. The rules for company computers also apply.

  • Lock your computer with a password when not in use.
  • Don't allow anyone to download and install software except for your tech support resource.
  • Don't allow your children to have access.

Because this office is in your home, other family members and visitors may not respect the need for security like they would in a regular office.

Backup Your Data

Other than prevention, reliable backups are one of your best defenses in case something goes wrong.

Newer ransomware attacks backup software and devices to ensure you don't have that recovery option.

An always-connected storage medium such as a USB drive or an automatic login to a remote storage facility leaves your backups vulnerable.

As a way to deal with ransomware attacks specifically, organizations need to back up data regularly to a nonconnected environment and verify the integrity of those backups regularly…. — TechRepublic

You want to ensure that you have all your files backed up onto safe media and continuously verify the integrity of those backups before you need them.

  • Internal drives or always-connected USB drives (such as Western Digital My Book drives) are subject to being infected at the same time as your computer.
  • Cloud services like OneDrive, iCloud and DropBox can be hacked.
  • Backups can become corrupt or accidentally erased.
  • Incomplete backups result in lost data.
  • Technical issues during the restoring of data can result in the loss of data.

Any data that is changed or created after your last backup is unrecoverable unless you make other arrangements.

Take precautions like saving changed or new files onto a thumb drive as soon as changes are made to them. These files can overwrite older versions once the backup is restored.
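The advice above to "verify the integrity of those backups regularly" can be automated. The following Python script is an added example, not code from the original page: it records the size and SHA-256 hash of every file in a backup set into a manifest, and later compares the backup against that manifest, reporting files that are missing, altered (as they would be if a connected backup drive were encrypted alongside the computer) or unexpected. The sample backup folder and its files are constructed inline in a temporary directory; in practice the manifest is kept on the offline medium or in a separate location, not beside the data it describes.

```python
"""Added example (not from the original page): build and verify a backup manifest.

The backup directory and its files are constructed in a temporary folder.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def file_sha256(path: Path) -> str:
    """Hash a file in chunks so large media files do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file under root (relative POSIX path) to its size and SHA-256."""
    manifest = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        manifest[rel] = {"size": path.stat().st_size, "sha256": file_sha256(path)}
    return manifest


def verify_backup(root: Path, manifest: dict) -> dict:
    """Compare a backup directory with the manifest recorded when it was made."""
    current = build_manifest(root)
    missing = sorted(set(manifest) - set(current))
    changed = sorted(name for name in manifest
                     if name in current and current[name]["sha256"] != manifest[name]["sha256"])
    extra = sorted(set(current) - set(manifest))
    return {"ok": not (missing or changed), "missing": missing, "changed": changed, "extra": extra}


def demo() -> dict:
    """Run a good verification and a failed one on constructed files."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        (backup / "docs").mkdir(parents=True)
        (backup / "docs" / "letter.txt").write_text("Dear Alice, ...\n")
        (backup / "photo.jpg").write_bytes(b"\xff\xd8\xff" + bytes(100))

        manifest = build_manifest(backup)
        # Keep the manifest apart from the data it describes (here: the parent folder).
        manifest_file = Path(tmp) / "manifest.json"
        manifest_file.write_text(json.dumps(manifest, indent=2))

        good = verify_backup(backup, json.loads(manifest_file.read_text()))

        # Simulate what a connected backup drive looks like after an attack:
        # one file overwritten with unreadable bytes, another renamed with a new extension.
        (backup / "photo.jpg").write_bytes(os.urandom(103))
        (backup / "docs" / "letter.txt").rename(backup / "docs" / "letter.txt.locked")

        bad = verify_backup(backup, json.loads(manifest_file.read_text()))
        return {"good": good, "bad": bad}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run the verification against each generation of your backup series before you need it; a "changed" or "missing" list on a drive that has not been deliberately updated is the signal to stop, keep that medium disconnected, and restore from an older clean generation instead.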

Preparing for Recovery

Don't delay. Once you've been hit by ransomware, your options are limited and it is unlikely that you or your business will recover unscathed.

Here's some keys to preparing your computer(s) and data for recovery:

  • Ensure that your computer(s) are fully patched before restoring data to avoid zero-day threats.
  • Create and maintain regular scheduled backups of your critical data files (irreplaceable documents, photos, media, downloads, etc.).
  • Maintain a series of backups to provide redundancy in case of failure.
  • Use a removable device normally disconnected from the computer, storing that drive in a secure location when not backing up or restoring files.
  • Do not use your computer during backups.

Increase your security budget and train your employees on how to spot and avoid risky behaviour. The cost is far less than a successful ransomware attack.

Restoring Data After a Ransomware Attack

Before you restore your data, you need to ensure that your recovery is not corrupted by remaining security issues.

Preparing Your Computer

As with any malware infection, leaving any residue of the malware behind will defeat the next steps. If you're unsure, get professional help to ensure your computer is clean.

How you proceed depends on which is more critical: speed or security.

  • If getting the computer up and running quickly is the priority, restore the data and programs (including settings) once the operating system is capable of restoring from the backups.
  • If the security of the restored computer and its data is more critical, install all programs and manually configure settings before restoring the data.

The More Secure Install

  • When installing the operating system (Windows, macOS, Linux, etc.), it is recommended that you delete all partitions, then let the operating system create new ones and format them.
  • Once the operating system is reinstalled, be sure to install all the available security updates to ensure that your computer(s) are fully patched to avoid infection by known zero-day threats.
  • Install your security software and be sure it is both current and all updates are installed.
  • Run a security scan on your system to ensure there are no remaining threats.
  • Reinstall all programs rather than restoring them via a backup. This won't restore settings, but will provide a better experience because old program remnants are not reintroduced.

Performing the Restore

Once your computer has been prepared and you're sure it is secure, proceed with restoring the data from the backups. Only restore program settings if you're certain they are not compromised.

Do not use your computer during the restore process to avoid external threats that can compromise that backup data.

Run a Security Scan

Once the restore process is complete, run a full security scan to ensure that no malware or other threats remain on your computer.

This process may determine that some of the restored files are corrupt. If your security software cannot repair these infections, delete the files.

Winning the War on Ransomware

See Trustwave's Winning the War on Ransomware infographic (below). Pay attention to the checklist for resistance, rescue and recovery.

[Infographic: Winning the War on Ransomware, from Trustwave]

Ransomware Resources

These additional resources can help you develop policies to prevent ransomware (prevention is best) or seek out recovery solutions.

Canadian Government

The Canadian government provides some guidance on preventing ransomware from gaining a foothold in your business but the information can also be useful for individuals.

Prevention

It is better to prevent ransomware in the first place.

Recovery

You can try these recovery tools, but it is more advisable to bring in expert help than to muddle through a process you don't understand.

Older Ransomware

These recovery tools relate to older ransomware variants. Modern ransomware is not so easy to recover from.

Ransomware History

Ransomware was largely made possible by the development of crypto-currencies that allow untraceable payments.

CryptoLocker Started it All

CryptoLocker, released in 2013, demanded a significant ransom fee in Bitcoin, payable within 72 hours, or the encryption key (the file needed for recovery) would be destroyed.

CryptoLocker spread through ad networks, but other ransomware was spread via email or Tor networks.

Newer Variations

While the botnets distributing CryptoLocker have been stopped, it has since morphed into newer variations (CryptoWall, CoinVault, TorrentLocker and Cerber) which don't respond to CryptoLocker solutions.

Bad Rabbit

Bad Rabbit moved ransomware into the low-rent district.

Access to a Windows XP machine can be purchased for $3; a Windows 10 machine for $9.

The hacker regains over 30 times his investment on the first sale.

The 0.05 bitcoin ransom (approx. $3,200) increases after a deadline.

Evolving Ransomware

Ransomware has evolved over time.

Locky Ransomware

The Locky Ransomware was initially distributed via malicious emails. Attached “invoices” used macros that initiated the ransomware download which encrypted your files.

It later used fake Adobe Flash updates to spread its payload.

We Were Unprepared

Microsoft patched the vulnerabilities that permitted WannaCry ransomware in advance of the attack (even for XP).

Still there were disasters. One in Europe looked like an update to a popular accounting software.

Testing Delays

Many organizations engaged in lengthy tests to ensure that a patch won't create issues in their networks.

Ransomware is evolving so quickly we no longer have that luxury.

The Weakest Link

Any weakness in the network or the equipment attached can be exploited.

People will often not account for the fact that attackers attempt to get in through the most vulnerable parts of their organisation, leaving them with a network composed of 99.9 percent super-hardened endpoints and one box running Windows XP. — SC Media

Vulnerable software (especially on legacy Windows computers or vulnerable personal devices) can be the pathway in which other computers on your network are infected.

Legacy systems need to be disconnected from the Internet as well as from your internal networks.

Digital CoronaVirus

The pandemic brought a resurgence of ransomware. People were working from home, away from their technical support, often on home equipment unprepared for the business world.

The Digital CoronaVirus sent out emails promising pandemic relief from the U.S. Federal Reserve or similar institutions.

Instead, the user installs both ransomware and Infostealer, a program that grabs passwords from browsers, installed games (e.g. Steam), communication software (e.g. Skype), FTP and VPN credentials.

Like most ransomware, the threat attempts to delete local backups and shadow files before encrypting the user's data, emphasizing the need for offline backups.
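Because ransomware commonly removes local backups and shadow copies before it starts encrypting, that attempt is itself a detection opportunity on Windows endpoints. The following Python script is an added example, not from the original page: it scans process-creation log lines for commands that delete shadow copies or backup catalogs or disable recovery (issued through the real Windows utilities vssadmin, wmic, wbadmin and bcdedit, which legitimate software rarely invokes this way) and correlates several such commands from the same parent process within a short window into one high-severity finding. The log lines (a simplified Sysmon-style field layout), the file names and the timestamps are constructed for the demonstration; the rule set, the line format and the 60-second window are assumptions to adapt to your own logging.

```python
"""Added example (not from the original page): spot backup- and shadow-copy
removal in process-creation logs and correlate it per parent process.

Log lines, paths and timestamps are constructed; the field layout is a
simplified Sysmon-style format assumed for the demonstration.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log: a normal service start, an admin listing shadows,
# then a chain of recovery-destroying commands from one temp-folder process.
SAMPLE_LOG = """\
2022-01-15 09:12:01 Image=C:\\Windows\\System32\\svchost.exe CommandLine="svchost.exe -k netsvcs" ParentImage=C:\\Windows\\System32\\services.exe
2022-01-15 09:12:44 Image=C:\\Windows\\System32\\vssadmin.exe CommandLine="vssadmin.exe list shadows" ParentImage=C:\\Windows\\System32\\cmd.exe
2022-01-15 09:13:05 Image=C:\\Windows\\System32\\vssadmin.exe CommandLine="vssadmin.exe delete shadows /all /quiet" ParentImage=C:\\Users\\bob\\AppData\\Local\\Temp\\invoice.exe
2022-01-15 09:13:06 Image=C:\\Windows\\System32\\wbem\\WMIC.exe CommandLine="wmic shadowcopy delete" ParentImage=C:\\Users\\bob\\AppData\\Local\\Temp\\invoice.exe
2022-01-15 09:13:07 Image=C:\\Windows\\System32\\bcdedit.exe CommandLine="bcdedit /set {default} recoveryenabled no" ParentImage=C:\\Users\\bob\\AppData\\Local\\Temp\\invoice.exe
2022-01-15 09:20:00 Image=C:\\Windows\\System32\\wbadmin.exe CommandLine="wbadmin start backup -backupTarget:E:" ParentImage=C:\\Windows\\explorer.exe
"""

# Detection rules (assumed set): command lines that remove restore points,
# delete backup catalogs or turn off Windows recovery.
RULES = [
    ("vss-delete-shadows", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("wmic-shadowcopy-delete", re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("wbadmin-delete-catalog", re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog", re.I)),
    ("bcdedit-recovery-off", re.compile(r"\bbcdedit(\.exe)?\b.*recoveryenabled\s+no", re.I)),
]

LINE_RE = re.compile(r'^(\S+ \S+) Image=(\S+) CommandLine="([^"]*)" ParentImage=(\S+)$')


def scan(log_text: str) -> list:
    """Return one alert per log line whose command line matches a rule."""
    alerts = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # unknown line shape: skip rather than guess
        stamp, image, cmdline, parent = match.groups()
        for rule_name, pattern in RULES:
            if pattern.search(cmdline):
                alerts.append({
                    "time": datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"),
                    "rule": rule_name, "image": image,
                    "cmdline": cmdline, "parent": parent,
                })
                break
    return alerts


def correlate(alerts: list, window_seconds: int = 60) -> dict:
    """Group alerts by parent process. Several distinct rules firing inside the
    window mean one process is methodically removing recovery options."""
    by_parent = defaultdict(list)
    for alert in alerts:
        by_parent[alert["parent"]].append(alert)
    findings = {}
    for parent, items in by_parent.items():
        items.sort(key=lambda a: a["time"])
        span = (items[-1]["time"] - items[0]["time"]).total_seconds()
        rules = sorted({a["rule"] for a in items})
        severity = "high" if len(rules) >= 2 and span <= window_seconds else "medium"
        findings[parent] = {"rules": rules, "severity": severity, "span_seconds": span}
    return findings


if __name__ == "__main__":
    for parent, finding in correlate(scan(SAMPLE_LOG)).items():
        print(finding["severity"].upper(), parent, finding["rules"])
```

In the sample, the admin's "list shadows" and the scheduled wbadmin backup produce no alert, while the three commands launched from a file in a user's Temp folder collapse into a single high-severity finding naming that parent process. A finding like this is the moment to isolate the machine; the encryption has usually not finished yet.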

IoT and Ransomware

Criminals are starting to look at cloud services for future ransomware attacks because data is moving to the cloud — because that's where the “money” is.

The future of ransomware could be even grimmer with the Internet of Things (IoT).

Manufacturers have been busy installing Internet-connected microcomputers in everything — baby monitors, cameras, cars, hospital equipment, smart TVs and much more. They have failed to provide security in order to keep costs down.

Forbes predicts that by 2025, we'll have over 80 billion smart devices on the internet. Much of the embedded firmware running on these devices is insecure and highly vulnerable, leaving an indeterminate number of critical systems and data around the world at risk. — IoT for All

It's only a matter of time before people get messages on their car screens saying that the engine has been disabled and it will cost $200 in bitcoin to turn it back on. Or a similar message on their phones about their Internet-enabled door lock: Pay $100 if you want to get into your house tonight. Or pay far more if they want their embedded heart defibrillator to keep working. — Bruce Schneier

No Plans for IoT Security

Security has not even been considered in the rapidly expanding list of IoT products, and it is probably not even possible to implement after manufacture.

Learning More

Related Resources

Related resources on this site:

or check the resources index.

RussHarvey.bc.ca/resources/ransomware.html
Updated: January 15, 2022