Russ Harvey Consulting - Computer and Internet Services

Ransomware

Holding Your Digital Life for Ransom


Ransomware encrypts your data and holds it hostage

What is Ransomware?

Ransomware is a form of malware that encrypts your most valuable data files (documents, financial data, letters, photos, music and everything else) then demands a ransom for the encryption key.

Ransomware makes all your files inaccessible, then extorts money with the promise to provide a recovery key once you pay.

There is no guarantee that you'll get your data back if you pay the ransom, and payment encourages future attacks. Your best bet is to be prepared for recovery.

Ransomware is more about manipulating vulnerabilities in human psychology than the adversary's technological sophistication. — James Scott


Don't Pay the Ransom

If you are the victim of a ransomware attack, how do you respond?

First of all, do not pay the ransom.

Paying the ransom should be your last option: it encourages further development of ransomware, and it invites more frequent attacks by labelling you as an easy, unprepared target.

It is also increasingly common not to get your data back even after paying.

[E]ven if a payment was forthcoming, new research reveals the shocking reality of ransomware today: 92% of organizations don't get all their data back. — Forbes

A survey of organisations affected by ransomware attacks found that the average total cost of a ransomware attack for organisations that paid the ransom is almost $1.4m, while for those who didn't give into ransom demands, the average cost is half of that, coming in at $732,000. — ZDNet

As inconvenient as it is, your best bet is to tighten your security (educate yourself and others about the warning signs) and restore your files from a recent backup.

In short, your security comes down to the same three words: backup, protection, awareness. All three need to be in place, and when they are, you can confidently say you're employing optimal antiransomware security strategy. — Kaspersky

Ransomware Facts

Some facts about ransomware:

  • Ransomware is a special sort of malware infection that encrypts your entire computer then holds it for ransom.
  • The encryption key can be destroyed if you attempt recovery without paying the ransom.
  • Paying the ransom is no guarantee of recovery. You're dealing with thieves, not honest businessmen.
  • Without income, this sort of malware will die off.
  • Anti-ransomware software is available and should be a part of your security suite.

Other than prevention and preparation, your only realistic alternative is to wipe your computer, reinstall everything and restore your data from a reliable (and uninfected) current backup.

[T]he average downtime an organization suffers from a ransomware attack is three days, but at times can be indefinite and lead to the failure of a business. — TechRepublic

The average cost of a data breach is $3.86 million, a malicious breach cost $4.27 million, and a ransomware attack costs about $4.44 million, according to IBM's 2020 Cost of a Data Breach report. — TechRepublic

PC Magazine's "The best ransomware protection" provides an excellent overview of ransomware and assesses various solutions:

Of course, ransomware is just another kind of malware, and any malware-delivery method could bring it to you. A drive-by download hosted by a malicious advertisement on an otherwise-safe site, for example. You could even contract this scourge by inserting a gimmicked USB drive into your PC, though this is less common. If you're lucky, your malware protection utility will catch it immediately. If not, you could be in trouble.

Cities, hospitals and other government services have been the targets of ransomware. Even though their tax bases have been hit hard by the COVID-19 crisis, they are now facing the threat of confidential information being released.

These are favoured targets because these services are both unprepared (their security and often their hardware are sub-standard) and motivated (because of the confidential and often critical nature of their data).

There is no guarantee that this information will not be sold on the dark web and eventually be exposed anyway. In the past, the defense for ransomware was simply to have good backups, however, with the addition of data exfiltration, the ransomware groups have changed the game. — Erich Kron

Ransomware-as-a-Service

A recent release is called RedBoot, so named because an infected computer boots to a red screen with white text telling you that your files have been encrypted, with instructions to email an address with your ransom payment.

This was the first of a wave of ransomware-as-a-service, a commercial product that will make ransomware available to virtually anyone.

This ransomware can alter your master boot records, change partitions tables and encrypt files. That means it can do real damage to your machine. — TechRepublic

IoT and Ransomware

Criminals are starting to look at cloud services for future ransomware attacks because data is moving to the cloud, and that's where the “money” is.

The future of ransomware could be even grimmer with the Internet of Things (IoT).

Manufacturers have been busy installing Internet-connected microcomputers in everything — baby monitors, cameras, cars, hospital equipment, smart TVs and much more.

Forbes predicts that by 2025, we'll have over 80 billion smart devices on the internet. Much of the embedded firmware running on these devices is insecure and highly vulnerable, leaving an indeterminate number of critical systems and data around the world at risk. — IoT for All

It's only a matter of time before people get messages on their car screens saying that the engine has been disabled and it will cost $200 in bitcoin to turn it back on. Or a similar message on their phones about their Internet-enabled door lock: Pay $100 if you want to get into your house tonight. Or pay far more if they want their embedded heart defibrillator to keep working. — Bruce Schneier

No Plans for IoT Security

Security has not even been considered in the rapidly expanding list of products that form the Internet of Things, and it is probably not even possible to implement post-manufacture.

If you're fed up with paying to protect your computer, can you imagine if you're faced with the possibility of paying a ransom for your IoT devices or throwing them away?


Preparing for Recovery

Prevention isn't easy and the only reliable recovery is to wipe your hard drive and recover files via a RECENT secure offline backup (cloud-based storage and always-connected backup devices can be infected if your computer is compromised).

The main thing is to avoid any risky behaviour and to prepare as best you can to recover.

  1. Use a reputable security software.
  2. Use an Anti-Ransomware software.
  3. Backup your data.
  4. Exercise good judgment.
  5. Implement employee education programs (Business).
  6. Only use secure networks.
— ZoneAlarm

As a way to deal with ransomware attacks specifically, organizations need to back up data regularly to a nonconnected environment and verify the integrity of those backups regularly…. [A]n effective privileged access management solution using a zero trust approach is key to preventing bad actors from accessing critical systems, infrastructure and sensitive data. — TechRepublic

Here are some keys to preparing your computer(s) and data for recovery:

  • Ensure that your computer(s) are fully patched as quickly as possible to avoid infection where possible.
  • Use secure passwords and change the default passwords for equipment like your router.
  • Create and maintain a regular complete backup of your critical data files (irreplaceable documents, photos, media downloads, etc.).
  • Use a USB-based hard drive not permanently connected to the computer, storing that drive in a secure location when not backing up or restoring files.
  • Regularly back up current (in-use) files on a thumb drive (removing the drive from the computer when backups aren't in process).
  • Be wary of clicking on attachments in emails without scanning them first.
  • If you have any doubts about whether an email is legitimate, don't click on any links, especially if the email is unexpected (e.g. a “notice” from FedEx). Report it to your IT department or resource (or delete it on your own computer).
  • Avoid downloading or watching videos on unknown pages. Facebook is famous for obscuring the destination of links on their site and for fake news links. Don't go there.
  • Ensure that you don't allow people to use your computer unsupervised and particularly don't allow them to download and install software. This is especially true for your children.
  • If you must have a "guest" computer, keep it unconnected from your network and don't provide Administrator privileges to the account they're using.
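
One way to check that an offline backup is still intact before you rely on it for recovery, as an added example that is not part of the original page. The function names, the 20% alarm threshold, the sample files and the ".locked" extension are assumptions constructed for the illustration.

```python
import hashlib
import os
import tempfile


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large backup files do not fill memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Return {relative path: SHA-256} for every file under the backup root."""
    manifest = {}
    for folder, _subdirs, names in os.walk(root):
        for name in names:
            full = os.path.join(folder, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_backup(root, manifest, alarm_ratio=0.2):
    """Compare the backup with a manifest recorded when it was known good.

    alarm_ratio is an assumed threshold: if that share of the recorded files
    is missing or altered, treat the backup as possibly encrypted.
    """
    current = build_manifest(root)
    missing = sorted(p for p in manifest if p not in current)
    changed = sorted(p for p in manifest if p in current and current[p] != manifest[p])
    added = sorted(p for p in current if p not in manifest)
    damaged = len(missing) + len(changed)
    suspicious = bool(manifest) and damaged / len(manifest) >= alarm_ratio
    return {"missing": missing, "changed": changed, "added": added, "suspicious": suspicious}


if __name__ == "__main__":
    # Constructed sample: a throwaway folder stands in for the backup drive.
    with tempfile.TemporaryDirectory() as drive:
        for name, data in {"taxes.txt": b"2020 return", "letter.txt": b"dear bank"}.items():
            with open(os.path.join(drive, name), "wb") as handle:
                handle.write(data)
        known_good = build_manifest(drive)  # keep a copy of this off the backup drive
        os.rename(os.path.join(drive, "letter.txt"), os.path.join(drive, "letter.txt.locked"))
        print(verify_backup(drive, known_good))
```

A renamed file shows up as one "missing" and one "added" entry, which is how files that ransomware has encrypted and renamed would appear in the report.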

You should also increase your security budget and train your employees on how to spot and avoid risky behaviour. The cost is far less than a successful ransomware attack.

Winning the War on Ransomware

See Trustwave's Winning the War on Ransomware infographic.

Ransomware History

CryptoLocker Started it All

CryptoLocker, released in 2013, demanded a significant ransom in bitcoins, payable within 72 hours, or the encryption key (the file needed for recovery) would be destroyed.

CryptoLocker spread through ad networks, but ransomware can be spread via email or Tor networks.

New Variations

While the botnets distributing CryptoLocker have been stopped, it has since morphed into new variations such as CryptoWall, CoinVault, TorrentLocker and Cerber, which don't respond to CryptoLocker solutions.

Bad Rabbit

Bad Rabbit appears to be moving ransomware into the low-rent district. Access to a Windows XP machine can be purchased for $3; a Windows 10 machine for $9. The initial 0.05 bitcoin ransom (approximately US$285) has a deadline after which the price goes up. The hacker regains over 30 times his investment on the first sale. Where's the incentive to go legit?

Locky Ransomware

The Locky Ransomware is a rapidly evolving ransomware. It was initially distributed via emails with infected .doc “invoices” attached; these included macros that initiated the download of the ransomware, which then encrypted your files. It has also used fake updates for Adobe Flash to spread its payload.

Ransomware has evolved over time.

Computers are infected automatically, with viruses that spread over the internet.

Payment is no more difficult than buying something online -- and payable in untraceable bitcoin -- with some ransomware makers offering tech support to those unsure of how to buy or transfer bitcoin.

Customer service is important; people need to know they'll get their files back once they pay. — Bruce Schneier

IBM revealed that 70% of businesses infected with ransomware have paid the ransom. Individuals are much less likely to do so (they abandon their lost data), except for financial data.

The vulnerability that the WannaCry ransomware exploited was patched by Microsoft in advance of the attack (even for XP), yet there were disasters. In Europe, one infection was released that looked like an update to popular accounting software.

Many organizations can take a long time testing to ensure that a patch won't create issues in their networks, yet this sort of infection is evolving so quickly there is no longer that luxury.

Any weakness in the network or the equipment attached can be exploited.

People will often not account for the fact that attackers attempt to get in through the most vulnerable parts of their organisation, leaving them with a network composed of 99.9 percent super-hardened endpoints and one box running Windows XP. — SC Media

Vulnerable software (especially on legacy Windows computers or vulnerable personal devices) can be the pathway by which other computers on your network are infected.

Digital CoronaVirus

The Digital CoronaVirus sends out emails promising relief from the pandemic from the U.S. Federal Reserve or similar institutions. Instead, the user installs both ransomware and Infostealer, a program that grabs passwords from browsers, installed games (e.g. Steam), communication software (e.g. Skype), FTP and VPN credentials.

Like most ransomware, the threat attempts to delete local backups and shadow files before encrypting the user's data.

RussHarvey.bc.ca/resources/ransomware.html
Updated: September 4, 2021