Ransomware has been in the news a lot recently, and so it’s probably worth taking a little time to look at exactly what it is, how it works, and what you can do to keep yourself and your data safe.
In its purest form, ransomware is the term for any malicious program designed to put you in a position where you have to pay money to regain full access to your own data. It comes in several forms.
The most common form of ransomware is Crypto Ransomware. It automatically encrypts all the data on the machine it is running on and then sends a demand for payment to decrypt the affected files.
Less technologically sophisticated but just as destructive is the form of ransomware known as Locker Ransomware. This doesn’t encrypt individual files, but simply locks the user out of their machine, or out of specific applications such as their web browser.
Less common than either Crypto Ransomware or Locker Ransomware is fake antivirus software. This attempts to defraud users into paying for a program to clean non-existent viruses from their computer.
Examples of Ransomware
The most well-known example of a ransomware attack in recent times is the WannaCry attack. In May of 2017 it managed to infect almost a quarter of a million machines across 150 countries in less than a day. FedEx, the National Health Service, and Spain's Telefónica were all hit, causing huge disruption and financial loss. The impact on the NHS alone was huge, with somewhere in the region of 70,000 machines affected. These machines included medical scanners, operating theatre equipment, and blood product storage equipment. Operations were cancelled, and ambulances were diverted to other hospitals, putting patients at genuine risk.
It is said to have been the most financially damaging ransomware attack in history with losses being predicted to reach as high as $4 billion according to cyber risk modelling firm Cyence.
Other examples of ransomware that have had global impact are Cryptolocker, which is thought to have raised over $3 million in ransom demands before being shut down by the US Department of Justice; Fusob, which exclusively targets mobile devices; Petya, which some argue is not technically ransomware as there is no way to unlock a system that has been infected; and Bad Rabbit, which primarily affected machines in Russia and Ukraine.
How does it work?
Crypto Ransomware is by far the most damaging and, from the point of view of the people behind it, the most lucrative form of ransomware. Because of this it is also the most common.
The first thing that must happen is that the user inadvertently executes the malicious file, activating the ransomware, which contains a public encryption key. The malware then uses the principles of hybrid encryption both to fully encrypt the victim's data and to create a unique key for decryption. This happens extremely quickly. The ransomware "Chimera" encrypted one thousand files totalling 60 MB in eighteen seconds. CryptoWall is one of the slowest, taking a full sixteen minutes to do the same job.
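The hybrid-encryption step described above, as an added Go example that is not code from the original post or from any real sample: it assumes the operator's public key is embedded in the sample, generates a fresh AES-256 key, seals the data with AES-GCM and wraps the AES key with RSA-OAEP, so the victim's machine holds only the wrapped key. Recover shows why the data cannot be unlocked without the operator's private key; the "data" is an in-memory byte string, not files on disk.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// Envelope is all that remains on the victim's machine: data sealed under a
// one-off AES key, and that key wrapped with the operator's public key.
type Envelope struct{ Nonce, Ciphertext, WrappedKey []byte }

// NewOperatorKey stands in for the operator's key pair; only its public half is embedded.
func NewOperatorKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// HybridEncrypt models the scheme described above: a fresh AES-256 key per victim,
// data sealed with AES-GCM, and that key wrapped with RSA-OAEP; the plaintext key is dropped.
func HybridEncrypt(pub *rsa.PublicKey, data []byte) (*Envelope, error) {
	key, nonce := make([]byte, 32), make([]byte, 12) // AES-256 key, 96-bit GCM nonce
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(key) // 32-byte key: cannot fail
	gcm, _ := cipher.NewGCM(block)  // AES block size: cannot fail
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{nonce, gcm.Seal(nil, nonce, data, nil), wrapped}, nil
}

// Recover is the step only the private-key holder can perform; without it the wrapped key is opaque.
func Recover(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	if priv == nil {
		return nil, errors.New("no private key: AES key cannot be unwrapped")
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}
```

The same structure is why a backup taken before infection, not the public key or the wrapped key found on the machine, is the only realistic route back to the data.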
Once this has been done a message is delivered to the victim, either in a popup window or by changing their desktop wallpaper, explaining how to pay to have their files decrypted. This usually involves cryptocurrency such as Bitcoin, but some of the earliest incarnations demanded cash payments, or even Amazon vouchers.
Some forms of ransomware that do not use encryption have also been damaging. These range from looping popups of pornographic images that require a code to deactivate, to imitation Windows activation notices that encourage victims to call premium-rate phone lines. Almost every feasible method of attack has been attempted at some stage.
How is it delivered?
The methods used by criminals to infect machines with ransomware are almost as varied and sophisticated as the forms the ransomware can take. The simplest and most common method of transmission is through phishing emails. A fraudulent email is sent to a user and is written in such a way as to encourage them to carry out a simple action. Viewing an image, downloading a document, and watching a video are all common approaches used to get someone to click on the malicious file and thereby execute the ransomware. These deliberately misleading files are known as Trojans.
Often phishing scams designed to deliver ransomware are not selective in any way, so these emails are generic ones that take the form of a friendly or business message and are sent out en masse. But they can be much more personalised. These targeted phishing attacks tend to be known as spear-phishing emails and are much more focused on the person they are intended for. However, the end result is the same. A link is clicked and a malicious program is executed on a vulnerable computer. And once that has happened it is often too late.
If ransomware does infect and encrypt a computer, it is likely to spread to any other machines that are connected to it. For example, if you back up a computer to an external drive and that drive is plugged in when the ransomware is activated, it will likely also encrypt the files on that drive, effectively destroying both the computer and the backup.
Some of the more recent, more sophisticated ransomware programs have been self-replicating and have travelled from computer to computer on the same network without any user interaction once activated. The WannaCry worm which caused the attack on the NHS is a prime example of this. This also allows ransomware to travel on external hard drives and USB flash drives.
How can it be prevented?
Whilst spear-phishing emails are much harder to spot, they are, thankfully, vastly less common. The simplest and most effective way to prevent people from inadvertently installing ransomware is through education.
For businesses it is vital that anyone and everyone who has access to the internet and email fully understands what is at stake with regard to ransomware. They need to understand how phishing scams work, and that if a file does not look exactly as they expect, they should treat it as suspicious and not open it.
Many anti-virus services also offer an email security option that attempts to detect emails that are not what they first appear to be. If you do not currently use software that does this, it is worth considering.
If you do not have security policies in place for the use of external drives, that is another thing to consider in order to improve your safety.
However, the simplest and most effective method for preventing ransomware infection is to ensure that all software and operating systems are kept up to date, all security patches are installed, and vulnerabilities are closed. The majority of ransomware exploits known vulnerabilities, so if you do not have those vulnerabilities you are far less likely to be infected.
How can it be fixed?
If the worst comes to the worst and you find yourself the victim of a ransomware attack, it is important not to panic and make a knee-jerk reaction. Ransomware is designed to make you act quickly. There will be a sense of urgency in the messages, and they may even state that there is a rapidly looming deadline, after which you will no longer be able to recover your files.
Some ransomware is categorised as "Scareware" and attempts to trick you into thinking that you have to pay without actually having done any serious damage. And even where that is not the case, some ransomware has known design flaws and kill switches that can rapidly deal with any damage it has done.
However, if after careful consideration you can say that the damage is genuine and there is no obvious solution, you are left with three choices:
1) Accept the damage and simply start again.
If we are talking about a personal computer, this may be the simplest option. You will lose any files that have been affected, but you can simply format the drive and restore the computer to its original settings. However, this is not an option many people would choose, especially for machines that are used for business purposes.
2) Restore from a backup
If you are taking regular, comprehensive backups of the system, this is a good option. However, you need to bear two things in mind. Firstly, it will likely take you longer than you think. In his recent interview with Wirehive, Jake Moore, from the Dorset Police Cyber Security Unit, described a council that did this and was without usable IT infrastructure for almost an entire week.
The second thing to bear in mind is that ransomware does not necessarily act as soon as it is downloaded. A delay can be programmed into the software, meaning that if you restore from a backup taken a few hours before the encryption occurred, you may simply be restoring the malware along with the file structure.
3) Pay the money
The price demanded for decryption is usually carefully calculated to seem like a price that is likely worth paying, to the point that many businesses now carry funds in Bitcoin for this express purpose. However, paying up is no guarantee that decryption will happen as promised. And once the money has been transferred it is impossible to get it back.
For example, in 2016 servers at the University of Calgary in Canada were infected with ransomware. They chose to pay to get a decryption key. The key cost them $20,000, and when it arrived it did not work quite as promised. It did not restore all the systems and files that had been damaged, and left the IT staff at the university with the mammoth task of trying to restore their systems themselves.
And it doesn't end there. If you do pay, and your file system is decrypted, you are potentially marked down as a soft target. It won't be long until you are affected again.
Unfortunately there isn't a happy note to finish on. All we can do is continue to caution people about the prevalence and proliferation of ransomware attacks and encourage businesses to educate themselves and their staff on the risks.
If you’d like to talk to someone about how you can protect your system from ransomware attacks then give us a call.