Taking the Sting Out of Ransomware


In December of 2014, the entire police department of Tewksbury, Mass., just outside of Boston, got held up by the data equivalent of gunpoint. It happened when malicious code infected the department’s computer system, encrypted critical files to effectively hold them hostage, and then demanded payment to an anonymous thief to return them.

It was just one example of a rising tide of such cyber-attacks employing malware known as ransomware.

Cyber Muggings

Unlike other cybersecurity breaches, which often are designed to remain undetected while hackers collect valuable or potentially embarrassing data from organizations and individuals, ransomware attacks typically hit fast and hard. State-of-the-art ransomware encrypts both the victim’s files and the key needed to restore them with the Advanced Encryption Standard (AES), which is impossible to break, according to Frank Jablonski, Vice President for Global Product Marketing at leading hybrid cloud data protection provider Acronis. “If you are not prepared, there’s really nothing you can do about it after it happens,” he says. “If you send them the payment they may or may not release your files.”

And ransomware isn’t going away any time soon, reports the FBI. The law enforcement agency cites a rise in the ransomware cases it is seeing, and has stepped up efforts to combat it. Paying is not a guaranteed solution.

How It Works

Contributing to the increase in attacks is the expanding availability of off-the-shelf ransomware on the black market. Along with CryptoWall, ransomware with names like TorrentLocker, CTB-Locker, and TeslaCrypt gets distributed via attachments to email spam and through so-called exploit kits, which run on malicious Web servers to find vulnerabilities on the computers that connect to them. Cybercriminals may purchase source code from developers for distribution, or may share a percentage of profits using a ransomware-as-a-service model.

Once downloaded, ransomware installs itself on a victim’s machine and connects with a command and control server to generate a unique encryption key. It then sets about creating encrypted copies of targeted file types, such as documents and images. After generating a list of the encrypted files, the software deletes the originals, and offers them up for ransom. Ransom notes typically demand about $500 in hard-to-trace Bitcoin currency, via a popup window. “If you really value your data,” Tewksbury Police Chief Timothy Sheehan read on his computer on December 8, 2014, “then we suggest you do not waste valuable time searching for other solutions because they do not exist.”

Ransomware often applies pressure to get victims to pay up quickly. Four or five days following the attack, the ransom money required to decrypt files may double. Ransom notes can include “helpful” links to exchanges for victims to turn dollars or other local currency into Bitcoin, and offer the ability to decrypt a sample file for free to prove that the perpetrator can actually restore all of the victim’s files if paid.
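The encrypt-copy-then-delete sequence described above leaves a recognizable trace on disk, and that trace is what a defender can watch for. The following is an added example, not code from the article or from Acronis: a toy detector that consumes a constructed list of file events and flags documents that were shadowed by a high-entropy copy and then deleted. The targeted extension list, the `.encrypted` naming scheme, and the sample events are assumptions made for the example; in practice the events would come from an EDR agent or an audit log.

```python
"""Added example, not from the article or from Acronis: a toy detector for
the pattern the text describes, in which ransomware writes an encrypted copy
of each document and then deletes the original.  It consumes a constructed
list of file events; in practice the events would come from an EDR agent or
an audit log.  Heuristic: a create of a high-entropy file whose name wraps a
document name, followed by deletion of that document."""
import math
import random
from collections import Counter

# File types the text says ransomware targets (documents and images); the
# exact extension list is an assumption for the example.
DOC_EXTENSIONS = {".docx", ".xlsx", ".pdf", ".jpg", ".png", ".txt"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte.  Plain documents usually score well under 7; ciphertext
    (and compressed data, the main false-positive source) approaches 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def original_of(path: str):
    """For a name like /cases/report.docx.encrypted return /cases/report.docx
    if that looks like a targeted document, else None."""
    base, dot, _ = path.rpartition(".")
    if not dot:
        return None
    _, stem_dot, ext = base.rpartition(".")
    if stem_dot and "." + ext in DOC_EXTENSIONS:
        return base
    return None


def suspicious_events(events, entropy_threshold=7.0, min_hits=3):
    """events: (op, path, payload) tuples in observed order; op is 'create' or
    'delete', payload is the bytes written for a create (b'' otherwise).
    Returns the originals that were shadowed by an encrypted copy and then
    deleted, in deletion order, or [] if fewer than min_hits were seen, so
    that a single odd file does not raise an alert."""
    shadowed = {}  # original path -> path of the high-entropy copy
    hits = []
    for op, path, payload in events:
        if op == "create":
            orig = original_of(path)
            if orig and shannon_entropy(payload) >= entropy_threshold:
                shadowed[orig] = path
        elif op == "delete" and path in shadowed:
            hits.append(path)
    return hits if len(hits) >= min_hits else []


def constructed_events():
    """A constructed timeline: normal work, one benign high-entropy write,
    then the encrypt-and-delete burst."""
    rng = random.Random(7)  # deterministic stand-in for ciphertext
    text = b"Incident log 2014-12-08: evidence inventory for case 4471.\n" * 40
    originals = ["/cases/report.docx", "/cases/notes.txt",
                 "/cases/budget.xlsx", "/cases/photo.jpg"]
    events = [("create", p, text) for p in originals]
    # A zip archive is high-entropy too, but it is never paired with the
    # deletion of a document, so it must not count as a hit.
    events.append(("create", "/cases/archive.zip",
                   bytes(rng.getrandbits(8) for _ in range(4096))))
    for p in originals:
        events.append(("create", p + ".encrypted",
                       bytes(rng.getrandbits(8) for _ in range(4096))))
    events.append(("delete", "/tmp/cache.tmp", b""))  # unrelated delete
    for p in originals:
        events.append(("delete", p, b""))
    return events


if __name__ == "__main__":
    for path in suspicious_events(constructed_events()):
        print("likely encrypted and removed:", path)
```

The pairing of a high-entropy create with a later delete of the wrapped original is what keeps ordinary compressed archives from tripping the alert; the `min_hits` floor handles the occasional odd file. A family that overwrites files in place or uses a different naming scheme would need a different rule, which is why such heuristics complement rather than replace the backups the next section describes.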

Fending Off Attacks

Good security software and hardware are an important first line of defense against ransomware, but there is only one sure way to defeat an attack after it has occurred, and it’s simple, says Jablonski: back up all your data to a secure location.

Jablonski advises backing up not just important files, but the entire contents of each drive, including applications and operating systems in the form of full image backups. “The reason we advocate full image is because it captures everything you have on your disk so that you can wipe the entire disk clean and start from scratch all over again with your backed up image.” Even if the ransomware has somehow made it to your latest backup, Jablonski explains, you can still restore your systems to a point before the ransomware took over, and—forewarned—delete it before it can do any harm.

But backups, too, are vulnerable to attack if they are connected to infected machines. For that reason, Jablonski advises isolating backups from the systems they protect. “The best way to do it is actually to have that backup in the cloud as part of your protection,” he says. “If you only backup local to your system, the ransomware can grab that too. If you have it up in the cloud, there’s a disconnect there, and it can’t get to it.”
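The two points above, an append-only store the infected host cannot reach back into and the ability to roll back to a copy taken before the infection, can be shown in miniature. The following is an added example, not code from the article or from Acronis: a versioned snapshot store with a SHA-256 manifest per snapshot and a point-in-time restore. The timestamps, file contents and the `.encrypted` naming are constructed for the example; a real store would live off-host (for instance, cloud object storage with write-once retention) and hold full disk images rather than a handful of files.

```python
"""Added example, not from the article or from Acronis: a minimal versioned
backup store showing two points from the text, keeping copies where the
protected host cannot overwrite them and restoring to a point in time before
the ransomware arrived.  Snapshots live in memory here; a real store would be
off-host with write-once retention and hold full disk images."""
import hashlib
import random
from dataclasses import dataclass

DAY = 86_400
T0 = 1_417_996_800                          # constructed epoch, early Dec 2014
INFECTION_TIME = T0 + 3 * DAY + 9 * 3600    # constructed: day 3, 09:00

# Constructed originals standing in for the protected machine's documents.
ORIGINAL_FILES = {
    "/cases/report.docx": b"Incident report, case 4471\n" * 20,
    "/cases/notes.txt": b"Witness interview notes\n" * 20,
}


@dataclass(frozen=True)
class Snapshot:
    taken_at: int   # epoch seconds
    files: dict     # path -> bytes as they were at taken_at
    digests: dict   # path -> sha256 hex manifest, written at snapshot time


class SnapshotStore:
    """Append-only: the host may add snapshots but has no call to alter or
    delete an existing one, which is the isolation the text argues for."""

    def __init__(self):
        self._snapshots = []

    def take(self, taken_at, files):
        copy = {p: bytes(b) for p, b in files.items()}
        digests = {p: hashlib.sha256(b).hexdigest() for p, b in copy.items()}
        self._snapshots.append(Snapshot(taken_at, copy, digests))
        self._snapshots.sort(key=lambda s: s.taken_at)

    def latest_before(self, cutoff):
        """Newest snapshot taken strictly before cutoff, or None."""
        older = [s for s in self._snapshots if s.taken_at < cutoff]
        return older[-1] if older else None

    @staticmethod
    def verify(snapshot):
        """Recompute every digest against the manifest; a mismatch means the
        copy was altered or corrupted after it was taken."""
        return set(snapshot.files) == set(snapshot.digests) and all(
            hashlib.sha256(b).hexdigest() == snapshot.digests[p]
            for p, b in snapshot.files.items())


def restore_point_in_time(store, infection_time):
    """Pick the newest verified snapshot from before the infection.  Returns
    the files to write back, or None if no clean, intact copy exists."""
    snap = store.latest_before(infection_time)
    if snap is None or not SnapshotStore.verify(snap):
        return None
    return dict(snap.files)


def build_constructed_timeline():
    """Nightly 23:00 snapshots on days 1 and 2; on day 3 the ransomware
    replaces each document with a high-entropy .encrypted copy, and that
    night's snapshot faithfully captures the damage."""
    store = SnapshotStore()
    store.take(T0 + 1 * DAY + 23 * 3600, ORIGINAL_FILES)
    store.take(T0 + 2 * DAY + 23 * 3600, ORIGINAL_FILES)
    rng = random.Random(3)  # deterministic stand-in for ciphertext
    encrypted = {p + ".encrypted": bytes(rng.getrandbits(8) for _ in range(256))
                 for p in ORIGINAL_FILES}
    store.take(T0 + 3 * DAY + 23 * 3600, encrypted)
    return store


if __name__ == "__main__":
    restored = restore_point_in_time(build_constructed_timeline(), INFECTION_TIME)
    print(sorted(restored) if restored else "no clean snapshot available")
```

The day-3 snapshot is not wrong, it is simply a faithful copy of an already encrypted disk, which is why retention of earlier versions matters as much as isolation: a store that kept only the latest copy would have nothing clean to offer. The manifest check guards against the other failure mode, a backup that is present but no longer intact.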

While backup can help an organization recover from an attack, Jablonski advises remaining vigilant to prevent attacks in the first place. “People are the weakest link,” he says. “You have to be very careful what you get in emails and what you click on.” For example, Jablonski suggests reading the URLs of links within emails to make sure they go where claimed. For IT departments and managers, regular reminders sent to employees keep them vigilant and fend off attacks.

Vulnerable Without Backup

Not even the aid of experts from state and federal law enforcement agencies and two separate private security firms could unscramble the encrypted files of the Tewksbury Police Department. And, without good backups available, the department ended up paying a $500 ransom to get its files back. Clearly it was an embarrassing situation for a law enforcement organization, charged with doing everything in its power to stop criminals rather than funding them.

By contrast, the City of Durham, NH, hit by a ransomware attack in February 2016, was able to restore its encrypted files and avoid paying a ransom. The difference? A strong backup solution was in place well before the attack occurred. “When you have to pay it is when you don't have a backup,” City of Durham CIO Kerry Goode told local media. “We have good backups.”

If you’d like to learn more about how to stay protected against ransomware and other cyber-attacks, click here for an infographic, or click here to read this ransomware use case.
