Protecting Yourself (and Your Organization) from Ransomware

Monday, April 04, 2016

Dan Lohrmann


The rise in ransomware has taken a dramatic turn for the worse so far in 2016.

Thousands of businesses and consumers around the world are becoming victims of hacking attacks that lead to extortion. This very serious situation requires the immediate attention of everyone from PC owners to small businesses to large governments.

Here’s the problem and what actions you must take now to protect yourself.

While media attention has focused on global terrorist incidents and the presidential primaries, a growing number of business emergencies caused by ransomware are sweeping the world. The risk of this situation escalating into a significant public- or private-sector crisis is growing. Immediate attention is necessary.

Ransomware metrics are surging in 2016. In my role at Security Mentor, I have spoken with dozens of business leaders who have come face-to-face with ransomware in the past few months, and the overall growth is simply staggering.

Furthermore, there is a silent group of people who never report ransomware to the authorities. Fearing reputation loss or not wanting to take the time, they just pay the ransom for “convenience.” Most get their data back — but some do not.

Once you are infected, bad things can happen quickly.

Here is a true story from 2014 about one user who was infected with a nasty type of ransomware called Cryptolocker. Note that the most important key to surviving a ransomware attack is having good backups of your data. Here is an excerpt explaining why this story has a happy ending:

“Because of this backup system, we were able to pinpoint a time before the Cryptolocker infection and restore our systems from that point...” 

For more actions to help mitigate ransomware risks, see the list of actions needed later in this post.

Defining Ransomware

Ransomware is a type of malware that prevents users from accessing their system, or limits their access to it. This type of malware forces its victims to pay a ransom through certain online payment methods in order to regain access to their systems or to get their data back.

The first cases of ransomware infection were seen in Russia in 2005 and 2006, but global growth has been significant in the past few years.

For the bad guys, ransomware is seen as a way to cut out the middle man in monetizing their hacking exploits, since there is no stealing and selling of sensitive data. Note that most data breach metrics don’t apply to ransomware, since the hackers are not actually stealing your data. They are just encrypting it.

Just in case you think you are immune to ransomware because you own an Apple Mac, think again. Ransomware that affects Macs was recently found; however, the Mac operating system (OS) was quickly patched before many people were impacted. Still, new forms of ransomware that affect all types of PCs are likely.

It’s also clear that new forms of ransomware are becoming more sophisticated, because they also try to find and encrypt your backup data. As described here, Locky ransomware encrypts local files and attempts to encrypt unmapped network shares. Note: The same article describes how Locky can be installed via fake invoices.

Ransomware: What Actions Are Needed Now? 

Here’s what you should do now to help protect yourself.

First and foremost — BACK UP YOUR DATA! For home PC users, cloud storage is better than no backup, but be aware that backups which stay connected to your PC may also be at risk. For example, I back up my home PC data files to an offline storage device.

For public- and private-sector enterprises, take some time to determine the best backup architecture. In Michigan, we used a mixture of backup tapes, cloud computing and other forms of backup storage when I was CSO and CTO from 2009 to 2014. No, this message is not new, but too many organizations do not have adequate backup solutions that protect them from ransomware.

I fully expect smarter next generations of ransomware to find and encrypt cloud backups — but that is another article (and argument) for another day. (For those who doubt this, see this Brian Krebs article on cloud data and ransomware. Still, cloud backups are better than no backups.)

Second, get trained on what to watch out for regarding phishing. Also, train your employees on tricks that the bad guys use to tempt us into becoming a victim. A little security awareness training never hurt anyone and keeping security top of mind could save you, and your organization, a major headache down the line.

Third, if you are a system administrator, consider these CSO magazine online tips. There are also admin features that you may want to disable; specifically, review this advice on disabling vssadmin.exe. Beyond that, we can all take preventive measures to avoid getting infected with ransomware in the first place. Don't forget basic good cyber hygiene steps, such as keeping antivirus software up to date, limiting admin privileges, patching your current operating system (OS), separating privileged accounts from everyday accounts, and so on.
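The advice above to restrict vssadmin.exe is easier to act on if you can also see when it is used. The following is an added example, not code from the original post: it parses a few constructed, Sysmon-style process-creation events (the "Key: Value|Key: Value" layout, the host names and the user names are all assumptions) and flags command lines that delete or shrink Volume Shadow Copies, while letting a routine "list shadows" by a backup operator pass.

```python
"""Flag shadow-copy tampering in Windows process-creation logs.

Added example (not from the original article). The log layout,
users and paths below are constructed for illustration only.
"""
import re
from typing import Dict, List

# Constructed sample events, one per line (not real telemetry).
SAMPLE_EVENTS = """\
Image: C:\\Windows\\System32\\notepad.exe|CommandLine: notepad.exe C:\\Users\\alice\\invoice.txt|User: CORP\\alice
Image: C:\\Windows\\System32\\vssadmin.exe|CommandLine: vssadmin.exe list shadows|User: CORP\\backupadmin
Image: C:\\Windows\\System32\\vssadmin.exe|CommandLine: vssadmin.exe delete shadows /all /quiet|User: CORP\\alice
Image: C:\\Windows\\System32\\vssadmin.exe|CommandLine: vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB|User: CORP\\alice
"""

# Sub-commands that remove or starve shadow copies; "list" is benign.
TAMPER_RE = re.compile(
    r"\bvssadmin(?:\.exe)?\s+(delete\s+shadows|resize\s+shadowstorage)\b",
    re.IGNORECASE,
)


def parse_event(line: str) -> Dict[str, str]:
    """Split one 'Key: Value|Key: Value' line into a dict (assumed layout)."""
    fields: Dict[str, str] = {}
    for part in line.split("|"):
        key, _, value = part.partition(": ")  # split at the first ': ' only
        fields[key.strip()] = value.strip()
    return fields


def find_shadow_tampering(log_text: str) -> List[Dict[str, str]]:
    """Return one alert per event whose command line tampers with shadow copies."""
    alerts: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        event = parse_event(line)
        cmd = event.get("CommandLine", "")
        match = TAMPER_RE.search(cmd)
        if match:
            alerts.append({
                "user": event.get("User", "?"),
                "action": match.group(1).lower(),
                "command": cmd,
            })
    return alerts


if __name__ == "__main__":
    for alert in find_shadow_tampering(SAMPLE_EVENTS):
        print(f"ALERT {alert['user']}: {alert['action']} -> {alert['command']}")
```

Feeding real process-creation telemetry through the same check gives an early warning that local recovery points are being destroyed, which is exactly when an offline backup becomes the only way back.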

Where Next?

Where is ransomware heading? Will the extortion costs rise? Will the impacts of not paying become more severe?

Almost certainly, yes. Over the next two years, I expect to see some high-profile ransomware that affects a major government operation or global company. In this BBC article, Brian Krebs said:

"It's a fair bet that as ransomware attacks and attackers mature, these schemes will slowly become more targeted.

"I also worry that these more deliberate attackers will take a bit more time to discern how much the data they've encrypted is really worth, and precisely how much the victim might be willing to pay to get it back."

In summary, I urge you to take the simple precautionary step of backing up your data to protect yourself against ransomware. Backups can also help in the event of a computer hardware failure, data corruption or during other operational incidents.

One final thought: You will sleep better knowing you have good system backups, even if you never encounter ransomware.

*A version of this article first appeared in Government Technology.
