Monday, August 8, 2016

If you ever want to see your files again…





One computer in the office has a warning that it is being held ransom, “Provide 500 bitcoins to unlock the system”, is the message emblazoned on the screen. Any computer that requested data from the original would fall prey to the malware, which is now spreading through the office. The IT department had already been notified and the tech is running through the office unplugging data cables trying to isolate the attack.  No, this isn’t a mega corporation. It was a less than 100 employee accounting firm.

An automotive service center with less than 20 employees had a similar experience. The office manager starts the computers for the day and she sees a message that her computer has been locked. Pay up if you want the decryption key. An ordinary Joe is surfing the net when a warning appears on his monitor that all of his photographs have been encrypted. If he wants to have access ever again, he’ll need to pay $1200.

Ransomware has been in the news lately. More than likely you’ve heard the stories of hospitals, police departments, or large corporations having their computers locked and given a price to pay to have them set free. Or the more common terminology, held for ransom.  But cybercriminals are not just targeting institutions or corporations. As security features are improved, the criminals move on to more vulnerable prey. Any size business or any person can fall victim. Yes, the bigger fish will offer a more lucrative payday, but stack enough pennies and eventually you will have a dollar.

Definition and history

Ransomware is a type of malware that infects a computer or network preventing users from accessing the system until a ransom is paid for the decrypt key. There are two kinds. The first is called “locker” which locks the user’s computer. The second and more sophisticated is called a Crytovirus, which targets specific files (Photos, personal, financial), encrypting them until a ransom is paid. Ransom payment is usually requested in the form of the electronic currency Bitcoin. (Bitcoin converts to roughly $575 U.S. dollars) Symantec estimates that over 60% of the malware detected is of the cryptovirus variety and the average ransom paid in the U.S. is $300.

The Symantec white paper, Evolution of Ransomware, August 2015, gives this chronology of ransomware appearances: The first ransomware appeared in 1989, but wasn’t that effective due in large part to the lack of the Internet. Crypto ransomware came on the scene in 2005. As each version was detected and defended against, the writers would learn from mistakes and rewrite the code to make the malware more resistant to computer security features. In 2008, the criminals began secreting the malware in the form of fake antivirus programs. The programs would appear to scan and identify problems and then ask the user for up to $100 to fix the fake problems. In 2011, cybercriminals moved away from the antivirus attacks and began completely disabling the victim’s computers. Criminals then stopped mimicking anti virus problems and jumped to directly locking the computer using a law enforcement warning style of hoax. This was so effective that law enforcement themed ransomware became quite popular between 2012 and 2014.

Like most malware, ransomware is delivered via an attachment to an email. The user clicks on the legitimate looking file and the malicious code is delivered. However, as users became savvier to suspicious emails and clicking on attachments, malware developers have learned to hide their code in websites. Either bogus sites setup for the purpose of delivering malware or within legitimate sites. Once the malware infects a computer it begins encrypting files. If the infected computer is attached to a network the malware spreads as that computer interacts with the network.

On the FBI website, FBI Cyber Division Assistant Director James Trainor writes, “These criminals have evolved over time and now bypass the need for an individual to click on a link. They do this by seeding legitimate websites with malicious code, taking advantage of unpatched software on end-user computers.”

Who is vulnerable?

Institutions, government agencies, big or small business, even personal computers can be targeted or infected. Some attacks are targeted and some are just malware creator’s phishing for victims.  For most small business and individuals it is the latter. Anyone or any business can be victimized. As with identity fraud it is not a matter of if but when. The world is so electronically social that malware gets passed around like a rhinovirus. Eventually, someone close to you will be victimized or you yourself.

Smaller businesses and individuals are more susceptible due to a lack of computer knowledge and access to technical support. They also lack an effective backup system. Files being held ransom or the threat of a fake criminal charge coupled with the lack of technical support make personal computers users more likely to pay.

The FBI, Internet Crime Complaint Center (IC3) reports that while companies and organizations are the primary targets, the IC3 continues to receive reports from individuals. According to reports to the IC3, most individuals are told that their personal/financial information or photos will be publicly released if a bitcoin ransom is not paid within a certain timeframe. Ransom amounts range from $250 to $1,200.

Prevention

For business and individuals alike one of the main defenses is education. Know what the dangers are and be prepared. Businesses need to educate their employees on the tactics of cyber criminals and how to react if they feel they have been victims. After providing education and training, some companies will send their own “suspicious” emails to employees. The emails will look legit enough with the guise of signing up for training or providing personal information for system updates. However, each email will have the telltale signs of phishing that was thoroughly explained to employees. The IT department will monitor how many fall for the trick and how many reported it. Then they will provide further training and education to the employees.

The FBI confirms that ransomware has been around for several years. But there was an increase in 2015 with incidents still on the rise in 2016 due to lack of preparedness and protection. The FBI doesn’t support paying a ransom. Cyber Division Assistant Director James Trainor said, “Paying a ransom doesn’t guarantee an organization that it will get its data back—we’ve seen cases where organizations never got a decryption key after having paid the ransom. Paying a ransom not only emboldens current cyber criminals to target more organizations, it also offers an incentive for other criminals to get involved in this type of illegal activity. And finally, by paying a ransom, an organization might inadvertently be funding other illicit activity associated with criminals.”

What the FBI does recommend is prevention and a business continuity plan. The FBI website offers the below tips for businesses and individuals when dealing with a ransomware threat:

Prevention Efforts
  •  Make sure employees are aware of ransomware and of their critical roles in protecting the organization’s data.
  • Patch operating system, software, and firmware on digital devices (which may be made easier through a centralized patch management system).
  • Ensure antivirus and anti-malware solutions are set to automatically update and conduct regular scans.
  • Manage the use of privileged accounts—no users should be assigned administrative access unless absolutely needed, and only use administrator accounts when necessary.
  • Configure access controls, including file, directory, and network share permissions appropriately. If users only need read specific information, they don’t need write-access to those files or directories.Disable macro scripts from office files transmitted over e-mail. Implement software restriction policies or other controls to prevent programs from executing from common ransomware locations (e.g., temporary folders supporting popular Internet browsers, compression/decompression programs).

Business Continuity Efforts
  • Back up data regularly and verify the integrity of those backups regularly.
  • Secure your backups. Make sure they aren’t connected to the computers and networks they are backing up.

At the very least, educate your employees and have a conversation with whoever manages your computer system. At home, resist the urge to fall for “click bait” and pay attention to where you’re surfing. As for your smartphone? Don’t be lulled into a false sense of security. Your phone is a connected device. Someone, somewhere is figuring out a way to get in.

See our blog archive for other posts relating to security issues: