One computer in the office has a warning that it is being held ransom. “Provide 500 bitcoins to unlock the system” is the message emblazoned on the screen. Any computer that requested data from the original would fall prey to the malware, which is now spreading through the office. The IT department has already been notified, and the tech is running through the office unplugging data cables, trying to isolate the attack. No, this isn’t a mega corporation. It was an accounting firm with fewer than 100 employees.
An automotive service center with fewer than 20 employees had a similar experience. The office manager starts the computers for the day and sees a message that her computer has been locked. Pay up if you want the decryption key. An ordinary Joe is surfing the net when a warning appears on his monitor that all of his photographs have been encrypted. If he wants to have access ever again, he’ll need to pay $1,200.
Ransomware has been in the news lately. More than likely you’ve heard the stories of hospitals, police departments, or large corporations having their computers locked and being given a price to pay to have them set free, or, in the more common terminology, held for ransom. But cybercriminals are not just targeting institutions or corporations. As security features improve, the criminals move on to more vulnerable prey. A business of any size, or any person, can fall victim. Yes, the bigger fish will offer a more lucrative payday, but stack enough pennies and eventually you will have a dollar.
Definition and history
Ransomware is a type of malware that infects a computer or network, preventing users from accessing the system until a ransom is paid for the decryption key. There are two kinds. The first is called a “locker”, which locks the user’s computer. The second and more sophisticated is called a cryptovirus, which targets specific files (photos, personal and financial documents), encrypting them until a ransom is paid. Ransom payment is usually requested in the electronic currency Bitcoin (one bitcoin converts to roughly $575 U.S. dollars). Symantec estimates that over 60% of the malware detected is of the cryptovirus variety and that the average ransom paid in the U.S. is $300.
The Symantec white paper “Evolution of Ransomware” (August 2015) gives this chronology of ransomware appearances. The first ransomware appeared in 1989, but it wasn’t very effective, in large part because the Internet was not yet widespread. Crypto ransomware came on the scene in 2005. As each version was detected and defended against, the writers would learn from their mistakes and rewrite the code to make the malware more resistant to computer security features. In 2008, the criminals began hiding the malware in the form of fake antivirus programs. The programs would appear to scan and identify problems, then ask the user for up to $100 to fix the fake problems. In 2011, cybercriminals moved away from the antivirus ruse and began completely disabling the victim’s computer. Criminals then stopped mimicking antivirus problems and jumped to directly locking the computer with a hoax styled as a law enforcement warning. This was so effective that law-enforcement-themed ransomware became quite popular between 2012 and 2014.
Like most malware, ransomware is typically delivered as an attachment to an email. The user clicks on the legitimate-looking file and the malicious code is delivered. However, as users became savvier about suspicious emails and attachments, malware developers learned to hide their code in websites, either bogus sites set up for the purpose of delivering malware or code planted within legitimate sites. Once the malware infects a computer it begins encrypting files. If the infected computer is attached to a network, the malware spreads as that computer interacts with the network.
On the FBI website, FBI Cyber Division Assistant Director
James Trainor writes, “These criminals have evolved over time and now bypass
the need for an individual to click on a link. They do this by seeding
legitimate websites with malicious code, taking advantage of unpatched software
on end-user computers.”
Who is vulnerable?
Institutions, government agencies, businesses big or small, even personal computers can be targeted or infected. Some attacks are targeted and some are just malware creators phishing for victims. For most small businesses and individuals it is the latter. Anyone or any business can be victimized. As with identity fraud, it is not a matter of if but when. The world is so electronically social that malware gets passed around like a rhinovirus. Eventually, someone close to you, or you yourself, will be victimized.
Smaller businesses and individuals are more susceptible due to a lack of computer knowledge and access to technical support. They also often lack an effective backup system. Files being held ransom, or the threat of a fake criminal charge, coupled with the lack of technical support make personal computer users more likely to pay.
The FBI’s Internet Crime Complaint Center (IC3) reports that while companies and organizations are the primary targets, the IC3 continues to receive reports from individuals. According to reports to the IC3, most individuals are told that their personal/financial information or photos will be publicly released if a bitcoin ransom is not paid within a certain timeframe. Ransom amounts range from $250 to $1,200.
Prevention
For businesses and individuals alike, one of the main defenses is education. Know what the dangers are and be prepared. Businesses need to educate their employees on the tactics of cybercriminals and on how to react if they believe they have been victimized. After providing education and training, some companies will send their own “suspicious” emails to employees. The emails will look legitimate enough, under the guise of signing up for training or providing personal information for system updates. However, each email will carry the telltale signs of phishing that were thoroughly explained to employees. The IT department will monitor how many fall for the trick and how many report it, and then provide further training and education to the employees.
The FBI confirms that ransomware has been around for several years, but there was an increase in 2015, with incidents still on the rise in 2016 due to lack of preparedness and protection. The FBI doesn’t support paying a ransom. Cyber Division Assistant Director James Trainor said, “Paying a
ransom doesn’t guarantee an organization that it will get its data back—we’ve
seen cases where organizations never got a decryption key after having paid the
ransom. Paying a ransom not only emboldens current cyber criminals to target
more organizations, it also offers an incentive for other criminals to get
involved in this type of illegal activity. And finally, by paying a ransom, an
organization might inadvertently be funding other illicit activity associated
with criminals.”
What the FBI does recommend is prevention and a business continuity plan. The FBI website offers the tips below for businesses and individuals dealing with a ransomware threat:
Prevention Efforts
- Make sure employees are aware of ransomware and of their critical roles in protecting the organization’s data.
- Patch operating system, software, and firmware on digital devices (which may be made easier through a centralized patch management system).
- Ensure antivirus and anti-malware solutions are set to automatically update and conduct regular scans.
- Manage the use of privileged accounts—no users should be assigned administrative access unless absolutely needed, and only use administrator accounts when necessary.
- Configure access controls, including file, directory, and network share permissions, appropriately. If users only need to read specific information, they don’t need write access to those files or directories.
- Disable macro scripts from office files transmitted over e-mail.
- Implement software restriction policies or other controls to prevent programs from executing from common ransomware locations (e.g., temporary folders supporting popular Internet browsers, compression/decompression programs).
Business Continuity Efforts
- Back up data regularly and verify the integrity of those backups regularly.
- Secure your backups. Make sure they aren’t connected to the computers and networks they are backing up.
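The two business continuity tips above, backing up regularly and verifying the integrity of those backups, are the controls that decide whether a victim has to consider paying at all. Verification means more than checking that a backup job ran: the backup copy should be compared against a record of what the data looked like before any infection. The script below is an added example written for this article, not FBI or Symantec code. It builds a SHA-256 manifest of a source tree, checks a backup copy against it, and then, in a constructed scenario, shows what the check reports when a backup that was still reachable from an infected machine has had one file encrypted in place and another renamed with a hypothetical `.locked` extension. All file names and contents are constructed sample data.

```python
"""Backup integrity check with a SHA-256 manifest (added example, not from the article)."""
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root, POSIX separators) to its SHA-256."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = sha256_of(p)
    return manifest


def verify_backup(backup_root: Path, manifest: dict) -> dict:
    """Compare a backup tree with a stored manifest.

    missing: files the manifest lists but the backup no longer has (deleted or renamed)
    extra:   files in the backup the manifest never saw (e.g. renamed/encrypted copies)
    changed: files present under the same name whose content no longer matches
    """
    current = build_manifest(backup_root)
    return {
        "missing": sorted(set(manifest) - set(current)),
        "extra": sorted(set(current) - set(manifest)),
        "changed": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
    }


def demo() -> dict:
    """Constructed scenario: a clean backup, then the same backup after tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "source"
        bak = Path(tmp) / "backup"
        (src / "ledger").mkdir(parents=True)
        # Constructed sample data, not real records.
        (src / "ledger" / "q1.csv").write_text("date,amount\n2016-01-05,120.00\n")
        (src / "notes.txt").write_text("constructed sample data\n")
        shutil.copytree(src, bak)

        # The manifest is taken from the source at backup time and stored
        # separately; in practice keep it with the offline copy of the backup.
        manifest_path = Path(tmp) / "manifest.json"
        manifest_path.write_text(json.dumps(build_manifest(src), indent=2))
        stored = json.loads(manifest_path.read_text())

        clean = verify_backup(bak, stored)

        # Simulate a backup that stayed reachable from an infected machine:
        # one file encrypted in place, one overwritten and renamed (hypothetical
        # ".locked" extension). Random bytes stand in for ciphertext.
        (bak / "notes.txt").write_bytes(os.urandom(64))
        victim = bak / "ledger" / "q1.csv"
        victim.write_bytes(os.urandom(64))
        victim.rename(victim.with_name("q1.csv.locked"))

        tampered = verify_backup(bak, stored)
        return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A backup that passes this check against a manifest produced before the incident is one you can restore from; one that reports `changed` or `extra` entries with unfamiliar extensions has been touched after it was made, which is exactly why the FBI tip says backups must not stay connected to the systems they protect.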
At the very least, educate your employees and have a conversation with whoever manages your computer system. At home, resist the urge to fall for “click bait” and pay attention to where you’re surfing. As for your smartphone? Don’t be lulled into a false sense of security. Your phone is a connected device, and someone, somewhere, is figuring out a way to get in.