Ever get the sinking feeling that something has just gone horribly wrong? An innocuous pop-up screen informs you that all your precious data is now "protected." Upon inspection, every one of your files has a new extension, such as '.mp3', and none of them will open. It's likely that you've become the latest victim of ransomware and now have a new "business partner" holding your data hostage for a ransom.
That's right, the criminals want to sell you back your own data, the data you worked so hard to create. They're even so kind as to let you decrypt a couple of files for free to prove they are trustworthy new "partners." The question you should be asking is whether you have implemented proper security controls to protect yourself, or whether you will be paying a ransom to your new "partner" to retrieve that data.
This type of attack has been around for years, but it has become far more prevalent with the proliferation of hard-to-trace payment channels like Bitcoin. New variants of CryptoLocker, Locky, TeslaCrypt, and other ransomware families are getting tougher to detect: they routinely slip past traditional antivirus and spam/web filters, and many variants defeat antivirus even when the signature files are current.
Put simply, these criminals no longer need to be sophisticated. There are ransomware-as-a-service (RaaS) sites where one can build a package and deploy it with a few clicks. The RaaS operator tests the package against the major AV vendors' products and guarantees the code will bypass detection. They also manage the encryption-key storage and the ransom-payment processing (taking a cut for themselves, of course).
Often it is only the user's local documents and folders that are encrypted. But if the machine is on a corporate network and the logged-in user has write access to large shared drives or folders, every file on those shares is at risk as well: the malware encrypts whatever the compromised account can write to. Loosely permissioned file shares, which are the norm in many organizations, give a single infected workstation the opportunity to compromise many critical business files.
Most infections arrive via drive-by "malvertising" or phishing campaigns. In the malvertising case, the criminals place malicious ads on commonly visited websites; the mere act of landing on a page that loads such an ad can compromise the visitor's computer, with no click required. The exploit kit behind the ad takes advantage of vulnerabilities in Java, Adobe Flash, or other common applications to gain a foothold on the system, then drops a small loader that downloads the ransomware payload and starts the encryption process.
Even the FBI has said that if your data is not recoverable from a backup, paying the ransom may be the only way to get it back, although they do not encourage it. Many organizations have had to do just that, to the tune of thousands to tens of thousands of dollars. Rest assured that ransomware activity will continue to rise and become even more aggressive.
The time is NOW to be prepared for this, and there are a number of steps you can take such as:
- Most importantly, ensure you have good and regular backups, kept offline or otherwise not writable from ordinary user accounts, since anything the infected machine can write to can be encrypted right along with the originals;
- Regularly patch, or remove where possible, Java and Adobe Flash from your systems;
- Patch your operating systems on a regular (at least monthly) basis;
- Review and limit user access to shared folders, making sure only the users who need access have it, and only with the rights they actually need; and
- Lastly, did I mention to have good and regular backups?
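The share-permission review in the list above is the step most organizations skip, so here is a concrete way to do it. The following PowerShell script is an added example written for this post, not something from the original article or from any vendor: run as an administrator on a Windows file server, it walks every non-administrative SMB share and flags share-level and NTFS permissions that give write-capable rights to catch-all groups (Everyone, Authenticated Users, Domain Users, Users). Any share it reports is one that a single infected workstation could encrypt wholesale. The list of catch-all group names is an assumption; add any broad groups your own domain uses.

```powershell
# Added example (not from the original post): audit SMB shares for broad write
# access, the condition that lets ransomware on one PC encrypt everyone's files.
# Requires the SmbShare module (Windows 8 / Server 2012 and later) and admin rights.

# Assumption: these principals effectively mean "every user". Extend as needed.
$BroadPrincipals = @('Everyone', 'Authenticated Users', 'Domain Users', 'Users')

function Test-BroadPrincipal {
    param([string]$Account)
    foreach ($p in $BroadPrincipals) {
        # Match both bare names and DOMAIN\name or BUILTIN\name forms.
        if ($Account -eq $p -or $Account -like "*\$p") { return $true }
    }
    return $false
}

function Get-BroadlyWritableShare {
    $findings = @()
    # Skip the built-in administrative shares (C$, ADMIN$, IPC$ ...).
    foreach ($share in Get-SmbShare | Where-Object { -not $_.Special }) {

        # Share-level ACL: 'Change' or 'Full' for a catch-all group is a red flag.
        foreach ($ace in Get-SmbShareAccess -Name $share.Name) {
            $right = $ace.AccessRight.ToString()
            if ($ace.AccessControlType -eq 'Allow' -and
                $right -in @('Change', 'Full') -and
                (Test-BroadPrincipal $ace.AccountName)) {
                $findings += [pscustomobject]@{
                    Share = $share.Name; Path = $share.Path; Layer = 'Share'
                    Principal = $ace.AccountName; Rights = $right
                }
            }
        }

        # NTFS ACL on the share root: Modify/FullControl/any Write right for a
        # catch-all group means its members can overwrite or replace files.
        try {
            $acl = Get-Acl -Path $share.Path -ErrorAction Stop
        } catch {
            Write-Warning "Cannot read NTFS ACL on $($share.Path): $_"
            continue
        }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            # Generic inherit-only rights appear as bare numbers and are skipped here.
            $rights = $ace.FileSystemRights.ToString()
            if ($rights -match 'FullControl|Modify|Write' -and
                (Test-BroadPrincipal $ace.IdentityReference.Value)) {
                $findings += [pscustomobject]@{
                    Share = $share.Name; Path = $share.Path; Layer = 'NTFS'
                    Principal = $ace.IdentityReference.Value; Rights = $rights
                }
            }
        }
    }
    return $findings
}

$results = Get-BroadlyWritableShare
if ($results) {
    $results | Sort-Object Share, Layer | Format-Table -AutoSize
} else {
    Write-Output 'No shares grant write access to catch-all groups.'
}
```

Effective access is the intersection of the share ACL and the NTFS ACL, so a hit in only one layer is not yet a problem, but it is one misconfiguration away from becoming one. For each share that shows up, replace the catch-all entry with a purpose-built group containing only the people who must write there, and give everyone else read-only.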
We will continue to look at this issue in more detail and investigate the reasons why ransomware will become THE Information Security event of 2016 in an upcoming blog post.
Be careful, it is a dangerous world out there!
If you have any questions regarding the ransomware or any other data security issues, please contact us at firstname.lastname@example.org.
David Greenwell is the Manager of CISO Services and delivers on managed security services and client remediation consulting. David has managed, consulted, designed, and implemented networks for businesses of all sizes and for government/military agencies. He focuses on network architecture, data center operations, and security solutions. He is a 37-year veteran of InfoTech and is a founding member of CompliancePoint.