Ransomware - is it just a matter of time before you are a victim?
Ransomware is a form of malicious software (malware) that disrupts the operation of IT systems at various levels, with a ransom demanded in order to return the systems to their original state.
The disruption can take different forms, but typically involves encrypting live files and folders and locking systems. There are over 50 known ransomware variants, the best known being CryptoLocker and Locky.
The malware is normally delivered by email as an infected attachment. The attachments are continuously adapted, so detection by software defences is not 100% reliable. Once opened, the attachment can infect the host PC, and then other machines, very quickly. CryptoLocker seeks to encrypt files wherever it can find them, including any online systems currently connected. In addition, shadow copy services can be stopped and their copies deleted, and other networked backups encrypted as well. The impact can be significant, ranging from total loss of data to disruption of a few files for a short period of time. The malware is indiscriminate and will encrypt files from households to global businesses if given the chance.
New files are introduced to the file system providing instructions on how to decrypt the files, normally by paying a ransom of as little as £200; if the attack was premeditated using spear-phishing, the ransom may be considerably higher. Paying the ransom is not recommended, as this only serves to perpetuate the problem, but if there is no other option it becomes a commercial rather than an ethical decision. Generally the ransom does release the files, in that the decryption key is provided; however, it is not unknown for the key not to be provided. In some instances the perpetrator has lost the details, or the ransomware is so poorly written that the decryption does not work at all.
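The behaviour described above (a burst of live files rewritten under a new extension, a "how to decrypt" note dropped into the folder, and shadow copies being removed) is what a defender can look for in file-system and process telemetry. The following is an added example, not code from the original article: a small heuristic detector run over constructed event lines. The log format, the file names, the extension list, the note-name pattern and the burst thresholds are all assumptions chosen for the demonstration.

```python
"""Heuristic detection of ransomware-like activity in file and process events.

Added example, not from the original article. The log lines below are
constructed to resemble the behaviour the article describes: many live files
renamed to a new extension within seconds, a decryption-instruction file
created alongside them, and the shadow copies being deleted. Every name,
threshold and pattern here is an assumption for the demonstration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Assumption: extensions that are normal in this environment.
KNOWN_EXTENSIONS = {".docx", ".xlsx", ".pdf", ".txt", ".jpg", ".png", ".csv"}
# Assumption: ransom notes are new files whose names promise decryption/recovery.
NOTE_NAME_RE = re.compile(r"decrypt|recover|ransom", re.IGNORECASE)
# Shadow copy tampering: the VSS service stopped, or existing copies deleted.
SHADOW_RE = re.compile(r"vssadmin.*delete\s+shadows|net\s+stop\s+vss", re.IGNORECASE)
# Assumed thresholds: this many renames to one unknown extension inside the
# window is treated as a burst.
BURST_WINDOW = timedelta(seconds=60)
BURST_THRESHOLD = 5

# Constructed sample telemetry: "timestamp|kind|detail" (kind: rename/create/process).
SAMPLE_LOG = """\
2024-03-01T09:58:07|rename|C:\\Users\\alice\\Documents\\budget.xlsx -> C:\\Users\\alice\\Documents\\budget.xlsx.locked
2024-03-01T09:58:09|rename|C:\\Users\\alice\\Documents\\report.docx -> C:\\Users\\alice\\Documents\\report.docx.locked
2024-03-01T09:58:10|rename|C:\\Users\\alice\\Documents\\plan.pdf -> C:\\Users\\alice\\Documents\\plan.pdf.locked
2024-03-01T09:58:11|rename|S:\\Shared\\finance\\q1.csv -> S:\\Shared\\finance\\q1.csv.locked
2024-03-01T09:58:13|rename|S:\\Shared\\finance\\q2.csv -> S:\\Shared\\finance\\q2.csv.locked
2024-03-01T09:58:15|rename|S:\\Shared\\photos\\team.jpg -> S:\\Shared\\photos\\team.jpg.locked
2024-03-01T09:58:20|create|C:\\Users\\alice\\Documents\\HOW_TO_DECRYPT_FILES.txt
2024-03-01T09:58:31|process|vssadmin.exe delete shadows /all /quiet
2024-03-01T10:15:00|rename|C:\\Users\\alice\\Documents\\draft.txt -> C:\\Users\\alice\\Documents\\final.txt
2024-03-01T10:16:00|create|C:\\Users\\alice\\Documents\\meeting-notes.txt
"""


def parse_log(text: str) -> List[Dict[str, object]]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, detail = line.split("|", 2)
        events.append({"ts": datetime.fromisoformat(ts), "kind": kind, "detail": detail})
    return events


def file_name(path: str) -> str:
    """Last path component, accepting either separator."""
    return re.split(r"[\\/]", path)[-1]


def extension(path: str) -> str:
    """Final suffix, so 'report.docx.locked' yields '.locked'."""
    name = file_name(path)
    return name[name.rfind("."):].lower() if "." in name else ""


def find_rename_bursts(events) -> List[Tuple[datetime, str, int]]:
    """(window start, extension, count) for bursts of renames to unknown extensions."""
    by_ext = defaultdict(list)
    for ev in events:
        if ev["kind"] != "rename" or " -> " not in ev["detail"]:
            continue
        _src, dst = ev["detail"].split(" -> ", 1)
        ext = extension(dst)
        if ext and ext not in KNOWN_EXTENSIONS:
            by_ext[ext].append(ev["ts"])
    bursts = []
    for ext, stamps in by_ext.items():
        stamps.sort()
        for i, start in enumerate(stamps):
            count = sum(1 for ts in stamps[i:] if ts - start <= BURST_WINDOW)
            if count >= BURST_THRESHOLD:
                bursts.append((start, ext, count))
                break  # one report per extension is enough to raise an alert
    return bursts


def find_ransom_notes(events) -> List[str]:
    return [ev["detail"] for ev in events
            if ev["kind"] == "create" and NOTE_NAME_RE.search(file_name(ev["detail"]))]


def find_shadow_copy_tampering(events) -> List[str]:
    return [ev["detail"] for ev in events
            if ev["kind"] == "process" and SHADOW_RE.search(ev["detail"])]


def assess(text: str) -> Dict[str, object]:
    """Combine the indicators; alert only when at least two independent ones
    fire, so a single odd rename or stray file does not page anyone."""
    events = parse_log(text)
    findings = {
        "rename_bursts": find_rename_bursts(events),
        "ransom_notes": find_ransom_notes(events),
        "shadow_copy_tampering": find_shadow_copy_tampering(events),
    }
    findings["indicator_count"] = sum(1 for v in findings.values() if v)
    findings["alert"] = findings["indicator_count"] >= 2
    return findings


if __name__ == "__main__":
    for key, value in assess(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Requiring two independent indicators before alerting is the design choice worth copying: the rename burst on its own also matches a legitimate bulk conversion, and a file called "recovery.txt" on its own is harmless, but the combination is what the article's description of an infection looks like from the file system's point of view.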
The ability of anti-malware applications to decrypt files is improving, especially as flaws in the malware used are discovered.
In the majority of cases the attack can be prevented, although zero-day attacks can be more difficult to defend against. There are a number of steps that can be taken to improve the systems' protection, as follows:
- Develop a robust backup process which includes an offline copy, with copies retained over days, weeks and even months if required.
- Test that backups actually work by undertaking test restores.
- Ensure that anti-malware software and operating systems are always up to date.
- Set email systems to require a scan of attachments on opening.
- Remove admin rights from all users so that software installation must be authorised; this applies to malware installation as well.
- Disable macros on opening documents unless the source is registered as a trusted source.
- An ideal approach is to 'whitelist' applications and libraries, preventing any other unauthorised code or application from running.
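The first two steps (an offline backup copy, and proving it by a test restore) are the ones that decide whether a ransom is ever a question, and a test restore is only meaningful if what comes back is compared with what went in. The following is an added example, not the article's own procedure or any product's code: it backs up a constructed source tree, records a SHA-256 manifest at backup time, restores the archive into a scratch directory and checks every file against the manifest, and then shows that a damaged copy of the archive is caught the same way. The file names, the archive format and the deliberate truncation are assumptions for the demonstration.

```python
"""Test-restore verification for a backup set.

Added example, not from the original article. A small backup of a constructed
source tree is written as a gzip tar together with a SHA-256 manifest; the
backup is then proven usable by restoring it to a scratch directory and
comparing every restored file's hash with the manifest. A deliberately
truncated copy of the archive stands in for a backup damaged in storage.
"""
import hashlib
import json
import tarfile
import tempfile
import zlib
from pathlib import Path
from typing import Dict, List, Tuple


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map each file's path (relative to root, POSIX style) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(source: Path, archive: Path) -> Dict[str, str]:
    """Write the source tree as a gzip tar and return the manifest taken at backup time."""
    manifest = build_manifest(source)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")
    # The manifest is kept beside the archive (and should travel offline with
    # it) so a later restore can be checked against what was actually backed up.
    archive.with_name(archive.name + ".manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_restore(archive: Path, manifest: Dict[str, str]) -> Tuple[bool, List[str]]:
    """Restore into a scratch directory and compare the result with the manifest."""
    problems: List[str] = []
    with tempfile.TemporaryDirectory() as scratch:
        target = Path(scratch)
        try:
            with tarfile.open(archive, "r:gz") as tar:
                try:
                    tar.extractall(target, filter="data")  # refuses paths outside target (Python >= 3.12)
                except TypeError:
                    tar.extractall(target)  # older interpreters lack the filter argument
        except (tarfile.TarError, OSError, EOFError, zlib.error) as exc:
            return False, [f"archive unreadable: {exc}"]
        restored = build_manifest(target)
        for rel, digest in manifest.items():
            if rel not in restored:
                problems.append(f"missing after restore: {rel}")
            elif restored[rel] != digest:
                problems.append(f"hash mismatch: {rel}")
        for rel in restored.keys() - manifest.keys():
            problems.append(f"unexpected file in backup: {rel}")
    return not problems, problems


def run_demo() -> Dict[str, object]:
    """Back up a constructed tree, verify it, then verify a damaged copy of it."""
    with tempfile.TemporaryDirectory() as work_dir:
        work = Path(work_dir)
        source = work / "source"
        (source / "finance").mkdir(parents=True)
        (source / "finance" / "budget.csv").write_text("q1,1200\nq2,1350\n")  # constructed data
        (source / "notes.txt").write_text("constructed sample data\n")          # constructed data
        archive = work / "backup-2024-03-01.tar.gz"
        manifest = create_backup(source, archive)

        good_ok, good_problems = verify_restore(archive, manifest)

        # Simulate a backup silently damaged in storage: keep only the first
        # 40 bytes of the archive (a constructed failure, not a real case).
        damaged = work / "backup-damaged.tar.gz"
        damaged.write_bytes(archive.read_bytes()[:40])
        bad_ok, bad_problems = verify_restore(damaged, manifest)

    return {
        "good_restore_ok": good_ok,
        "good_problems": good_problems,
        "damaged_restore_ok": bad_ok,
        "damaged_problems": bad_problems,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Two choices here carry over to a real backup process: the manifest is produced from the live data at backup time and stored with the offline copy, so the check does not trust the archive to describe itself; and the restore goes to a scratch location that is thrown away, so a routine test never touches production files.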
There are two further key points to consider: i) create a business-wide security culture by educating users on the dangers of cyber threats, and maintain it with regular updates and training; and ii) develop a response plan so that the business knows how to respond to such an attack.