Ransomware: The smart person's guide

In the past, security threats often involved scraping information from systems that could be used for other crimes such as identity theft. Now, criminal organizations have proceeded to directly demanding money from victims by holding their devices—and data—hostage. This trend of ransomware, in which data is encrypted and victims are prompted to pay for the key, has been growing rapidly since late 2013.

TechRepublic's smart person's guide about ransomware is a quick introduction to this security threat, as well as a "living" guide that will be updated periodically as new exploits and defenses are developed.

SEE: Check out all of TechRepublic's smart person's guides

Executive summary

What is it? Ransomware is malware. The hackers demand payment, often via Bitcoin or prepaid credit card, from victims in order to regain access to an infected device and the data stored on it.
Why does it matter? Because of the ease of deploying ransomware, criminal organizations are increasingly relying on such attacks to generate profits.
Who does this affect? While home users have traditionally been the targets, healthcare and the public sector have been targeted with increasing frequency. Enterprises are more likely to have deep pockets from which to extract a ransom.
When is this happening? Ransomware has been an active and ongoing threat since September 2013.
How do I protect myself from a ransomware attack? A variety of tools developed in collaboration with law enforcement and security firms are available to decrypt your computer.

SEE: Cybersecurity ebook: The ransomware battle (Tech Pro Research)

What is ransomware?

More about IT Security

Governments and nation states are now officially training for cyberwarfare: An inside look

Europe, Canada, USA, Australia, and others are now running training exercises to prepare for the outbreak of cyberwar. Locked Shields is the largest simulation and we take you inside.

Ransomware is a subclass of malware that is characterized by holding device control—and therefore locally stored data—for a ransom, which is typically paid using virtual currencies such as Bitcoin, though often premium SMS messaging and prepaid credit cards are alternative options. Sophisticated ransomware attacks employ disk or file-level encryption, making it impossible to recover files without paying the ransom demanded by the hackers.

Historically, ransomware has invoked law enforcement to coerce victims into paying—displaying warnings such as the FBI logo and a message indicating that illegal file sharing has been detected. More recently, the authors of ransomware payloads clearly indicate that a device has simply been hacked.

Ransomware payloads are typically distributed on file-sharing networks, but have also been distributed as part of a malvertising campaign on the Zedo ad network, as well as through phishing emails that disguise the payload as maliciously crafted images or as executables attached to emails.

Additional resources:

Infographic: The 5 phases of a ransomware attack (TechRepublic)
Easy to carry out, difficult to fight against: Why ransomware is booming in 2016 (ZDNet)
New ransomware skips files, encrypts your whole hard drive (ZDNet)
Infographic and interview: The explosion of cybercrime and how to protect your business (TechRepublic)

Why does ransomware matter?

For criminal organizations, the use of ransomware provides a very straight line from development to profit, as the comparatively manual labor of identity theft requires more resources. As such, the burgeoning growth of ransomware can be attributed to the ease of deployment, and a high rate of return relative to the amount of effort put forth.

For IT professionals, the risk of ransomware extends beyond desktops and notebook workstations, but has historically included smartphones and other connected computing devices, such as Synology NAS products and Android TV devices. While home users were traditionally the targets of ransomware, business networks have been increasingly targeted by criminals. Additionally, servers have become high-profile targets for ransomware attackers, as unpatched software makes systems vulnerable.

Additional resources:

Skyrocketing Android ransomware has quadrupled over past year, says new report (TechRepublic)
Ransomware is now the biggest cybersecurity threat (ZDNet)
Throwing money at the problem? Security tech spending reaches $82bn a year (ZDNet)
CEOs' pay should be slashed if firms fail to protect against online attacks (ZDNet)
Create a security culture framework to protect against threats (Tech Pro Research)

Who does ransomware affect?

In particular, healthcare service providers have been explicitly targeted in recent ransomware attacks, as well as public sector employees. Less sophisticated ransomware attacks purport to be able to restore your files after payment, though in reality the files are deleted whether users pay or not.

Ransomware attacks are generally quite successful for criminal organizations, as victims often pay the ransom. Specifically targeted attacks may result in increasingly higher ransom demands, as attackers become more brazen in their attempts to extort money from victims.

Additional resources:

Ransomware rises to strike almost 40 percent of enterprise companies (ZDNet)
A troubling trajectory of malware and ransomware targeting OS X and iOS (TechRepublic)
Businesses beware: the 'industrial internet of things' is a prime target for cyberattacks (TechRepublic)
Cybersecurity spotlight: The critical labor shortage (Tech Pro Research)

When is ransomware happening?

While the first rudimentary ransomware attack dates back to 1989, the first widespread encrypting ransomware attack was CryptoLocker, which was deployed in September 2013. Originally, victims of CryptoLocker were held to a strict deadline to recover their files, though the authors later created a web service that can decrypt systems for which the deadline has passed at the hefty price of 10 BTC (at the time of publication, the USD equivalent of 10 Bitcoin, or BTC, is approximately $5,787).

While the original CryptoLocker authors are thought to have made about $3 million USD, imitators using the CryptoLocker name have appeared with increasing frequency. The FBI's Internet Crime Complaint Center estimates that between April 2014 and June 2015, victims of ransomware paid over $18 million USD to restore access to their devices.

Additional resources:

Ransomware's next target: Anything's that connected (CBS News)
Wildfire ransomware code cracked: Victims can now unlock encrypted files for free (ZDNet)
Ransomware 2.0 is around the corner and it's a massive threat to the enterprise (TechRepublic)
Ransomware-as-a-service allows wannabe hackers to cash-in on cyber extortion (ZDNet)
Ransomware-as-a-service is exploding: Be ready to pay (TechRepublic)
TeslaCrypt no more: Ransomware master decryption key released (ZDNet)
Why antivirus programs have become the problem, not the solution (TechRepublic)

How do I protect myself from a ransomware attack?

Ransomware is often spread in file-sharing networks or on websites that purport to provide direct downloads. Other traditional attack vectors have also been used, such as email attachments or malicious links. There are ways to protect against a potential infection. For enterprise workstation deployments, using Group Policy to prevent executing unknown programs is an effective security measure for ransomware and other types of malware.

For those who have been infected, the No More Ransom project—a collaboration between Europol, the Dutch National Police, Kaspersky Lab, and Intel Security—provides decryption tools for many widespread ransomware types.

Additional resources:

Kaspersky Lab offers free anti-ransomware tool for Windows (ZDNet)
This initiative wants to help ransomware victims decrypt their files for free (ZDNet)
Ransomware customer service: Negotiation is always on the table (ZDNet)
Ransomware: To pay or not to pay (TechRepublic)
How to avoid ransomware attacks: 10 tips (TechRepublic)
How to mitigate ransomware, DDoS attacks, and other cyber extortion threats (TechRepublic)
4 ways to reduce your chances of getting caught by malvertising (TechRepublic)
Video: Ransomware — How to defend yourself against it (CNET)

About James Sanders

James Sanders is a Java programmer specializing in software as a service and thin client design, and virtualizing legacy programs for modern hardware.

11 comments

32 people following

Newest | Oldest | Top Comments

jos Aug 31, 2016

To prevent, don't use Windows on the internet. I even use BSD when I don't trust things, but for the rest Linux!

Wishful One Aug 29, 2016

Have they ever caught the CryptoLocker authors? If so, when were they executed? That is the only way to deter this type of crime. It's time to figure out how to track these animals down.

mikef12 Aug 30, 2016

@Wishful One True enough. Since they are not often caught, killing computer criminals is the only possible deterrence.

edguy99 Aug 29, 2016

I found this article not helpful at all if providing useful ideas to prevent an infection. Furthermore, for those interested, the statement "For those who have been infected, the No More Ransom project .. provides decryption tools for many widespread ransomware types." is not true, you need the decryption key, so pay up or lose the computer.

This is an important topic and another more illuminating article concentrating on what needs to be done from a law enforcement angle to stop these types of attacts would be well worth it.

aw63 Aug 29, 2016

My solution is old school. Have all your data off-PC on HDDs that are NEVER connected to the internet. Make a copy of data you need when connected on another HDD and use that. You still run the risk of losing what you are working on but that is a lot less of a problem that having all your data compromised. Never connect your master HDD to the PC without first checking for malware. It is a bit tedious to do but seems to work.

TG2 Aug 29, 2016

@aw63 tedious and plainly wrong. A very false sense of security. All the ransomware people need to do, is hold off on triggering a few hours to a few days, and your zero day exploit, already exploited computer has then been making corrupted / infected backups.

You're taking the stance that the malware/ransomware writer isn't going to move on to killing your backups so that it makes it even harder for you to recover without payment. Or that once infected they instantly trigger their request. No, the true ransomware would lay in wait. Tiggered on some BS day or after they've got sufficient detail on who you or your company are so they can set their ransom demand appropriately.

What bothers me about this article is in the first block .. "holding device control—and therefore locally stored data—for a ransom". **ANY** data that is connected via share to that PC, be it an office file share, or previous versions of windows' $Admin shares are targets and therefore have potential to be owned.

You have to think like them, to realize the full extent of what they want to do, and what they WOULD do if they could. And the "if they could" is just a matter of time for a script kiddie ransomware attacker. Remember they aren't necessarily writing these things themselves, and someone skilled at combining payloads will try to get maximum coverage for maximum ransom request.

knuthf Aug 30, 2016

@TG2 @aw63 You are correct - but what about Mint or Ubuntu on a USB. If he is silly to run Windows he is stuck with the inherent insecurity of this OS, but I wonder if not Clam Av would find it. This is a clean OS, as the PC that is never connected, that you boot on the infected PC and then scan for malware. You can fix a modified disk, so this becomes bootable again with a new MBR and UEFI. NTFS is just another file system.

The article mentions Android and iOS and forget that these are Linux and Unix BSD. So only temporary files can be written from an Internet tool, and it is just to delete the browser cache after reboot - the /tmp will be wiped out on reboot. Should it be hiding in the cache, ClamAV will find it, unless it has been deleted when the browser cache was deleted. Any other place to store the files will require the user to give the admin password. All the malware that exists as "executable" images that can run, cannot run on Android and iOS. It just cannot be executed. But Flash can contain script even jpg can contain scrips now - and Java. But "/bin/bash $CACHE/Malware.jpg" will not even cause a fart. Let a tool like ClamAv find it, and take a look at the file as simple ASCI text - and see who the malware should report to. Report them to their ISP or registrar and get them denied access to the net much faster than a court that fines then and put them back on the street when the fine has been paid.

DAS01 Aug 30, 2016

@TG2 You have touched on a question I have been wondering about for a while, namely the effect on backups. I run daily backups (using the pro software of a managed service) which allows the restoration of previous backups.

The backups go to a remote server and to a local external HDD.

My question is, if I have run a backup after a ransomware attack, would the entire backup be 'screwed' (to use a technical term) or could I just restore from Attack Day -1?

And what if notice the attack and do not run a backup?

(Maybe these are naive questions but I have worried about this issue.)

JCitizen Aug 30, 2016

@DAS01 @TG2 Ransom-ware is capable of attacking backups, on networks and even cloud based files. The only way I've heard of, is to buy a cloud based backup company that claims to thwart such attacks like Carbonite - however I don't think they claim no infected file won't return with the restoration.

Probably the best defense it to go to bleepingcomputer and read their latest mitigations for this subject. They use to have system hacks that could prevent a successful attack in the first place. I haven't been there to read it in a while, as MBAM has been claiming they can stop any such attack before it can take over the system. Crypto-prevent was one of the earliest mitigations, and it used to be free at bleepingcomputer.

Seems to me there should easily be a way to simply block any user but the head administrator from doing encryption at all - but I'm not really knowledgeable enough to know what if any GP edits would do that.

If your Windows operating system has an app whitelist like that provided in Parental Controls, I'd think that would easily block any stage of modification by such attacks.

sarulon Aug 29, 2016

Hi,

I didn't find any guidance here how to prevent infection of ransomware, only basic description about ransomware and link to no more Ransome project, but you didn't mention that the project is useless against cerber-ransomware-operation

knuthf Aug 30, 2016

@sarulon 1. Get rid of Windows. 2. if you cannot, prepare a USB stick with Linux Mint or Ubuntu. You can boot from this. Then install utilities for scanning a disk for viruses - such as ClamAV. There are also tools to fix the boot block: MBR and EFI settings so these can be restored. Use a file viewing tool to see where the ransomware reported, and now you know who to ask to be denied access to the net - send it all to their REGISTRAR - see "Whois" - and "Traceroute" as evidence that the malware was aimed to them.

Most of this cannot happen on iOS or Android unless some serious mucking has been done and security violated by the user. But Kasperski needs somewhere to send their invoices: They don´t have a clue the same with all those that keep Windows as their prime market. ClamAV was made for Linux and is used by most Internet servers and comes in a paid version for Mac.