10 Points Plan against Ransomware
You have heard about Cryptolocker Infection over the news? In this article you can learn more about this type of malware and receive tips and suggestions on how to protect your company against Ransomware. Reading time 5 minutes.
What is Ransomware?
Over the past few years, we have witnessed the trend of private users being blackmailed by hackers. More recently, companies experienced the spread of various ransomware Trojans such as CryptoLocker.
This family of software is designed to encrypt data and files by creating a private-public key pair. The data is nearly impossible to decrypt without knowing the private key that is – best case – stored on the attacker’s server until the ransom is paid.
In many cases however, the ransom has been paid and the attackers still do not hand over the key to the victims, who are left without their money and files.
Advances in encryption technology and the simplicity of hiding one’s identities have led to a widespread use.
There are “providers” offering criminals “Ransomware as a Service”. Extortionists use these services anonymously via the “darknet” without their own technical expertise to blackmail companies or to harm them.
The rise and fall of Cryptolocker
The current wave of ransomware threats began at the end of 2013 with what is arguably the best known ransomware family – CryptoLocker. In May 2014, the CryptoLocker Trojan horse was eliminated due to a joint operation by enforcement and security authorities. This was achieved mainly thanks to levering out the GameOver Zeus network, which was one of the most important distribution channels.
Although the original CryptoLocker Trojan has been eliminated, we still see imitations of it. At the same time, many other families of ransomware have appeared. The most productive ones are CTBLocker, CryptoWall, TorrentLocker, and recently also TeslaCrypt. Irrespective of their various names, they share the same objective: extort money from their victims in return for the supposed decryption of their data and files.
Why is Ransomware such a severe danger?
These attackers pose a considerable threat for several reasons:
- They use cunning techniques to bypass security software. This often leads to the creation of Zero-Day Malware. This means that the Trojan horse is unknown to security experts and cannot be identified as a risk by security software.
- Security experts observe that encrypted data is sometimes non-recoverable. However, many victims report that decryption is not performed, even if the ransom has been paid. It is therefore not recommended to meet the hacker’s demands.
- Hackers are largely unknown to security authorities through the use of the Tor network and virtual currencies such as Bitcoin.
- The attacks are mostly targeted at users in more prosperous countries – by 2015, 50% of all CTBLocker attacks targeted the US and 35% Europe.
- At the end of 2014, a new family of ransomware particularly for companies was released, the SynoLocker. The SynoLocker is designed to encrypt mass storage and network attached storage (NAS). This tendency to target “big fish” is already apparent and advances rapidly.
What we will see in the future?
The use of ransomware is on the rise. In the first quarter of 2015, we observed an increase of 165%. McAfee Labs researchers identified more than 4 million copies of ransomware in Q2 of the same year, of which 1.2 million were new. A recent report from SonicWall identified over 638 million ransomware attacks in 2016 – an overwhelming increase over previous years.
The big fish
Attackers choose their victims with deliberation. The current focus is on companies from transport & logistics, the financial and public sector, as well as pharmaceuticals and healthcare.
10 points checklist
|Latest anti-virus and security software
|Patching servers, closing vulnerabilities
|User Awareness Training for Trojan horse & phishing emails
|Business Impact Analysis for IT Services
|Assessing known risks, planning measures to close security gaps
|Backup by replication with Zerto (real disaster recovery)
|Definition of server groups that form an IT service together
|Creating a documentation / emergency manual
|Recovery and failover tests
|Practice, practice, practice
How can we protect ourselves from attacks?
As cybercriminals use increasingly intelligent methods for their attacks, the necessity to protect oneself is growing.
The starting point is always a suitable up-to-date anti-virus and security software. Because of Zero-Day Malware this does not necessarily guarantee protection, but protection is not possible without it.
User education is an important issue as well, as many Trojans gain initial access to systems through links in (often official looking) phishing emails. Nevertheless, people make mistakes so that additional protective layers are required.
Server patches protect IT against known security vulnerabilities. Companies not doing patches open their gates to attackers.
Backing up your data is crucial. But a backup is not an end in itself. The goal of a backup is to restore contaminated or lost data. Actually, even more – after an attack IT services have regain availability quickly. However, often the interval between backups is so lengthy that when systems become infected, data of several months is lost.
Reduction of hazard
Still we have to accept that prevention is not always possible and therefore we must try to reduce the threat as far as possible.
Suppose you are he unfortunate victim of a ransomware attack. Your files are locked, you’re breaking a sweat… Your last backup could be from last night, last week or maybe last month? How much data is at stake, is lost? How much does this cost? How will the public perceive your inability to counteract this threat? What happens if all your publicly available services are offline while you try to fix the problem? How much time will it take to put them back into operation?