The internet is fraught with peril these days, but nothing strikes more fear into the hearts of users and IT security pros than the prospect of ransomware. Here, then, is a comprehensive look at ransomware, both how to prevent it and what to do if you become one of its unfortunate victims.
What is ransomware?
The ransomware concept is relatively simple: Malware is installed covertly on a system, after which it executes a cryptovirology attack that silently encrypts valuable files on the system. It may also spread around a corporate network, infecting servers and other endpoints that it finds. It then demands that a ransom be paid promptly, usually in Bitcoins, to access the key needed to decrypt the files. Often the ransom price goes up after an initial period (usually 72 hours), and there is no guarantee that the key will be supplied if the ransom is paid.
Ransomware frequently also contains data-extraction capabilities that can steal critical information such as user names and passwords, so stopping ransomware is serious business.
You'll know you've become a ransomware victim if your desktop has been taken over by a message like this:
"!!! IMPORTANT INFORMATION !!! All of your files are encrypted with RSA-2048 and AES-128 ciphers."
Ransomware has been growing at an exponential rate. A Malwarebytes-Osterman Research survey of the U.S., UK, Canada and Germany last August found that ransomware had hit nearly 40% of organizations in the previous year – and more than 40% of those victims paid the ransom.
That report also found that:
- 46% of attacks originated from email
- Healthcare and financial services were the industries hit most often by ransomware
- 63% of affected organizations lost more than a day of downtime fixing endpoints
- 3.5% of organizations said lives were at stake because of the attack
- U.S. organizations were the most attacked, with 80% suffering a cyber attack in the last year and more than half hit by ransomware
- Canadian organizations paid the most often (75% of the time) and the most money (65% of ransom payments were between $1,000 and $50,000); 82% of those that didn't pay lost files.
Instances of ransomware in exploit kits grew 259% in the five months before the report, Osterman found. One reason for this rise is that ransomware attacks are proving lucrative for criminals. In 2015, just $24 million was paid in ransom to unlock files, while an estimated $1 billion was paid out by individuals and organizations around the world in 2016, according to a report by Herjavec Group, a Canadian cybersecurity company.
The amounts demanded by ransomware vary. The average ransom demand in 2016 was for $679, according to Symantec. But some criminals target specific organizations with ransomware, tailoring their ransom demands according to the resources of their chosen victim. For example, when San Francisco's Municipal Transport Agency was attacked in November 2016, a ransom of about $70,000 in Bitcoin was demanded to decrypt its systems.
How ransomware works
The most common way for criminals to infect an organization is by sending an email with a malicious link or attachment that an employee clicks on unwittingly to initiate an attack. These may be emails sent to millions of potential victims, or targeted emails sent to a specific person in a particular organization. Ransomware now comprises 97% of phishing emails, according to PhishMe, which noted that Locky was the most common ransomware executable; that places it alongside 2013's CryptoLocker among the most infamous ransomware strains. In May 2017 the WannaCry ransomware strain quickly infected well over 100,000 computers and spawned other variants. See Common Types of Ransomware for more information on ransomware variants.
Locky typically arrives via an email attachment that prompts you to enable macros. If you do, your desktop will look like this:
Locky desktop takeover (Source: Sophos)
The email attack vector makes ransomware a difficult problem to stop. This kind of attack, which relies on enticing an employee to take a specific action, is almost impossible to prevent if the attacker is determined. Even relatively sophisticated users can be fooled into clicking on an invoice they are expecting, a photograph that is ostensibly from someone they know, or a document that appears to have come from their boss.
That means that while every effort should be made to prevent a ransomware attack from succeeding, organizations should prepare for the worst and ensure that all necessary steps are taken to minimize the possible impact.
There are a number of steps organizations can take to prevent ransomware, with varying degrees of effectiveness.
- Increase awareness with staff training: Raising awareness about ransomware by educating staff about the dangers of clicking on attachments or links in emails is clearly important as a baseline security measure. But it only takes one employee to lower their guard on one occasion for an organization to be compromised, and for that reason staff training should not be relied on. There is plenty of evidence to suggest that the effects of a training session wear off over time, but companies such as PhishMe provide technology to help keep employees on their toes by sending them simulated malicious emails on an ongoing basis; if an employee clicks on a simulated malicious link, they get feedback to help ensure that they don't fall victim to a similar email again.
- Use an effective spam filter: Cybercriminals send millions of malicious untargeted emails to organizations, but an effective spam filter that is continuously updated from a cloud-based threat intelligence center can prevent more than 99% of these from ever reaching employees' desktops.
- Configure desktops to show file extensions: Employees should be trained not to double-click on executable files with a .exe extension. However, Windows hides file extensions by default, allowing a malicious executable such as "evil.doc.exe" to appear to be a Word document called "evil.doc". Ensuring that extensions are always displayed can go a long way to countering that kind of threat.
- Restrict the use of elevated privileges: Ransomware can only encrypt files that are accessible to a particular user on their system – unless it includes code that can elevate a user's privileges as part of the attack, which is where patching comes in.
- Patch software promptly: It's a basic security precaution to ensure that all software is updated with the latest security patches, but it's worth reiterating because a security risk report from HP in 2016 found that 44% of successful ransomware attacks were caused by software that had not been patched for between two and four years. Privilege escalation is often possible by exploiting known but unpatched vulnerabilities. The 2017 WannaCry strain took advantage of an unpatched Microsoft Windows vulnerability (MS17-010).
Enterprise security systems can play an important role in preventing ransomware attacks. Here are some important capabilities that your security software (which includes next-generation firewalls, email gateway security software, data loss prevention systems and endpoint anti-virus software) should provide:
- Preventing users from visiting malicious web pages: Security software should be able to unmask URLs so users know what page they are visiting and retrieve a risk/reputation rating and preview of the target page. Known malicious sites can then be blocked.
- Blocking ransomware files: Security software linked to a cloud-based threat intelligence network can block known malicious files. Unknown files can be intercepted and uploaded to the cloud to be sandboxed and analyzed, and then given a threat rating or blocked.
- Preventing suspicious activity: Anti-virus endpoint software should block known malicious files, but products that offer heuristic analysis can also spot and prevent ransomware-like behavior in unrecognized files. In particular, most ransomware uses Windows' own encryption DLLs, so effective security software will block calls to these DLLs by untrusted applications, or request confirmation from the user that an encryption operation has been requested.
- Monitoring for mass modifications: File integrity monitoring capabilities can detect changes to system files and the registry. This can be used to block applications that attempt to create or modify large numbers of files or change their names.
- Detecting anomalous behavior: Data Loss Prevention systems can create dummy files that should never be accessed or backed up. If these files are accessed, they can trigger an alarm that a possible ransomware attack is taking place.
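As an added example (not code from the original article or from any vendor it names), here is a small Python detector that applies the last two capabilities above to constructed file-activity log lines: it flags a process that changes more than a threshold of files inside a short window, and any process that touches a canary (dummy) file. The log format, the threshold, the window and the canary path are all assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed tunables: more than THRESHOLD create/modify/rename events by one
# process inside WINDOW counts as ransomware-like mass modification.
THRESHOLD = 20
WINDOW = timedelta(seconds=10)
CANARY_PATHS = {r"C:\Users\alice\Documents\000_do_not_open.docx"}  # dummy files nobody should touch

def parse_event(line):
    """Parse one 'ISO-timestamp process action path' line (assumed format)."""
    ts, proc, action, path = line.split(" ", 3)
    return datetime.fromisoformat(ts), proc, action, path

def detect(lines):
    """Return (process, reason) alerts; each process is reported once per reason."""
    alerts, seen = [], set()
    recent = defaultdict(deque)  # process -> timestamps of its changes inside WINDOW
    for line in lines:
        ts, proc, action, path = parse_event(line)
        if path in CANARY_PATHS and (proc, "canary") not in seen:  # any access, even a read
            seen.add((proc, "canary"))
            alerts.append((proc, f"touched canary file {path}"))
        if action not in ("CREATE", "MODIFY", "RENAME"):
            continue
        q = recent[proc]
        q.append(ts)
        while ts - q[0] > WINDOW:  # drop events that fell out of the window
            q.popleft()
        if len(q) > THRESHOLD and (proc, "mass") not in seen:
            seen.add((proc, "mass"))
            alerts.append((proc, f"{len(q)} file changes in {WINDOW.seconds}s"))
    return alerts

def sample_log():
    """Constructed log: normal editing and a backup read, then an unknown process
    renaming 25 documents in 5 s and finally modifying the canary."""
    base = datetime(2017, 5, 12, 9, 0, 0)
    docs = r"C:\Users\alice\Documents"
    lines = [rf"{base.isoformat()} winword.exe MODIFY {docs}\q1.docx",
             rf"{(base + timedelta(seconds=3)).isoformat()} backup.exe READ {docs}\q1.docx"]
    for i in range(25):
        t = base + timedelta(seconds=5, milliseconds=200 * i)
        lines.append(rf"{t.isoformat()} a4f9.exe RENAME {docs}\report{i}.docx.locky")
    lines.append(rf"{(base + timedelta(seconds=11)).isoformat()} a4f9.exe MODIFY {docs}\000_do_not_open.docx")
    return lines

if __name__ == "__main__":
    for proc, reason in detect(sample_log()):
        print(f"ALERT {proc}: {reason}")
```

Ordinary editing by winword.exe and the backup job's read are not reported; only the burst of renames and the canary access produce alerts.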
Anti-ransomware software vendors
PhishMe and Wombat Security are two vendors offering anti-ransomware solutions. A number of other security vendors offer products covering everything from email and network security to intrusion detection and prevention and threat intelligence tools.
A partial list of products for IT buyers to evaluate:
- Symantec Endpoint Protection and Symantec Messaging Gateway
- Cisco Email Security and Cisco Ransomware Defense
- Kaspersky Security Solutions for Enterprise
- McAfee Web Gateway, Threat Defense, VirusScan and Network Security
- Proofpoint Enterprise Protection
- Check Point Application Control, Threat Emulation and Anti-Bot
There are also a number of anti-ransomware tools aimed at the consumer market.
If you've already been hit by ransomware, you probably came to this section first, but once you've solved your immediate problem, you need to consider the steps and tools you will need to prevent a recurrence. Fool me once, as they say.
Here are some steps that might help if you are a ransomware victim:
- Backups: The primary way that organizations recover after being hit by ransomware is by restoring systems from backups. However, restoring all systems can take days, and changes made since the last backup before the attack will be lost. Investigate thoroughly so you know when your data was first tampered with and can be sure you are restoring from an unaffected backup instance. For more on data backup and ransomware, see Beyond the Backup: Defending Against Ransomware.
- Version restores: In some cases it may be possible to restore files on individual systems using a built-in file versioning service like Windows Volume Shadow Copy. This keeps the version history of all files on a drive and makes it possible to "go back in time" to restore them to their unencrypted state. However, newer ransomware variants are able to disable this capability, so it cannot be relied upon.
- Decryption tools: In some ransomware variants, the encryption process has not been competently implemented, providing an opportunity for data to be recovered. For example, the Linux.Encoder1 ransomware has a flaw in the way the encryption key is generated, allowing the key to be derived from a file's timestamp. Security firm Bitdefender has released a decryption tool that automatically generates the keys and decrypts files.
More recently, Kaspersky Labs has discovered a flaw in the Xpan ransomware and will provide help decrypting files. (The company has not released a decryption tool, perhaps to avoid alerting the ransomware authors to the flaw in their encryption implementation.)
The No More Ransom project, a collaboration between the Dutch National Police, Europol, Intel Security, and Kaspersky, has also collected 160,000 known ransomware decryption keys and provides a set of four tools which automatically decrypt files encrypted by some ransomware variants.
There are also a number of free decryption tools out there that could help you get your data back; Avast lists several.
- Pay the ransom: The elephant in the room during any discussion about ransomware is whether an organization may face the least disruption and financial loss by giving in to the demands of the criminals and paying the ransom. In some cases, it may seem like the only option to prevent a company from going out of business.
It's a decision that can only be made by organizations on a case-by-case basis, but don't forget:
- Paying criminals makes future attacks more likely
- There is no guarantee that paying the ransom will lead to all (or indeed any) files being successfully decrypted and systems working normally
If you do decide that paying the ransom is the only option to prevent going out of business, then you are not alone: Malwarebytes and Osterman found that more than 40% of enterprises hit by ransomware paid the attackers in order to retrieve their data.