It hasn’t come exactly as a bolt from the blue, but even longtime security practitioners have been taken aback by how fast and furious the spread of ransomware has been. I’ll admit up front that I haven’t conducted an exhaustive review of the “2016 Security Predictions” articles that came out late last year–for one thing, there are way too many, and for another, they contain a lot of the same material–but I don’t think that in general they elevated the specter of ransomware to the level it (unfortunately) merits.
In case you’re visiting from another planet or have been in a cryogenic freeze and haven’t become familiar with it already, ransomware is a specific kind of malware that essentially holds your data hostage until you pay a ransom. It’s your actual data and it’s actual money, and the scourge is spreading rapidly. It’s worth knowing a little about how it works, and what you can do to reduce your risk of being ripped off.
There are many variants, but they all work on the same general principle: when the ransomware agent is installed on a machine (obviously without your knowledge or consent), it begins encrypting your files using a private key held only by the entity controlling the ransomware. When it has encrypted the data, it displays a message to you indicating that your files have been encrypted and that the only way to get the key to decrypt them is to pay the ransom. Instructions are given for how to do that. Some variants will also delete files permanently, one or a few at a time, on a regular basis, to give you incentive to act quickly. In any event, you have only a limited time to act before the files become permanently unavailable. The ransom payment buys the key to decrypt the files.
It can affect many different kinds of machines and many different kinds of files–and it’s not just cat pictures and tax returns, either. Several hospitals have been hit, and have chosen to pay the ransom, lest the loss of critical files put patients (and/or the hospital itself) at risk.
It’s never a good idea to be complacent about any security risk, but the virulence, reach, and risk posed by ransomware really should command your attention and action. Here are steps you can and should take to protect yourself.
- Make regular backups to an external, secure location. This could be a network drive, a cloud service, or a combination. One of the easiest ways to defeat ransomware is to clean the infection, wipe the encrypted files, and then restore a clean backup. It’s important to perform regular backups, and, if you restore the most recent backup, perform an immediate scan to make sure the ransomware agent itself wasn’t backed up–if it was, you’ll need to wipe the system again and go back to an earlier image. Do be aware, too, that some ransomware variants can encrypt anywhere that your computer has write access–so do some research to ensure that you can put the backup images out of the ransomware’s reach.
- Keep defenses up to date. You should be running a reputable antivirus from one of the big vendors (though if you are a Symantec/Norton user, be aware that some very serious vulnerabilities have been discovered in those products; look for fixes from Symantec’s site). Most AV/anti-malware products are updating signatures for ransomware variants at a reasonably good rate.
- Catch those phish. Phishing is a leading vector for the spread of ransomware. One ransomware family has been using phishing emails with phony “invoice” attachments. And a particularly pernicious type of phish feigns have been sent to you by yourself–many of us email things to ourselves for safekeeping, so it’s a plausible type of email. If you aren’t absolutely certain that the attachment really is what it purports to be, delete the email. Likewise for links; if you receive a link asking you to update account information, it’s safer to go directly to the institution’s site (by typing it into the browser) and then making the update if it really is required. If the update request was legitimate, no problem–and if it wasn’t, you may have saved yourself from a ransomware infection.
- Surf smart. Links in spam or phishing emails aren’t the only vectors to unsafe sites–sites which could infect you with ransomware via drive-by download. You may want to know all about that one weird trick, but think before you click. One good practice, whether on email or the web, is to look carefully at domain names. Many criminals use look-alike domains, with hard-to-spot typos of legitimate domains, to trick victims into clicking.
- Protect your phones and tablets, too. Mobile ransomware is a thing, and a phone gives you another vector for infection–a malicious link sent via text message. Just as with email, treat any such link with suspicion. If it appears to come from your bank, for example, the right way to investigate is to initiate a brand new session from your mobile browser instead of clicking the link in the text.
- If you’re in charge of an organizational network, use technology wisely–don’t hesitate to deploy available tools. There are excellent products for network and host firewall/IPS, email security, web security, etc. Appliances and cloud services aren’t magic bullets, so you must view them as necessary but not sufficient. Having said that, they can certainly help reduce risk, especially when used in conjunction with other practices such as patch and backup discipline, user education, and good threat hunting and incident response procedures.
An unchecked ransomware infection can wreck more than your whole day–it can actually endanger lives, as the hospital cases have shown. If you are responsible for critical systems that affect people’s livelihoods or even their safety, you owe it to yourself and to them to take steps ahead of time to cut your risk, and to be able to respond effectively if an infection does occur. Don’t fund criminals–thwart them instead.
[su_box title=”About Tim Helming” style=”noise” box_color=”#336588″][short_info id=’84617′ desc=”true” all=”false”][/su_box]
The opinions expressed in this post belongs to the individual contributors and do not necessarily reflect the views of Information Security Buzz.