Ransomware is a type of malware with a name that describes itself well: The sophisticated software uses email attachments...
and malicious websites to automatically encrypt files, with the perpetrators demanding a ransom or payment for the key to decrypt them.
Ransomware mitigation has become a big concern for companies, because ransomware is easier to profit from than hacking credit card details or banking information and selling it on the black market. The variations of ransomware share several common factors: Payment has to be made via hard-to-trace cryptocurrency, like bitcoin or a prepaid debit card; the hacker uses anonymizing technology, such as the Tor network; and there is usually a deadline that payment has to be made. For example, a victim will be provided a 96-hour countdown timer to pay the ransom, with step-by-step instructions explaining how to pay the money with bitcoins or a prepaid debit card.
There have been several well-known cases of ransomware:
- CryptoWall is designed to infect computers using Microsoft Windows.
- CryptoLocker and CTB Locker used stronger encryption techniques and gave victims a chance to decrypt some of their data for free to demonstrate that paying up really will work.
- Simplocker encrypts files on smartphones.
- SamSam targets business servers.
- CryptXXX bundles many different types of attacks together, including password-sniffing keyloggers and a botnet installer. It also looks through an infected system for bitcoins.
For victims of ransomware, it can be extremely difficult to get their data back without paying the ransom. Unfortunately, if they do pay, they're supporting the hacker's research and development. Paying money to cybercriminals just helps them to invest more resources in the development of new types of ransomware. Paying off ransomware also raises ethical questions, because it gives these cybercriminals incentive and shows them, in this case, crime does pay.
As data becomes increasingly valuable, it's important for companies to develop ransomware mitigation tactics. The stakes are certainly much higher: When ransomware struck Los Angeles-based Hollywood Presbyterian Medical Center in February, the hospital's main medical records system was made largely unusable for close to 10 days, and some patients had to be relocated to other hospitals. Another hospital in Germany that had medical records frozen by ransomware had to postpone several high-risk surgeries for safety reasons. Another concern is whether ransomware can make hospitals' medical devices unusable, because these are often a target for computer viruses. The attack on the Hollywood Presbyterian Medical Center created serious medical concerns for some patients, while the hackers made $17,000 in bitcoins.
Ransomware mitigation and prevention
Adhering to a two-pronged approach that complies with a set of cybersecurity standards for dealing with ransomware is the best method for prevention, detection and mitigation of this dangerous malware. This two-pronged approach should be set in place simultaneously.
Prong one of this ransomware protection strategy includes ransomware prevention, mitigation and detection techniques. Companies should follow standard cybersecurity practices by keeping software updated and patched correctly, while using a behavior-based antivirus technology that has a strong reputation for intrusion detection and prevention. Backing up data on an external hard drive or using a cloud service could reduce the effects of ransomware if an infection occurs.
Social engineering is one of the tactics cybercriminals use to perform reconnaissance on their victims, and it is one of the most common ways computers are infected with ransomware. As a result, educating personnel on how to detect phishing campaigns, suspicious websites and other scams are necessary steps to ransomware prevention. In other words, employees must pay close attention to what they click and what they install. Finally, make content scanning and filtering on mail servers a standard practice, because inbound emails could contain known threats or include nefarious attachments that should be blocked.
Paying the ransom
The second prong may seem counterintuitive to what cybersecurity experts might advise, but paying the ransom for the sake of business continuity could prove beneficial in a fast-paced business setting where time is money. It also may be easiest and quickest way to recover from a ransomware attack. As stated previously, paying may encourage the cybercriminal, but if the first prong fails, there may be little choice left. Paying the ransom should be considered for the sake of time, money and business reputation. Paying for restored access prevents loss of productivity during downtime and may actually defray the cost of the ransom.
There is some recent evidence that indicates a very high percentage of infected businesses could not access their data for at least two days following a ransomware outbreak, and other businesses lost access for five days or more. For businesses that go through the process of recovering from a ransomware attack, traditional backup usually loses weeks of work due to lost files, plus a day or more of downtime while computers are wiped, reimaged and reinstalled.
One of the best ways to achieve compliance with these ransomware prevention strategies would be to build a digital currency stockpile to help mitigate the devastation following a ransomware attack. If the decision is to pay the ransom, then the organization should pay in bitcoins and should never pay with their credit cards or financial account information. Even when paying with bitcoins or currency vouchers, the organization should not pay with their credit cards or financial account information. If no alternative exists, then the card or account used to pay should be frozen or closed immediately after the transaction to prevent cascading breaches.
Currently, payment is a necessary last-resort consideration once attacked. But, of course, the best method of dealing with ransomware, as it is with other rapidly evolving cybersecurity threats, is prevention.
About the author: Daniel Allen is president of N2 Cyber Security Consultants & N2 Connected Vehicle Technology, LLC. He holds a master's degree in cybersecurity and information assurance and is a research fellow at the Center for Climate and Security, where he focuses on the intersection of strategies for cybersecurity and climate change security risks.
Summer 2016: The season of ransomware
As the number of hospital ransomware attacks climbs, HHS releases guidance
Bitdefender develops ransomware vaccine