Ransomware is a cyber-attack term that all of us have been reading about almost daily in the press. Yes, it is real. Yes, it is destructive. And yes, it is very, very expensive to repair. There is one thing, however, that the mainstream press gets wrong in just about every story: the line that “The Spacely’s Sprockets Company network was hacked by ransomware…”. That isn’t really what happened. Most ransomware is opportunistic. It looks for exploitable services exposed to the Internet by scanning ranges of IP addresses rather than singling out a specific company or institution to break into, and it gets at individuals inside companies through social engineering: emails with links to ‘more information’, or similar links on dodgy websites. And no, dodgy does not mean only porn sites!
Ransomware scans all the disk drives attached to your computer, including mapped network shares and USB drives, encrypting your data files and demanding a payout in return for the key that reverses the encryption. Unless you have backups the infection could not reach, you have no practical way of getting the locked files back other than paying, and even paying is no guarantee: you are relying on criminals to deliver a working decryptor. Breaking the encryption yourself is not realistic either. Well-written ransomware encrypts your files with a strong cipher and then encrypts that key with a public key whose private half only the criminals hold, so no amount of effort on your own machine recovers it; some strains also delete their copy of the key, or raise the price, once a deadline passes.
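How a defender can tell encrypted files from intact ones on a suspect drive, as an added example that is not code from the original post: it checks three things the encryption leaves behind, a foreign extension appended after the real one, a file header that no longer matches the type's signature, and byte entropy far above anything a text file can have. The file-signature table, the 6.0 bits/byte threshold and the sample folder are this example's own assumptions, and the "ciphertext" is a deterministic SHA-256 chain standing in for real encrypted data so the run is reproducible.

```python
import hashlib
import math
from collections import Counter
from pathlib import PurePath

# Leading bytes that genuine files of these types begin with (standard file signatures;
# the table is this example's own, not something the post lists).
MAGIC = {
    ".pdf": b"%PDF",
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
    ".zip": b"PK\x03\x04",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
}
# Plain-text formats: readable text rarely exceeds about 5.5 bits of entropy per byte,
# while ciphertext sits close to 8. The 6.0 cut-off is an assumed threshold.
TEXT_EXTS = {".txt", ".csv", ".log", ".html", ".xml", ".json"}
TEXT_ENTROPY_LIMIT = 6.0


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for a constant run, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def original_extension(name: str):
    """Innermost recognised extension, so 'report.pdf.locked' yields '.pdf'.
    Ransomware commonly appends its own suffix after the victim's original one."""
    for ext in reversed(PurePath(name).suffixes):
        ext = ext.lower()
        if ext in MAGIC or ext in TEXT_EXTS:
            return ext
    return None


def assess(name: str, data: bytes) -> list:
    """Reasons this file looks encrypted; an empty list means it looks intact."""
    reasons = []
    ext = original_extension(name)
    if ext is None:
        return reasons  # unknown type: nothing to compare against
    last = PurePath(name).suffixes[-1].lower()
    if last != ext:
        reasons.append(f"extra extension {last!r} appended after {ext!r}")
    if ext in MAGIC and not data.startswith(MAGIC[ext]):
        reasons.append(f"header does not match the {ext} signature")
    if ext in TEXT_EXTS:
        entropy = shannon_entropy(data)
        if entropy > TEXT_ENTROPY_LIMIT:
            reasons.append(f"entropy {entropy:.2f} bits/byte is too high for text")
    return reasons


def scan(files: dict) -> dict:
    """Map name -> reasons for every file that looks encrypted."""
    flagged = {}
    for name, data in files.items():
        reasons = assess(name, data)
        if reasons:
            flagged[name] = reasons
    return flagged


def pseudo_random(n: int, seed: bytes = b"sample") -> bytes:
    """Deterministic stand-in for ciphertext (a SHA-256 chain), so the demo is reproducible."""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


# Constructed sample folder: three intact files and three the ransomware got to.
SAMPLE_FILES = {
    "invoice.pdf": b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n" * 20,
    "notes.txt": b"Call the supplier about the late shipment on Monday.\n" * 40,
    "photo.jpg": b"\xff\xd8\xff\xe0" + pseudo_random(4096),   # compressed, so high entropy, but genuine
    "invoice.pdf.locked": pseudo_random(4096, b"a"),          # renamed and encrypted; %PDF header gone
    "notes.txt.locked": pseudo_random(4096, b"b"),            # renamed and encrypted; entropy near 8
    "budget.xlsx": pseudo_random(4096, b"c"),                 # encrypted in place, name unchanged
}

if __name__ == "__main__":
    for name, reasons in scan(SAMPLE_FILES).items():
        print(f"{name}: {'; '.join(reasons)}")
```

Entropy alone is not enough: the constructed photo.jpg is as random-looking as the ciphertext, because compressed formats are, and only its intact signature clears it. Running the script lists the three files the detector flags and why.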
Ransomware wouldn’t exist if it weren’t lucrative. Most ransom demands are on the order of 1 Bitcoin per encrypted machine, approximately $1,500 USD at the time of writing. That adds up quickly: a large company with 1,000 encrypted workstations and servers is looking at $1.5 million. On a properly configured and secured network, with nothing unnecessary exposed to the Internet, the risk of a targeted, hacking-style attack is small. The risk comes from insiders who are too quick to trust links. Your first line of defense is frequent backups, kept offline or on storage the infected machine cannot write to, and tested so you know they restore; a backup on a permanently mapped drive simply gets encrypted along with everything else. Of course, I’m not so out of touch as to think that most people actually back up their workstations. So your second line of defense is to be aware that people you don’t know are not going to send you emails with links to invoices or refunds or anything else. If you don’t recognize the sender, contact your IT Security department. They will (or should!) have the tools to evaluate the threat. Better safe than sorry!
The second level of threat comes from the way ransomware propagates once it is on a machine inside the network. It runs with whatever privileges the user who clicked already has, tries to elevate them, and disables or deletes anything that might be used to defeat it (Windows Volume Shadow Copies, the built-in file snapshots that would otherwise let you roll files back, are a favourite target). Then it looks around the network, encrypting any file share it can write to and invading any workstation that responds to its queries. Alternatively, it goes after a server, where once in it can create and modify accounts and reach everything on the network.
A ransomware attack in Europe used a Dropbox link. It takes only one click on that link to infect a workstation, and the victim then has just 24 hours to pay the ransom in Bitcoin before the encryption becomes permanent. It’s called the “Pacman” ransomware, suggesting something eating up all your files. Besides the encryption routine, the code includes a keylogger and has “kill process” capabilities that disable Windows tools such as taskmgr, cmd, regedit and more. Europe is often struck before the US, so it’s just a matter of time. The attack is focused on a small vertical and is fully automated. This particular variation targets chiropractors in Denmark, but next time it could be tailored to your company. It arrived as an email in perfect Danish from a supposed new patient who explains that they are moving into the area, have bad neck and back problems, and are looking for a new therapist. The new patient has conveniently provided links to his MRI and CT scans on Dropbox, hoping the reader will click to see the scans. One click is all it takes and you’re infected.
If you work for a company, your IT Security people are (hopefully) doing what they can, but you must remain vigilant and not click on anything that is even slightly suspicious. If you are a consumer with a single computer or a small home network, or part of a small business without an IT department, you need to take more precautions yourself. First, most individual attacks will try to get onto your computer through phishing, so think before you click. Do you know the sender of the email? If not, delete it. If you do recognize the sender but weren’t expecting an email from them, or the email is out of character for that sender, contact them by some other route and confirm it really came from them. Trust your spam filter: if an email landed there, there is probably a good reason. You may also want to check the email headers, which disclose a lot that the normal view hides. The visible From line is whatever the sender typed; the Return-Path and the Received lines added by your own mail server record where the message actually came from. So the email may say it’s from your bank while the headers show it was sent from ‘firstname.lastname@example.org’ through a server that has nothing to do with your bank. Unless you want to send a lot of money to a guy named Johan in Romania, delete it.
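The header check described above, as an added example that is not part of the original post: it parses a raw message with Python's standard email module and compares the domain the From line claims against the Return-Path, the Reply-To, the originating address in the earliest Received line, and the SPF/DKIM verdicts the receiving server recorded in Authentication-Results. Both messages are constructed for this example using reserved .example domains and RFC 5737 test addresses; the header names are the standard ones every mail server writes.

```python
import email
import re

# Constructed phishing message. The Return-Path, Received and Authentication-Results
# lines are what a receiving mail server adds; the From line is whatever the sender typed.
PHISHING_MESSAGE = b"""Return-Path: <bounce-4471@mail-relay.example.net>
Received: from mail-relay.example.net (mail-relay.example.net [203.0.113.45])
\tby mx.clinic.example (Postfix) with ESMTP id 7F3A2B1
\tfor <office@clinic.example>; Tue, 10 Mar 2015 09:14:02 +0100
Received: from [198.51.100.23] (unknown [198.51.100.23])
\tby mail-relay.example.net with ESMTPA; Tue, 10 Mar 2015 09:13:58 +0100
Authentication-Results: mx.clinic.example;
\tspf=fail smtp.mailfrom=mail-relay.example.net;
\tdkim=none
From: "Your Bank Customer Service" <refunds@yourbank.example>
Reply-To: firstname.lastname@example.org
To: office@clinic.example
Subject: Your refund is ready
Content-Type: text/plain; charset="utf-8"

Click the link below to claim your refund.
"""

# Constructed legitimate message for contrast: every domain lines up and both checks pass.
LEGIT_MESSAGE = b"""Return-Path: <newsletter@yourbank.example>
Received: from mail.yourbank.example (mail.yourbank.example [203.0.113.10])
\tby mx.clinic.example (Postfix) with ESMTPS id 9C21D04
\tfor <office@clinic.example>; Tue, 10 Mar 2015 10:02:11 +0100
Authentication-Results: mx.clinic.example; spf=pass smtp.mailfrom=yourbank.example; dkim=pass
From: "Your Bank" <newsletter@yourbank.example>
To: office@clinic.example
Subject: March statement available

Your statement is available in online banking.
"""


def domain_of(header) -> str:
    """Lower-cased domain of the first address in a header value ('' if none)."""
    m = re.search(r"@([A-Za-z0-9.-]+)", str(header or ""))
    return m.group(1).lower() if m else ""


def auth_result(auth: str, method: str) -> str:
    """Pull e.g. 'fail' out of 'spf=fail ...' in an Authentication-Results header."""
    m = re.search(rf"\b{method}=(\w+)", auth)
    return m.group(1).lower() if m else "missing"


def analyse(raw: bytes) -> dict:
    """Compare what the From line claims with what the transport headers record."""
    msg = email.message_from_bytes(raw)
    from_domain = domain_of(msg["From"])
    return_path_domain = domain_of(msg["Return-Path"])
    reply_to_domain = domain_of(msg["Reply-To"])
    received = [str(h) for h in (msg.get_all("Received") or [])]
    # Each hop prepends its own Received line, so the last one in the list is the earliest
    # hop visible. Only the lines added by your own server are trustworthy; a sender can
    # forge anything below them, so treat the origin IP as a lead, not proof.
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", received[-1]) if received else None
    auth = str(msg.get("Authentication-Results", ""))
    spf, dkim = auth_result(auth, "spf"), auth_result(auth, "dkim")

    findings = []
    if return_path_domain and return_path_domain != from_domain:
        findings.append(f"From claims {from_domain} but bounces go to {return_path_domain}")
    if reply_to_domain and reply_to_domain != from_domain:
        findings.append(f"replies are redirected to {reply_to_domain}")
    if spf != "pass":
        findings.append(f"SPF result is {spf}")
    if dkim != "pass":
        findings.append(f"DKIM result is {dkim}")
    return {
        "from_domain": from_domain, "return_path_domain": return_path_domain,
        "reply_to_domain": reply_to_domain, "origin_ip": m.group(1) if m else "",
        "hops": len(received), "spf": spf, "dkim": dkim, "findings": findings,
    }


if __name__ == "__main__":
    for label, raw in (("phishing", PHISHING_MESSAGE), ("legitimate", LEGIT_MESSAGE)):
        report = analyse(raw)
        print(f"{label}: from {report['from_domain']}, origin {report['origin_ip']}")
        for finding in report["findings"] or ["no findings"]:
            print(f"  - {finding}")
```

The point of the two messages side by side: a bank that really sends you mail has a Return-Path on its own domain and passes SPF and DKIM at your server, whereas the phish claims one domain, bounces to another, redirects replies to a third and fails both checks. Most webmail clients expose the raw headers under a "show original" or "view source" option.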
Security vendors have developed software that is proving effective at preventing ransomware from installing itself on your computer, but that is a preventative approach. Once you have been hit, there is little they or anyone else can do to fix things, other than the ransomware crooks themselves. The one exception is the occasional strain whose authors botched the cryptography, for which researchers have been able to publish free decryptors, so it is worth checking for one before paying.