The evolving ransomware landscape

Ransomware is growing in scope and sophistication – and that’s bad news for IT security pros.

Ransomware is a rapidly proliferating form of malware that attacks PCs and mobile devices. The software encrypts files on desktop and laptop computers and prevents smart phone users from being able to access their apps. Victims are presented with a message – which can range from hostile to downright friendly – informing them that their data is unusable and telling them how to make a payment to get the decryption key. Payments may range from a few hundred dollars to $10,000, and are typically made in the form of untraceable currency like gift cards or Bitcoin. Learn more about common variants here.

Costs are going up, too. Intermedia’s 2016 Crypto-Ransomware study found that 61% of infected employees were locked out of their files for three days or more. Business downtime and recovery costs can quickly outstrip the ransom’s demanded payment.

New strains

Most ransomware is delivered via spam or phishing emails, which trick victims into clicking on malicious links or attachments that download and execute code. However, a new strain called RAA has recently emerged that launches an executable file to interpret the email’s JavaScript attachment. Once that happens, the payload is triggered. RAA methodically encrypts the victim’s files, beginning with the most recently used, and presents a ransom demand of $250. To add insult to injury, it also installs password-stealing malware called Pony on the infected computer. Pony then uses the host to launch infections on other PCs on a network.

Mobile ransomware is also on the rise, with instances up fourfold this year, according to some estimates. A new family called Fusob targets Android devices, blocking all access to the device and demanding a ransom payment of between $100 and $200. Because Fusob masquerades as a multimedia player for porn videos, it adds an embarrassment factor that deters victims from reporting infections.

Mobile ransomware authors are also getting smarter about how they lure victims and inflict damage. A new strain called CryptXXX infects computers by injecting code into unpatched Joomla! and WordPress servers, which together account for nearly 80% of content management systems on the web.

Satana encrypts the Windows master boot record, rendering the machine useless. Users have to scramble to find another computer to make the ransom payment.

Attackers are also targeting what has long been the best defense against ransomware: frequent backups. Some new strains search for backup copies on connected file servers or in automatic backups. That doesn’t mean backup is irrelevant, however. In most cases ransomware can be defeated with an operating system reimaging or a system wipe-and-reinstall combined with a file restore.

The other most-effective form of defense is user education about spam, phishing and just generally being careful where you click. A test conducted by CBS news and Intel last year found that a staggering 80% of participants fell for at least one of a series of fake phishing emails that were sent to them. Users need to know that clicking on links or attachments – even from sources they trust – can be devastating. Email security filters can now catch the most common malicious file signatures. An even better approach is to use secure file shares and never to click on attachments or email links at all.

The good news is that defeating ransomware doesn’t have to be expensive or complicated. Common sense is an excellent deterrent.

Paul Gillin writes, speaks and trains marketers and corporate executives to think like publishers. Gillin specializes in social media for B2B companies. He is a veteran technology journalist with more than 25 years of editorial leadership experience. All opinions expressed are his own. AT&T has sponsored this blog post.

Copyright © 2016 IDG Communications, Inc.