Over the past few years, ransomware has been increasing at an alarming rate, and according to various sources it is estimated that cybercriminals made around $1 billion in 2016. Hackers are becoming more sophisticated at getting access to your files and are being financially rewarded for extortion.
Instead of selling stolen data on dark forums, ransomware forces victims to pay quickly, usually in a matter of days. Employee and consumer data are typically traded for bitcoins. So how can the average user mitigate the risk of becoming a victim with hijacked files that are “held for ransom”?
Ransomware is a type of malware that infects your computer using similar, if not the same, means as Trojans, worms, or other types of viruses. It can be downloaded as an attachment or by clicking on a malicious link, and then settles into your computer. It can also be installed silently in the background via exploit kits such as Neutrino, which are commonly delivered through malvertising campaigns.
Exploit kit use is now largely related to “mid-level operations of malvertising,” email providers claim, referring to the practice of injecting malicious code into online advertisements, often designed to exploit known vulnerabilities in web browsers to spread ransomware. Other software such as Adobe Flash Player has faced a string of zero-day exploits over the past years.
Recently, fake Flash Player update prompts have been used to steal keychain data on Apple products. Because many people are used to receiving what seems like almost constant update alerts to fix security vulnerabilities found in Flash Player, hackers have taken advantage of this to create fake updates that deliver malware.
Most ransomware even has a pre-programmed time delay before it becomes “active”, to make the source of the infection harder to identify and counter. That's why, in the case of ransomware, users should focus mainly on prevention. Not getting infected by this deadly virus is not an easy task.
What happens after the ransomware becomes active? Although there are different types of ransomware, most of them operate in a relatively straightforward manner. The best-known ransomware families include Locky, Petya, Cerber, SamSam, and Jigsaw.
In most cases, you suddenly find yourself sitting in front of a computer that doesn't want to cooperate with you, either by preventing you from accessing your operating system or by encrypting your files so you cannot open them. Next, a notification will appear stating that your files have been encrypted and you can't access them until you pay the required ransom. Sometimes the ransomware is disguised as some government entity issuing you a fine for “illegal activities”; other times it's just plain and simple: “we have taken your files hostage, pay us this amount and you'll get them back.”
What happens when you are hacked?
Here is where many, including organizations, that are affected by ransomware make their first mistake: they think about prolonging negotiations with the attackers instead of making a clear decision, to pay or not to pay. Whether the victim believes it to be a government entity or not, they typically give in to the demands and pay.
Sadly, there is no guarantee whatsoever that your files will be accessible again after you pay the fine, or that the attack or ransom request will not be repeated. In such an event, it is crucial that the proper steps are taken to mitigate the compromise. Often this is when professional incident response firms become involved.
It is important to keep in mind that ransomware software often fails to decrypt the data; it is not an enterprise-tested application with quality assurance. This is why preventing such a scenario from happening is paramount. Visiting suspicious websites, clicking on links you do not trust, and opening attachments in emails that seem suspicious or come from strangers are all behaviours attackers rely on. Extra attention and care while engaging in online activities is your best bet against these attacks.
Being mindful
So, what (else) can you do, besides not clicking on fake websites, watching compromised Flash videos and following malicious links? Here are a few tips on how to avoid, or at least significantly reduce, the risk of becoming a ransomware victim:
- Scan malicious emails and web content before they reach your environment. There are many solutions that provide such services, and an incident response team can assist you in selecting the right one.
- Reinforce perimeter protection and detection. Ensure that your perimeter protection devices can identify malicious content, and that your response team can verify proper remediation.
- Protect your assets on endpoints, computers and servers. Use a high-quality endpoint protection solution and keep it up to date to mitigate web-borne threats. Install a browser extension that warns you of known fraudulent sites, or of suspicious ones that don't use security certificates or other security measures. Adding a pop-up blocker to your browser is another simple preventative measure.
- Detonate every container carrying potentially malware-infected data. When data arrives at your network, sandboxing and analytics can provide early warnings of intent to compromise.
- Back up your important files (ideally all of your files) regularly. That way, even if you become ransomware's latest victim, you won't lose much data, if any at all.
- When ransomware is successful, investigate whether any other data has been taken, and whether you could be liable for a potential sensitive data compromise.
- Have an incident response team ready to detect and investigate any ransomware attacks.
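The detection and backup tips above are easier to act on with a concrete check. The following script is an added example written for this article, not tooling from the article or any vendor it mentions: it walks a file share and flags the two file-level traces most encrypting families leave behind, files rewritten as near-random bytes under an unexpected extension and dropped ransom notes. The note filenames, the `.locked` extension, the entropy and ratio thresholds, and the sample directory it builds in a temp folder are all constructed for illustration; a real deployment would tune them to its own data and run the scan on a schedule against shares and backup targets.

```python
"""Scan a directory tree for file-level signs of ransomware activity.

Added example, not the article's own tooling. Indicator names and thresholds
are assumptions chosen for illustration rather than a vendor signature set.
"""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Constructed list of ransom-note filenames; real families use many others.
RANSOM_NOTE_NAMES = {"readme_for_decrypt.txt", "how_to_recover_files.html"}
# Extensions the sample share is expected to contain (assumption).
EXPECTED_EXTENSIONS = {".txt", ".docx", ".xlsx", ".pdf", ".csv"}
# Encrypted output is close to uniformly random, about 8 bits per byte;
# plain text sits far below this. Compressed formats (jpg, zip) also score
# high, which is why the extension check is applied first.
ENTROPY_THRESHOLD = 7.5
# Fraction of encrypted-looking files at which the share is flagged.
ENCRYPTED_RATIO_THRESHOLD = 0.25


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte in `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path: Path, sample_size: int = 65536) -> bool:
    """An unexpected extension plus near-random content is the classic
    trace of a file that has been rewritten by ransomware."""
    if path.suffix.lower() in EXPECTED_EXTENSIONS:
        return False
    with path.open("rb") as fh:
        return shannon_entropy(fh.read(sample_size)) > ENTROPY_THRESHOLD


def scan_tree(root) -> dict:
    """Return indicator counts found under `root` and an overall verdict."""
    files = [p for p in Path(root).rglob("*") if p.is_file()]
    notes = [p for p in files if p.name.lower() in RANSOM_NOTE_NAMES]
    encrypted = [p for p in files if looks_encrypted(p)]
    ratio = len(encrypted) / len(files) if files else 0.0
    return {
        "files": len(files),
        "ransom_notes": len(notes),
        "encrypted_like": len(encrypted),
        "encrypted_ratio": ratio,
        "suspicious": bool(notes) or ratio >= ENCRYPTED_RATIO_THRESHOLD,
    }


def build_demo_tree(infected: bool) -> str:
    """Create a constructed sample share in a temp dir and return its path."""
    root = Path(tempfile.mkdtemp(prefix="share_"))
    for i in range(8):
        (root / f"report_{i}.txt").write_text(
            "Quarterly figures, nothing unusual here.\n" * 20)
    if infected:
        # Simulate what an encrypting family leaves behind: the originals
        # replaced by random bytes under a new extension, plus a note.
        for i in range(4):
            (root / f"report_{i}.txt").unlink()
            (root / f"report_{i}.txt.locked").write_bytes(os.urandom(4096))
        (root / "readme_for_decrypt.txt").write_text(
            "Your files are encrypted. Constructed sample note.\n")
    return str(root)


if __name__ == "__main__":
    for state in (False, True):
        label = "infected" if state else "clean"
        print(label, scan_tree(build_demo_tree(state)))
```

Running the script prints a clean share with no findings and an infected one where four of nine files look encrypted and a note is present, so the verdict flips to suspicious. The same `scan_tree` check run against a backup destination also answers the question the backup tip raises: whether the copies you would restore from have themselves been encrypted.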
Now that you know what to expect and how to defend against, detect and remediate the threat of ransomware, it's time to revisit your security measures, maturity and posture. This includes both the good and bad habits, to ensure you are up to date in today's fast-paced digital world with the right tools and team on your side.
Have firms conduct digital forensic investigations when ransomware breaches your enterprise. Another great advantage of having access to a highly skilled incident response team as part of your annual incident response retainer is the ability to run mock ransomware attack exercises with your team. Regarding web-based application ransomware attacks, such as SamSam, most incident response firms will offer web application security assessments to test the risk of your organization's applications being exposed.