Ransomware—it’s the rampant business wreaking havoc across the globe. Every week there seems to be a new report of a company getting hit by ransomware, but what exactly makes these attacks so effective?
Cybercriminals first find a vulnerability that gives them access to a victim's computer files, then encrypt those files so the owner can no longer read them. The attackers hold the files hostage until the victim agrees to pay a ransom (paid in bitcoin) in exchange for the key that decrypts them. The strategy is built for immediate profit.
In 2015, an advanced banking malware, Dridex, gained access to financial login information that was used to drain bank accounts across the U.S. and United Kingdom. Dridex tactics have influenced the growth of one of the most popular ransomware infections, the Locky Trojan. Not only does the Locky infection encrypt important data, it also searches for and erases Volume Shadow Copy files, a backup repository in Windows that victims might ordinarily use to try to restore their lost data. Locky is distributed through spam messages sent by the same botnet used to send the infamous Dridex malware. Furthermore, according to Kim Zetter's article for Wired, attackers use Locky to deny access to a server, locking out all workers and infecting anyone who tries to access the server. This allows the attacker to spread malware to even more machines.
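The shadow-copy deletion described above is one of the few behaviours in the Locky chain that a defender can watch for directly: a process-creation log that shows a shadow-removal command launched from an unexpected parent is a strong early warning. The script below is an added example, not code from the article or from any of the vendors it cites. It parses constructed Sysmon-style process-creation lines (EventID 1, flattened to key=value pairs) and flags the commonly documented shadow-removal commands (`vssadmin delete shadows`, `wmic shadowcopy delete`); those patterns and the "suspicious parent directory" heuristic are assumptions of this example, not details taken from the page.

```python
import re
from typing import Dict, List

# Constructed sample log lines in a flattened Sysmon EventID 1 style.
# These are made up for this example; none come from a real incident.
SAMPLE_LOGS = [
    'EventID=1 Image=C:\\Windows\\System32\\vssadmin.exe CommandLine="vssadmin delete shadows /all /quiet" ParentImage=C:\\Users\\alice\\AppData\\Local\\Temp\\invoice.exe',
    'EventID=1 Image=C:\\Windows\\System32\\vssadmin.exe CommandLine="vssadmin list shadows" ParentImage=C:\\Windows\\System32\\cmd.exe',
    'EventID=1 Image=C:\\Windows\\System32\\wbem\\WMIC.exe CommandLine="wmic shadowcopy delete" ParentImage=C:\\Users\\alice\\AppData\\Local\\Temp\\invoice.exe',
    'EventID=1 Image=C:\\Windows\\System32\\vssadmin.exe CommandLine="vssadmin delete shadows /for=C: /oldest" ParentImage=C:\\Windows\\System32\\cmd.exe',
    'EventID=1 Image=C:\\Backup\\agent.exe CommandLine="agent.exe --rotate-snapshots" ParentImage=C:\\Windows\\System32\\services.exe',
    'EventID=1 Image=C:\\Windows\\System32\\notepad.exe CommandLine="notepad.exe readme.txt" ParentImage=C:\\Windows\\explorer.exe',
]

# Command-line patterns that remove Volume Shadow Copies. Assumption of this
# example: these are the widely documented shadow-removal commands, used here
# purely as detection signatures.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.IGNORECASE),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.IGNORECASE),
]

# A parent process running out of a user-writable temp or download folder
# raises the severity: backup software also prunes snapshots legitimately,
# but it does not normally do so from a mail attachment's working directory.
SUSPICIOUS_PARENT_DIRS = ("\\appdata\\local\\temp\\", "\\downloads\\")

# key=value pairs; values may be double-quoted when they contain spaces.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_line(line: str) -> Dict[str, str]:
    """Parse one flattened key=value log line into a dict."""
    fields: Dict[str, str] = {}
    for m in FIELD_RE.finditer(line):
        key = m.group(1)
        value = m.group(3) if m.group(3) is not None else m.group(4)
        fields[key] = value
    return fields


def classify(fields: Dict[str, str]) -> Dict[str, object]:
    """Assign a severity to a process-creation record.

    high   : shadow-removal command from a suspicious parent directory
    medium : shadow-removal command from any other parent
    none   : nothing shadow-related (listing shadows is not deletion)
    """
    cmd = fields.get("CommandLine", "")
    parent = fields.get("ParentImage", "")
    deletes_shadows = any(p.search(cmd) for p in SHADOW_DELETE_PATTERNS)
    suspicious_parent = any(d in parent.lower() for d in SUSPICIOUS_PARENT_DIRS)
    if deletes_shadows and suspicious_parent:
        severity = "high"
    elif deletes_shadows:
        severity = "medium"
    else:
        severity = "none"
    return {"severity": severity, "command": cmd, "parent": parent}


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Return one alert per process-creation line that touches shadow copies."""
    alerts = []
    for line in lines:
        fields = parse_line(line)
        if fields.get("EventID") != "1":  # only process-creation events
            continue
        result = classify(fields)
        if result["severity"] != "none":
            alerts.append(result)
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOGS):
        print(f"[{str(alert['severity']).upper()}] {alert['command']}  (parent: {alert['parent']})")
```

Run against the constructed sample, the scan yields three alerts: two high (deletion launched from a temp-folder executable) and one medium (deletion from an interactive command prompt, which an administrator might do legitimately). The listing command and the backup agent's own snapshot rotation produce nothing, which is the point of keying on the delete verbs rather than on `vssadmin.exe` alone.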
But Locky is not the only ransomware predator in use today. Businesses must be aware that infections like Cryptowall and Teslacrypt are other ransomware families using tactics like phishing and malvertising to infect their target systems.
The flood of ransomware attacks has caused enough damage that both the U.S. and Canadian governments have issued cyber alerts warning businesses and their customers about this plague. Most ransomware victims are completely unaware of the attack until it’s too late. To help protect your computer and your networks from ransomware infection, here are some preventative tips, according to the US Department of Homeland Security and the Canadian Cyber Incident Response Centre:
Sometimes though, prevention isn’t enough, and ransomware sneaks its way through even the smallest vulnerabilities. So what if infection has already breached your server? If you can help it, do not pay the ransom. Obviously, this step is easier said than done, but as the alert warns, “Paying the ransom does not guarantee the encrypted files will be released; it only guarantees that the malicious actors receive the victim’s money, and in some cases, their banking information. In addition, decrypting files does not mean the malware infection itself has been removed.”
NakedSecurity has laid out a few guidelines to follow in the event of a ransomware infection, such as using a little guesswork to reconstruct a list of decryption keys yourself. But guesswork is only so reliable, and the process is becoming more complicated. Thus, prevention remains the best guard against attack as ransomware campaigns get ever more creative.