All it takes is one click.
There are different types of ransomware. However, all of them will prevent you from using your PC normally, and they will all ask you to do something before you can use your PC. Ransomware can prevent your operating system from loading, block files by encrypting them, and stop applications from running.
Ransomware can be extremely damaging to a company, or even to an individual, depending on what data is stored on the computer. Often the ransomware will claim you have done something illegal on your computer and that you are being fined by a police force or government agency.
These claims are false. It is a scare tactic designed to make you pay the money without telling anyone who might be able to restore your computer. There is no guarantee that paying the fine or doing what the ransomware tells you will give access to your PC or files again.
The number of ransomware attacks is on the rise.
Ransomware is on the rise because people are paying the ransom (never do that), which gives the hackers the money to create even more. Here are a few examples of ransomware:
- CryptoLocker – Encrypting ransomware reappeared in September 2013 with a trojan known as CryptoLocker, which generated a 2048-bit RSA key pair—uploaded in turn to a command-and-control server, and used to encrypt files using a whitelist of specific file extensions. The malware threatened to delete the private key if a payment of Bitcoin or a pre-paid cash voucher was not made within 3 days of the infection. Due to the extremely large key size it uses, analysts and those affected by the trojan considered CryptoLocker extremely difficult to repair.
- KeRanger is the first ransomware on the OS X operating system. It encrypts the Mac user’s files, then demands a sum of one Bitcoin to decrypt the files. It appeared in March 2016. There is an executable in the .DMG that is disguised as a Rich Text File. The virus sleeps for three days, then starts to encrypt the files. It adds a text document with instructions on how to decrypt the files.
- RSA4096 is a type of ransomware that encrypts personal computers and connected devices. It first appeared in 2015 and, like all malware, uses the two-key system of public and private keys. Like all other ransomware, decryption requires purchasing private keys using Bitcoins bought through brokers on the dark web, with no guarantee that payment results in obtaining those keys. There are variants of this virus, most of which are unbreakable. Depending on the variant, it adds various extensions to your files together with the ransom note. The only method to recover from such an attack is by restoring files from an external disc or purchasing Bitcoins.
- Petya is actually very clever with the way it goes about locking up a computer. After it is installed, the system will spontaneously reboot. Instead of booting normally, the computer loads what appears to be a system CHKDSK. As one would expect, this screen makes it very clear that shutting off the PC in the middle of this operation would be a very bad idea. That’s all just a smokescreen, though. In reality, Petya is using disk-level encryption to lock the system down. The PC’s master boot record has already been compromised at this point, so shutting down won’t do any good.
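The variants above share one visible symptom on disk: many files renamed to a new extension in a burst, followed by a dropped text file telling the victim how to pay. The following is an added example, not code from the original article or from any security product, showing how a host-based check can flag that pattern. The pipe-separated event format, host names, paths and timestamps are all constructed for the example; the thresholds are assumptions to tune against real traffic.

```python
"""Behavioural check for ransomware-style file activity.

Added example; not code from the original article or any vendor.
Reads constructed file-system event records (the pipe-separated format
below is an assumption, not a real product's schema) and raises an alert
when one host, inside a short window, renames many files to a single new
extension and creates a ransom-note style text file.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Constructed sample: timestamp|host|action|path|new_path (new_path only for RENAME).
# ws-17 shows the ransomware pattern; ws-02 is a normal rename; ws-09 is a benign
# batch rename (.jpeg -> .jpg) with no ransom note, which must not alert.
SAMPLE_LOG = """\
2016-03-15T10:12:01|ws-17|RENAME|C:\\Users\\amy\\Documents\\q1.xlsx|C:\\Users\\amy\\Documents\\q1.xlsx.locked
2016-03-15T10:12:02|ws-17|RENAME|C:\\Users\\amy\\Documents\\budget.docx|C:\\Users\\amy\\Documents\\budget.docx.locked
2016-03-15T10:12:02|ws-17|RENAME|C:\\Users\\amy\\Pictures\\family.jpg|C:\\Users\\amy\\Pictures\\family.jpg.locked
2016-03-15T10:12:03|ws-17|RENAME|C:\\Users\\amy\\Documents\\notes.txt|C:\\Users\\amy\\Documents\\notes.txt.locked
2016-03-15T10:12:04|ws-17|RENAME|C:\\Users\\amy\\Desktop\\plan.pptx|C:\\Users\\amy\\Desktop\\plan.pptx.locked
2016-03-15T10:12:05|ws-17|RENAME|C:\\Users\\amy\\Desktop\\contract.pdf|C:\\Users\\amy\\Desktop\\contract.pdf.locked
2016-03-15T10:12:09|ws-17|CREATE|C:\\Users\\amy\\Documents\\HOW_TO_DECRYPT_FILES.txt|
2016-03-15T10:30:00|ws-02|RENAME|C:\\Users\\bob\\draft.docx|C:\\Users\\bob\\final.docx
2016-03-15T11:00:00|ws-09|RENAME|D:\\photos\\a.jpeg|D:\\photos\\a.jpg
2016-03-15T11:00:00|ws-09|RENAME|D:\\photos\\b.jpeg|D:\\photos\\b.jpg
2016-03-15T11:00:01|ws-09|RENAME|D:\\photos\\c.jpeg|D:\\photos\\c.jpg
2016-03-15T11:00:01|ws-09|RENAME|D:\\photos\\d.jpeg|D:\\photos\\d.jpg
2016-03-15T11:00:02|ws-09|RENAME|D:\\photos\\e.jpeg|D:\\photos\\e.jpg
2016-03-15T11:00:02|ws-09|RENAME|D:\\photos\\f.jpeg|D:\\photos\\f.jpg
"""

RENAME_THRESHOLD = 5            # assumed: renames to one new extension per window
WINDOW = timedelta(seconds=60)  # assumed: sliding window length
NOTE_KEYWORDS = ("decrypt", "recover", "restore", "readme", "how_to")


def parse_events(lines):
    """Turn raw log lines into dicts; blank lines are skipped."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts, host, action, path, new_path = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "action": action, "path": path, "new_path": new_path})
    return events


def looks_like_ransom_note(path):
    """Ransom notes are typically .txt files with a payment/decrypt keyword in the name."""
    name = PureWindowsPath(path).name.lower()
    return name.endswith(".txt") and any(k in name for k in NOTE_KEYWORDS)


def detect(events, min_renames=RENAME_THRESHOLD, window=WINDOW):
    """Return one alert per host whose events match burst-rename plus ransom note."""
    alerts = []
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            end = start["ts"] + window
            ext_counts = Counter()
            note = None
            for e in evs[i:]:
                if e["ts"] > end:
                    break
                if e["action"] == "RENAME":
                    old_ext = PureWindowsPath(e["path"]).suffix.lower()
                    new_ext = PureWindowsPath(e["new_path"]).suffix.lower()
                    if new_ext and new_ext != old_ext:
                        ext_counts[new_ext] += 1
                elif e["action"] == "CREATE" and looks_like_ransom_note(e["path"]):
                    note = e["path"]
            if not ext_counts:
                continue
            ext, n = ext_counts.most_common(1)[0]
            # Requiring the note as well as the burst keeps bulk renames (ws-09) quiet.
            if n >= min_renames and note:
                alerts.append({"host": host, "extension": ext, "renames": n,
                               "note": note, "first_seen": start["ts"].isoformat()})
                break
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_LOG.splitlines())):
        print(alert)
```

On the constructed log this reports a single alert for ws-17 (six files renamed to `.locked` and a `HOW_TO_DECRYPT_FILES.txt` created within seconds) and stays silent for the benign batch rename on ws-09, which is the point of requiring both signals. A real deployment would feed it from the endpoint agent's file-event stream and isolate the host on alert, which is the "remove the impacted system from the network" step below.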
Hackers may demand that you pay a ransom.
Do not pay the ransom!
- Paying the ransom may seem like a realistic response, but it only encourages and funds these attackers. Even if the ransom were paid, what guarantee do you have that you will actually regain access to your files? Remember that these are the same aggressors who are holding your files hostage in the first place. Paying the ransom can actually increase the likelihood that you will be directly targeted for additional extortion attempts.
- Remove the impacted system from the network and remove the threat.
- With a multitude of variants it is unrealistic to list the exact steps, but most security vendors have detailed write-ups for the threats that include removal instructions. Removal is best done with the system off the networks to prevent any potential spread of the threat.
- Restore any impacted files from a known good backup. Restoration of your files from a backup is the fastest way to regain access to your data.
An estimated $5 million is being extorted from victims per year.
According to Symantec, this is how criminals make money on the scheme. Over a month-long period, the experts studied one specific attack in more detail: 2.9 per cent of compromised users paid out. This may seem like a small percentage, but it pays off for the criminals:
- During the month 68,000 computers were infected: the equivalent of 5,700 every day
- Ransomware typically charges between $60 to $200 or even $1000’s to unlock the computer
- On a single day, 2.9 per cent or 168 users paid the ransomware, permitting the criminals to potentially earn $33,600; which means the criminals could have made up to $394,000 in one month.
However, given the number of different malware variants and criminal gangs operating ransomware attacks, an estimated $5 million is being extorted from victims per year.
You may not be able to recover your data with the latest ransomware versions.
There are earlier variants of these threats that simply hid the ransomed files, left copies of the original files with the Volume Shadow Copy service or left copies of the private encryption keys locally or in memory. It is certainly worth the effort of researching the details of the variant you encountered to see if there are options for you, but for the majority of instances, these options are no longer the case as the threat writers have updated their methods using the funds from earlier rounds of extortion.
What can I do to protect a computer from ransomware?
- Install, configure and maintain an endpoint security solution – With the endpoint being the final line of defense from any threat, a multi-faceted security solution should be employed. This solution should have protections not just for file-based threats, but should also include download protection, browser protection, heuristic technologies, a firewall and a community-sourced file reputation scoring system.
- Educate users – One of the primary vectors of these threats is “spear phishing” attempts, where an unsolicited e-mail arrives from an unknown sender with an attachment that is then executed. Educating your users on the proper handling of unknown or suspicious files is crucial.
- Employ content scanning and filtering on your mail servers. Inbound e-mails should be scanned for known threats, and any attachment types that could pose a threat should be blocked.
- Maintain a current patch level for any operating systems and applications that have known vulnerabilities.
- Exploit kits hosted on compromised websites are commonly used to spread malware. Regular patching of vulnerable software is necessary to help prevent infection.
- Deploy and maintain a comprehensive backup solution. The fastest way to regain access to your critical files is to have a backup of your data.
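The mail-filtering and user-education points above both come down to the same question: is this attachment what its name says it is? KeRanger's dropper was an executable disguised as a Rich Text File, so a filter that only looks at extensions misses it. The following is an added example, not code from the original article or from any mail product, of an inbound attachment policy that combines an extension deny-list with a check of the file's leading bytes. The sample message, its sender and recipient addresses, and the attachment contents are all constructed; the deny-list and magic-byte table are a starting point, not a complete one.

```python
"""Inbound-mail attachment policy check.

Added example; not code from the original article or any mail product.
Parses an RFC 822 message (a constructed sample is built below), lists every
attachment and rejects those whose extension is on a deny-list or whose
content is an executable hiding behind a document-like name.
"""
import os
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Assumed deny-list; extend to match local policy.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd",
                      ".ps1", ".jar", ".hta", ".dmg", ".app"}

# Leading bytes of common executable formats (Mach-O magic appears in either
# byte order depending on the CPU the binary targets).
EXECUTABLE_MAGIC = {
    b"MZ": "Windows PE",
    b"\x7fELF": "ELF",
    b"\xfe\xed\xfa\xce": "Mach-O 32-bit",
    b"\xfe\xed\xfa\xcf": "Mach-O 64-bit",
    b"\xce\xfa\xed\xfe": "Mach-O 32-bit (little-endian)",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit (little-endian)",
    b"\xca\xfe\xba\xbe": "Mach-O universal / Java class",
}


def executable_type(data):
    """Return the executable format name if the bytes start with a known magic."""
    for magic, name in EXECUTABLE_MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def classify_attachment(filename, data):
    """Return the list of reasons to block this attachment (empty means allowed)."""
    ext = os.path.splitext(filename.lower())[1]   # "report.pdf.exe" -> ".exe"
    reasons = []
    if ext in BLOCKED_EXTENSIONS:
        reasons.append(f"blocked extension {ext}")
    kind = executable_type(data)
    if kind and ext not in BLOCKED_EXTENSIONS:
        reasons.append(f"content is {kind} but name claims {ext or 'no extension'}")
    return reasons


def screen_message(raw):
    """Parse a raw message and return one verdict dict per attachment."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    verdicts = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        reasons = classify_attachment(name, data)
        verdicts.append({"filename": name, "reasons": reasons, "allowed": not reasons})
    return verdicts


def build_sample_message():
    """Constructed test message with one clean, one disguised and one scripted attachment."""
    msg = EmailMessage()
    msg["From"] = "billing@example.net"
    msg["To"] = "amy@example.com"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please review the attached invoice.")
    # Genuine RTF documents begin with "{\rtf1".
    msg.add_attachment(b"{\\rtf1\\ansi Invoice total: 120.00}",
                       maintype="application", subtype="rtf", filename="invoice.rtf")
    # Constructed Mach-O 64-bit header with filler, named like a document (KeRanger-style disguise).
    msg.add_attachment(b"\xcf\xfa\xed\xfe" + b"\x00" * 28,
                       maintype="application", subtype="octet-stream",
                       filename="invoice_details.rtf")
    # A script with an extension the deny-list catches outright.
    msg.add_attachment(b"WScript.Echo 1", maintype="application",
                       subtype="octet-stream", filename="tracking.vbs")
    return msg.as_bytes()


if __name__ == "__main__":
    for verdict in screen_message(build_sample_message()):
        print(verdict)
```

Run stand-alone, it allows `invoice.rtf`, blocks `invoice_details.rtf` because its bytes are a Mach-O binary despite the `.rtf` name, and blocks `tracking.vbs` on extension alone. Two caveats worth keeping in mind: the `MZ` prefix is short enough to appear in legitimate text by chance, so treat a magic-byte hit as grounds for quarantine and inspection rather than automatic deletion, and archives (.zip, password-protected or not) need to be opened and their members run through the same check, which this example does not do.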
Unfortunately, most computer users do not have these countermeasures in place. Start protecting your computer network from ransomware today. To find out more about ransomware and IT security, contact us today online or by calling (904) 701-0000. Don’t get caught by surprise.