Imagine you have to leave your home on account of an emergency. There’s no one but your faithful nanny to take care of your house and your baby in your absence. You place your trust in your nanny and leave for the emergency only to return and find yourself locked out of your house with your child at the mercy of the nanny. The nanny would only let you in if you coughed up a million dollars.
Now imagine the same scenario but with your prized computer. You click on an email that promises you extra security against malware only to be hoodwinked by it, leaving your computer locked down by the application. The rogue application would let go of your system only if you paid a ransom for it.
Mode of propagation
The initial attack is disguised as an email warning you of malicious activity arising from your system. It could be about a security breach or compromised photos or bank account hacks. Such emails or notifications are meant to set up unsuspecting users and gain access to their systems. Gullible users end up downloading files which allow malicious code to run on their PCs.
In the case of ransomware, the payload is an application designed to lock or restrict the system until payment is made. The payload typically attacks the Windows shell and may even modify the master boot record and the partition table to prevent the operating system from booting until appropriate repairs are made.
Certain ransomware does not encrypt your system. Instead, it locks you out and asks you to send premium-rate SMS messages or make international calls to receive unlock codes. These attacks trick the user by posing as necessary steps for reactivating the operating system or for cleaning up a malware infestation.
CryptoLocker used a 2048-bit encryption key pair to encrypt files matching a whitelist of specific file extensions. It threatened users: pay and obtain the decryption key within three days, or else lose the private key permanently or have to buy the decryption key at a higher price. Nearly $3 million was extorted from users on account of CryptoLocker.
A malware known as Reveton posed as a federal warning stating that the system was locked on account of illegal activities such as child pornography or downloading pirated software. In order to unlock their systems, users had to pay ‘fines’ in the form of e-vouchers, bitcoins or through prepaid cash services. The ransomware first surfaced in 2012 and a syndicate accused of spreading Reveton was arrested in 2013.
Countering Ransomware in the Enterprise
- According to a report by Clearswift, user behavior is behind at least 58% of data theft incidents. The risk increases exponentially with the new wave of operational dependencies, including enterprise mobility and the concept of the extended enterprise.
- Organizations need to instill a culture of prudent behavior in updating application versions, promote hygienic browsing habits, and revise internal data sharing and BYOD policies. Employees must be trained to avoid clicking suspicious or unverifiable links, downloading unauthorized software or torrents, or opening obscure attachments. Safe browsing goes a long way in keeping malware at bay.
- Ransomware attacks commonly depend on obtaining an encryption key from an online server. Monitoring this traffic, using a combination of tools and manual interpretation, is the best way to thwart encryption attempts.
- Always make sure one set of incremental backups is automated and available in the cloud. This allows recovery of data that was encrypted between the infection and its detection.
- Regular system updates and patches will also hold your devices in good stead, ironing out flaws in the operating system, applications and firewall.
- Ransomware is big business. Enterprises can keep themselves out of harm’s way through safe practices and sufficient protection of critical files.
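As an added example (not code from the original article or from Aleph Tav Technologies), the Python below sketches an append-only, versioned backup store to show why the incremental backups recommended above make recovery possible: every version is kept and never overwritten, so the copy taken before the infection timestamp can be restored even though the payload rewrote the file between infection and detection. The class, its method names and all file contents and timestamps are constructed for illustration.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass
class Version:
    ts: int       # time the snapshot was taken (constructed epoch values below)
    digest: str   # sha256 of the content; lets unchanged files be skipped


@dataclass
class IncrementalBackup:
    """Hypothetical append-only backup store: versions are added, never replaced,
    so an encrypted copy written after infection cannot clobber the clean one."""
    blobs: dict = field(default_factory=dict)    # digest -> file bytes
    history: dict = field(default_factory=dict)  # path -> [Version, ...] oldest first

    def snapshot(self, files: dict, ts: int) -> int:
        """Incremental run: store only files whose content changed. Returns count written."""
        written = 0
        for path, data in files.items():
            digest = hashlib.sha256(data).hexdigest()
            versions = self.history.setdefault(path, [])
            if versions and versions[-1].digest == digest:
                continue  # unchanged since the previous snapshot
            self.blobs.setdefault(digest, data)
            versions.append(Version(ts, digest))
            written += 1
        return written

    def restore_before(self, path: str, infection_ts: int):
        """Newest copy of `path` taken strictly before the infection time.
        Returns None when no pre-infection version exists (file created afterwards)."""
        for v in reversed(self.history.get(path, [])):
            if v.ts < infection_ts:
                return self.blobs[v.digest]
        return None


def recovery_demo() -> dict:
    """Constructed timeline: snapshots at t=1000 and t=2000, infection at t=3000,
    a snapshot of the already-encrypted files at t=4000, detection at t=5000."""
    store = IncrementalBackup()
    store.snapshot({"q1.xlsx": b"sales=100", "memo.docx": b"hello"}, ts=1000)
    store.snapshot({"q1.xlsx": b"sales=120", "memo.docx": b"hello"}, ts=2000)
    # Stand-in ciphertext: the payload has rewritten both files and dropped a new one.
    store.snapshot({"q1.xlsx": b"\x9f\x11\x02", "memo.docx": b"\x00\xaa\x7c",
                    "new.txt": b"created after infection"}, ts=4000)
    return {p: store.restore_before(p, infection_ts=3000)
            for p in ("q1.xlsx", "memo.docx", "new.txt")}
```

The rollback only works because the backup target is not writable by the infected endpoint; a mounted share the payload can reach would be encrypted along with everything else.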
Talk to Aleph Tav Technologies to gain cognizance of hidden threats in your enterprise assets.