Learn more about ransomware and how to protect against ransomware attacks in Data Protection 101, our series on the fundamentals of information security.
A Definition Of Ransomware
Ransomware is a form of malware that encrypts files on an infected device and holds them hostage until the user pays a ransom to the malware operators. Millions of dollars have been extorted through ransomware attacks, which date back to 1989 AIDS/PC Cyborg Trojan. Today, common strains of ransomware include Cryptolocker (isolated in 2014), Cryptowall, Locky, and Samas or Samsam.
How Ransomware Works
Ransomware usually enters devices as a Trojan, masquerading as a normal file that is downloaded intentionally or unintentionally by the user. Upon execution, ransomware begins encrypting the files on an infected device and typically displays a message informing the victim that their files can only be decrypted if a ransom is paid to the attackers. The user is goaded into paying the operators, who may or may not supply a code or program to decrypt the files. Failure to pay the ransom within the time frame provided can result in an increased ransom amount or deletion of the encrypted files. The most effective and dangerous types ransomware are those where only the creators of the program have access to the decryption key. Ransoms are typically paid in Bitcoin or other digital currencies that are difficult to trace.
Common Types Of Ransomware Strains
CryptoLocker was discovered on September 15, 2013 and is considered to be the first modern strain of ransomware. It was distributed through email attachments and botnets in order to encrypt files on Windows computers and any mounted drives. Even though CryptoLocker itself was easy to remove from infected devices, the files remained encrypted, and the only feasible way to access files was to pay the ransom requested by the cybercriminals. Payment for the decryption key was taken through Bitcoin or pre-paid cash vouchers. In May 2014, CryptoLocker was taken down by a team of government agencies, security companies, and researchers in Operation Tovar, which recovered the private encryption key used for decryption and rendered further distribution of the ransomware useless. It is estimated that a combined $3 million was extorted through the CryptoLocker attacks.
CryptoWallCryptoWall was discovered on June 19, 2014 and is not related to CryptoLocker in any way. It has gone through numerous releases with different names and has not yet been isolated. It was initially distributed through exploit kits and emails but has recently been connected with malicious ads and compromised websites as well. CryptoWall encrypts files and deletes any VSS or shadow copies to prevent data recovery. After infection, the computer displays a web page or text document that provides payment directions to the user.
Samas, which is perhaps the most destructive form of ransomware, was first discovered on December 9, 2015. The code for Samas is not particularly advanced, but the methods of distribution are more targeted than other attacks. Cybercriminals will first identify specific networks that have unpatched servers running JBoss enterprise products. Once gaining access, the operators will move laterally from the entry point to identify more hosts. The ransomware is deployed manually once enough systems have been breached. Like CryptoWall, Samas will delete shadow copies after encrypting the original files and demand payment in Bitcoin. Unlike previous strains, however, the majority of Samas attacks have focused on hospitals, schools, and other networks with troves of sensitive information that can be sold for even greater profits.
Discovered on February 16, 2016, Locky is one of the newest ransomware strains. Like most, it is distributed through malicious email attachments, encrypts files on the main computer and mounted devices, deletes shadow copies of original files, and demands a ransom in return for the decryption key. However, Locky is easily distinguishable from other types of ransomware because it renames all files with the .locky extension when it encrypts them (though it does not touch the C: drive). It also changes the computer’s desktop wallpaper to an image file displaying the ransom message that is impossible to overlook.
Best Practices for Ransomware Protection
There are a number of steps you can take in proactive ransomware protection:
- Back up your files regularly and frequently: having diligent data backup processes in place can limit the damage caused by a ransomware attack significantly, as encrypted data can be restored without paying a ransom.
- Complete operating system and any software updates as soon as possible: software updates typically contain patches for security vulnerabilities and should be installed as soon as they’re made available. Enable automatic updates whenever possible to streamline this process.
- Do not click on email attachments or links from unconfirmed sources: email is a popular medium for phishing attacks that distribute ransomware or other malware via infected attachments or links to malicious websites.
- Disable Autorun for all mounted devices: disabling autorun will prevent malware from being able to spread autonomously, an important step in containing malware should an infection occur.
- Disable macro content in Microsoft Office applications: in many cases ransomware is spread via infected Microsoft Office documents that contain malicious macros that will download and execute the malware once run. Disabling macros by default can help to prevent compromises even if an infected file is opened by a user.
- Disable remote desktop connections when possible: disabling this feature will prevent attackers or malware from being able to access users’ devices and files remotely.
- Only log in as an administrator for as long as necessary: limit administrator privileges and the use of admin accounts whenever possible to ensure that a user that has been compromised isn’t inadvertently granting administrative privileges to an attacker who has gained access to their account.
- Deploy security software to bolster ransomware protection: there are a variety of solutions that can help prevent ransomware infections. At the bare minimum, antivirus solutions and firewalls can help to block known, common malware strains. For additional protection, companies should consider endpoint detection and response and advanced threat protection solutions to improve ransomware detection and blocking capabilities, as well as application whitelisting solutions to block the execution of malicious code.
Finally, for end users and organizations alike, awareness and education are key to protecting against ransomware attacks. By educating yourself and your users on basic protection practices and keeping up with current security threats, you can mitigate the risk of ransomware and keep your data safe.