What would it mean if you lost all of your personal documents, such as your family photos, research or business records? How much would you pay to get them back? There’s a burgeoning form of cybercrime that hinges on the answers to these questions. Ransomware, a form of malware that locks up your files and demands a ransom for them to be released, is becoming increasingly prevalent and they’re targeting individuals as well as organisations. We take a deeper look at ransomware and what you can do to protect yourself from this threat.
Ransomware image from Shutterstock
Zubair Baig is a Senior Lecturer of Cyber-Security at Edith Cowan University and Nikolai Hampton is a Master of Cyber Security Candidate at Edith Cowan University
You have probably heard of viruses and malware. These dangerous pieces of software can make their way into your computer and wreak havoc. Malware authors are intent on stealing your data and disrupting the proper functioning of your digital devices. Then there is ransomware. This is crafted by cyber-criminals for extorting data from innocent users, and is rapidly becoming a threat to individuals, small business and corporate users alike.
Unlike malware, ransomware does not steal data. Rather, it holds it captive by encrypting files and then displaying a ransom note on the victim’s screen. It demands payment for the cyber-extortion and threatens obliteration of data otherwise.
While the concept of ransomware has existed for more than 20 years, it wasn’t until 2012 that several key technological advances aligned and allowed it to flourish.
Now ransomware has evolved. It combines file encryption, it uses “dark” networks to conceal the attacker, and uses (or, rather, misuses) cryptocurrencies, such as Bitcoin, to prevent law enforcement from tracing the ransom payment back to the attacker’s den.
For a small upfront cost and with low risk of getting caught, ransomware developers can net good returns: industry estimates range from 1,000% to 2,000% return on investment.
What’s driving ransomware proliferation?
Paying small ransom amounts is quite simply adding to the problem. If you don’t, you lose your data; if you do pay, then you contribute to a worsening problem.
Yet for ransomware creators, it’s a lucrative business. Industry figures vary greatly, but reports suggest that developers can earn more than US$1 million per year, which is enough to attract skilled programmers and engineers.
There have been many reports of Australian businesses paying ransoms. Even the authorities aren’t safe, with several police departments in the US having paid ransoms in order to recover files. And we’ve even seen reports that FBI experts have advised victims to “just pay the ransom” if they need their data.
Phases of a ransomware attack
The biggest concern with ransomware is the rate at which it is adapting to combat security protections. We recently examined the evolution of ransomware and found that ransomware developers are learning from their mistakes in previous versions. Each generation includes new features, and improved attack strategies.
We also found that over 80% of recent ransomware strains were using advanced security features that made them difficult to detect, and almost impossible to “crack”. Things don’t look good for end-users; ransomware is increasingly using advanced encryption, networking, evasion and payment technologies. The developers are also making fewer mistakes and writing “better” software.
It’s not a stretch to imagine a ransomware developer currently working on ways to attack even corporate databases, or versions that lay low while they identify all of your backup disks.
How to protect yourself
Recovering files from ransomware is impossible without the attacker’s approval, so you need to avoid data loss in the first place. The best thing you can do is practice good “digital hygiene”:
-
Don’t fall prey to social engineering or phishing, which is where an attacker attempts to have you reveal sensitive information to them. If you receive a suspicious email from your grandma or work colleagues, ask yourself whether it’s unusual before you click. If you’re not sure, contact the sender via a different medium, such as giving them a phone call, to cross-check
-
Don’t install any software, plugins or extensions unless you know they’re from a reputable source. If in doubt, ask and only rely on trusted download sources. And certainly don’t be tempted to pick up USB sticks found on your pathway
-
Update your software (comprising your operating system, web browser and other installed sofware) regularly to ensure you are always running the latest versions
-
Backup! Important documents need to be treated like valued possessions. Grab a hand full of USB keys and rotate your backups daily or weekly, and don’t leave USB keys plugged in (current malware strains can scan removable USB disks). Having multiple copies means the adversarial effort on holding you for ransom is pretty much worthless.
Ransomware is a very real threat. Its rapid growth is being driven by the low risk to attackers and good financial returns. We all need to stay ahead of the game. Let’s start now and be safe not sorry!
This article was originally published on The Conversation.
Comments
10 responses to “What Is Ransomware And How To Protect Your Precious Files From It”
AS a matter of interest, is having your backups on a NAS or even a backup drive, likely to be infected? What if the OS backup is made by Acronis, will that be affected?
I had a client that got infected by a cryptolocker variant recently, this one found and wrecked data on a NAS via a mapped drive letter, it obviously just looked for data on drives a: to z: (and probably more if it was really smart, did you know you can have a “[:” drive for example?). It wouldn’t take much more smarts to find any network shares that aren’t mapped as drive letters either, so the short answer is – any online data can be found and wrecked, you need to have an offline backup (unplugged, powered down) to be absolutely protected if cryptolocker hits you.
Bugger! Looks like I’m going to need a second, “Off Line” NAS then 🙁
My NAS can be set to automatically create “Snapshots” of other folders on the NAS. The Snapshots cannot be accessed by a standard user or the Windows file system, only by logging into the NAS with an admin password. I think that would make them safe from a cryptolocker.
As the other responses have mentioned if you have mapped the NAS to a drive, then it will be susceptible. However If you have it mapped to a UNC or IP address then the cryptovirus cannot target it, at the present time.
I would suggest having a password protected NAS drive as any open/shared/mapped network drives get hit by Cryptolocker across the network.
I work for a pharmacy IT company and we are getting on average 2 pharmacies a week hit by Cryptolocker and its variants. Most of the time the issue is that their C drive is shared and there’s no stopping it going across the network unless you have a good switch/firewall. But this is never the case.
We use Shadowprotect to take incremental images on password protected NAS drives and haven’t had the backups encrypted when properly secured.
Having a password on the share doesn’t protect you if the user that runs the cryptolocker is already logged into the share, false sense of security.
See my previous comment. The OS of the NAS makes the Snapshots but keeps them invisible from the Windows file system. You would lose the shared folders on the NAS, but not the Snapshots.
Oops my comment was meant to be a reply to Mixedemoticons,
But yeah you’re right if the windows user is logged onto the NAS/shared drive it will go over to it, however we never save credentials for the windows user.
Shadowprotect writes directly to the NAS – the credentials are saved in the software itself so the infection cannot access the drive.
We have several hundred customers using this setup and have not had one backup get hit by cryptolocker and its variants when configured correctly.
Had to deal with a ransomware incursion this morning. A coworker opened an infected email. Within 20 minutes it had encrypted every document on his machine and mapped server shares. It may have gone further afield if I hadn’t pulled his network cable out – and that was only after a frantic time trying to identify which of 500 people was the vector: I discovered the encryption on the server over half an hour before the countdown warning popped up on the infected machine.