Mobile Critters: Part 3. Ransomware
Ransomware is a term that has been striking fear into the hearts of IT Departments and Information Security teams across the globe for nearly two decades.
What is Ransomware and how it works
Ransomware is a product of the push to monetize malware and hacking tools that began in the early days of the internet. Many early viruses were merely disruptive or affected productivity, but it wasn’t until the mid-2000s that cybercriminals began using the strong encryption available on every computer to hold data to ransom.
As with many forms of malware, ransomware is named quite literally: the files on an infected computer’s drives are encrypted with a strong algorithm, and the decryption key is known only to the attacker. In practice the malware generates a fresh symmetric key for each file or each victim and wraps it with a public key that the attacker controls, so neither the infected machine nor anyone examining it afterwards holds anything that can reverse the encryption. The attacker holds the data to ransom until the victim pays a fee, after which the attacker will, in theory, hand over the key needed to decrypt the data.
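To make the "key known only to the attacker" point concrete, here is an added example in Go (not Kaymera’s code, and not taken from any ransomware family): the envelope-encryption pattern that modern strains share, in which each file gets a fresh random AES key that is immediately wrapped with an RSA public key carried by the malware. The program works only on an embedded string in memory and never touches a file; it plays both sides so it can show that an unrelated private key (the only kind a victim can ever generate) recovers nothing, while the attacker’s private key recovers everything. The 2048-bit key size, the sample string and the RoundTrip helper are choices made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// EncryptedBlob is all that remains on the infected host: the ciphertext, its
// nonce, and the per-file AES key wrapped under the attacker's RSA public key.
// None of it is usable without the matching RSA private key.
type EncryptedBlob struct {
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte
}

// Encrypt seals plaintext with a fresh random AES-256-GCM key and wraps that key
// with RSA-OAEP under pub. The AES key is dropped on return, so the encrypting
// side cannot decrypt either: only the holder of the private key can.
func Encrypt(pub *rsa.PublicKey, plaintext []byte) (*EncryptedBlob, error) {
	fileKey := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, fileKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh key per file, so the nonce is never reused
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	ciphertext := gcm.Seal(nil, nonce, plaintext, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	return &EncryptedBlob{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ciphertext}, nil
}

// Decrypt unwraps the file key with priv and opens the ciphertext. With the wrong
// private key the OAEP check fails and no plaintext is produced at all.
func Decrypt(priv *rsa.PrivateKey, blob *EncryptedBlob) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, blob.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap file key: wrong or missing private key")
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, blob.Nonce, blob.Ciphertext, nil)
}

// RoundTrip plays both roles on one in-memory string: generate an "attacker" key
// pair, encrypt under its public half, show that an unrelated private key (all a
// victim could ever produce) recovers nothing, then decrypt with the attacker's key.
func RoundTrip(plaintext string) (recovered string, wrongKeyWorked bool, err error) {
	attacker, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return "", false, err
	}
	victimGuess, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return "", false, err
	}
	blob, err := Encrypt(&attacker.PublicKey, []byte(plaintext))
	if err != nil {
		return "", false, err
	}
	if _, guessErr := Decrypt(victimGuess, blob); guessErr == nil {
		wrongKeyWorked = true
	}
	pt, err := Decrypt(attacker, blob)
	if err != nil {
		return "", wrongKeyWorked, err
	}
	return string(pt), wrongKeyWorked, nil
}

func main() {
	rec, wrong, err := RoundTrip("Q3-forecast.xlsx: constructed sample contents")
	fmt.Printf("recovered: %q  wrong key worked: %v  err: %v\n", rec, wrong, err)
}
```

Because the per-file key is discarded as soon as it has been wrapped, nothing left on the disk can reverse the encryption. The same property cuts the other way: a strain that loses its private key, or corrupts the wrapped key it writes next to the ciphertext, leaves the data unrecoverable for everyone, payment or not.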
Some ransomware also has a further trick up its sleeve once it has infected a computer: it starts actively hunting for other devices on the network to infect. Looking for other machines with open ports or known vulnerabilities, it attempts to traverse the network, copy itself to further machines and encrypt those too. Not every strain does this; those without a worm component encrypt only the machine they land on and whatever network shares that machine can reach.
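That scanning behaviour is noisy on the wire, and the noise is what a detection can key on. As an added example (not Kaymera’s code), the Go program below reads constructed firewall-style connection records and flags any internal host that reaches an unusual number of distinct neighbours on the SMB port within a short window; the log format, the addresses, and the ten-hosts-in-a-minute threshold are assumptions made for the example. It skips malformed lines rather than failing on them.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
	"time"
)

// connEvent is one allowed connection as a firewall or flow collector logs it.
type connEvent struct {
	ts              time.Time
	src, dst, dport string
}

// parseLine reads the constructed "RFC3339 src=.. dst=.. dport=.." format used
// by SampleLog (an assumption; a real export only changes this function).
func parseLine(line string) (connEvent, bool) {
	fields := strings.Fields(line)
	if len(fields) < 4 {
		return connEvent{}, false
	}
	ts, err := time.Parse(time.RFC3339, fields[0])
	if err != nil {
		return connEvent{}, false
	}
	kv := map[string]string{}
	for _, f := range fields[1:] {
		if parts := strings.SplitN(f, "=", 2); len(parts) == 2 {
			kv[parts[0]] = parts[1]
		}
	}
	ev := connEvent{ts: ts, src: kv["src"], dst: kv["dst"], dport: kv["dport"]}
	return ev, ev.src != "" && ev.dst != "" && ev.dport != ""
}

// FindScanners returns, sorted, every source that reached at least threshold
// distinct destinations on dport within some window of the given length.
func FindScanners(log, dport string, window time.Duration, threshold int) []string {
	bySrc := map[string][]connEvent{}
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		if ev, ok := parseLine(sc.Text()); ok && ev.dport == dport {
			bySrc[ev.src] = append(bySrc[ev.src], ev)
		}
	}
	var flagged []string
	for src, evs := range bySrc {
		sort.Slice(evs, func(i, j int) bool { return evs[i].ts.Before(evs[j].ts) })
		seen := map[string]int{} // distinct destinations inside the current window
		lo := 0
		for hi := range evs {
			seen[evs[hi].dst]++
			for evs[hi].ts.Sub(evs[lo].ts) > window { // drop events that fell out of the window
				seen[evs[lo].dst]--
				if seen[evs[lo].dst] == 0 {
					delete(seen, evs[lo].dst)
				}
				lo++
			}
			if len(seen) >= threshold {
				flagged = append(flagged, src)
				break
			}
		}
	}
	sort.Strings(flagged)
	return flagged
}

// DetectSMBSweeps: ten distinct hosts on 445 within one minute (assumed thresholds).
func DetectSMBSweeps(log string) []string {
	return FindScanners(log, "445", time.Minute, 10)
}

// SampleLog is constructed for this example; it is not a real capture.
func SampleLog() string {
	base := time.Date(2017, 5, 12, 10, 0, 0, 0, time.UTC)
	var b strings.Builder
	line := func(offset int, src, dst, port string) {
		ts := base.Add(time.Duration(offset) * time.Second).Format(time.RFC3339)
		fmt.Fprintf(&b, "%s src=%s dst=%s dport=%s action=allow\n", ts, src, dst, port)
	}
	line(0, "10.0.1.40", "10.0.1.5", "445") // a normal workstation and its two file servers
	line(20, "10.0.1.40", "10.0.1.6", "445")
	for i := 0; i < 20; i++ { // a web scanner touching many hosts, but not on the SMB port
		line(20+i, "10.0.1.50", fmt.Sprintf("10.0.1.%d", 100+i), "443")
	}
	for i := 0; i < 12; i++ { // an infected host sweeping its subnet: twelve SMB targets in twelve seconds
		line(30+i, "10.0.1.15", fmt.Sprintf("10.0.1.%d", 20+i), "445")
	}
	b.WriteString("malformed line that parseLine must skip\n")
	return b.String()
}

func main() {
	fmt.Println("hosts sweeping for SMB:", DetectSMBSweeps(SampleLog()))
}
```

On a real export only the parse function changes. The threshold should come from a baseline of how many file servers a workstation normally touches, and the same logic serves for RDP (3389) or WinRM by passing a different port.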
What did WannaCry and NotPetya teach us?
As we saw with WannaCry and NotPetya in 2017, computers across the globe and across thousands of different companies can be affected in a very short space of time. Both spread between machines by exploiting a Windows SMBv1 vulnerability (MS17-010) that Microsoft had patched months earlier, so any unpatched host was exploitable from any neighbour that was already infected. An organization can find itself with hundreds or thousands of infected and encrypted machines in a matter of minutes. NotPetya went further still: its payment channel was shut down within hours and the identifier it showed victims could not be used to recover a key, so even victims willing to pay had no route to their data.
While ransomware is often extremely efficient at finding targets and taking hold, in practice the outcome doesn’t always work out for either the attacker or the victim. The ransom fee for decryption can range from a few hundred to several thousand dollars per machine, usually payable in Bitcoin. Many individual victims simply can’t afford that much to get their data back, and it may be cheaper for them to rebuild or replace the laptop while ruing the loss of whatever data was on it.
Similarly, if a large organization finds itself facing hundreds of thousands, or even millions, of dollars in ransom fees to get its computer systems back, it may be more cost-effective to restore those systems from backups than to pay the ransom.
“Even if the victim chooses to pay the ransom, there is no guarantee that the data will be recovered. Many strains of ransomware are poorly written, and decryption keys sometimes don’t work. Similarly, once an attacker has their ransom money, there’s no reason for them to play nicely and send the decryption key at all, leaving the victim poorer and without their data.” – Oshri Asher, Kaymera CEO.
Basic rules of protecting yourself from Ransomware
Ransomware is above all a test of resilience and business-continuity capability. With backups that the malware cannot reach (offline or otherwise write-protected, since a backup on a mapped share is just another file to encrypt) and restore procedures that are tested before they are needed, and with well-segregated networks that limit how far ransomware can traverse, the impact can be contained and a working system recovered without paying. Well-configured firewalls, up-to-date anti-malware software, and promptly patched systems all reduce the chance of malware holding you to ransom in the first place.