Save the ransom: How being prepared and proactive foils the plot

By Bev Robb, IT consultant

Since the advent of CryptoLocker in 2013, file-encrypting ransomware has become a scourge on the cyberthreat landscape, whether it is delivered via an email/phishing/spam campaign, a drive-by download, malvertising or a browser exploit kit. Those who are unprepared for this type of attack often pay the ransom or lose all their files, while those who are both prepared and proactive are able to escape the ransom and restore their files from backup.

Ransomware not only poses a threat to individuals, but has also stepped up its cyberextortion game to include organizations. Over the past two years, ransomware attacks have mushroomed. According to a recent Bromium report, ransomware variations have doubled every year since 2013, upping the cyber-extortion ante by a whopping 600 percent.

Understanding recent ransomware threats

Ransomware can spread via RDP ports that are left open to the Internet and via mapped drives. This includes external backup drives, USB drives, cloud storage drives and mapped network folders: any drive that has a drive letter (E, F, G, H and so on) can be encrypted and held for ransom.

Two ransomware variants that have gained enormous press over the past year are:

1. CryptoWall: Ransomware that works through each file (using a pre-determined file extension list) on a computer, including all drives that are assigned a drive letter, writes an encrypted copy of the file and then deletes the original from the hard drive. The primary purpose is to extract money (bitcoin) from the victim in exchange for a decryption key. It is most often spread via an email attachment, a drive-by download, or malvertising. The cybercriminals leave decryption instructions in the root of every directory in the form of three files: DECRYPT_INSTRUCTION.txt, DECRYPT_INSTRUCTION.htm and DECRYPT_INSTRUCTION.url.

2. TeslaCrypt is one of the most recent ransomware variants. It is delivered via exploit kits or as an obfuscated JavaScript email attachment whose file name may include the word “invoice”, “doc” or “info” (with random characters added). Upon opening the malicious attachment, the file downloads to the user’s computer and installs TeslaCrypt. TeslaCrypt 2.2 (the latest version as of December 2015) encrypts user files and appends a .VVV extension to them. This malware creates two ransom messages containing payment instructions and explaining how the victim can obtain the decryption key. Victims are instructed to download the TOR browser and to visit a specific .onion address for further instructions. TeslaCrypt is available for purchase on underground Darknet marketplaces and forums.
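Both variants leave visible traces on every drive they touch: CryptoWall's three DECRYPT_INSTRUCTION files in each directory and TeslaCrypt 2.2's .VVV suffix on encrypted files. The following scanner, an added example that is not part of the original article, walks a folder tree (a local disk or a mapped drive) and reports those indicators so a monitoring job can raise an alert; the sample tree it builds is constructed for the demonstration.

```python
import os
import tempfile
from pathlib import Path

# Indicators named in the article: CryptoWall's note files and TeslaCrypt 2.2's suffix.
RANSOM_NOTES = {"decrypt_instruction.txt", "decrypt_instruction.htm", "decrypt_instruction.url"}
ENCRYPTED_SUFFIXES = {".vvv"}


def scan_tree(root):
    """Walk root and collect ransom notes, renamed files and the directories they sit in."""
    findings = {"ransom_notes": [], "encrypted_files": [], "affected_dirs": set()}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            lower = name.lower()
            path = os.path.join(dirpath, name)
            if lower in RANSOM_NOTES:
                findings["ransom_notes"].append(path)
                findings["affected_dirs"].add(dirpath)
            elif Path(lower).suffix in ENCRYPTED_SUFFIXES:
                findings["encrypted_files"].append(path)
                findings["affected_dirs"].add(dirpath)
    return findings


def summarize(findings):
    """Counts a monitoring job would alert on; any hit means isolate the share and investigate."""
    return {
        "ransom_notes": len(findings["ransom_notes"]),
        "encrypted_files": len(findings["encrypted_files"]),
        "affected_dirs": len(findings["affected_dirs"]),
        "alert": bool(findings["ransom_notes"] or findings["encrypted_files"]),
    }


def demo():
    """Constructed sample tree: one clean folder and one folder showing both indicators."""
    with tempfile.TemporaryDirectory() as tmp:
        clean = Path(tmp, "clean")
        clean.mkdir()
        (clean / "report.docx").write_text("quarterly numbers")
        hit = Path(tmp, "shared")
        hit.mkdir()
        (hit / "DECRYPT_INSTRUCTION.txt").write_text("constructed ransom note")
        (hit / "DECRYPT_INSTRUCTION.htm").write_text("<p>constructed ransom note</p>")
        (hit / "budget.xlsx.vvv").write_bytes(b"\x00" * 16)
        return summarize(scan_tree(tmp))


if __name__ == "__main__":
    print(demo())  # 2 notes, 1 encrypted file, 1 affected directory, alert True
```

Point scan_tree at each mapped drive letter in turn to cover the network folders the article warns about.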

Americans as targets

Senator Ron Wyden (D) of Oregon was so troubled about the spread of ransomware last month that he sent a letter to the FBI stating that “victims of ransomware attacks are reporting payments between $200 and $10,000 to get their personal or business-related data back.” Wyden was concerned that FBI officials were quoted in mainstream media as saying that the bureau often advises people “just to pay the ransom.”

I also did a double-take on the FBI’s stance last year, since ransomware is one of the easier, rudimentary cyberthreats to deal with.

Wyden further elaborated: “I write today with great concern about the growing criminal practice of hacking Americans’ devices, encrypting their personal information and holding it for ransom through software commonly referred to as ransomware.” Wyden referenced CryptoWall’s financial loss to victims at more than $18 million with close to 1,000 complaints over a 14-month period.

Reactive vs proactive

In overall security planning it is wise to leave no stone unturned—digital vigilance is a must.

Keep all software updated—this includes the operating system, all software (including security applications/subscriptions), browsers, and browser plugins. Cybercriminals love leveraging system vulnerabilities.

In the ransomware chain, employees can be your best asset or your weakest link. If you have a click-happy employee, they probably are not aware that their behavior is placing the entire organization at risk. Monitoring client devices should enable an organization to address employee behavior that requires additional security training.

In terms of overall security (as stated above), you should keep your operating system, applications, and browsers updated. Always remember—nothing beats an offline backup strategy for dealing with the potential scourge of ransomware.

Having good, solid, working backups is one of the most important choices one can make. Maintaining more than one backup plan, both offline and offsite, is crucial. Always check backups and test-restore on a regular basis—valid, working backups are part and parcel of the proactive process.

Since ransomware targets and encrypts visible files—including mapped network drives and network shares—utilizing an offline backup strategy ensures that your organization will not come to a grinding halt or have to cough up any bitcoins. Remember to always physically disconnect the hardware backup device from the network after the backup is complete.

An offline backup strategy practically guarantees that your organization will be able to mitigate a ransomware attack: you can simply wipe the system clean and reload. Having more than one backup strategy in your overall backup planning process is crucial, and this includes backing up your offline backup too.
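"Check backups and test-restore on a regular basis" needs something to check against. This added example (not part of the original article) records a SHA-256 manifest of the backup set when the backup is taken and later verifies a test-restore against it, so a file that was silently encrypted, renamed with a ransomware suffix or altered before the backup ran shows up as a mismatch; the source folder and the damaged restore are constructed for the demonstration.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def sha256_file(path):
    """Hash a file in chunks so large backup sets do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's path relative to root (slash-separated) to its SHA-256."""
    root = Path(root)
    return {str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(restored_root, manifest):
    """Compare a restored tree with the manifest taken at backup time."""
    current = build_manifest(restored_root)
    return {
        "missing": sorted(set(manifest) - set(current)),
        "changed": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "unexpected": sorted(set(current) - set(manifest)),
    }


def demo():
    """Constructed run: a clean test-restore, then one where a file was encrypted and
    renamed with TeslaCrypt's .VVV suffix and another was tampered with."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp, "src")
        (src / "sub").mkdir(parents=True)
        (src / "a.txt").write_text("alpha")
        (src / "sub" / "b.txt").write_text("bravo")
        manifest = build_manifest(src)           # taken at backup time, kept offline
        restored = Path(tmp, "restored")
        shutil.copytree(src, restored)           # stands in for the test-restore
        good = verify_restore(restored, manifest)
        (restored / "a.txt").rename(restored / "a.txt.vvv")
        (restored / "sub" / "b.txt").write_text("tampered")
        bad = verify_restore(restored, manifest)
        return good, bad
```

Store the manifest with the offline copy, not on the share being backed up, or it can be encrypted along with everything else.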

What is your strategy?

This post was written as part of the Dell Insight Partners program, which provides news and analysis about the evolving world of tech. Dell sponsored this article, but the opinions are my own and don’t necessarily represent Dell’s positions or strategies.
