What is Ransomware?
Cyber security threats and attacks are always evolving. Viruses, worms, trojan horses, spyware, adware and scareware have all been around for a long time. One type of malware, however, has been grabbing headlines and creating headaches for users and IT professionals alike: ransomware.
Ransomware is a type of malware that places a restriction of some kind on the user’s computer; to remove the restriction, the user must pay a ransom. This form of crimeware is unique in that it tries to coerce the user into paying the criminal directly, effectively turning the malware itself into the attacker’s source of profit. Over the past five years, ransomware has become more and more widespread because of cybercriminals’ initial success in convincing victims to pay to recover their files.
Hackers often use trojan horses to spread ransomware. A trojan horse (or simply “trojan”) is any program that disguises itself in order to get a user to install or execute it. Trojans often masquerade as system or software updates, macros or other software add-ons. In reality, they carry malicious payloads that can have any number of undesirable effects: giving the hacker privileges on the computer via a “backdoor”; destroying files or corrupting disks; taking control of computing resources to use some or all of them as part of a “botnet”; or even stealing personally identifiable information such as name, address, credit card details or other sensitive data, either directly or by “keylogging”. In the case of ransomware, the trojan hides the malicious code and tricks the user into executing it. The ransomware is then able to infect the host computer (and possibly all mounted disks and network shares).
Notorious ransomware such as Cryptolocker, CryptoWall and Locky all work in similar ways. These three widespread families all attack files on the victim’s computer and encrypt them with a private key known only to the hacker. This makes the files useless to the victim, who can no longer access their contents without the key. To obtain the key and decrypt the files, the victim must follow the criminal’s instructions to make payment and obtain the decryption tool.
How is Ransomware Spread?
Ransomware can be distributed through the same vehicles as other malware: software downloads from websites, attachments to emails, and even malicious ads (known as “malvertising”) delivered over online ad networks.
What Can You Do?
Even today’s sophisticated malware protection can be circumvented by ransomware. The best approach to security is multi-layered and requires vigilance from both IT professionals and their end users.
- Always keep backups. Data can’t be recovered if it isn’t backed up. Have a strategy in place that covers every user, device and file.
- Lock down administrative rights. Don’t give users administration rights, even on their own machines, unless it’s absolutely necessary.
- Stay up to date. Keep systems and apps current with the latest patches to avoid exploits that rely on outdated code.
- Protect at the gateway. A unified threat management (UTM) appliance can block spam, viruses, and phishing attempts. It can also block “phone home” requests made by malware to its command-and-control server.
- Keep every endpoint protected. Gateway protection can’t help when users insert a rogue USB stick. Make sure every endpoint has complete, current security.
- If an email looks suspicious, it probably is. Teach users to trash emails that look like spam. Better yet, show them how to inspect email headers if they’re unsure of the sender.
- Don’t open attachments. Unless your users are absolutely, positively sure that they recognize both the sender and the file, it’s better to leave attachments alone. If they do open attachments, they should never enable macros or executables. Suggest other ways to share documents that require authentication and have built-in virus scanning.
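The header inspection suggested above, as an added example that is not part of the original article: a small Python check that compares the visible From domain against Reply-To and Return-Path and reads the receiving server's Authentication-Results. The two sample messages are constructed for this example; the domains in them are placeholders.

```python
"""Flag emails whose visible sender does not match the headers added in transit."""
from email import message_from_string
from email.utils import parseaddr


def header_domain(addr: str) -> str:
    """Return the lower-cased domain of a header such as 'IT Helpdesk <it@example.com>'."""
    _, address = parseaddr(addr or "")
    return address.rpartition("@")[2].lower()


def inspect_headers(raw: str) -> dict:
    """Run the checks a user can apply before trusting the visible sender.

    Caveat: Authentication-Results is only meaningful when it was added by
    your own receiving mail server; an attacker can forge the same header.
    """
    msg = message_from_string(raw)
    from_dom = header_domain(msg.get("From"))
    reply_dom = header_domain(msg.get("Reply-To"))
    path_dom = header_domain(msg.get("Return-Path"))
    auth = (msg.get("Authentication-Results") or "").lower()
    return {
        "from_domain": from_dom,
        "reply_to_mismatch": bool(reply_dom) and reply_dom != from_dom,
        "return_path_mismatch": bool(path_dom) and path_dom != from_dom,
        "spf_pass": "spf=pass" in auth,
        "dkim_pass": "dkim=pass" in auth,
    }


def is_suspicious(raw: str) -> bool:
    """True when replies or bounces would go elsewhere, or neither SPF nor DKIM passed."""
    r = inspect_headers(raw)
    return r["reply_to_mismatch"] or r["return_path_mismatch"] or not (r["spf_pass"] or r["dkim_pass"])


# Constructed sample: a lure that asks the user to enable macros in an attachment.
LURE = """Return-Path: <bounce@mail-relay.example.net>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mail-relay.example.net; dkim=none
From: "IT Helpdesk" <helpdesk@example.com>
Reply-To: helpdesk-support@example-mail.net
To: user@example.com
Subject: Invoice attached - please enable editing

Please open the attached invoice and enable macros to view it.
"""

# Constructed sample: an internal message whose headers all agree.
CLEAN = """Return-Path: <alice@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com
From: Alice <alice@example.com>
To: bob@example.com
Subject: Lunch

See you at noon.
"""
```

Run `inspect_headers(LURE)` to see which individual checks fired; `is_suspicious` only summarises them.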