Ransomware has been a constant cyberthreat since the early 2000s, although the first acknowledged instance was as early as 1989 when a file-encrypting Trojan was distributed on compromised diskettes, coupled with demands for a $189 payment.
If you thought ransomware was a threat that only impacts technophobic grandmothers, reckless teenagers, and other home computer users, think again. According to Symantec’s Internet Security Threat Report 2019, ransomware distributors have shifted their focus to enterprises, with infections rising by 12 percent. Trend Micro’s Midyear Security Roundup Report showed a 77 percent increase in overall incidence of ransomware, in comparison to the second half of 2018.
Statistics like these are troubling, and made more so by news from Coveware, a ransomware recovery company, that the average ransom payment increased by 184 percent from the first to the second quarter this year (up to $36,295 from $12,762).
How ransomware works
As the name implies, the purpose of ransomware is to hold the data of businesses or individuals hostage, by making it inaccessible to its owners, in hopes of extracting money or something else of value in exchange for releasing it. It’s usually distributed via phishing email or by “drive-by” downloads from compromised websites, but can also be spread as attached files in social media or chat messages, or even over Remote Desktop Protocol (RDP) connections. It’s also possible for ransomware to spread over a network and impact all of an organization’s systems.
The malicious files are typically executables that may have been disguised by putting them in a .zip file or hiding the file extension. Once the malware is downloaded onto the victim computer by whatever means, it encrypts the data files it finds on the system, so that they can’t be accessed without the crypto key that’s in the possession of the attacker. Paying the ransom might or might not result in the attacker providing the key to decrypt the files.
A ransomware attack can be costly beyond the amount of the ransom. It may take critical systems or the entire network down for hours, days, or even weeks, with resultant loss of business and negative impact on the company’s reputation. Sensitive data may be exposed; even if the attackers release it upon payment, they may harvest names, passwords, credit card and banking information or other data that they can use for identity theft or sell on the dark web. Irreplaceable data may be lost forever if the attacker doesn’t release it or has accidentally corrupted or erased the files in the encryption/decryption process.
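As an added example (not code from this article), the following Python script shows the defender’s side of the encryption step described above: once a ransomware process replaces readable documents with ciphertext, the file contents become statistically indistinguishable from random bytes. The script measures Shannon entropy per file and flags documents whose extension suggests plain content but whose bytes look encrypted, while skipping formats that are dense by nature (compressed archives, images) to avoid false positives. The sample directory, its file names and the 7.5 bits-per-byte threshold are constructed for the demonstration and are assumptions, not values from the article.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Formats that are already compressed or encrypted, so high entropy is normal for them.
# (Assumed list for the demo; extend it to match the file types on your own shares.)
ALREADY_DENSE = {".zip", ".gz", ".7z", ".jpg", ".jpeg", ".png", ".mp4", ".pdf", ".docx", ".xlsx"}

# Entropy threshold in bits per byte (maximum is 8.0). Plain text sits around 4-5 bits;
# ciphertext from any modern cipher sits very close to 8. Chosen for the demo.
ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def suspicious_files(root, threshold=ENTROPY_THRESHOLD, min_size=256):
    """Return the names of files under root that look like ciphertext.

    A file is reported when its extension is not one of the naturally dense formats,
    it is at least min_size bytes (tiny files give noisy entropy estimates), and its
    entropy is at or above the threshold. A renamed extension such as ".locked" is
    not in ALREADY_DENSE, so files a ransomware renamed are still examined.
    """
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix.lower() in ALREADY_DENSE:
            continue
        data = path.read_bytes()
        if len(data) >= min_size and shannon_entropy(data) >= threshold:
            hits.append(path.name)
    return hits


def build_sample_tree() -> str:
    """Constructed demo directory: two ordinary documents and one file whose contents
    have been replaced by random bytes, which is what an encrypting ransomware leaves
    behind. Returns the directory path."""
    root = Path(tempfile.mkdtemp(prefix="ransom-demo-"))
    (root / "notes.txt").write_bytes(b"Quarterly planning notes. " * 40)
    (root / "report.csv").write_bytes(b"date,amount,customer\n2019-11-01,120.50,acme\n" * 20)
    # Constructed stand-in for an encrypted document: random bytes, extension appended.
    (root / "invoice.xlsx.locked").write_bytes(os.urandom(4096))
    return str(root)


if __name__ == "__main__":
    demo_root = build_sample_tree()
    for name in sorted(os.listdir(demo_root)):
        print(f"{name:24s} entropy={shannon_entropy((Path(demo_root) / name).read_bytes()):.2f}")
    print("suspicious:", suspicious_files(demo_root))
```

On a real file server this check would run on a schedule or from a file-change hook, and a burst of newly high-entropy files in a short window is the signal to act on; a single hit in isolation is far more likely to be a legitimately compressed or encrypted document, which is why the dense-format list matters.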
Recent ransomware attacks
The past couple of months have seen waves of malware attacks in Spain, Germany, Canada and other areas that have companies both large and small scrambling to try to recover priceless data and keep businesses operational. These follow numerous such attacks on U.S. municipalities, healthcare facilities, and schools earlier this year.
Canadian governments and hospitals
In October, a number of cities in Ontario, Canada, were hit with ransomware attacks, and early November brought a sophisticated attack against the government network in Nunavut, which is Canada’s largest territory. This resulted in shutdown of part of the network, impacting governmental operations. The culprit appears to be DoppelPaymer, which has also victimized the Texas city of Edcouch, the Chilean Ministry of Agriculture, and others this past summer.
Meanwhile, a hospital in Toronto was victimized by another ransomware variant, Ryuk, in late September. Ryuk has reportedly been responsible for extorting millions of dollars (USD) in ransom payments, including over a million from Florida cities that were targeted in June and July.
October brought a ransomware attack on multinational automation tool maker Pilz, based in Germany, which affected its systems all over the world. All computers had to be disconnected from the network, and employees were without access to email, orders and delivery, and other computerized processes. This time, the “bad guy” was BitPaymer, a ransomware variant that’s closely related to DoppelPaymer. BitPaymer attacks generally target larger organizations with deeper pockets, and extract higher than average payments from their victims.
Back in August, another form of ransomware, called GermanWiper, was being unleashed on Germany. It’s a particularly nasty piece of malware because it overwrites files with random ones and zeros, rendering the data that was formerly stored on the disk virtually unrecoverable, even after the ransom is paid. Thus, unlike with other ransomware that only encrypts the files, the data is likely to be lost for good unless the organization has made timely backups.
Attacks on Spanish businesses
As of the first week in November, a targeted ransomware attack in Spain is wreaking havoc: major IT services provider Everis and the radio broadcaster SER were hit by attacks demanding payments of as much as €750,000. The victim companies shut down their computers, and some other Spanish businesses reportedly did the same as a precautionary measure. This follows the September ransomware attacks on several Spanish city government offices. The ransomware variant in the current attacks in Spain had not been positively identified as of the time of this writing.
“Fake president” fake ransomware
In a new twist, another recent ransomware variant doesn’t even necessarily encrypt your files; instead it tries to persuade you to pay by locking the PC’s screen and telling the user that the data will be lost if they don’t comply.
The name comes from the fact that the scam displays photos of U.S. president Donald Trump or Russian president Vladimir Putin on the alert screen. These are being distributed via spam email and possibly through fake ads on social media. Another variation on the theme is screen-locker malware that announces a “Donald Trump Error” but doesn’t actually encrypt files.
Protecting against ransomware
To avoid having your organization become a victim of ransomware, you need to take a two-pronged approach:
- Keep ransomware off your systems and out of your network:
  - Educate users on safe email and web surfing practices.
  - Disable the running of macros in documents attached to email.
  - Restrict users from installing software and follow the “least privilege” principle, deploying access controls that restrict permissions to “read only” where possible.
  - Keep all operating systems, browsers, and other software up to date with security patches so attackers can’t exploit known vulnerabilities.
  - Use antimalware solutions to detect malicious software.
- Mitigate the damage that can be done in case of a ransomware attack:
  - Deploy a backup system for all of your data, and isolate backups from the network so they, too, don’t get encrypted by the ransomware.
  - Keep copies off site.
  - Test your backups regularly to ensure they can be restored properly.
  - If you suspect a computer is infected, immediately unplug it from the network to prevent spread.
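As an added example, not code from this article, here is a Python sketch of the “test your backups” step above: a SHA-256 manifest is recorded when the backup is taken and kept with the isolated copy, and a restore test compares the restored tree against that manifest byte for byte, so a backup that was silently encrypted, corrupted or partially lost after the fact is noticed during the test rather than during an incident. The directory layout, file names and contents are constructed for the demonstration and are assumptions.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def file_sha256(path: Path) -> str:
    """SHA-256 hex digest of a file, read in chunks so large backups don't load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(backup_root) -> dict:
    """Map each file's path (relative to the backup root, POSIX-style) to its digest.
    Record this at backup time and store it alongside the off-site/offline copy."""
    root = Path(backup_root)
    return {p.relative_to(root).as_posix(): file_sha256(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(restore_root, manifest: dict) -> dict:
    """Compare a restored tree against the manifest.

    Returns which expected files are missing, which have different content from
    what was backed up (for example, encrypted or overwritten after the backup),
    and which files are present that the manifest never listed.
    """
    root = Path(restore_root)
    present = {p.relative_to(root).as_posix(): file_sha256(p)
               for p in root.rglob("*") if p.is_file()}
    return {
        "missing": sorted(set(manifest) - set(present)),
        "modified": sorted(k for k in manifest if k in present and present[k] != manifest[k]),
        "extra": sorted(set(present) - set(manifest)),
    }


def restore_is_clean(report: dict) -> bool:
    """True only when the restore matches the manifest exactly."""
    return not any(report.values())


def demo() -> tuple:
    """Constructed walk-through: back up a small tree, record its manifest, restore it
    elsewhere and verify. A second verification shows the report after one restored
    file has been overwritten with unreadable bytes."""
    src = Path(tempfile.mkdtemp(prefix="backup-src-"))
    (src / "docs").mkdir()
    (src / "docs" / "policy.txt").write_text("Least privilege for all service accounts.\n")
    (src / "ledger.csv").write_text("date,amount\n2019-11-05,42.00\n")

    # Serialize the manifest the way it would be written next to the isolated backup copy.
    manifest_json = json.dumps(build_manifest(src), indent=2, sort_keys=True)

    restored = Path(tempfile.mkdtemp(prefix="backup-restore-")) / "tree"
    shutil.copytree(src, restored)
    clean_report = verify_restore(restored, json.loads(manifest_json))

    # Simulate a restore whose ledger.csv no longer matches its recorded digest.
    (restored / "ledger.csv").write_bytes(b"\x00\xff" * 32)
    tampered_report = verify_restore(restored, json.loads(manifest_json))
    return clean_report, tampered_report


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean restore ok:", restore_is_clean(clean))
    print("tampered restore report:", tampered)
```

The important design point is where the manifest lives: if it is stored only on the live network, an attacker who encrypts the backups can encrypt the manifest too, and the test proves nothing. Keep it with the offline or off-site copy, and run the restore test into a scratch location on a regular schedule rather than only after an incident.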
Antimalware programs and user education will also help protect against “fake” ransomware and screen lockers, which are distributed in the same ways. Also note that some common ransomware families have been cracked by security researchers, so recovering some or all of your data may be possible via this route, depending on the type of ransomware. Decryption tools are available, as are a plethora of data recovery services that may be able to help.