Datanapping Alert: Ransomware holds your most critical files hostage

Cyber attackers have grown much more sophisticated – and a great deal more mercenary – over the years. Once upon a time, most malware was written with the objective of having a perverted type of amusement. Malicious code authors enjoyed wreaking havoc and destroying others’ data and operating systems in the same way vandals enjoy taking a baseball bat to strangers’ mailboxes just for the “fun” of it.

Today, more and more malware is designed not just to cost you time and headaches and the money required to rebuild your system or recreate your files, but to put cold hard cash in the pockets of those who create and distribute the malware. Ways to do that range from phishing sites aimed at stealing bank account and credit card information to scamware that tugs at your heartstrings and cons you into donating to the attacker’s favorite “charity”: him/herself.  An increasingly popular and particularly insidious form of malware-for-profit is the phenomenon appropriately known as ransomware.

Ransomware doesn’t erase your data; it just locks it up so that you can’t access it. Then, like any money-motivated kidnapper, it demands payment in return for the release of your files. There are several varieties, some of which encrypt the hostage files, and others that lock up the entire system in various ways, such as by editing the master boot record or changing settings to the Windows shell.

SC Magazine recently reported on a ransomware scheme that is thought to have infected close to 350,000 systems and may have collected $70,000 or more in Bitcoins from its victims. This particular incarnation sends emails that lure recipients into downloading a .zip file from Dropbox. The executable contained in the file installs CryptoWall, which is one of a number of the encrypting type of ransomeware (others include CryptoLocker and CryptoDefense). CryptoWall uses 2048 bit encryption to deny users access to their own files and asks for $500 in Bitcoins (which doubles if you don’t pay it quickly enough).

Bitcoin is an open source payment system that functions like digital currency and those who use it are not identified by name, making it more difficult to track illegal transactions, although the transactions are not completely anonymous.

In most ransomware cases, the encryption key is stored on the attacker’s computer, so there is no easy way to unlock your files. There are data retrieval services that might be able to recover some of your lost files, but they’re expensive and there are no guarantees of success. 2048 bit encryption, such as that used by CryptoWall, is a standard today for protecting sensitive data and is very secure. That’s a good thing when you’re using it to protect your own data, but not so good when someone else is using it to keep your data away from you.

Of course, having your data taken hostage is not nearly as traumatic as having a loved one kidnapped, but it can be frustrating at the very least, and in the case of sensitive information, company trade secrets and such, could threaten the future of the company even if you have backups of the information, since the attacker has control and has the ability to decrypt the files and possibly distribute them to the public or to competitors.

So, if all else fails, should you pay the ransom? Even if you do, there’s no assurance that the attackers will really send the decryption key or that it will work; in fact, there have been many cases where the victims paid up and never heard from the malware authors again. These people are criminals; there’s no reason to think you can trust them to keep their words – and paying just encourages them to prey on more victims. Unlike with a real-world kidnapping, they aren’t risking a murder charge if they just take your money and leave you in the lurch.

The takeaway here is obvious: Your best bet when going up against datanappers is not to get into the situation in the first place. That means:

• User education to make workers aware of the ransomware threat and the ways in which it can be distributed.
• Usage policies that prohibit opening files from untrusted email attachments or downloading files from untrusted web sources or cloud storage service accounts.
• Anti-virus and anti-malware, kept up to date with the latest definitions.
• Storage of important files on centralized file servers, not on individual hard drives or personally owned devices.
• Backups of all important files on a regular basis to multiple locations.

Ransomware is just one of the many threats that we have to deal with as the protectors of our networks and the systems that reside on them. As always, a multi-faceted in-depth defense strategy is needed to keep your data from being nabbed by the bad guys.