What is ransomware?
Ransomware is malicious software that encrypts the data on a computer in order to extort money from its owner in exchange for restoring access. Once a workstation or server is infected, the malware typically contacts a command-and-control server run by the attacker to obtain or register the key material it will use (some families carry an embedded public key and can encrypt with no network connection at all), and then starts encrypting every file it can reach.
From there the malware walks the local disks and any reachable network shares (including servers) looking for files to encrypt. Active ransomware is hard to spot from the desktop because the encryption runs quietly in the background. Once it has finished, it replaces the wallpaper of the infected workstation, or drops a ransom note in every folder, with a message telling the user that they have a limited time, typically a deadline such as 72 hours, to pay the ransom in order to regain access to their data.
The files remain on the disks and servers, but none of them is usable, because they have been encrypted with a strong, properly implemented cipher. Brute-forcing such keys is not a matter of decades: for a 128- or 256-bit key it is computationally infeasible with any hardware that exists or is foreseeable, so the only realistic ways back are the attacker's key or a backup. Recovery without the key is only possible when the malware authors made an implementation mistake (a weak random number generator, a key left on disk), which is why free decryptors exist for some families and not for others.
How it works is very simple
You receive an email with an attachment that claims to be an invoice. As soon as you open it, the malicious code runs with your privileges, and from that moment the attacker controls what happens to your files. Suddenly you find that your service, your website or your computer is completely blocked, and only the criminal responsible for the attack can release your data, after payment.
Should you fear the ransomware for your business?
Ransomware is increasingly common in companies. Well-known families include CryptoLocker, CryptoWall and CryptoDefense. Cybercriminals keep refining their tools and techniques to improve the effectiveness of their attacks, causing millions in damage to businesses all over the world.
Why is this phenomenon more and more frequent? Because cybercrime organizations earn millions of dollars through these techniques. Several reports and studies indicate that organized crime groups are moving from the illicit drug market into cybercrime, and ransomware in particular, because it generates a lot of money at much lower risk.
The terrible hijacking of your data
The technique has been in use for decades and usually consists of encrypting the files (or, in some families, the whole disk) of the infected machine, so that services and data cannot be accessed without the key that protects them.
Attacks that hijack our information have grown and have become a lucrative source of income for cybercriminals. According to a McAfee study, such threats increased by 58% in the second quarter of 2016, and the ways of delivering this type of malware are as varied as the scenarios in which it is used.
How do you get infected?
In the case of CryptoWall, which works like other families of this type, small files are dropped into key folders such as the user's application data directory, the startup folder and other directories, under random names, and they simply connect to a remote server controlled by the cybercriminal.
CryptoWall 4 focuses on the application data directory and creates a registry entry so that it is launched at every login. From there the encryption starts, and in CryptoWall 4 it is especially harmful: AES is used with a different key for each file, so even two identical files look completely different once encrypted.
CryptoWall 4 also encrypts the file names to make things even harder. Although each file has its own key, all of those per-file keys are protected by a single master key held by the cybercriminal (in most families the per-file keys are encrypted with a public key whose private half never leaves the attacker's infrastructure), and that master key is what you receive if you pay the ransom.
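The key hierarchy described above (a fresh random key per file, every per-file key wrapped under one master key) is ordinary hybrid encryption, and it is worth seeing why it makes the files unrecoverable without the master key. The following Python is an added illustration, not CryptoWall's code or anything from the original article. It uses only the standard library, so the per-file cipher is an HMAC-SHA256 keystream in counter mode standing in for AES, and the master key is symmetric; real families wrap the per-file keys with an RSA public key so that the private half never touches the victim machine. All data stays in memory; nothing is written to disk.

```python
import hashlib
import hmac
import os


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF (HMAC-SHA256) run in counter mode to produce a keystream.
    Stand-in for AES-CTR so the example needs only the standard library."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with the keystream; the same call encrypts and decrypts.
    Unauthenticated demo construction, not for production use."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


def encrypt_file(master_key: bytes, plaintext: bytes) -> dict:
    """Per-file key, wrapped under the master key, as the article describes."""
    file_key = os.urandom(32)          # fresh random key for this file only
    nonce = os.urandom(16)
    ciphertext = stream_xor(file_key, nonce, plaintext)
    # Wrap the file key under the master key. Real ransomware uses an RSA
    # public key here (assumption for this demo: a symmetric master key).
    wrap_nonce = os.urandom(16)
    wrapped_key = stream_xor(master_key, wrap_nonce, file_key)
    return {"nonce": nonce, "ciphertext": ciphertext,
            "wrap_nonce": wrap_nonce, "wrapped_key": wrapped_key}


def decrypt_file(master_key: bytes, blob: dict) -> bytes:
    """Only the holder of the master key can unwrap the per-file key."""
    file_key = stream_xor(master_key, blob["wrap_nonce"], blob["wrapped_key"])
    return stream_xor(file_key, blob["nonce"], blob["ciphertext"])


def demo() -> tuple:
    """Constructed sample: the same document encrypted twice."""
    master = os.urandom(32)
    doc = b"Quarterly invoice: total due 12,400 EUR"
    first = encrypt_file(master, doc)
    second = encrypt_file(master, doc)
    identical_inputs_differ = first["ciphertext"] != second["ciphertext"]
    recovered_with_master = decrypt_file(master, first) == doc
    wrong_master_fails = decrypt_file(os.urandom(32), first) != doc
    return identical_inputs_differ, recovered_with_master, wrong_master_fails


if __name__ == "__main__":
    print(demo())  # -> (True, True, True)
```

The three booleans returned by `demo()` correspond to the three claims in the text: identical files encrypt differently, the master key decrypts everything, and without it the wrapped per-file keys are just random bytes. A 256-bit key space is far beyond any brute-force effort, so the only shortcuts are implementation mistakes in the malware or a backup.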
Encryption and bitcoins as the basis of these attacks
To “free the data” you will have to make an electronic payment, usually with a system that suits this business perfectly: bitcoin has become the medium preferred by attackers, since transactions cannot be reversed and it is very hard to find out who receives the money at the other end (the ledger itself is public, so payments can be traced, but linking an address to a person requires further investigation).
Ransomware can be run by almost anyone with some technical background, because malware developers sell “kits” that make it easy to deliver ransomware to any machine. There are already many well-known families: “TeslaCrypt”, “TorrentLocker”, “Chickens Brothers” or the infamous “CryptoWall” have generated huge income for cybercriminals, year after year.
Prevention is your main ally against Ransomware
Usually this type of attack starts by downloading or opening something that, under a legitimate appearance, hides malicious code able to infiltrate your computer and take control of all or part of its contents. Once the attack has run, your computer displays a message saying that it has been compromised and that a ransom must be paid to recover the data. The payment is usually demanded in bitcoin, but each “kidnapper” can opt for the currency of his choice.
If you fall into the hands of one of these attackers there is very little you can do to save your data on your own, unless you are an expert and the malware happens to be flawed. Many attacks target victims with significant economic resources, so attacks against large corporations happen almost daily, but individuals and small businesses are hit too. In these attacks valuable information is held hostage to force payment, and there is no guarantee that the information will be recovered even after paying.
The best way to avoid being a ransomware target is to be careful with certain types of files, mainly those with extensions such as .exe, .doc, .xls, .scr or .vbs (Office documents are dangerous because of macros, the others because they are directly executable), and “careful” means making sure their source is legitimate before opening them.
Email is one of the main ways these files arrive, even from a known sender: be very careful, because much of this malware is able to forward itself to everyone in your contact list, and a sender address is trivially spoofed. In the same way, disable the automatic playback (AutoRun) of content on external storage devices.
Keep all the applications on your system updated, because patched software closes the vulnerabilities these attacks exploit. Make backups of your data so that, if your files are taken hostage, you still have a copy elsewhere.
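The extension advice above is easy to turn into a first-pass triage for incoming attachments. The Python below is an added example, not part of the original article; the extension lists and the verdict names are its own assumptions and should be tuned to your environment. It catches the classic double extension (invoice.pdf.exe shown as invoice.pdf when extensions are hidden), the right-to-left override trick (a U+202E character makes “photo\u202Egnp.scr” display as “photoexe.png”), macro-capable Office types and archives that hide their contents from scanning.

```python
from typing import List, Tuple

# Assumed categories for this example; extend to match your mail filter policy.
EXECUTABLE_EXT = {"exe", "scr", "vbs", "vbe", "js", "jse", "wsf", "wsh", "bat",
                  "cmd", "com", "pif", "hta", "ps1", "lnk", "msi", "jar"}
MACRO_EXT = {"doc", "xls", "ppt", "docm", "xlsm", "pptm", "dotm", "xlsb"}
ARCHIVE_EXT = {"zip", "rar", "7z", "iso", "img", "cab"}
DOCUMENT_LOOKALIKE = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "jpeg",
                      "png", "txt", "html"}


def triage_attachment(filename: str) -> Tuple[str, str]:
    """Return (verdict, reason) for one attachment name.
    verdict is 'block', 'review' or 'allow'."""
    name = filename.strip().lower()
    # Bidi override characters reverse how the name is displayed, so the
    # extension the user sees is not the one the operating system uses.
    if "\u202e" in name or "\u202d" in name:
        return "block", "unicode bidi override in file name"
    parts = name.split(".")
    if len(parts) < 2 or parts[-1] == "":
        return "review", "no extension"
    exts = parts[1:]
    last = exts[-1]
    if last in EXECUTABLE_EXT:
        if len(exts) >= 2 and exts[-2] in DOCUMENT_LOOKALIKE:
            return "block", f"double extension: looks like .{exts[-2]} but runs as .{last}"
        return "block", f"directly executable type .{last}"
    if last in MACRO_EXT:
        return "review", f"office file type .{last} may carry macros"
    if last in ARCHIVE_EXT:
        return "review", f"archive .{last} hides its contents from scanning"
    return "allow", f"plain .{last}"


def triage_many(filenames: List[str]) -> List[Tuple[str, str, str]]:
    """Triage a batch of attachment names, e.g. from one mailbox export."""
    return [(f,) + triage_attachment(f) for f in filenames]


if __name__ == "__main__":
    # Constructed sample names, not taken from any real incident.
    sample = ["Invoice_2016.pdf.exe", "invoice.pdf", "report.xlsm",
              "holiday\u202Egnp.scr", "README", "setup.scr", "photos.zip"]
    for name, verdict, reason in triage_many(sample):
        print(f"{verdict:7} {name!r}: {reason}")
```

A verdict of “review” is deliberately not “allow”: Office files and archives are the normal carrier for ransomware droppers, so they belong in a sandbox or in front of a human before they reach the inbox.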
Tips to stay safe
Ransomware is a threat that infects computers, holds their information hostage and demands a ransom to return it. It uses social engineering techniques and can affect both individuals and organizations. Recently ransomware gained attention after the attack known as “WannaCry”, which hit more than 200,000 systems in 150 countries; WannaCry, notably, spread on its own through an unpatched SMB vulnerability, a reminder that patching matters as much as user vigilance.
Most of these threats rely on deception: they try to persuade the user to run, open or visit something that compromises the computer without the user noticing. The propagation vectors of ransomware are the same as those of other traditional threats such as phishing, which means that email is the main scenario.
It is impossible to be 100% sure that a system is free of threats, but there are steps you can take to protect your computers. First of all, always keep your applications and operating system updated.
That first rule should be complemented by an antivirus that is kept updated and scans your system regularly. Security vendors compete with their own products, but since attackers keep renewing their techniques, no product can guarantee on its own that your data is protected.
Use common sense and avoid downloading suspicious documents and files from unknown senders. Above all, keep backups of your data; both cloud services and external storage can help here, provided the backup medium is not permanently connected to your computer, so that it is not encrypted along with everything else.
There are other measures, such as the “CryptoLocker Prevention Kit”, a set of group policies that prevent ransomware from running from the directories it usually installs into. Be wary of the “Tor network” and the “deep web”, where malicious content is more frequent; if such access is needed, it should be granted only by the system administrator and revoked afterwards.
Do not use public computers
When traveling, people often use public computers or the ones at a hotel reception. Using them to browse sites where you do not need to enter credentials or exchange information is fine; but do not enter your bank, email or social network credentials on them, since you do not know how the network is set up or whether everything you type is being monitored and stored. For the same reason, do not use them to download the photographs from your camera or other personal data.
Make a weekly backup of your data
Ransomware is becoming more common; it encrypts the files on the hard drive (and on any reachable network share) and then demands a ransom to recover them. For this reason it is essential to make periodic backups, so that you can restore them and quickly recover all your files.
Do not install apps you do not know, and read their permissions
With the popularity of smartphones, especially Android, malicious apps appear every day. Do not install unknown applications, and if you do, look carefully at the permissions they request: malicious apps normally ask for far more permissions than their stated purpose requires.
Install a security suite with a built-in firewall
It is essential that the computer you use has a security suite with a built-in firewall, since it is the first barrier cybercriminals have to cross to reach your machine. This matters especially on public Wi-Fi networks, where you do not know how the network has been configured.
Browse over HTTPS
If you are connected to an untrusted Wi-Fi network, make sure that you always browse over HTTPS when you access your bank, email or social networks; that way the data is encrypted in transit, and even if cybercriminals capture it they will not be able to read it.
It is also important to log out when you are done: if someone has captured your traffic and somehow obtained your session cookie, they can log in pretending to be you until the session expires. As an additional measure it is advisable to connect through a VPN to your home network or to a third-party VPN service such as “Steganos” or “Comodo”, so that the data travelling over the public network is protected.
Based on the usual recommendations, keep these points in mind to stay safe from ransomware:
- When you receive an email, check whether the sender is a known contact and whether there is a reason for them to send that attachment; do not blindly trust shortened links either.
- Show file extensions for known file types. This makes it easier to spot executable files that pretend to be another type of file (for example invoice.pdf.exe displayed as invoice.pdf).
- Update operating systems and applications to the latest available version. If you run a network, make sure that every machine has the security patches applied.
- Do not run files of dubious origin that arrive as email attachments. This also applies to suspicious emails from known contacts.
- Keep security solutions updated to maximise the detection of these threats.
- Perform periodic backups of the relevant information.
- In a company, warn employees to be alert to this threat and not to run files of suspicious origin.
In short, stay alert and apply good security practices without panicking. If you do become a victim, do not pay the attackers: there is no guarantee that you will get access to your files back, and paying funds and encourages further attacks.
Finally, as additional protection we strongly advise adopting these good practices as well:
- Install additional email scanning software, such as Microsoft Exchange Advanced Threat Protection.
- Perform preventive maintenance to keep all your equipment up to date (operating systems, software, firmware, etc.) to limit the entry of malware and ransomware.
- Enable network policies that limit the spread of such attacks (for example, detecting the appearance of the file extensions ransomware typically creates, alerting the network administrator and automatically taking the affected servers or shares offline).
- Disable execution of executable files from the “AppData” and “Local AppData” directories (with software restriction policies or AppLocker path rules).
- Do not give users administrator rights on their workstations.
- Enable showing file extensions for all users.
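Two of the policies above (spotting a burst of renames to a new extension and treating executables under AppData as suspicious) can be expressed as simple detection rules over endpoint and file-server telemetry. The Python below is an added example, not the article's or any vendor's code: the event format, the rename threshold, the ransom-note name pattern and the sample events are all constructed for this illustration, and a real deployment would feed it from Sysmon, file-server auditing or an EDR product.

```python
import re
from collections import defaultdict, deque
from typing import Dict, List

# Assumed tuning for this example: 20 renames to a new extension by one
# user within 60 seconds is far beyond normal document editing.
RENAME_THRESHOLD = 20
RENAME_WINDOW_S = 60
EXECUTABLE_EXT = (".exe", ".scr", ".vbs", ".js", ".bat", ".cmd", ".ps1", ".hta", ".dll")
APPDATA_RE = re.compile(r"\\users\\[^\\]+\\appdata\\(roaming|local)\\", re.I)
RANSOM_NOTE_RE = re.compile(
    r"(help_decrypt|decrypt_instruction|how_to_(decrypt|recover)|readme_for_decrypt|restore_files)", re.I)


def ext_of(path: str) -> str:
    base = path.rsplit("\\", 1)[-1]
    return base.rsplit(".", 1)[-1].lower() if "." in base else ""


class RansomwareMonitor:
    """Stateful rule engine over a stream of event dicts."""

    def __init__(self, threshold: int = RENAME_THRESHOLD, window: int = RENAME_WINDOW_S):
        self.threshold = threshold
        self.window = window
        self.renames = defaultdict(deque)   # (user, new_ext) -> timestamps in window
        self.alerted = set()
        self.alerts: List[str] = []

    def feed(self, ev: Dict) -> None:
        kind = ev["type"]
        if kind in ("process_start", "autorun"):
            # What the SRP/AppLocker policy above would block outright.
            path = ev["path"]
            if APPDATA_RE.search(path) and path.lower().endswith(EXECUTABLE_EXT):
                self.alerts.append(f"{kind}: executable under AppData for {ev.get('user', '?')}: {path}")
        elif kind == "file_create":
            if RANSOM_NOTE_RE.search(ev["path"].rsplit("\\", 1)[-1]):
                self.alerts.append(f"ransom note dropped by {ev['user']}: {ev['path']}")
        elif kind == "file_rename":
            old_ext, new_ext = ext_of(ev["old"]), ext_of(ev["new"])
            if new_ext and new_ext != old_ext:
                key = (ev["user"], new_ext)
                q = self.renames[key]
                q.append(ev["t"])
                while q and ev["t"] - q[0] > self.window:   # slide the window
                    q.popleft()
                if len(q) >= self.threshold and key not in self.alerted:
                    self.alerted.add(key)   # alert once per (user, extension)
                    self.alerts.append(
                        f"mass rename by {ev['user']}: {len(q)} files gained .{new_ext} "
                        f"within {self.window}s; isolate the host and take the share offline")


def run_demo() -> List[str]:
    """Constructed event stream (not real telemetry): normal activity by bob,
    then a CryptoWall-style sequence on alice's workstation."""
    mon = RansomwareMonitor()
    events = [
        {"type": "process_start", "user": "bob", "t": 10,
         "path": r"C:\Program Files\Microsoft Office\WINWORD.EXE"},
        {"type": "file_rename", "user": "bob", "t": 11,
         "old": r"\\fs01\finance\draft.docx", "new": r"\\fs01\finance\draft.pdf"},
        {"type": "autorun", "user": "alice", "t": 200,
         "path": r"C:\Users\alice\AppData\Roaming\a8f3kq\a8f3kq.exe"},
    ]
    events += [{"type": "file_rename", "user": "alice", "t": 201 + i,
                "old": rf"\\fs01\finance\q3\budget_{i:02d}.xlsx",
                "new": rf"\\fs01\finance\q3\budget_{i:02d}.xlsx.crypt"} for i in range(25)]
    events.append({"type": "file_create", "user": "alice", "t": 230,
                   "path": r"\\fs01\finance\q3\HELP_DECRYPT.TXT"})
    for ev in events:
        mon.feed(ev)
    return mon.alerts


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

The rename rule is the one worth investing in: it fires on the behaviour (many files changing extension in seconds) rather than on a known extension list, so it still works for a family nobody has a signature for yet. Pair it with the automatic response the article suggests, such as disabling the user's share access, because by the time a human reads the alert hundreds more files are gone.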
Why doesn't my antivirus or firewall protect me?
If you have a good antivirus and a good, up-to-date firewall with an active security package, you will probably be protected from a very long list of known ransomware. However, criminal groups have found ways to defeat these systems. Most traditional security products rely on signatures to detect known malware.
Attackers use techniques such as polymorphic encryption (packing) that let them turn one malware sample into many variants with hundreds of thousands of different signatures. This makes detection of new variants by signature-based security products much harder.
What if my computer is infected?
You opened an email attachment and nothing visible happened? You suspect it may be malware or ransomware? The first reflex must be to unplug the network cable (or disable Wi-Fi) immediately and then shut the computer down. Disconnecting stops the malware from reaching network shares and its control server; bear in mind that powering off also destroys evidence in memory, so on a corporate network follow your incident response procedure (isolate first, power off only if told to).
If you act quickly, the ransomware may not have had time to contact its control servers to obtain or report its encryption keys, or to get beyond the first few files; note that some families need no network connection at all to start encrypting. Call the network administrator immediately; they will be able to do the checks and the work necessary to remedy the situation.
It is therefore important to have a good local backup system, a backup in the cloud and, above all, to perform restore tests and simulations at regular intervals. Why? Because most companies believe that their backup system works perfectly, and they only discover otherwise when an incident has already happened and it is too late to recover some or all of the data. One figure worth noting: 40% of companies do not recover from data loss.
Also remember that, whatever type of backup you use, it is essential to monitor it daily to check that the backup job actually completed. Even the best backup system on the market requires periodic checks and adjustments.
In conclusion, ransomware attacks can be very costly for you and your business. Many elements must be worked on to limit the possibility of such an attack, which is very often caused by a lack of vigilance on the part of users. Once the attack is launched it is often too late, and the best way to restore the situation is a good backup system that is monitored and tested regularly.
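The two checks the article asks for, a restore test and daily monitoring that the backup actually ran, are small enough to script. The Python below is an added example, not the article's code or any backup product's: it hashes the live data into a manifest at backup time, verifies a restored copy byte for byte against that manifest, and flags a backup whose manifest is older than the expected schedule. The directories and files are constructed in a temporary folder so the example runs offline; the 26-hour freshness limit is an assumption for a daily job.

```python
import hashlib
import os
import tempfile
import time
from pathlib import Path


def sha256_file(p: Path) -> str:
    h = hashlib.sha256()
    with p.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Hash every file under root. Written at backup time and kept with the
    backup (and ideally a second copy somewhere the ransomware cannot reach)."""
    files = {str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
             for p in sorted(root.rglob("*")) if p.is_file()}
    return {"created": time.time(), "files": files}


def verify_restore(restored_root: Path, manifest: dict) -> dict:
    """Compare a restored copy against the manifest. Reading every byte back
    is the only proof that the backup is usable, not just that a job ran."""
    ok, missing, corrupt = [], [], []
    for rel, digest in manifest["files"].items():
        p = restored_root / rel
        if not p.is_file():
            missing.append(rel)
        elif sha256_file(p) != digest:
            corrupt.append(rel)
        else:
            ok.append(rel)
    return {"ok": ok, "missing": missing, "corrupt": corrupt,
            "passed": not missing and not corrupt}


def backup_is_fresh(manifest: dict, now: float, max_age_s: float = 26 * 3600) -> bool:
    """Daily monitoring check: a manifest older than the schedule plus some
    slack (assumed: 24 h + 2 h) means the job silently stopped working."""
    return now - manifest["created"] <= max_age_s


def demo() -> dict:
    """Constructed scenario: a live tree, a restore with one corrupted and
    one missing file, and a freshness check at +1 h and +3 days."""
    with tempfile.TemporaryDirectory() as tmp:
        live, restored = Path(tmp) / "live", Path(tmp) / "restored"
        sample = {"docs/a.txt": b"alpha", "docs/b.txt": b"bravo", "img/c.bin": os.urandom(100)}
        for rel, content in sample.items():
            for base in (live, restored):
                (base / rel).parent.mkdir(parents=True, exist_ok=True)
                (base / rel).write_bytes(content)
        manifest = build_manifest(live)
        (restored / "docs/b.txt").write_bytes(b"bravo-modified")   # silent corruption
        (restored / "img/c.bin").unlink()                          # file never copied
        report = verify_restore(restored, manifest)
        report["fresh_after_1h"] = backup_is_fresh(manifest, manifest["created"] + 3600)
        report["fresh_after_3d"] = backup_is_fresh(manifest, manifest["created"] + 3 * 86400)
        return report


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run the restore check against a copy restored from the backup medium, not against the live share: if the share is what got encrypted, comparing it to the manifest only tells you how many files you lost. Keep the manifest itself out of reach of the workstation account, or the ransomware will encrypt it too.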