Understanding Ransomware

Posted On: 20th April 2016

Ransomware is malicious software used by cybercriminals to lock users out of systems, including workstations, laptops, and servers, and to hold data hostage. Ransomware has been used to attack government agencies, hospitals, schools, law firms, small businesses, and individuals the world over.

Many different strains of ransomware exist (CryptoWall, CryptoLocker, TeslaCrypt, CryptoFortress, Jigsaw, and Petya are some of the most well-known), but they all employ the same basic tactics. Once the file carrying the malware lands on a machine, it quietly begins encrypting documents, pictures, databases and any other file it can reach, including files on mapped network drives, using a key that only the attacker can recover: typically each file is encrypted with a freshly generated symmetric key, and that key is in turn encrypted with a public key whose private half never leaves the attacker. When the encryption run is complete, the victim is presented with a notification stating that their files are encrypted and giving instructions for paying the attackers to obtain the decryption key; some strains, Petya among them, go further and overwrite the boot record so that the machine will not start at all. Payment is almost always demanded in Bitcoin, a virtual currency that is pseudonymous rather than anonymous: transactions are public, but tying a wallet to a person is hard. The notice usually threatens that the key will be destroyed if the deadline passes, after which the files become all but impossible to restore. The ciphers used by well-written strains are the same ones used by financial institutions and credit card processors and cannot be brute-forced, even by the world's most powerful supercomputers; the only cases in which victims have recovered files without paying have been where a strain's authors made implementation mistakes, and no one should plan on that.

Ransomware has become a tried and tested revenue stream for cybercriminals, who deploy it through infected email attachments and links to malicious web pages. Such attacks are often targeted at businesses, and although the sums demanded can be large, more often they are set at a level that entices quick payment. Because payment is made in Bitcoin, the perpetrator is rarely identified, and many victims feel they have no choice but to pay for the key rather than lose their data. Paying is not the end of the story, however. There is no guarantee that a working key will be delivered; even when the files are decrypted, the weakness that let the malware in is still there, so the system remains susceptible to a repeat attack; and the machine may have been infected with other types of malware in addition to the ransomware.

Falling prey to ransomware is preventable by following some important security measures. Data should be backed up regularly to a destination the infected machine cannot write to: a drive that is disconnected after each backup, or a server that keeps its own read-only copies. A backup that stays mounted as a drive letter or network share is just another folder for the ransomware to encrypt. Backups should also be tested by restoring from them, since a backup that has never been restored is an assumption rather than a safeguard. Without proper backups in place, ransomware forces its victims to choose between losing their data for good and paying a sum of money to an anonymous attacker.
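As an added illustration (this code is not part of the original post), the following Python script shows one way to make a backup verifiable: record a SHA-256 manifest when the backup is taken and compare the backup against it later, so that a backup which was quietly encrypted or renamed shows up as a list of changed and missing files instead of being discovered at restore time. The manifest layout, the file names and the simulated damage are all constructed for the example.

```python
"""Backup integrity manifest: record the SHA-256 of every file when a backup
is taken, then verify later that nothing was altered, removed or added.

Added example, not code from the original post. Paths and file contents are
constructed inline so the script runs offline; the manifest structure
(relative path -> (size, sha256)) is an assumption of this example.
"""
import hashlib
import os
import tempfile


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large backups need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map each file path (relative to root) to its (size, sha256)."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            manifest[rel] = (os.path.getsize(full), sha256_file(full))
    return manifest


def verify_backup(root, manifest):
    """Return files that are missing, changed or unexpectedly added.

    A ransomware run against a reachable backup typically shows up as many
    'changed' entries (content replaced by ciphertext), 'missing' entries
    (originals renamed with a new extension) and 'added' entries (the renamed
    copies plus ransom notes), all in one verification pass.
    """
    current = build_manifest(root)
    problems = {"missing": [], "changed": [], "added": []}
    for rel, (size, digest) in manifest.items():
        if rel not in current:
            problems["missing"].append(rel)
        elif current[rel] != (size, digest):
            problems["changed"].append(rel)
    for rel in current:
        if rel not in manifest:
            problems["added"].append(rel)
    return problems


def demo():
    """Constructed scenario: verify a fresh backup, then the same backup after
    it was reachable from an infected host. Returns (clean, damaged) reports."""
    with tempfile.TemporaryDirectory() as backup:
        for name, body in [("ledger.csv", b"date,amount\n2016-04-20,100\n"),
                           ("notes.txt", b"quarterly review\n")]:
            with open(os.path.join(backup, name), "wb") as f:
                f.write(body)
        manifest = build_manifest(backup)
        clean = verify_backup(backup, manifest)

        # Simulated damage: one file overwritten with random bytes (which is
        # what ciphertext looks like), one renamed with an extra extension,
        # and a constructed ransom note dropped alongside.
        with open(os.path.join(backup, "ledger.csv"), "wb") as f:
            f.write(os.urandom(64))
        os.rename(os.path.join(backup, "notes.txt"),
                  os.path.join(backup, "notes.txt.locked"))
        with open(os.path.join(backup, "HOW_TO_RESTORE.txt"), "wb") as f:
            f.write(b"constructed ransom note placeholder\n")
        damaged = verify_backup(backup, manifest)
        return clean, damaged


if __name__ == "__main__":
    clean, damaged = demo()
    print("fresh backup:", clean)
    print("after damage:", damaged)
```

Store the manifest with the backup but also keep a copy somewhere the backup host cannot write, otherwise an attacker who can rewrite the files can rewrite the manifest too.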

Organisations and businesses should patch and update machines routinely, maintain intrusion detection or prevention systems, give users only the file permissions they need (ransomware can encrypt only what the logged-in user can write to), and conduct regular network vulnerability and breach assessments. Likewise, individuals should keep their files backed up and their systems updated, should never open attachments received from an unknown sender, and should treat an unexpected attachment from a known sender with the same suspicion, since a sender's address is easily forged.
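To give the intrusion detection point some substance, here is an added example (not from the original post) of a simple host-side tripwire of the kind a practitioner might run against a file share: decoy canary files that no legitimate user or process should touch, plus a per-directory check for files whose bytes look like ciphertext (close to 8 bits of Shannon entropy per byte). The thresholds, the canary names and the sample directory are assumptions of the example.

```python
"""Host-side ransomware tripwire: watch canary files that nothing legitimate
should modify, and flag directories where most files suddenly look random.

Added example, not code from the original post. The entropy threshold, the
ratio at which a directory is flagged, and the canary file names are all
assumptions chosen for illustration, not values from the article.
"""
import hashlib
import math
import os
import tempfile
from collections import Counter

ENTROPY_THRESHOLD = 7.5   # assumed: text and office documents sit well below this
HIGH_ENTROPY_RATIO = 0.5  # assumed: flag a directory once half its files look encrypted


def shannon_entropy(data):
    """Bits of entropy per byte; 8.0 is indistinguishable from random bytes."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def plant_canaries(root, names):
    """Create decoy files and record their SHA-256 so any change is detectable."""
    baseline = {}
    for name in names:
        path = os.path.join(root, name)
        body = ("canary " + name + "\n").encode() * 8
        with open(path, "wb") as f:
            f.write(body)
        baseline[path] = hashlib.sha256(body).hexdigest()
    return baseline


def check_canaries(baseline):
    """Return the canaries that are missing or whose content has changed."""
    tripped = []
    for path, digest in baseline.items():
        if not os.path.exists(path):
            tripped.append(path)
            continue
        with open(path, "rb") as f:
            if hashlib.sha256(f.read()).hexdigest() != digest:
                tripped.append(path)
    return tripped


def high_entropy_ratio(root, sample_bytes=4096):
    """Fraction of regular files in root whose leading bytes look like ciphertext."""
    files = [os.path.join(root, n) for n in os.listdir(root)
             if os.path.isfile(os.path.join(root, n))]
    if not files:
        return 0.0
    high = 0
    for path in files:
        with open(path, "rb") as f:
            if shannon_entropy(f.read(sample_bytes)) >= ENTROPY_THRESHOLD:
                high += 1
    return high / len(files)


def directory_alarmed(root, baseline):
    """True if canaries were touched or the directory is mostly ciphertext-like."""
    return bool(check_canaries(baseline)) or high_entropy_ratio(root) >= HIGH_ENTROPY_RATIO


def demo():
    """Constructed scenario: a clean share, then the same share after every file
    has been overwritten with random bytes and renamed. Returns (before, after),
    each a tuple of (high-entropy ratio, tripped canaries, alarmed)."""
    with tempfile.TemporaryDirectory() as share:
        for i in range(5):
            with open(os.path.join(share, f"report{i}.txt"), "wb") as f:
                f.write(b"Quarterly figures and commentary.\n" * 20)
        baseline = plant_canaries(share, ["~$aaa_canary.docx", "zzz_canary.xlsx"])
        before = (high_entropy_ratio(share), check_canaries(baseline),
                  directory_alarmed(share, baseline))

        # Simulated attack: overwrite everything with random bytes (stand-in
        # for ciphertext) and rename each file with a new extension.
        for name in os.listdir(share):
            path = os.path.join(share, name)
            with open(path, "wb") as f:
                f.write(os.urandom(4096))
            os.rename(path, path + ".encrypted")
        after = (high_entropy_ratio(share), check_canaries(baseline),
                 directory_alarmed(share, baseline))
        return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after: ", after)
```

Already-compressed formats (zip, jpeg, encrypted archives) also score near 8 bits per byte, which is why the check is on the proportion of files in a directory and is paired with canaries rather than used alone; in production the alarm should disconnect the share or kill the offending session rather than just print.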

KRyS Global's Forensic Technology Services team has the ability to proactively or defensibly assess the risks associated with cybercrime to your business. Our cybercrime prevention services include both external and internal network data vulnerability testing and data breach assessment gap analysis. Our qualified and highly trained team are on hand to address any queries or concerns you may have.

Posted By: BTG Global Advisory

BTG Global Advisory is one of the world’s largest specialist independent financial advisory alliances.