Ransomware

A few years ago, this word didn’t even exist. Today, it’s possible most people with a computer have at least heard of it, and some have even fallen victim.

What is ransomware? It can take several forms. The most common today encrypts your files and then displays a message like the one below, demanding that you pay a sum of money in order to receive the decryption key.

[Image: example of a ransomware ransom note. Image from https://securingtomorrow.mcafee.com/mcafee-labs/locky-ransomware-rampage-javascript-downloader/]

Ransomware can come from many places: social engineering attacks, infected removable media such as USB drives, or malicious or compromised websites. Ransomware tends to mutate (that is, new versions are released frequently) faster than many vendors can keep up, so the threat landscape changes literally daily. Traditional defenses like antivirus, while certainly crucial, cannot always prevent every strain.

So what happens with ransomware? Your files become unusable because the ransomware encrypts them, and this is made much worse if the ransomware spreads to something like a shared file server. Once that happens, one of three things will follow:

  1. You pay the ransom. The amount varies: sometimes it is a few hundred dollars, sometimes it is tens of thousands or even more.
  2. You wipe the affected systems and restore from clean backups. Failing that, you may have to start all over and lose the data that was encrypted.
  3. You attempt to have the data decrypted outside the ransomer’s channel. Alasdair works with a partner who can sometimes accomplish this, but sadly it is fairly rare that this is possible.

What can Alasdair do? While we can’t undo a ransomware infection, we can assist with:

  • Post-attack analysis: helping to determine what happened and what the attack vector was, and even reverse-engineering any ransomware found
  • Evaluating residual risk: once the ransomware incident has passed (the ransom was paid or restoration occurred), residual risk is likely to remain. After all, the ransomware got in somehow; an evaluation of the controls, or lack thereof, will help identify weak points within the infrastructure that contribute to such attacks
  • Reducing social engineering risk: since many forms of ransomware spread via social engineering vectors like email, educating staff in how to recognise and avoid such threats can substantially reduce the likelihood of future attacks
  • Penetration testing: evaluating your baseline exposure to attack and determining what needs to be shored up to reduce your risk

While no one can be completely assured they won’t be a victim, Alasdair can help reduce the likelihood. We’re happy to talk with you about options, whether you’ve already been a victim or just want to do as much as possible to avoid it.

Sidebar: Other Forms of Ransom

We have seen instances where the ransom is demanded not to decrypt data but to prevent its release. This type of attack preys on the sensitive data your organization holds, whether it’s customer lists, intellectual property or regulated data. Attackers know such data has value and often demand extortion fees to keep from releasing it, and these fees often make traditional ransomware fees seem like pocket change.

This puts organizations in a VERY precarious predicament: there is NO guarantee that paying the ransom prevents release of the information. On the other hand, in some cases the chance that it might not be released is sufficient reason to gamble, and the organization ends up paying. Honestly, we’ve seen this succeed as many times as it has failed. There is no good solution.

Like ransomware itself, it is often too late once the theft has happened, but it’s NEVER too late to keep it from happening again. Alasdair can help in the same ways as with traditional ransomware: reducing your risk by evaluation and recommendation of controls specific to your organization.