Ransomware is a type of malicious software (malware) that infects a computer and restricts access to it until a ransom is paid to unlock it. It is typically spread through phishing emails that contain malicious attachments and drive-by downloading. If you think you are safe because you are very careful what you click on, be aware that drive-by downloading occurs when a user unknowingly visits an infected website and malware is downloaded and installed without their knowledge. In other words, you don’t have to click, you just need to visit or receive an instant message.
What is Ransomeware
Security researchers estimate that, as of April 2014, Cryptolocker, a form of ransomware, had infected more than 234,000 computers, with approximately half of those in the United States. One estimate indicates that more than $27 million in ransom payments were made in just the first two months since Cryptolocker emerged. Those who didn’t pay, end up reinstalling their computers and losing all of their files!
Experience First Hand
We experienced this issue first hand when a user within our company received an email from LinkedIn.com! The user clicked on the article pushed out by LinkedIn and the page contained a drive-by zero-day infection which got right past our firewall and locked up the end users computer. Within 15 minutes our firewall vendor pushed down a patch but, it was too late. Below is the image that was displayed on the employees computer that was locked up.
We ended up re-installing the computer. Our incident response system confirmed that no other user in the company had received the same email or clicked the same link.
“Over 70% of all security problems are caused by internal staff” Ian Campbell – Value Retail
If you don’t care about what the person next to clicks on, consider the fact that this type of malware can also encrypt files on shared network files and removable media. In other words, even if you didn’t click on the link that installed the ransomware, the person who did could prevent you from doing your job because you need access to the shared files that are locked up.
“A hacker who has researched and targeted an organisation will almost certainly find their way in. Organisations need to put in place security controls, but best practice is also about monitoring threats and responding appropriately when attacks happen. The challenge for an IT leader is to have an appropriate response strategy,” James Nunn-Price, partner and cyber lead at Deloitte.
It gets worse, these types of Ransomware programs often also infect the computer with something like GameOver Zeus which has multiple uses:
- Locally harvest credentials for online services
- Participate in DDoS attacks
- Sending spam to tens of thousands of users
Protection from Ransomware
If you are looking for protection from ransomware, I wish I could suggest something easy like “make sure anti-virus is up to date” or that you have two factor authentication in place. The truth is, these strategies probably won’t help when the infection involves zero-day and the user has already “two factored” onto the network.
Do this right away:
- Make sure most end users only have read only access to network shares
- Make sure you have off-line backups of critical files
“Organisations must be absolutely clear about how they respond to an attack, and need to understand what has happened before they make announcements and claim a threat has been detained” Lisa Kelly
Make sure you also have an incident response system in place to track down where the infection came from and who else received it.