Ransomware

By now, most everyone has heard the term "ransomware" and that people, companies, and local governments have been getting hit with it. But what exactly is ransomware? 

Ransomware is a specific breed of malware that silently encrypts all the files on your computer.

Once the encryption process is complete, dire messages are displayed informing you that all your files are encrypted and that you must pay a ransom to get the decryption keys needed to unlock them.

In this article, I'll lay out what this malware does, ways to reduce the likelihood of getting it, and ways to mitigate the damage if you do get it.

First Ransomware
 

The first recorded ransomware attack happened w-a-a-a-y back in 1989 and didn't involve the internet, which back then no one had even heard of. An AIDS researcher mailed some 20,000 floppy disks to other AIDS researchers all over the world containing what he claimed was information and a questionnaire on how to gauge an individual's risk of contracting AIDS. But also contained on the floppy was malware that would encrypt all the files on the victim's computer. The malware then demanded a $189 payment to be snail-mailed to a PO Box in Panama, whereupon a second floppy disk containing the decryption program would be mailed to the victim.

These Days...

Getting paid was always the Achilles' heel for ransomware creators. Accepting credit cards, checks, or wire transfers meant the criminal hacker needed a bank account -- not good. And receiving payment via gift cards* was impractical for larger ransoms. But once Bitcoin became a thing, ransomware really took off. Bitcoin was a great way to receive an absolutely irreversible payment of any size that was, for all practical purposes, anonymous. Bitcoin technically isn't anonymous at all, but that's another topic.

* Scams involving gift cards are an entire category of their own.

Ransomware generally gives you only a few days to pay up. If the bad guys think you're a home user, they may demand a relatively affordable few hundred dollars. But if they believe you're a business or government user, the sky's the limit. Demands in the six figures are not uncommon.

 

Just in the past few weeks here in Florida (mid-2019), at least three city governments have been hit with ransomware: Riviera Beach, Lake City, and Key Biscayne. Nationwide and worldwide, countless municipalities and companies of all sizes have been hit.

The ransomware encryption itself is industrial grade and bulletproof, so trying to reverse-engineer or brute-force the decryption is virtually impossible. Your only options are to pay up or restore your data from a good, recent backup. Paying is never a good idea because you're dealing with criminals, duh, and there's no guarantee your files will be decrypted if you do pay.

Even if you wanted to pay, setting up and funding a bitcoin wallet is not easy. Unless you're pretty savvy about these things, you'll almost certainly have to hire a pro to set it up or, more likely, hire an emergency responder that already has a bitcoin wallet set up just for paying such ransoms (on your behalf).

Like the Dinosaurs


So, in light of the above, unless you have good backups, your files are gone forever. If you're a business that is data-centric, that could be an Extinction Level Event. Just as an asteroid hitting the earth 66 million years ago killed all the dinosaurs, a data-centric business without backups is unlikely to survive a ransomware infection. By one estimate, some 60% of small businesses fail within six months of a cyber attack. For those that do survive, the costs arising from the attack can be enormous.

 

Scope of Infection

Once ransomware finds its way onto your computer, most variants will scan your network for other computers and devices to infect. At the very least, it will infect any USB flash drives and hard drives (including backup drives*) that are connected to your computer, and any open file server connections, i.e., files that are visible to your computer but live on a server.

If you're a company with multiple computers, then depending on the security situation, the ransomware code may invade those computers, possibly infecting every computer on the premises.
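The point above is that ransomware encrypts everything the infected machine can reach: local folders, plugged-in drives and mapped file shares. One cheap way to notice that happening early is a "canary" file: a small decoy placed in each reachable location whose hash is recorded and re-checked on a schedule. The script below is an added example, not code from the article or from any product it mentions; the monitored locations, the canary file name and the two temporary folders standing in for a USB drive and a network share are all constructed for the demonstration.

```python
"""Canary-file check for ransomware activity on locations an infected
computer can reach (local folders, plugged-in drives, mapped shares).

Added example, not part of the original article.  Ransomware encrypts
every file it can see, so a canary that changes, disappears, or is
renamed with an unfamiliar extension is an early signal to pull the
network cable and unplug any backup drive that is still "hot".
"""
import hashlib
import os
import secrets
import tempfile

# Name chosen to sort early in a directory listing so it is hit first.
# Hypothetical name; pick whatever fits your environment.
CANARY_NAME = "_aaa_do_not_delete.txt"


def _sha256(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def plant_canaries(locations):
    """Write one canary file per location; return {path: expected_hash}."""
    baseline = {}
    for loc in locations:
        path = os.path.join(loc, CANARY_NAME)
        # Random content so the file cannot be recognised by a fixed hash.
        with open(path, "wb") as fh:
            fh.write(b"canary " + secrets.token_hex(16).encode())
        baseline[path] = _sha256(path)
    return baseline


def check_canaries(baseline):
    """Return [(path, reason), ...] for every canary that is no longer intact."""
    alerts = []
    for path, expected in baseline.items():
        folder = os.path.dirname(path)
        if not os.path.exists(path):
            # Typical pattern: the original is replaced by a renamed,
            # encrypted copy (e.g. "<name>.locked").
            suspects = [n for n in os.listdir(folder) if n.startswith(CANARY_NAME)]
            alerts.append((path, "missing; found %s" % (suspects or "nothing")))
        elif _sha256(path) != expected:
            alerts.append((path, "contents changed"))
    return alerts


def demo():
    """Constructed scenario: a 'USB drive' and a 'share'; the share gets hit."""
    drive_d = tempfile.mkdtemp(prefix="usb_drive_")
    share_z = tempfile.mkdtemp(prefix="file_share_")
    baseline = plant_canaries([drive_d, share_z])
    before = check_canaries(baseline)          # expected: nothing to report
    # Stand-in for the malware's effect on our own temp file: overwrite
    # the canary with junk and rename it, as encrypting malware does.
    victim = os.path.join(share_z, CANARY_NAME)
    with open(victim, "wb") as fh:
        fh.write(secrets.token_bytes(64))
    os.rename(victim, victim + ".locked")
    after = check_canaries(baseline)           # expected: one alert, for the share
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", before or "all canaries intact")
    for path, reason in after:
        print("ALERT", path, "->", reason)
```

In practice you would run `check_canaries` from a scheduled task every few minutes and wire an alert (and, for servers, an automatic share disconnect) to any non-empty result; the baseline can be stored anywhere the monitored locations cannot overwrite.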


Avoiding Infection

(For more reading on malware in general, CLICK HERE)

Ransomware, like all malware, is spread via the usual transmission vectors, which are:
 

  1. Infected attachment to an email.  The email may be a bogus shipping notice, fax, resume, file shared through a Dropbox invite, etc. In this case, the attachment or file carries the malware. Even today, when people ought to know better, this is still the most common transmission vector.

  2. Downloading pirated software from the internet.

  3. Drive-by-download: Simply visiting an infected web site, e.g. from a Google search, under the right circumstances can download malware to your computer, even if you don't click on anything.

  4. Drive-by-download via infected advertisement: Advertising networks, which display the ads we see on legitimate websites, are often targeted for infection. An infected ad displayed on an otherwise safe and legitimate website can infect your computer.


It's easy enough to avoid 1 and 2. Be very wary when opening emails, and especially links and attachments in those emails. Most malware-infected emails are sent by people for whom English is not a native language. Such emails often bear the common hallmarks of bad spelling and punctuation, oddball phrasing, or just "aren't right" in some way. Then consider whether you'd normally even receive such a message. The email may be from a friend whose account was hijacked; this happens all the time.

Avoiding 3 and 4 isn't as easy. Your main defense here is to be on the latest version of your operating system (Windows, usually), ensure you are receiving updates, and keep your anti-virus software updated. An ad-blocker can reduce the likelihood of #4 -- and you'll have a better browsing experience as well. I recommend the uBlock Origin browser extension.
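Vector 1 above, the bogus shipping notice or invoice with a file attached, is the one a mail gateway or help desk can screen for mechanically. The script below is an added example, not code from the article: it parses a message with Python's standard `email` module, lists the attachments and flags the patterns those lures rely on (executable or script payloads, macro-enabled Office files, archives that wrap them, and "double extensions" such as `ShippingLabel.pdf.exe`). The extension lists are a policy I chose for illustration, not an exhaustive standard, and the sample message is constructed inline.

```python
"""Attachment triage for incoming mail, as an added example (not the
article's own tooling).  Lists attachments and flags names that match
common ransomware-lure patterns.  The sample message below is
constructed for the demonstration.
"""
import email
from email import policy

# Policy lists chosen for this example; extend to taste.
EXEC_EXT = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse", "vbs",
            "vbe", "wsf", "hta", "ps1", "lnk", "msi", "jar"}
MACRO_EXT = {"docm", "xlsm", "pptm", "dotm", "xlam"}
ARCHIVE_EXT = {"zip", "rar", "7z", "iso", "img"}      # often wrap the payload
DECOY_EXT = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt"}


def classify_filename(name):
    """Return a list of reasons this attachment name is risky ([] if none)."""
    parts = name.lower().split(".")
    reasons = []
    if len(parts) < 2:
        return reasons                      # no extension at all
    ext = parts[-1]
    if ext in EXEC_EXT:
        reasons.append("executable/script extension ." + ext)
    if ext in MACRO_EXT:
        reasons.append("macro-enabled Office document")
    if ext in ARCHIVE_EXT:
        reasons.append("archive may hide an executable")
    # "invoice.pdf.exe": a harmless-looking extension right before the real one
    if len(parts) >= 3 and parts[-2] in DECOY_EXT and ext not in DECOY_EXT:
        reasons.append("double extension (.%s.%s)" % (parts[-2], ext))
    return reasons


def triage(raw_message):
    """Parse an RFC 822 message; return [(filename, [reasons]), ...]."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():     # every non-body MIME part
        name = part.get_filename() or "(unnamed)"
        findings.append((name, classify_filename(name)))
    return findings


# Constructed lure in the style the article describes: a bogus shipping
# notice with a disguised executable plus a genuine-looking PDF.
SAMPLE_EML = b"""\
From: "Shipping Dept" <noreply@example.invalid>
To: victim@example.invalid
Subject: Your package could not be deliverd
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Please open attached label and re-schedule delivery.
--XYZ
Content-Type: application/octet-stream; name="ShippingLabel.pdf.exe"
Content-Disposition: attachment; filename="ShippingLabel.pdf.exe"
Content-Transfer-Encoding: base64

TVoAAA==
--XYZ
Content-Type: application/pdf; name="Invoice.pdf"
Content-Disposition: attachment; filename="Invoice.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--XYZ--
"""


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_EML):
        print(name, "->", reasons or "no filename concerns")
```

A filename check is only a first pass: the next steps at a gateway are usually to inspect the attachment's actual content type rather than its name and to quarantine archives until they have been opened in a sandbox, but the name-based rules alone catch the double-extension trick that fools most users.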

Mitigation

If you do become infected, the level of damage you suffer is determined largely by how well-prepared you were ahead of time. Your data can be lost for many reasons: Fire, flood, theft, hardware failure, etc. Some of the same precautions you'd take for these other insults apply to ransomware as well.

If you are backing up properly, then a ransomware infection shouldn't be any more than an (admittedly big) inconvenience. You might lose a day's worth of data and it may take a few days to clean up the infection, but it's unlikely to be a ruinous, catastrophic event. You'll certainly need professional help to perform such a recovery, but at least the pros you call will have something to recover from -- your good and current backups.

There are many considerations in setting up a proper, ransomware-resistant backup system. You cannot simply plug in a flash drive or hard drive and drag your files over. I can set up an automated, ransomware-resistant backup system. I say "resistant", because nothing is a sure thing. It's another layer of armor.

 

* This is why I recommend a backup rotation protocol whereby multiple (at least two) external hard drives are used to back up a computer (servers, usually). Only one backup hard drive is "hot" (plugged in) at any given time and the rest are cold. The hard drive is swapped each day, a process that takes only a minute. I also recommend a backup product called Macrium Reflect, which has a feature to protect backup drives from ransomware infection.
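The rotation protocol above rests on three properties: at any moment at least one drive is cold and out of reach, each backup run adds a new copy rather than overwriting the last one (so an already-encrypted source never replaces good data), and a restore can be checked against a record of what was backed up. The script below is an added example showing those three properties in code; it is not the article's own procedure and not Macrium Reflect or any of its features. The drive labels, mount paths and the "Monday/Tuesday" scenario are constructed, with temporary folders standing in for the external drives.

```python
"""Ransomware-resistant backup rotation, as an added example (not the
article's own tooling and not Macrium Reflect).

Enforced properties:
  1. refuse to run unless exactly one backup drive is mounted, so a cold
     copy always exists that the malware cannot reach;
  2. every run writes a NEW dated snapshot instead of overwriting the
     previous one, so encrypted source files never replace good copies;
  3. each snapshot carries a SHA-256 manifest so a restore can be verified.

Temp directories below stand in for the source folder and the drives.
"""
import hashlib
import os
import shutil
import tempfile
from datetime import datetime


class RotationError(RuntimeError):
    """Raised when the rotation rules would be violated."""


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def hot_drive(drive_mounts):
    """drive_mounts: {label: mount_path or None}. Exactly one must be mounted."""
    mounted = [(lbl, p) for lbl, p in drive_mounts.items() if p is not None]
    if len(mounted) != 1:
        raise RotationError("expected exactly one hot backup drive, found %d"
                            % len(mounted))
    return mounted[0]


def snapshot(source, drive_mounts, when=None):
    """Copy `source` into a new dated folder on the hot drive; write a manifest."""
    label, mount = hot_drive(drive_mounts)
    stamp = (when or datetime.now()).strftime("%Y%m%d-%H%M%S")
    dest = os.path.join(mount, "snapshots", stamp)
    if os.path.exists(dest):
        raise RotationError("snapshot %s already exists; never overwrite" % stamp)
    os.makedirs(dest)
    manifest = {}
    for root, _dirs, files in os.walk(source):
        for name in files:
            src = os.path.join(root, name)
            rel = os.path.relpath(src, source)
            dst = os.path.join(dest, rel)
            os.makedirs(os.path.dirname(dst), exist_ok=True)
            shutil.copy2(src, dst)
            manifest[rel] = _sha256(dst)      # hash what actually landed on disk
    with open(os.path.join(dest, "MANIFEST.sha256"), "w") as fh:
        for rel, digest in sorted(manifest.items()):
            fh.write("%s  %s\n" % (digest, rel))
    return label, dest


def verify(snapshot_dir):
    """Return the relative paths whose content no longer matches the manifest."""
    bad = []
    with open(os.path.join(snapshot_dir, "MANIFEST.sha256")) as fh:
        for line in fh:
            digest, rel = line.rstrip("\n").split("  ", 1)
            path = os.path.join(snapshot_dir, rel)
            if not os.path.exists(path) or _sha256(path) != digest:
                bad.append(rel)
    return bad


def demo():
    """Constructed run: Monday's backup, a refused run, then Tuesday's backup
    taken after the source folder has already been encrypted."""
    source = tempfile.mkdtemp(prefix="docs_")
    drive_a = tempfile.mkdtemp(prefix="backup_A_")
    drive_b = tempfile.mkdtemp(prefix="backup_B_")
    with open(os.path.join(source, "ledger.xlsx"), "wb") as fh:
        fh.write(b"good spreadsheet data")
    # Monday: only drive A is plugged in.
    _, monday = snapshot(source, {"A": drive_a, "B": None},
                         datetime(2019, 7, 1, 22, 0))
    # Tuesday: operator plugged in B before unplugging A -> refused.
    try:
        snapshot(source, {"A": drive_a, "B": drive_b})
        refused = False
    except RotationError:
        refused = True
    # The source is then hit; the file content is now unreadable garbage.
    with open(os.path.join(source, "ledger.xlsx"), "wb") as fh:
        fh.write(b"\x00encrypted garbage\x00")
    # Tuesday's run (A now cold, B hot) copies garbage into a NEW snapshot
    # on B, but Monday's snapshot on cold drive A is untouched.
    snapshot(source, {"A": None, "B": drive_b}, datetime(2019, 7, 2, 22, 0))
    with open(os.path.join(monday, "ledger.xlsx"), "rb") as fh:
        monday_copy = fh.read()
    return refused, verify(monday), monday_copy


if __name__ == "__main__":
    refused, bad, copy = demo()
    print("second drive refused while A was hot:", refused)
    print("Monday snapshot verifies clean:", bad == [])
    print("Monday copy of ledger:", copy)
```

Note what this does and does not guarantee: the manifest proves a snapshot is the same bytes that were written, not that those bytes were clean, so you still need a snapshot taken before the infection. That is exactly why the daily swap matters; the cold drive holds yesterday's copy where nothing on the network can touch it.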

The time to set up mitigating precautions is now, before they're needed. That's the "pre" in precaution, after all. Backing up and having anti-malware software in place are the cheapest insurance you can buy!

More here on Wikipedia about the AIDS trojan.