The Risk of Ransomware by Mark Chimley
It seemed apt to write my first post here on a topic which is becoming increasingly important for businesses: the risk of ransomware.
Just as a perpetrator may hold a physical person or thing to ransom, the same applies to a company's data assets and information. Documents, images and other files are encrypted by ransomware using a key that is only held by the attacker.
A ransom demand is then made for release of the key so that the victim's files can be decrypted. As with many cyber attacks against businesses or individuals, the mechanism used to mount a ransomware attack is usually through infection of the victim's computer systems with some type of malicious software.
In 2013 I wrote a paper for Trend Micro where I examined the use of cryptography in malicious software. I borrowed the term cryptovirology as a title for my paper from the work of Yung and Young at Cryptovirology.com. The term attempts to meld cryptography with computer viruses. It is perhaps a little inaccurate since a computer virus is a specific piece of software which propagates itself by copying its executable code into another application. Trojans and worms are other types of malicious software with different characteristics and malware - as a shortened version of malicious software - is now the accepted general term.
In my cryptovirology paper I determined three principal uses of cryptography in malware. The first use is in the process of obfuscation. The way that AV tools (that's AV for anti-virus so probably should be renamed AM for anti-malware!) detect known types of malware is to look for a signature in the code. The signature is a (broadly) unique piece of the code which can be used to identify and distinguish that specific piece of software. Malware authors attempt to defeat detection by obfuscating (modifying the appearance of) the code using dynamic packers based on cryptographic functions.
A second use of cryptography by malware is in communications to command and control servers. Many pieces of malware need to communicate back to a host computer controlled by the attacker. They do this to receive instructions or to send the results of their actions, perhaps stealing information or security credentials such as passwords. The communication channels between malware instances and their host servers are typically encrypted to prevent analysis and detection by internet security companies and researchers.
When I wrote my Cryptovirology paper in 2013 the third use of cryptography in malware - to hold data to ransom - was something which had occurred in the past but wasn't a popular criminal activity at the time. With the increasing use of cryptography in many areas of computing it was fairly clear that all three examples of cryptovirology would likely see increasing use in the future. That prediction has certainly been realised in the case of ransomware.
The Effects on Business
Ransomware criminals are increasingly targeting businesses rather than individuals. This is probably because businesses often suffer a greater impact as a result of an attack and are more likely to pay the ransom. An individual may have many precious photographs stored on devices but these are likely to be stored in cloud services too. Data on individuals' local devices is often quite ephemeral and thus not of sufficient value to warrant paying for its return. For a business, however, its information - and the continued availability of it - can be crucial to the company's commercial activity.
In a recent case a hairdressers in Cheltenham, UK was the victim of a ransomware attack in which all the data on their computers, including their backups, was encrypted and held to ransom.
At best, a ransomware attack may result in an operational delay whilst everything is restored. Depending on the severity of the attack and the information security measures the business has in place, the effects could be a lot greater:
- the cost of paying the ransom itself
- the risk of decryption not occurring after the ransom is paid
- further infections
- professional service costs to deal with the attack
- conforming with regulatory disclosure
- the damage to business reputation and customer confidence
So, how can businesses protect themselves against ransomware? The first steps are through the standard cyber security mantra: updates, AV software and backups. By applying all operating system and application updates you reduce the opportunities for malware to exploit vulnerabilities in installed software. All AV and internet security vendors are working hard to ensure their customers are protected from the burgeoning volume of ransomware, so make sure you have AV software installed and that it is kept up to date. By far the most important measure to protect against ransomware is a reliable backup. Whilst many types of ransomware will also try to encrypt your backups (as in the case highlighted above), a regular set of backups in a separate network or offsite location will usually be out of reach of local ransomware infections. Once your local base systems are cleaned and restored, your data can be recovered from your most recent (clean) backup.
Whilst some ransomware is well-designed - so you'll have no option other than to rely on your backups or pay the ransom - the general rise in prevalence of ransomware means that there are plenty of copycat attackers aiming to cash in on this criminal market. This means that some ransomware infections can be recovered using decryption tools. It's generally safest to use decryption tools provided by your AV vendor and these are certainly worth a try before considering paying the ransom if you don't have a reliable backup available.
Prevention is always better than a cure so businesses should do what they can to avoid being attacked in the first place. Always be wary of opening email attachments. Make sure the sender is genuine and trusted and that your AV software scans the file before you open it. This should be an automatic feature of your AV software. Never click on a link in an email before checking the underlying destination in the link. In many cases you can just hover your cursor over the link to see the real destination displayed, perhaps at the bottom of the screen.
Whilst email is still a major conduit for malware, attackers are increasingly using drive-by techniques on the web. Compromised websites and adverts can be a source of infection when browsing the web. The highest risk is when you're using the Internet Explorer web browser on a Windows desktop or laptop. Research indicates that it is safer to perform general web browsing and internet searches using either Android or iOS mobile devices. This is due to the way these systems run applications (such as web browsers) in contained environments. Using a mobile device not connected to your network and on which you have no critical business data means you can separate your general internet activities from other business functions and data.
By Mark Chimley
Information Assurance Architect and Cyber Security Consultant
cyberinfo website: http://www.cyberinfo.biz/
First published on Company Connecting October 2016