It's become one of the most feared messages to hit computer screens.
A user or an entire organization suddenly finds their computers locked up or certain files inaccessible. A few minutes later, a message flashes on the screen: “If you want your data back alive, you’ll pay us $xx.”
It’s called ransomware and it’s occurring more rapidly than law enforcement and IT security teams can respond.
It happened in February 2016 to the Hollywood Presbyterian Medical Center in Los Angeles, which paid cyber criminals $17,000 to unlock its computers. It happened to the Horry County School District in South Carolina, which was forced to pay $10,000 after hackers locked up 60 percent of the district’s computers and encrypted district data. Ransomware has even hit police departments, such as a police computer in Swansea, Massachusetts that cost two Bitcoins (about $750) in ransom to unlock.
These are examples of fortunate victims; many individuals and businesses who pay the ransom don’t get back the use of their computers or access to their data.
The proliferation of ransomware in the last few years has been staggering. The anti-virus company Malwarebytes has reported that 60 percent of the infections its software encounters are ransomware. Similarly, ransomware infections detected by Enigma Software's SpyHunter program jumped 158 percent between March and April of this year. Last year, the FBI's Internet Crime Complaint Center received nearly 2,500 ransomware complaints, with ransom demands totaling $25 million.
Ransomware is a type of malware that infects computer systems and restricts users' access to the infected systems or to their files. It's typically spread like most malware, through phishing emails that entice unsuspecting users to click links to infected websites or to download attachments that carry the malware. It's difficult to protect against because attackers frequently repack or modify it to evade signature-based anti-virus detection.
What differentiates ransomware from other common attacks is that the criminal isn't after data like account numbers, Social Security numbers, or passwords. Ransomware locks the machine or encrypts its files and forces the victim to pay a ransom to get them back.
It's a far more efficient crime than standard hacking because it eliminates the work involved in selling stolen data. Ransomware operators get paid directly by the victims of their attacks, usually in Bitcoin, which is hard for investigators to trace back to a person. The more users who pay the ransom, the more lucrative the crime becomes, and the more criminals it attracts.
The new players in the world of ransomware are bringing their ingenuity and creating more types of the malware. According to Mercury News Research, the number of types of ransomware totaled 16 by the end of 2014. Last year alone, 27 new types were detected, and already in the first quarter of 2016, another 15 families of ransomware have been added.
Last fall, Fox-IT identified what it considered the top three ransomware families: CryptoWall, CTB-Locker, and TorrentLocker.
CryptoWall uses AES symmetric encryption to encrypt the victim's files and an RSA-2048 public key to encrypt the AES key, so the files cannot be recovered without the private key that only the attackers hold. Recent versions of CryptoWall host their command-and-control server on the Tor network to hide it and communicate with the malware on victim machines through several proxies. What makes CryptoWall even more dangerous is that its creators have established an affiliate program, offering a financial incentive to other criminals who distribute the ransomware. CTB-Locker also has an affiliate program, while TorrentLocker can harvest email addresses from a victim's machine and spam itself to those addresses.
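The hybrid scheme described above is why recovering the malware binary from an infected machine does not recover the files: the binary only ever contained the public key. The following Go program is an added illustration of that key management, written for this article and not taken from CryptoWall or any other family. It uses AES-256-GCM for the file and RSA-OAEP for key wrapping as stand-ins for the exact modes those families use, which the article does not specify; the file contents and key names are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// WrappedFile is what is left on the victim's disk: the AES-GCM ciphertext,
// its nonce, and the per-file AES key encrypted under the attacker's RSA public key.
type WrappedFile struct {
	Ciphertext []byte
	Nonce      []byte
	WrappedKey []byte
}

// NewHolderKey generates the RSA-2048 key pair the attacker keeps on their server.
// The malware only ever carries the public half.
func NewHolderKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// EncryptForHolder encrypts plaintext with a fresh random AES-256 key, then wraps
// that key with the RSA-2048 public key using RSA-OAEP. The plaintext key is
// zeroed afterwards, so only the private-key holder can unwrap it.
func EncryptForHolder(pub *rsa.PublicKey, plaintext []byte) (*WrappedFile, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	for i := range key { // the only surviving copy of the key is the wrapped one
		key[i] = 0
	}
	return &WrappedFile{Ciphertext: ct, Nonce: nonce, WrappedKey: wrapped}, nil
}

// Decrypt unwraps the file key with the RSA private key and decrypts the file.
// With any other private key the OAEP check fails and nothing is recovered.
func Decrypt(priv *rsa.PrivateKey, wf *WrappedFile) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wf.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap the file key without the matching private key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, wf.Nonce, wf.Ciphertext, nil)
}

func main() {
	attacker, _ := NewHolderKey() // private half never leaves the attacker's server
	wf, _ := EncryptForHolder(&attacker.PublicKey, []byte("constructed sample: quarterly report"))

	// Victim side: the disk holds wf, and the malware only held the public key.
	victimGuess, _ := NewHolderKey()
	if _, err := Decrypt(victimGuess, wf); err != nil {
		fmt.Println("victim:", err)
	}
	pt, _ := Decrypt(attacker, wf)
	fmt.Println("attacker after payment:", string(pt))
}
```

The practical consequence for defenders is that the only reliable recovery path that does not involve the attacker is a backup the malware could not reach, which is exactly the first item on the US-CERT list below.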
It’s not just computers anymore that are targets. A fairly new piece of ransomware disguised as a porn app, called Porn Droid, targets Android smartphones. Attackers are using the malware to lock phones and change PINs, then demand a $500 ransom from victims to regain access.
Homeland Security’s Computer Emergency Readiness Team (US-CERT) recommends the following preventive measures to protect against ransomware:
- Employ a data backup and recovery plan for all critical information. Perform and test regular backups to limit the impact of data or system loss and to expedite the recovery process. Note that network-connected backups can also be affected by ransomware; critical backups should be isolated from the network for optimum protection.
- Use application whitelisting to help prevent malicious software and unapproved programs from running. Application whitelisting is one of the best security strategies as it allows only specified programs to run, while blocking all others, including malicious software.
- Keep your operating system and software up-to-date with the latest patches. Vulnerable applications and operating systems are the target of most attacks. Ensuring these are patched with the latest updates greatly reduces the number of exploitable entry points available to an attacker.
- Maintain up-to-date anti-virus software, and scan all software downloaded from the internet prior to executing.
- Restrict users’ ability (permissions) to install and run unwanted software applications, and apply the principle of “Least Privilege” to all systems and services. Restricting these privileges may prevent malware from running or limit its capability to spread through the network.
- Avoid enabling macros from email attachments. If a user opens the attachment and enables macros, the embedded code runs with that user's privileges and typically downloads and executes the ransomware on the machine.
- Do not follow unsolicited Web links in emails.
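The macro advice above is easier to enforce at the mail gateway than through user training alone. Office Open XML documents (.docm, .xlsm, .pptm) are ZIP containers, and a macro-enabled one stores its macros in a part named vbaProject.bin; inspecting the container finds that part whatever extension the attachment was given. The following Go program is an added example for this article, not code from US-CERT or any product: it scans an attachment's bytes for a VBA project and uses a constructed, minimal OOXML-shaped ZIP as sample input. Legacy OLE2 formats (.doc, .xls) are a different container and are deliberately out of scope.

```go
package main

import (
	"archive/zip"
	"bytes"
	"fmt"
	"path"
	"strings"
)

// HasVBAProject reports whether an Office Open XML attachment carries a VBA
// macro project. Macro-enabled OOXML documents keep their macros in a part
// named vbaProject.bin (word/, xl/ or ppt/ prefix depending on the application).
// Checking the container rather than the file name also catches a macro-enabled
// file that was renamed to look like a plain .doc or .docx.
func HasVBAProject(data []byte) (bool, error) {
	zr, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if err != nil {
		return false, err // not a ZIP container, so not an OOXML document
	}
	for _, f := range zr.File {
		if strings.EqualFold(path.Base(f.Name), "vbaProject.bin") {
			return true, nil
		}
	}
	return false, nil
}

// buildOOXML constructs a minimal OOXML-shaped ZIP in memory as sample input for
// this example; it is not a real Word document. withMacros adds a vbaProject.bin part.
func buildOOXML(withMacros bool) ([]byte, error) {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	parts := map[string]string{
		"[Content_Types].xml": `<?xml version="1.0"?><Types/>`,
		"word/document.xml":   `<?xml version="1.0"?><w:document/>`,
	}
	if withMacros {
		parts["word/vbaProject.bin"] = "placeholder for the compiled VBA storage"
	}
	for name, body := range parts {
		w, err := zw.Create(name)
		if err != nil {
			return nil, err
		}
		if _, err := w.Write([]byte(body)); err != nil {
			return nil, err
		}
	}
	if err := zw.Close(); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

func main() {
	for _, withMacros := range []bool{false, true} {
		doc, err := buildOOXML(withMacros)
		if err != nil {
			panic(err)
		}
		flagged, err := HasVBAProject(doc)
		fmt.Printf("sample withMacros=%v -> flagged=%v err=%v\n", withMacros, flagged, err)
	}
	_, err := HasVBAProject([]byte("plain text mail body, not a ZIP"))
	fmt.Println("non-OOXML input:", err)
}
```

A gateway that flags or quarantines attachments for which HasVBAProject returns true removes the "enable macros" decision from the user entirely; attachments that are not ZIP containers fall through to other checks rather than being treated as clean.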