Latest-generation ransomware can permanently encrypt business files, unless you pay to free them. Tom Davison, technical director for Check Point looks at how ransomware is on the rise, and how firms can defend their data against being taken hostage
‘Your money or your life’ was a phrase favoured by the highwaymen of the 18th century. But while masked criminals on horseback robbing stagecoach passengers may be a thing of the past, the notion of holding valued items for ransom is still prevalent. Today, cybercriminals use malware known as ransomware to demand ‘your money or your files’, extorting businesses by holding their PCs or data hostage and demanding financial payment for their release.
Like most malware, ransomware can originate from opening a malicious attachment in an email, clicking on a deceptive pop-up, or simply visiting a compromised website. It threatens businesses in one of two ways: locking a user’s screen or file encryption. Lock-screen ransomware, as the name suggests, causes a PC to freeze while displaying a message with the criminal’s ransom demand, rendering the computer useless until the malware is removed. While this is a nuisance for users, it’s survivable because it typically affects a single PC, and is relatively easy to remove.
File encryption ransomware, on the other hand, is quickly emerging as a genuine threat to businesses because of its ability to permanently lock users out of their files and data – not only on individual PCs, but across organisations’ entire networks. Using encryption to scramble data until the ransom is paid, this type of ransomware attack has seen a 200% increase in Q3 of 2013, compared to the first half of the year. What’s more, the attacks have been focused on small and medium-sized firms, using CryptoLocker, one of the most destructive and malicious strains of ransomware ever seen.
Since being identified in late summer 2013, CryptoLocker has targeted over a million computers. Once activated on a user’s PC, CryptoLocker searches all folders and drives that can be accessed from the infected computer, including networked back-up drives on company servers. It then starts scrambling those files using virtually uncrackable 2048-bit encryption. The files will remain scrambled unless the business pays a ransom to those behind the attack in order to release the decryption key – assuming, of course, the criminals actually supply the key when paid. Without exaggeration, this loss of intellectual property and confidential data has catastrophic implications.
Defending against ransomware
So what can businesses do to protect themselves against these new, aggressive types of ransomware? As a first step, it’s important that organizations implement basic security best practices recommended to protect computers from any other type of malware:
- Ensure anti-virus software is updated with the latest signatures
- Ensure operating system and application software patches are up to date
- Install a two-way firewall on every user’s PC
- Educate users about social engineering techniques, especially involving unknown attachments arriving in unsolicited emails
However, these measures do not offer complete protection against attacks. It’s all too easy for an employee to inadvertently click on an email attachment, triggering an infection. It’s also relatively easy for criminals behind a ransomware scam to make small adjustments to the malware code, enabling it to bypass current antivirus signature detection, in turn leaving businesses vulnerable.
Better protection with sandboxing
To defend against new exploits that may not be detected by conventional anti-virus solutions, a new security technique makes it possible to isolate malicious files before they enter the network so that accidental infection does not occur.
Without impacting the flow of business, this technology,emulation, opens suspect files arriving by email and inspects their contents in a virtualized environment known as a ‘sandbox.’ In the sandbox, the file is monitored for any unusual behaviour in real time, such as attempts to make abnormal registry changes, actions or network connections. If the file’s behaviour is found to be suspicious or malicious, it is blocked and quarantined, preventing any possible infection before it can reach the network – or users’ email inboxes – and nullifying the risk of it causing damage. Furthermore, new cloud-based emulation services can deliver this protective capability to almost any organisation, of any size, with minimal set-up needs.
Businesses should consider taking these extra precautions to ensure they don’t fall prey to cybercriminals who need only a sliver of security weakness to get into the network and hold company assets hostage. With the potential to capture all of a company’s files and data in an instant, ransomware poses a significant threat that organisations should take seriously.