As featured in DisruptiveViews
The current obsession with collecting as much data as possible, from whatever source, for the purposes of business analysis and improving customer experience will hopefully give way to a more focused approach on data that really matters.
In the meantime, the wholesale collection of data and its storage presents an enormous problem for businesses because it opens the door for criminals adept at cybercrime to collect information either for the purposes of corporate espionage, fraudulent activity or resale.
Of even greater concern is the rise in ransomware activity. The implanting of malicious code via something as simple as an email or instant message and the subsequent demands for payment by bitcoin gets the criminals instant results with little chance of being caught.
No target is too big or too small and current protection software is not able to detect or prevent most attacks. Many individuals, businesses and even hospitals are being targeted and with virtually no means of protection there will be further and more widespread disruption.
There is nothing about ransomware that is clever or appealing unless you are a criminal. It is pure blackmail of the most obnoxious kind. It may not be worse than the kidnapping of loved ones, with its ransom notes and payment demands, but this version denies us access to our next most valuable and cherished asset – our personal data.
Like its insidious predecessor, the malicious computer virus, ransomware will, in time, be tamed. Maybe. But in the meantime it will cause mayhem, heartache and financial distress to many thousands. The ransomware market has ballooned quickly, reported TechRepublic’s Michael Kassner, from a $400,000 annual haul in 2012, to nearly $18 million in 2015. The average ransom—the sweet spot of affordability for individuals and SMBs—is between $300 and $500, often paid in cash vouchers or Bitcoin.
But the nightmare is only just beginning. Late last year we saw the emergence of ransomware-as-a-service or RaaS. I kid you not! Business Insider reported that RaaS was “designed to be so user-friendly that it could be deployed by anyone with little cyber know-how. These agents simply download the virus either for free or a nominal fee, set a ransom and payment deadline, and attempt to trick someone into infecting his or her computer. If the victim pays up, the original author gets a cut — around 5% to 20% — and the rest goes to the ‘script kiddie’ who deployed the attack.”
Oh great, now we are experiencing the results of this multi-level marketing for ransomware, and it’s only going to get worse. A more detailed report on the source of RaaS by Flashpoint claims most of the RaaS activities emanate from Russia and that, from the ransomware affiliate perspective, such campaigns have significantly lowered the barriers to entry for low-tier Russian cybercriminals. It concludes that “ransomware revenue amounts are not as glamorous and fruitful as they are often publicly reported. Average ransomware crime bosses make only $90,000 per year on average.” The Flashpoint findings “dispute the common perceptions of cybercriminals as being larger-than-life, smart, well off, unreachable, undoxable, and unstoppable.”
That’s hardly comforting for those who have already been held to ransom or soon will be. However, in the absence of tools that offer total protection at this time, the following general advice from Imperva may be of assistance.
“A few simple monitoring rules on a file share can prevent malware from encrypting your data:
- Look for the “HELP_DECRYPT” files—every read, write, or access action on this file discloses the infection.
- Look for temporary files that are being created and deleted cyclically from a certain computer. One or two is reasonable, but more than that requires immediate intervention.
Note: These steps could be automated using technologies such as File Activity Monitoring.”
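To show what those two monitoring rules look like when automated, here is an added example (not Imperva's code, and not tied to any particular File Activity Monitoring product) that applies them to a few constructed file-server audit log lines. The log line format, the host names, the paths and the churn threshold of two are all assumptions made for this illustration.

```python
"""Two file-share monitoring rules for spotting a ransomware infection.

Added example, not Imperva's code. Assumes an audit log with one event per
line in the form "<timestamp> <host> <action> <path>" (a constructed format
for this illustration) where action is create, delete, read or write.
"""
import re
from collections import defaultdict

# Constructed sample audit log: one workstation (WS-17) churns through
# temporary files and then writes a ransom note; another (WS-04) is normal.
SAMPLE_LOG = r"""
2016-03-01T09:00:01 WS-17 write \\fs01\share\finance\q1.xlsx
2016-03-01T09:00:02 WS-17 create \\fs01\share\finance\~tmp0001.tmp
2016-03-01T09:00:02 WS-17 delete \\fs01\share\finance\~tmp0001.tmp
2016-03-01T09:00:03 WS-17 create \\fs01\share\finance\~tmp0002.tmp
2016-03-01T09:00:03 WS-17 delete \\fs01\share\finance\~tmp0002.tmp
2016-03-01T09:00:04 WS-17 create \\fs01\share\finance\~tmp0003.tmp
2016-03-01T09:00:04 WS-17 delete \\fs01\share\finance\~tmp0003.tmp
2016-03-01T09:00:05 WS-17 write \\fs01\share\finance\HELP_DECRYPT.TXT
2016-03-01T09:01:10 WS-04 create \\fs01\share\hr\~tmp9001.tmp
2016-03-01T09:01:11 WS-04 delete \\fs01\share\hr\~tmp9001.tmp
2016-03-01T09:01:12 WS-04 read \\fs01\share\hr\policy.docx
"""

RANSOM_NOTE_PREFIX = "HELP_DECRYPT"
# "One or two is reasonable, but more than that requires immediate
# intervention": the threshold of 2 cycles per host is our reading of that.
TEMP_CHURN_THRESHOLD = 2


def parse_log(text):
    """Split each non-empty line into a dict; paths are assumed to contain no spaces."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, action, path = line.split(None, 3)
        events.append({"ts": ts, "host": host, "action": action.lower(), "path": path})
    return events


def basename(path):
    """Last path component, accepting both backslash and slash separators."""
    return re.split(r"[\\/]", path)[-1]


def is_temp_file(path):
    """Heuristic for temporary files: leading '~' or a .tmp extension (assumption)."""
    name = basename(path).lower()
    return name.startswith("~") or name.endswith(".tmp")


def rule_ransom_note(events):
    """Rule 1: any read, write or access of a HELP_DECRYPT* file discloses infection."""
    return [e for e in events if basename(e["path"]).upper().startswith(RANSOM_NOTE_PREFIX)]


def rule_temp_churn(events, threshold=TEMP_CHURN_THRESHOLD):
    """Rule 2: per host, count temp files created and then deleted; flag hosts over threshold."""
    pending = defaultdict(set)   # host -> temp paths created and not yet deleted
    cycles = defaultdict(int)    # host -> completed create/delete cycles
    for e in events:
        if not is_temp_file(e["path"]):
            continue
        key = e["path"].lower()
        if e["action"] == "create":
            pending[e["host"]].add(key)
        elif e["action"] == "delete" and key in pending[e["host"]]:
            pending[e["host"]].discard(key)
            cycles[e["host"]] += 1
    return {host: n for host, n in cycles.items() if n > threshold}


def run_rules(text):
    """Apply both rules and report the hosts each one flags."""
    events = parse_log(text)
    return {
        "ransom_note_hosts": sorted({e["host"] for e in rule_ransom_note(events)}),
        "temp_churn_hosts": rule_temp_churn(events),
    }


if __name__ == "__main__":
    print(run_rules(SAMPLE_LOG))
```

Rule 1 fires on the first touch of the ransom note, so it catches an infection that has already begun encrypting; rule 2 fires earlier, on the create/delete pattern alone, which is why the second rule is the one worth wiring to an automatic response such as cutting the offending host's share access.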
“If your files are encrypted, there is currently no way to obtain the private key to decrypt the files without paying the ransom. Since the malware overwrites the original file with the encrypted version and even deletes the volume shadow copies, the only reliable way to restore the file is to recover from a backup. The best way to protect yourself is to have a regularly updated backup of all your important data. It will minimize any damage this malware might cause.”
In this document, Imperva outlines exactly how ransomware works. It is a compelling and informative read.