Introduction to Ransomware and Why You Should Be Concerned

The mere term ‘cybercrime’ sends chills down the spines of IT Department members. It is the topic of closed-door meetings, where only the strong dare attend, that turn into conversations about system hardening and constant vigilance. Cyber hacking has taken a different twist in the last few years with the introduction of a particularly nasty form called ‘ransomware’. These cyber criminals don’t try to hide the fact that they have attacked your system; instead they come forward with blackmail that locks you out of your system and follows through with threats to expose your data to the world or, even worse, to destroy it outright. Ransomware recovery from an attack has become a double problem: a security alert and an embarrassing exposure of corporate vulnerability. If you haven’t been concerned before, you should be now, as this form of cyber hacking can happen where and when you least expect it.

What is Ransomware?

One of the latest forms of malware, ransomware, is a program that infiltrates a company’s data, allowing programs, websites and internal networks to become infected. The attackers encrypt your files and hold the decryption ‘key’ for ransom. This form of data kidnapping places the victim in a compromised position where the only visible way out is to pay the extortion fee to regain access. Ransomware programs are known in the tech industry under a number of general names, including cryptoworm, cryptovirus and cryptotrojan. The underlying problem with this form of malware is that many of these attacks are never reported. The victims comply with the demands of the cyber hackers and may never know whether another attack is coming, so the professional review needed to validate and confirm the safety and security of the system never happens. Ransomware removal is serious business, and engaging a professional company helps ensure a safe and secure return to normal operations. Some of the more vicious forms of ransomware include CryptoLocker, Crypt0L0cker, CryptoWall, CTB Locker and TeslaCrypt.

How Does Ransomware Happen?

The cyber criminals take full advantage of one of the weakest areas of any company: staff email and internet browsing. They have a number of approaches available, but one of the most popular is simply the delivery of an email with an attachment. In business, employees often receive emails from many different sources, many of which are not readily recognized. When the individual attempts to open the attachment, it appears not to open; within a short time he or she receives a ‘ransom note’ email or screen display stating that the data has been locked and encrypted, with a demand for money in exchange for the decryption key. There is usually a preset date and time by which payment must be made, with the threat that the key will be destroyed if the deadline is missed. Beyond email, an employee can also click on a website or a pop-up that has been infected with the ransomware, prompting a download.

Another method of attack includes notification to an individual from what appears to be the police. They are informed that there has been a discovery of illegal web information or unlicensed software on their computer and the victim is informed of the requirement to pay a fine via an electronic method.

One that sounds less harmful but is still a threat is that the cyber criminals encrypt the victim’s data and then wait for the individual to do an internet search, where they sell ‘anti-ransomware’ software from their own e-commerce website.

Each approach exploits the psychology of the victim, preying on the newly exposed weakness in their technology and the perceived value of their proprietary data. The compromise becomes a blend of fear and embarrassment.

You Have Excellent System Security, So Why Should You Be Worried?

Cisco has held ransomware as a major concern and, as reported in one of their blogs: “Ransomware continues to impact a large number of organizations and the malware continues to evolve… The malware authors are focusing more on using exploit kits as an attack vector, since the exploit kit’s functionality could be used to gain privilege escalation on the system. Without privilege escalation, attempting to turn off many enabled security features on the system is likely to fail.”

PC World’s Feb. 2015 edition demonstrated one of the newest changes that ransomware cyber hackers have taken. In their article they stated, “Ransomware authors continue improving file-encrypting programs and infection methods for Windows and Android, making these nightmarish attacks harder to avoid. The biggest ransomware threat for Windows users is CryptoWall, a sophisticated malware program that encrypts a wide range of files and demands that victims pay a ransom in Bitcoin cryptocurrency to recover them.”

In their 2014 Annual Security Report, Cisco listed some interesting information on the topic of malware:

“Research by Cisco TRAC/SIO during 2013 shows multipurpose Trojans were the most frequently encountered web-delivered malware, at 27 percent of the total encounters. Malicious scripts, such as exploits and iframes, were the second most frequently encountered category, at 23 percent. Data-theft Trojans, such as password stealers and backdoors, made up 22 percent of total web malware encounters, with downloader and dropper Trojans in fourth place at 17 percent of total encounters. The steady decline in unique malware hosts and IP addresses—a 30 percent decline between January 2013 and September 2013—suggests that malware is being concentrated in fewer hosts and fewer IP addresses. (Note: An IP address can serve websites for multiple domains.) As the number of hosts declines—even as malware remains steady—the value and reputation of these hosts becomes more important, since good hosts help criminals accomplish their goals.”

Some of the largest corporations around the world have long held the stance of high security for their internal systems, and yet we have seen companies such as Sony, the retail chain Target and even United States government facilities fall to the ‘evil genius’ exploits of hackers. The time, effort and investment devoted to security did not outmatch the in-depth knowledge of the cyber criminals. This type of analysis belongs to companies, such as Proven Data Recovery, that specialize in recognizing potential weaknesses and working proactively to assist in current and future defense and ransomware removal.

What is the Cost of Ransomware?

The cyber hackers depend on an individual’s or company’s understanding of the value of their proprietary data. The fact that the attackers infiltrated a system with ease wounds the emotional sense of pride in that system and opens the door to fear of information loss as well as damage to reputation. They assume the victim will want the matter resolved quickly and discreetly so that the weakness is never exposed. The secondary lever the criminals rely on is knowing that a company places an intangible value on its proprietary data. No industry should consider itself safe from cyber hacking. Beyond the question of paying the blackmail (which is not advised), ransomware recovery is a process that requires intervention by a professional company. Confidence in the existing security perimeter will have been shaken to the core, and a potential leak of the breach can put the prestige of a company at risk. In a report by McAfee entitled “Net Losses: Estimating the Global Cost of Cybercrime – Economic Impact of Cybercrime II”, the annual cost of cybercrime to the global economy was put at $400+ billion.

Taking Proactive Steps for Protection Against Ransomware

Norton by Symantec has a list of tips that can assist against the risk of ransomware, some of these include:

  • Use reputable antivirus software and a firewall, and keep them updated.
  • Back up your system often, either to an external hard drive or an online backup service. Should you come under attack, this will allow you to turn your computer off and start over with a fresh install.
  • Exercise caution when opening emails and avoid suspicious websites.

Additional actions that you can take:

  • Educate staff and employees, especially those who work remotely. Keep them updated on ‘best practices’ for email and website browsing.
  • Establish a chain of reporting within the company for any suspicious activity, including emails received and/or distributed, as well as an emergency procedure in case of threat. This can include a procedure to take the entire system down at a moment’s notice.
  • Encourage diligence within the IT and security staff of the company so they stay aware of cyber hacking trends and changes.
  • Have the contact information for a professional ransomware data recovery company such as Proven Data Recovery on hand.
  • Have an internal security protocol set up for alerting the authorities. Local police departments are not equipped to deal with cyber hacking, but the FBI is set up to take potential action.
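The article describes ransomware as malware that rewrites a victim’s files into encrypted form, and it asks the IT and security staff to stay alert for it. One concrete form of that alertness is a detection rule that watches for the behaviour itself: a single user account rewriting many distinct files with encrypted-looking (high-entropy) content in a short burst. The script below is an added example, not code from the article or from Proven Data Recovery. It assumes a file-write event feed carrying a timestamp, the user, the path and the new content (in a real deployment this would come from an EDR agent or a file-server audit log; here the events are constructed inline), and it uses Shannon entropy as the “looks encrypted” test.

```python
import math
import random
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List

# Tunables (assumed values for this example; calibrate against your own baseline).
ENTROPY_THRESHOLD = 7.0      # bits per byte; encrypted/compressed data sits close to 8.0
BURST_WINDOW_SECONDS = 60    # sliding window length
BURST_MIN_FILES = 20         # distinct high-entropy rewrites within one window that trigger an alert


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input, 8.0 max)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes) -> bool:
    """Heuristic: ciphertext has no byte-frequency structure, so its entropy is near the maximum."""
    return shannon_entropy(data) >= ENTROPY_THRESHOLD


@dataclass
class WriteEvent:
    ts: float        # seconds since epoch
    user: str        # account that performed the write
    path: str        # file that was rewritten
    content: bytes   # new file content as captured by the audit source


def find_burst_writers(events: List[WriteEvent],
                       window: float = BURST_WINDOW_SECONDS,
                       min_files: int = BURST_MIN_FILES) -> Dict[str, int]:
    """Return {user: distinct_files} for every user whose high-entropy rewrites
    of distinct files inside any `window`-second span reach `min_files`."""
    per_user: Dict[str, List[WriteEvent]] = defaultdict(list)
    for ev in events:
        if looks_encrypted(ev.content):          # ignore ordinary plaintext edits
            per_user[ev.user].append(ev)

    flagged: Dict[str, int] = {}
    for user, evs in per_user.items():
        evs.sort(key=lambda e: e.ts)
        best = 0
        start = 0
        for end in range(len(evs)):              # sliding window over sorted timestamps
            while evs[end].ts - evs[start].ts > window:
                start += 1
            distinct = {e.path for e in evs[start:end + 1]}
            best = max(best, len(distinct))
        if best >= min_files:
            flagged[user] = best
    return flagged


# ---- Constructed sample data (not real captures) -------------------------------------
_rng = random.Random(42)                          # fixed seed keeps the example deterministic


def _pseudo_ciphertext(size: int = 2048) -> bytes:
    """Stand-in for encrypted output: uniformly distributed bytes."""
    return bytes(_rng.getrandbits(8) for _ in range(size))


SAMPLE_PLAINTEXT = b"Quarterly report: revenue grew 4 percent over the prior period. " * 40
SAMPLE_ENCRYPTED_BLOB = _pseudo_ciphertext()


def build_sample_events() -> List[WriteEvent]:
    """alice: normal editing plus one legitimate compressed archive (single high-entropy write).
    bob: 25 distinct documents rewritten with ciphertext-like content inside 25 seconds."""
    events = [WriteEvent(ts=100.0 + 600 * i, user="alice",
                         path=f"/shares/finance/report_{i}.docx",
                         content=SAMPLE_PLAINTEXT) for i in range(5)]
    events.append(WriteEvent(ts=3000.0, user="alice",
                             path="/shares/finance/archive.zip",
                             content=_pseudo_ciphertext()))
    events += [WriteEvent(ts=5000.0 + i, user="bob",
                          path=f"/shares/hr/file_{i}.xlsx",
                          content=_pseudo_ciphertext()) for i in range(25)]
    return events


SAMPLE_EVENTS = build_sample_events()

if __name__ == "__main__":
    for user, count in find_burst_writers(SAMPLE_EVENTS).items():
        print(f"ALERT: {user} rewrote {count} distinct files with encrypted-looking content "
              f"within {BURST_WINDOW_SECONDS}s")
```

Running it flags only `bob`: alice’s single archive write is high-entropy but never reaches the burst threshold, which is the point of combining the entropy test with a per-user rate over distinct files rather than alerting on any one unreadable file. The thresholds are placeholders; tune the window and file count against a baseline of legitimate activity (backup jobs and bulk archiving are the usual false positives) before wiring the alert into the company’s reporting chain.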

Steps to Take If You Have Been Assaulted with Ransomware:

  • Upon discovering that you are under siege from ransomware, turn your computer off and disconnect from the internet as well as from any internal network connections to avoid further infection.

If you have CryptoLocker, CryptoWall or TeslaCrypt ransomware:

  1. Perform an immediate shutdown of the computer without pressing the power button. If the power button is pressed, it may corrupt some of the data that is in the process of being encrypted.
  2. Document any relevant information about the nature of the ransomware, such as pop-up messages, the name of the ransomware, etc.
  3. Do not attempt to remove the ransomware yourself. Ransomware removal requires an expert, and your actions could cause additional data damage.
  4. The final step is to contact a professional in the ransomware removal and ransomware data recovery business, such as Proven Data Recovery. Their 24/7 emergency services put a team of professionals at your disposal to analyze the situation, evaluate the damage and work with the security and IT Departments on the next steps and ransomware removal.
