Ransomware and Your Business
By Diana Contesti, CISSP-ISSAP, ISSMP, CSSLP, SSCP
Ransomware has been in the news lately with attacks on Norsk Hydro, multiple cities in Florida, Baltimore and Atlanta, not to mention the numerous hospitals that have been hit.
These attacks have cost companies like Norsk an estimated $45 million due to lost revenues and the cost to restore and recover their IT department. The cost to the two cities in Florida is estimated to be $1.1 million and the tally continues to grow.
Ransomware is short for ransom malware and has been around since the late 1980s, but is now gaining in popularity with bad actors. The software typically prevents users from accessing their system or personal files and then demands a payment to restore the user’s access to their data.
In the late 1980s, payment could be made via email, but this has changed and the writers are now demanding payment via credit card or cryptocurrency.
Today, this malware typically works in one of two modes, either denying access to the data or encrypting it.
Ransomware comes in three main types:
- Scareware
- Screen Lockers
- Encrypting ransomware
With Scareware, the user will see pop-up messages saying that a virus has been discovered and that the user has to pay to eliminate the issue. Doing nothing will typically result in being bombarded with pop-ups to the point that the system may be unusable, but the user’s files are typically okay and have not been affected.
Screen Lockers, on the other hand, are more damaging, as the device is frozen or the user is locked out. These have been seen with very official-looking warnings, supposedly from either the FBI or the U.S. Department of Justice (DoJ), stating that the device has been used for illegal activity (porn, cybercrimes, etc.) and that a fine must be paid. One must remember this is not how the FBI or DoJ would go about handling these issues.
Encrypting ransomware is probably the worst case, as it grabs files and begins encrypting them. Once this happens, unless you pay the ransom to the criminals, the files are gone. Worse yet, even if you pay the ransom, you may never get the files back.
So how does one protect themselves from Ransomware? Consensus is to prevent it before it happens. The methods used to prevent an infection are far from perfect and typically require a skilled or technical user to deal with them.
What are the legal issues associated with Ransomware?
There are numerous legal issues with Ransomware, the largest being that the criminals request that payment be made via Bitcoin. Not many people or organizations keep Bitcoin handy, so they need to purchase it from an online source. This typically happens using a credit card. This creates an additional risk for the user, as most Bitcoin vendor sites have been hacked.
Laws in various countries treat Bitcoin differently, and in some the Bitcoin may be considered property (U.S.) and therefore taxable to the buyer. Users or corporations that decide to pay the demands of the criminal may run afoul of the laws in their jurisdiction. This is especially true in the U.S.
eDiscovery is also in jeopardy, as the collection and preservation of the data can or may be called into question. To date, there have been no known cases, but it may only be a matter of time until the normal custody of the data is called into question.
This link provides an excellent description of some of the issues associated with Ransomware: https://jolt.richmond.edu/volume23_annualsurvey_sherer/
Recommendations
We recommend that users:
- Purchase software that both blocks ransomware and has features that will shield the PC from threats. Spend the extra $50 to $100 per user to prevent an even larger payout. Buy one that gives you detection, response and remediation capabilities. There are several on the market.
- Regularly back up the data on their systems: use cloud storage (if you have access) or a USB device (remember to remove or disconnect the device). In a corporate environment, it is not recommended that files (especially confidential or sensitive files) be kept on hard drives.
- Patch systems (firmware and software) regularly. WannaCry leveraged a loophole in the Microsoft operating system; users who bypassed the patch became infected. Similarly, Petya infected the MBR on Windows systems. While patching may seem bothersome, it can prevent some malware.
- Stay current with what is happening.
- Educate users on the ways that the malware can enter the system. Teach yourself and users how to spot malware, suspicious websites, scams, etc.
- Do not pay the ransom (author's opinion only).
Conclusion
Ransomware is not going to go away. We have seen it since the late 1980s and we are currently seeing it being spread to other operating systems. Sorry, Mac users, you are not protected from this one. The malware authors are leveraging old trojans and attack methods in new ways.
As cybersecurity professionals, we need to be more diligent in patching, staying current on what is happening and educating ourselves and users.