Russ Harvey Consulting - Computer and Internet Services

Ransomware

Holding your digital life for ransom

What is Ransomware? | Preparing for Recovery | Resources | History

[Image: a laptop displaying a red screen with a pirate-flag logo, signifying that the computer has been hit by ransomware.]
The number of ransomware victims paying ransom demands has dropped to a record low of 29% in the final quarter of 2023, according to ransomware negotiation firm Coveware.

This trend became apparent in mid-2021 when the payment rate dropped to 46% after previously being 85% at the start of 2019.

According to Coveware, the reason for this continual drop is multifaceted, including better preparedness by organizations, a lack of trust towards cybercriminals promising not to publish stolen data, and legal pressure in some regions where paying a ransom is illegal.

Coveware suggests that if national bans were imposed in the U.S. or other highly-targeted countries, companies would most likely stop reporting these incidents to the authorities and deal with their problem using shady service providers as intermediaries.
BleepingComputer

What is Ransomware?

Ransomware is a specialized form of malware that encrypts the files on your computer (and on any drives it can reach), then demands a ransom for the key needed to decrypt them.

This makes all your files (documents, financial data, letters, photos, music, etc.) inaccessible. It then displays a message promising a decryption key once you pay the ransom.

Payment is demanded in Bitcoin or another cryptocurrency because such payments are hard to trace back to the criminals and cannot be reversed (Bitcoin is pseudonymous rather than truly anonymous, but the recipient is still very hard to identify). If the decryption key doesn't work, there are no refunds.

How It Spreads

Organized crime and “state actors” (foreign governments) use their considerable technical and financial resources to develop ransomware, then offer it to small-scale criminals (ransomware-as-a-service) to ensure rapid distribution.

Like all malware, you can get infected from many sources including:

If your security software isn't up to the task, your computer will become useless and your data will be encrypted.

Ransomware Facts

Some facts about ransomware:

The good news is that ransomware files can be decrypted:
  • Tools (paid or free) can be obtained to decrypt ransomware.
  • Ransomware recovery specialists can be hired to perform the decryption and system recovery.
The bad news is that decryption often doesn't work, so the best option for recovery will always be the availability of sufficient, isolated data backups and a practiced restoration process.
eSecurity Planet
Nearly 40% of the victims who pay the ransom never get their data back and 73% of those that pay are targeted again later — which is why you need to protect against ransomware.
Acronis

Computers are infected automatically, with viruses that spread over the internet.

Payment is no more difficult than buying something online -- and payable in untraceable bitcoin -- with some ransomware makers offering tech support to those unsure of how to buy or transfer bitcoin.

Customer service is important; people need to know they'll get their files back once they pay.
Bruce Schneier

DON'T Pay the Ransom

Paying the ransom should be your last option.

Studies indicate that paying the ransom demonstrates that you aren't prepared, making you a prime target in the future.

A successful ransomware attack isn't one that encrypts your files, but one where the attacker gets paid.

That means the best thing you as an individual, but especially big corporations, can do to stem the spread of ransomware is keep your wallets closed.

It will be painful, but we cannot trust crooks to return access to our systems and data, nor can we keep rewarding them for their crimes.
PCMag

The prevailing wisdom from cybersecurity experts is that trying to negotiate with ransomware hackers is a bad idea, but on December 30, 2020, one victim broke the rules and gave it a shot.

After agreeing on an expedited payment, the hackers accepted the offer -- a stunning 94.7% reduction from their initial demand.
PCMag

Other than prevention and preparation, your only realistic alternative is to wipe your computer, reinstall everything and restore your data from a reliable (and uninfected) current backup.

Payment Doesn't Guarantee Anything

There is no guarantee that you'll get your data back even after paying.

[E]ven if a payment was forthcoming, new research reveals the shocking reality of ransomware today: 92% of organizations don't get all their data back.
Forbes

Modern ransomware groups usually steal a copy of your confidential data before encrypting it, so the encryption masks a data breach. Paying the ransom won't undo the fact that your data was taken; you have only the criminals' word that they will delete it rather than sell or publish it.

A survey of organisations affected by ransomware attacks found that the average total cost of a ransomware attack for organisations that paid the ransom is almost $1.4m, while for those who didn't give into ransom demands, the average cost is half of that, coming in at $732,000.
ZDNET

Costs to Businesses

The costs to businesses are very high.

The average cost of a data breach is $3.86 million, a malicious breach cost $4.27 million, and a ransomware attack costs about $4.44 million, according to IBM's 2020 Cost of a Data Breach report.
TechRepublic
[T]he average downtime an organization suffers from a ransomware attack is three days, but at times can be indefinite and lead to the failure of a business.
TechRepublic

Tighten Security

As inconvenient as it is, your best bet is to tighten your security (educate yourself and your employees about the warning signs) and be prepared to restore your files from a secure backup.

In short, your security comes down to the same three words: backup, protection, awareness. All three need to be in place, and when they are, you can confidently say you're employing optimal antiransomware security strategy.
Kaspersky

The Economic Realities

It is unfortunate that many corporate boards fail to adequately finance their security staff. Much like avoiding insurance payments, this is false economy. When disaster strikes, the blame should be put where it belongs: in the corporate boardroom.

Governments Attractive Targets

Cities, hospitals and other government services are prime targets for ransomware.

Even though government tax bases were hit hard by the COVID-19 crisis, these organizations now also face the threat of confidential information being released.

There is no guarantee that this information will not be sold on the dark web and eventually be exposed anyway. In the past, the defense for ransomware was simply to have good backups, however, with the addition of data exfiltration, the ransomware groups have changed the game.
Erich Kron

These are favoured targets because such services are both unprepared (their security and often their hardware is sub-standard) and motivated to pay (because of the confidential and often critical nature of their data).

Ransomware-as-a-Service

Ransomware-as-a-service (RaaS) is a commercial product sold or rented on the dark web, making working ransomware available to virtually anyone who wants to use it.

This ransomware can alter your master boot records, change partitions tables and encrypt files. That means it can do real damage to your machine.
TechRepublic

The criminal organization running the service supplies the malware, the payment portal and victim “support” for payments and decryption; the affiliates who break into victims' networks and deploy it hand over a cut of the proceeds.

Ransomware is following the same trajectory as phishing. The criminals have worked out how to monetize the crime, and they know which types of businesses are likely to pay up — and how to collect the money without being caught.
Phillip Hallam-Baker

Preparing for Recovery

Prevention isn't easy, and once you have been infected the only way to be sure you're clean is to wipe your hard drive, then recover your files from a RECENT, secure backup.

Prevention

Preventing a ransomware attack is a combination of knowledge and education backed up by security software.

You and everyone with access to your computer(s) needs to learn to recognize the signs of malware and phishing:

Securing your computers and networks also means ensuring that no one can take over your accounts through identity theft or weak “forgot my password” recovery methods, since a hijacked account is often how attackers get in.

ZDNET's 11 Steps

These 11 suggestions from ZDNET will help you prepare:

  1. Make sure your antivirus software is up to date
  2. Understand what's happening across the network
  3. Scan and filter emails before they reach your users
  4. Have a plan for how to respond to a ransomware attack, and test it
  5. Think very long and hard before you pay a ransom
  6. Understand what your most important data is and create an effective backup strategy
  7. Understand what's connected to your network
  8. Make it harder to roam across your networks
  9. Train staff to recognise suspicious emails
  10. Change default passwords across all access points
  11. Apply software patches to keep systems up to date
ZDNET

Preventing Physical Threats

The first step is to ensure the physical safety of your computers, equipment and data. Develop policies regarding employee and guest access.

While there are sneaky methods for getting around even “air-gapped” computers, most users will not be the focus for such attacks.

Preventing External Threats

Once you've ensured that your hardware and data is as secure as possible, train your employees to recognize and respond appropriately to any threat.

When in Doubt

If you have any doubts about an email, don't click on any links. Report it to your IT department or support resource.

Be cautious of sensitive instructions received via email, especially if they involve large financial transactions. Call the department head to verify legitimacy, using a phone number you already have rather than one supplied in the email.

Managing Outside Users

The use of the company network and Internet should be restricted to company business.

Home Offices

If you have a home office, don't allow people to use your computer unsupervised. The rules for company computers also apply.

Because this office is in your home, other family members and visitors may not respect the need for security like they would in a regular office.

Backup Your Data

Other than prevention, reliable backups are one of your best defenses in case something goes wrong, including ransomware attacks.

Verify Backups on Safe Media

Ransomware now attacks backup software and devices to ensure you don't have that recovery option.

You want to ensure that you have all your files backed up onto safe media, and regularly verify the integrity of those backups (and that you can actually restore from them) before you need them.

As a way to deal with ransomware attacks specifically, organizations need to back up data regularly to a nonconnected environment and verify the integrity of those backups regularly….
TechRepublic
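
One way to do that verification, as an added example (not code from the original page or from any backup product): at backup time record the size and SHA-256 hash of every file in a manifest kept away from the backup media, then later recompute the hashes and report anything changed, missing or newly added. A file silently encrypted by ransomware fails the check because its contents no longer match. The directory layout, manifest format and sample files are constructed for this example.

```python
"""Create and verify a SHA-256 manifest for a backup set.

Added example, not code from the original page. The manifest format,
directory layout and sample files below are assumptions made for the
example; a real deployment would store the manifest on read-only or
offline media so it cannot be encrypted along with the backup.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_of(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so large backups need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root) to its size and SHA-256."""
    manifest = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        manifest[rel] = {"size": path.stat().st_size, "sha256": sha256_of(path)}
    return manifest


def write_manifest(root: Path, manifest_path: Path) -> int:
    """Write the manifest as JSON and return the number of files recorded."""
    manifest = build_manifest(root)
    manifest_path.write_text(json.dumps(manifest, indent=2))
    return len(manifest)


def verify_backup(root: Path, manifest_path: Path) -> dict:
    """Compare the backup set on disk against the stored manifest.

    Returns the files whose hash changed, the files that disappeared, and
    the files that appeared after the manifest was written (ransom notes
    and renamed ".encrypted" copies show up in the last list).
    """
    expected = json.loads(manifest_path.read_text())
    actual = build_manifest(root)
    changed = sorted(
        rel for rel in expected
        if rel in actual and actual[rel]["sha256"] != expected[rel]["sha256"]
    )
    missing = sorted(rel for rel in expected if rel not in actual)
    unexpected = sorted(rel for rel in actual if rel not in expected)
    return {"changed": changed, "missing": missing, "unexpected": unexpected,
            "ok": not (changed or missing or unexpected)}


def demo() -> dict:
    """Constructed scenario: a good backup, then a simulated ransomware hit."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        (backup / "docs").mkdir(parents=True)
        (backup / "docs" / "letter.txt").write_text("Dear Sir, ...")
        (backup / "budget.csv").write_text("item,cost\nprinter,120\n")
        # The manifest lives outside the backup tree (stand-in for offline media).
        manifest = Path(tmp) / "manifest.json"
        write_manifest(backup, manifest)
        clean = verify_backup(backup, manifest)

        # Simulate what ransomware does to a still-connected backup drive:
        # overwrite one file with ciphertext-like bytes, delete another,
        # and drop a ransom note.
        (backup / "budget.csv").write_bytes(os.urandom(64))
        (backup / "docs" / "letter.txt").unlink()
        (backup / "README_TO_DECRYPT.txt").write_text("Pay 0.05 BTC ...")
        hit = verify_backup(backup, manifest)
        return {"clean": clean, "hit": hit}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Keep the manifest on read-only or offline media, or at least on a different device than the backup set: a manifest sitting on the same connected drive gets encrypted along with the files it describes. The same verify step, run against the restored files after a rebuild, tells you which files came back corrupt.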

Always-connected Devices Vulnerable

Internal drives and always-connected USB drives (such as Western Digital My Book drives) are encrypted at the same time as your computer: to the ransomware they are just another drive letter.

If a backup device is connected to the infected computer or its network (including mapped network shares), it is likely that the backups on it will be encrypted or deleted along with everything else.

If you are using external drives that are continually connected, ensure that they are powered off when not actively backing up your data. If there is no power switch, unplug the USB cable or power supply.

Cloud Backups Vulnerable

Cloud-based storage provides an excellent recovery option in case physical backup drives are damaged or stolen.

However, accounts on cloud services like OneDrive, iCloud and Dropbox can be compromised, so a strong, unique password and two-factor authentication are essential.

Avoid using an automatic login to your cloud service, because this makes it easy for either ransomware or anyone with access to your computer to damage or delete your backups. Be aware, too, that a sync client will faithfully upload the encrypted files over your good copies; prefer a service that keeps previous versions of files so they can be rolled back.

Keep Backups Current

Any data that is changed or created after your last backup is unrecoverable unless you make other arrangements.

Take precautions like saving changed or new files onto a thumb drive as soon as changes are made to them, then disconnecting it (a thumb drive that stays plugged in is just as exposed as any other connected drive). These files can overwrite older versions once the backup is restored.

Preparing for Recovery

Don't delay. Once you've been hit by ransomware, your options are limited and it is unlikely that you or your business will recover unscathed.

It is always tempting to try and solve our problems for free, but sometimes the value of the software is worth the amount we paid — or worse. When considering a free tool, it is worth investigating the reputation of the person or organization that developed the free tool and considering the reputation of the source providing information on the tool.
eSecurity Planet

Here are some keys to preparing your computer(s) and data for recovery:

Increase your security budget and train your employees on how to spot and avoid risky behaviour. The cost is far less than a successful ransomware attack.

Restoring Data After a Ransomware Attack

Before you restore your data, you need to ensure that your recovery is not corrupted by remaining security issues.

Preparing Your Computer

As with any malware infection, leaving any remnant of the malware behind will defeat the next steps. If you're unsure, get professional help in ensuring your computer is clean.

How you proceed depends upon which is more critical: speed or security.

The More Secure Install

Performing the Restore

Once your computer has been prepared and you're sure it is secure, proceed with restoring the data from the backups. Only restore program settings if you're certain they are not compromised.

Do not use your computer during the restore process to avoid external threats that can compromise the data being restored.

Run a Security Scan

Once the restore process is complete, run a full security scan to ensure that no malware or other threats remain on your computer.

This process may determine that some of the restored files are corrupt. If your security software cannot repair these infections, delete the files and restore them from an older, known-good backup if one exists.

Winning the War on Ransomware

See Trustwave's Winning the War on Ransomware infographic (below). Pay attention to the checklist for resistance, rescue and recovery.

[Infographic: Winning the War on Ransomware, from Trustwave]

Ransomware Resources

These additional resources can help you develop policies to prevent ransomware (prevention is best) or seek out recovery solutions.

Canadian Government

The Canadian government provides some guidance on preventing ransomware from gaining a foothold in your business but the information can also be useful for individuals.

Prevention

It is better to prevent ransomware in the first place.

Check Point ZoneAlarm Anti-Ransomware remains one of the most effective ransomware-specific security tools we've tested. It detected all our real-world ransomware samples, though its recovery system missed some files.
PCMag

Recovery

You can try these recovery tools, but it is better to bring in expert help than to muddle through a process you don't understand.

Older Ransomware

These recovery tools relate to older ransomware variants. Modern ransomware is not so easy to recover from.

Ransomware History

Ransomware was largely made possible by the development of cryptocurrencies, which allow payments that are hard to trace and impossible to reverse.

CryptoLocker Started it All

CryptoLocker, released in 2013, demanded a significant ransom fee in Bitcoin, payable within 72 hours, after which the private key needed to decrypt your files would be destroyed.

CryptoLocker spread mainly through malicious email attachments and the botnet mentioned below; later ransomware families have also been spread through compromised ad networks (malvertising) and exploit kits, with payment sites hosted on the Tor network.

Newer Variations

While the botnet distributing CryptoLocker was taken down in 2014, it inspired newer, unrelated families (CryptoWall, CoinVault, TorrentLocker and Cerber) which the CryptoLocker decryption tools cannot recover.

Bad Rabbit

Bad Rabbit moved ransomware into the low-rent district.

Access to a Windows XP machine can be purchased for $3; a Windows 10 machine for $9.

The attacker recoups over 30 times that investment from the first victim who pays.

The 0.05 bitcoin ransom (approx. $3,200) increases after a deadline.

Evolving Ransomware

Ransomware has evolved over time.

Locky Ransomware

The Locky Ransomware was initially distributed via malicious emails. Attached “invoices” used macros that initiated the ransomware download which encrypted your files.

It later used fake Adobe Flash updates to spread its payload.

We Were Unprepared

Microsoft had patched the SMB vulnerability that WannaCry exploited (MS17-010) two months before the May 2017 attack; a patch for the unsupported Windows XP was issued only after the outbreak began.

Still there were disasters. NotPetya, a month later, arrived in Europe disguised as an update to a popular Ukrainian accounting package.

Testing Delays

Many organizations run lengthy tests to ensure that a patch won't create issues in their networks.

Ransomware now weaponizes new vulnerabilities so quickly that we no longer have that luxury: patches that close remotely exploitable holes need to be applied within days, not months.

The Weakest Link

Any weakness in the network or the equipment attached can be exploited.

People will often not account for the fact that attackers attempt to get in through the most vulnerable parts of their organisation, leaving them with a network composed of 99.9 percent super-hardened endpoints and one box running Windows XP.
— SC Media

Vulnerable software (especially on legacy Windows computers or unmanaged personal devices) can be the pathway through which other computers on your network are infected.

Legacy systems that cannot be patched need to be isolated from the Internet and from the rest of your network, or retired.

Digital CoronaVirus

The pandemic brought a resurgence of ransomware. People were working from home, away from their technical support, often on home equipment unprepared for the business world.

The Digital CoronaVirus sent out emails promising pandemic relief from the U.S. Federal Reserve or similar institutions.

Instead, the victim installs both ransomware and an infostealer, a program that grabs saved passwords from browsers, game clients (e.g., Steam), communication software (e.g., Skype), and FTP and VPN clients.

Like most ransomware, it attempts to delete local backups and Volume Shadow Copies (Windows' built-in snapshots of previous file versions) before encrypting the user's data, which is why offline backups are essential.
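
That deletion step is also a detection opportunity. The following is an added example (not the page's own code, and not from any product) of the logic a security team would run over process-creation logs to catch it before the encryption phase completes. The command patterns are well-known ones used to destroy shadow copies and backup catalogs on Windows (MITRE ATT&CK T1490, Inhibit System Recovery); the log lines and their `host= user= pid= cmd=` layout are constructed for the example.

```python
"""Flag process-creation events that try to destroy local recovery data.

Added example, not code from the original page. The command patterns are
well-known instances of T1490 behaviour; the log lines are constructed for
this example and their field layout is an assumption, not any product's format.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Matched case-insensitively against the full command line of each event.
DESTRUCTIVE_PATTERNS = {
    "vssadmin_delete_shadows":
        re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I),
    "vssadmin_resize_shadowstorage":
        re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\b.*\bshadowstorage\b", re.I),
    "wmic_shadowcopy_delete":
        re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    "wbadmin_delete_catalog":
        re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\bcatalog\b", re.I),
    "bcdedit_disable_recovery":
        re.compile(r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I),
    "powershell_delete_shadowcopy":
        re.compile(r"\b(powershell|pwsh)(\.exe)?\b.*win32_shadowcopy.*\bdelete\b", re.I),
}

# Assumed log layout: "<timestamp> host=<h> user=<u> pid=<n> cmd=<command line>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+pid=(?P<pid>\d+)\s+cmd=(?P<cmd>.*)$"
)


@dataclass
class Alert:
    timestamp: str
    host: str
    user: str
    pid: int
    rule: str
    command: str


def scan_lines(lines):
    """Return one Alert per event whose command line matches a destructive pattern."""
    alerts = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # not in the expected layout; a real pipeline would count these
        cmd = m["cmd"]
        for rule, pattern in DESTRUCTIVE_PATTERNS.items():
            if pattern.search(cmd):
                alerts.append(Alert(m["ts"], m["host"], m["user"], int(m["pid"]), rule, cmd))
                break  # first matching rule wins: one alert per event
    return alerts


def scan_text(text):
    return scan_lines(text.strip().splitlines())


def alerts_by_host(alerts):
    """Count alerts per host: several different recovery-destroying commands
    on one host within seconds is the pattern worth paging on."""
    return dict(Counter(a.host for a in alerts))


# Constructed sample events. The burst on WS-0417 is what a ransomware
# payload looks like just before it encrypts; WS-0201 shows a benign
# "vssadmin list shadows" that must NOT fire, plus one admin cleanup.
SAMPLE_LOG = r"""
2024-01-29T10:14:02Z host=WS-0417 user=CORP\jsmith pid=4120 cmd="C:\Windows\System32\vssadmin.exe" Delete Shadows /All /Quiet
2024-01-29T10:14:03Z host=WS-0417 user=CORP\jsmith pid=4133 cmd=wbadmin delete catalog -quiet
2024-01-29T10:14:03Z host=WS-0417 user=CORP\jsmith pid=4140 cmd=bcdedit /set {default} recoveryenabled No
2024-01-29T10:14:05Z host=WS-0417 user=CORP\jsmith pid=4151 cmd=powershell -c "Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }"
2024-01-29T10:15:10Z host=WS-0201 user=CORP\backupsvc pid=2210 cmd=vssadmin list shadows
2024-01-29T10:16:44Z host=WS-0201 user=CORP\admin pid=2301 cmd=wmic shadowcopy delete /nointeractive
2024-01-29T10:17:00Z host=WS-0201 user=CORP\admin pid=2340 cmd=notepad.exe C:\Users\admin\notes.txt
"""

if __name__ == "__main__":
    found = scan_text(SAMPLE_LOG)
    for a in found:
        print(f"{a.timestamp} {a.host} {a.user} pid={a.pid} [{a.rule}] {a.command}")
    print(alerts_by_host(found))
```

A single `wmic shadowcopy delete` from an administrator may be legitimate housekeeping, so the per-host count matters: four distinct recovery-destroying commands from one user on one workstation within three seconds is the moment to isolate that machine from the network, before the encryption that follows reaches any connected backup.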

IoT and Ransomware

Criminals are also eyeing cloud services as future ransomware targets, because data is moving to the cloud and that's where the “money” is.

The future of ransomware could be even grimmer with the Internet of Things (IoT).

Manufacturers have been busy installing Internet-connected microcomputers in everything — baby monitors, cameras, cars, hospital equipment, smart TVs and much more. They have failed to provide security in order to keep costs down.

Forbes predicts that by 2025, we'll have over 80 billion smart devices on the internet. Much of the embedded firmware running on these devices is insecure and highly vulnerable, leaving an indeterminate number of critical systems and data around the world at risk.
IoT for All
It's only a matter of time before people get messages on their car screens saying that the engine has been disabled and it will cost $200 in bitcoin to turn it back on. Or a similar message on their phones about their Internet-enabled door lock: Pay $100 if you want to get into your house tonight. Or pay far more if they want their embedded heart defibrillator to keep working.
Bruce Schneier

No Plans for IoT Security

Security has not even been considered in the rapidly expanding list of IoT products, and it is often impossible to retrofit after manufacture.

Learning More

Related Resources

On this site:

RussHarvey.bc.ca/resources/ransomware.html
Updated: January 29, 2024