Every day, all over the world, ordinary people are becoming victims of extortion subjected by ransomware authors whose work is made easy by lack of knowledge.
It’s no different in South Africa, where companies and average computer users are becoming victims. In the past 12 months, specialist managed IT security services vendor, Securicom has been commissioned to help more than 20 companies out of ransom situations. In 2014, Securicom assisted three companies to recover from ransomware attacks.
Ransomware is a type of malware that effectively encrypts data and either prevents or limits users from accessing their systems. Victims are forced to either lose their data or pay a ransom through online payment methods to get it back. Computers can be infected with ransomware through a variety of ways. The malware can be downloaded unwitting by users when they visit malicious or compromised websites. It can also arrive as a payload, either dropped or downloaded by other malware. Some ransomware are delivered as attachments in spam emails.
“Recently there has been an increase in the number of ransomware threats doing the rounds. These attacks are financially motivated and generally hijack a whole computer or its data until a demand for payment is satisfied,” says Richard Broeke, an IT security specialist at Securicom, who says a director of a local company recently sought assistance from Securicom after the data on his laptop was taken ransom; including personal information as well as confidential client and financial information.
“New variants of ransomware are emerging all the time. What we mostly see is the malware entering a system via email. In the case of the director, it was disguised in a rather legitimate looking invoice that once opened, locked up the files on the laptop. In fact, this is one of the most common ways that ransomware is proliferated. People shouldn’t open statements, invoices and remittance advice documents from people or email addresses they don’t know.
“Admittedly, curiosity and naivety often takes over. This makes end-user education an important part of protecting companies and people, and their money from ransomware attacks.”
While Ransomlock Trojans have for the most part dominated the threat landscape over the past few years, cybercriminals increasingly using Ransomcrypt Trojans. The difference between Ransomlock and Ransomcrypt Trojans is that Ransomlock Trojans generally lock computer screens while Ransomcrypt Trojans encrypt (and lock) individual files. Both threats are motivated by monetary gains that cybercriminals make from extorting money from victims (Symantec).
A Ransomcrypt Trojan that often rears its head is TelsaCrypt, a trojan that targets computers with specific games installed. Although newer variants also infect systems without the games installed. Another relative newcomer is Cryptolocker, which encrypts data files, such as images and Microsoft Office documents, and then demands payment through Bitcoin or MoneyPak to decrypt them–all within a countdown time period. This Ransomcrypt Trojan uses strong encryption algorithms, which make it almost impossible to decrypt the files without the cryptographic key.
Should companies or people who have fallen victim pay?
“No way,” says Broeke. “This just helps criminals fund further research and development to improve and streamline their extortion activities. Ignorance in terms of avoiding ransomware, as well escaping a ransom situation is fuelling the fire. If one of the systems in your IT environment fall victim, rather seek expert assistance to contain the infection and protect against further damage across the network.
“If your organisation has been maintaining a routine schedule of backups, there are ways to restore files without succumbing to ransom demands. If not, things are more complicated but either way, get expert help,” he stresses.
He adds that, when it comes to ransomware, prevention is always better than cure. End user awareness of the scourge as well as effective endpoint security on all endpoints in an environment is essential for keeping data safe.
“You can’t rely on outdated security technologies or those which aren’t properly monitored. Have your network scanned for vulnerabilities and make sure that the necessary capabilities of your endpoint security are switched on. Some of these are optional but are needed for identifying and stopping ransomware.”