The Ransomware Epidemic and What You Can Do
Ransomware is an epidemic today, driven by an insidious class of malware that cyber-criminals
use to extort money from you by holding your computer or your files for ransom and demanding
payment to get them back. Unfortunately, Ransomware is quickly becoming an increasingly
popular way for malware authors to extort money from companies and consumers alike.
Should this trend be allowed to continue, Ransomware will soon affect IoT devices, cars, and
ICS and SCADA systems as well as ordinary computer endpoints. There are several ways Ransomware can
get onto someone's computer, but most infections result from a social engineering tactic or from
exploiting software vulnerabilities to install silently on a victim's machine.
Over the past year and even before then, malware authors have sent waves of spam emails
targeting various groups. There is no geographical limit on who can be affected, and while
the emails initially targeted individual end users, then small to medium businesses, now
the enterprise is the ripe target.
In addition to phishing and spear-phishing social engineering, Ransomware also spreads
via remote desktop ports. Ransomware also affects files that are accessible on mapped drives,
including external storage such as USB thumb drives and external hard drives, and folders on the
network or in the Cloud. If you have a OneDrive folder on your computer, those files can be
affected and the encrypted versions are then synchronized to the Cloud.
No one can say with any certainty how much malware of this type is in the wild.
As much of it exists in unopened emails and many infections go unreported, it is difficult
The impact on those who are affected is that their data files have been encrypted and the
end user is forced to decide, against a ticking clock, whether to pay the ransom or lose the
data forever. The files affected are typically popular data formats such as Office files, music,
PDF and other common data files. More sophisticated strains remove the computer's "shadow copies",
which would otherwise allow the user to revert to an earlier point in time. In addition, computer
"restore points" are being destroyed, as are any backup files that are accessible.
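The destruction of shadow copies, restore points and backup catalogs described above is visible to a defender as ordinary process-creation events, and it usually happens in a tight burst just before or during encryption. The following detection script is an added example written for this article, not code from the original author: it parses a handful of constructed process-creation log lines in a hypothetical simplified format (`timestamp host=… user=… image=… cmdline=…`), flags command lines that remove recovery artifacts, and raises the severity when several distinct recovery-destruction techniques hit the same host inside a short window. The sample events and the log format are constructed for the example; the rule names are the example's own.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample of process-creation events (hypothetical format, not real telemetry).
SAMPLE_EVENTS = [
    "2024-01-01T10:00:01 host=WS01 user=alice image=C:\\Windows\\System32\\notepad.exe cmdline=notepad.exe report.docx",
    "2024-01-01T10:00:05 host=WS01 user=alice image=C:\\Windows\\System32\\vssadmin.exe cmdline=vssadmin delete shadows /all /quiet",
    "2024-01-01T10:00:06 host=WS01 user=alice image=C:\\Windows\\System32\\wbem\\WMIC.exe cmdline=wmic shadowcopy delete",
    "2024-01-01T10:00:07 host=WS01 user=alice image=C:\\Windows\\System32\\bcdedit.exe cmdline=bcdedit /set {default} recoveryenabled No",
    "2024-01-01T10:00:08 host=WS01 user=alice image=C:\\Windows\\System32\\wbadmin.exe cmdline=wbadmin delete catalog -quiet",
    "2024-01-01T11:30:00 host=WS02 user=backupsvc image=C:\\Windows\\System32\\vssadmin.exe cmdline=vssadmin list shadows",
]

# One regex for the simplified line format assumed by this example.
EVENT_RE = re.compile(
    r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+"
    r"image=(?P<image>\S+)\s+cmdline=(?P<cmdline>.*)$"
)

# Detection rules: each names one way recovery artifacts get destroyed.
# Listing or querying shadow copies is benign administration and is deliberately not matched.
RULES = {
    "shadow_copy_deletion": re.compile(
        r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b|\bwmic(\.exe)?\b.*\bshadowcopy\s+delete\b", re.I),
    "recovery_disabled": re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I),
    "backup_catalog_deleted": re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+catalog\b", re.I),
}


@dataclass
class Finding:
    timestamp: datetime
    host: str
    user: str
    rule: str
    cmdline: str


def parse_event(line: str) -> Optional[dict]:
    """Parse one log line into its fields; return None for lines that do not fit the format."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["ts"] = datetime.fromisoformat(fields["ts"])
    return fields


def match_rules(cmdline: str) -> List[str]:
    """Return the names of every rule whose pattern appears in the command line."""
    return [name for name, rx in RULES.items() if rx.search(cmdline)]


def scan(lines) -> List[Finding]:
    """Run every rule over every parseable event and collect the hits in input order."""
    findings: List[Finding] = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        for rule in match_rules(ev["cmdline"]):
            findings.append(Finding(ev["ts"], ev["host"], ev["user"], rule, ev["cmdline"]))
    return findings


def triage(findings: List[Finding], window_seconds: int = 300) -> Dict[str, dict]:
    """Per host: the distinct rules hit and a severity.

    Two or more distinct recovery-destruction techniques on one host within the window
    is the burst pattern that precedes encryption, so it is rated 'high'; a single hit
    stays 'medium' for an analyst to review.
    """
    by_host: Dict[str, dict] = {}
    for f in sorted(findings, key=lambda f: f.timestamp):
        e = by_host.setdefault(f.host, {"first_seen": f.timestamp, "last_seen": f.timestamp, "rules": set()})
        e["last_seen"] = f.timestamp
        e["rules"].add(f.rule)
    for e in by_host.values():
        span = (e["last_seen"] - e["first_seen"]).total_seconds()
        e["severity"] = "high" if len(e["rules"]) >= 2 and span <= window_seconds else "medium"
    return by_host


if __name__ == "__main__":
    hits = scan(SAMPLE_EVENTS)
    for h in hits:
        print(f"{h.timestamp.isoformat()} {h.host} {h.user} {h.rule}: {h.cmdline}")
    for host, summary in triage(hits).items():
        print(f"{host}: severity={summary['severity']} rules={sorted(summary['rules'])}")
```

The point of the `triage` step is that any one of these commands can appear in legitimate administration, but several of them within minutes on the same workstation almost never do; correlating by host and time is what turns a noisy per-command rule into an actionable alert, and it is also the moment to isolate the host, because the encryption pass typically follows immediately.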
The criminal manages the process through a Command and Control server that holds the
private key for the user's files. They apply a timer to the destruction of the private key,
and the demands and countdown timer are displayed on the user's screen with a warning that
the private key will be destroyed at the end of the countdown unless the ransom is paid.
The files themselves continue to exist on the computer, but they are encrypted and
inaccessible, even to brute force.
In many cases, the end user simply pays the ransom, seeing no way out. The FBI recommends
against paying the ransom. By paying the ransom, you are funding further activity of this kind
and there is no guarantee that you will get any of your files back. In addition, the cyber-security
industry is getting better at dealing with Ransomware. At least one major anti-malware vendor
has released a "decryptor" product in the past week. It remains to be seen, however, just how
effective this tool will be.
What You Should Do Now
There are multiple perspectives to be considered. The individual wants their files back.
At the company level, they want the files back and their assets protected. At the enterprise
level they want all of the above and must also be able to demonstrate that due diligence was
performed in preventing others from becoming infected by anything that was deployed or sent from
the company, to protect them from the mass torts that will inevitably strike in the not so distant
Generally speaking, once encrypted, it is unlikely the files themselves can be decrypted.
The best tactic, therefore, is prevention.