by Simon Walsh
Barely a day has gone by already this year without another ransomware incident hitting the headlines. These insidious malware campaigns, which typically lock users out of their machines until they pay up, are fast becoming the favourite way for cybercriminals to make money. In fact, some figures suggest ransomware comprised as much as half of all malware attacks last year. While this is an annoyance for consumers, the effects on businesses can be even worse – leading to serious service disruption and potentially major associated costs.
Know your ransomware
The term “ransomware” can refer to any type of malware which effectively holds the victim’s PC and/or data hostage until they pay a fee to gain normal access again. Some of the first discovered variants date back several years and would flash up persistent messages purporting to come from local law enforcement, requesting payment of a fine to unlock machines.
However, more recent examples dispense with the police message. This is nothing short of online extortion, where the user is given a limited amount of time to pay up – via difficult-to-trace Bitcoin or similar. Variants like CryptoWall and CryptoLocker have become notorious for applying strong encryption to victims’ data. While some of the gangs behind these threats will send a valid decryption key on payment, that isn’t the case for all.
Unfortunately, many users feel powerless to respond and so end up paying – attracting even more black hats to this kind of criminal enterprise. In fact, according to FBI stats released last June, CryptoWall managed to generate over $18m for its creators in a little over a year. That’s not a bad RoI for any business.
The malware can arrive in many forms: a malicious advert, phishing or spam email, or even malicious apps on unofficial stores. There’s no operating system today immune to this modern cyber threat. And the bad news for businesses is that it could take just one ill-advised click by an employee to infect entire systems. Lincolnshire council staff were forced to return to pen and paper recently after IT systems were taken suddenly offline, when an employee was tricked into opening a ransomware-laden email attachment. Elsewhere the effects have been even more serious. A hospital in Los Angeles and several in Germany were forced to pull the plug on IT systems this year for the same reason, disabling key equipment and disrupting patient care.
While the effects can be devastating, ransomware is not impossible to defend against. But preparation is everything and organisations should be looking primarily at prevention measures.
Our Smart Protection Network protects organisations from the ransomware threat by blocking access at key points of infection – detecting malicious sites, IP addresses, C&C servers, and email attachments.
The following products, powered by the Smart Protection Network, will help detect and delete ransomware variants:
- AntiRansomware Tool for Business Users
- OfficeScan (Endpoint Protection for Physical and Virtual Desktops)
- Deep Discovery
- Threat Cleaner for GOZ and CryptoLocker for 32-bit systems
- Threat Cleaner for GOZ and CryptoLocker for 64-bit systems
Home users might want to consider the following:
- AntiRansomware Tool for Home Users
- AntiRansomware Tool 3.0 with USB for Home Users
- Housecall (Free Online Virus and Spyware Scan)
- Trend Micro Titanium Internet Security (Advanced Protection for Consumers)
Here are a few top tips on how to protect your organisation from ransomware:
- Back up files regularly in case data can’t be recovered without paying a ransom
- Apply software patches as soon as they become available. Some ransomware targets known vulnerabilities
- Bookmark trusted websites and access them via bookmarks to minimise the risk of following malicious links
- Download email attachments only from trusted sources and treat any unsolicited mail with caution
- Block potentially dangerous file types (exe, scr, cab etc.) from being delivered via email
- Scan systems regularly with up-to-date anti-malware tools
- Use Software Restriction Policies (configurable through Group Policy) to control the execution of certain programs, for example blocking executable files from running in the specific user-space areas that ransomware uses to launch itself in the first place.
- Last but certainly not least, user education is key to a proactive defence. Users should always double-check who the email sender is, examine the content of the message (look for bad grammar, spelling mistakes and deliberately misspelled URLs and domains, e.g. trenbmicro.co.uk instead of trendmicro.co.uk) and refrain from clicking on links in the email.
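The two mail-handling tips above (blocking dangerous attachment types, and spotting lookalike sender domains such as trenbmicro.co.uk) can be turned into a simple triage check. The script below is an added example written for this article, not Trend Micro's code or part of any Trend Micro product. The extension list extends the article's exe/scr/cab with a few further script types, the edit-distance threshold of 2 is this example's choice, and the sender addresses, links and attachment names at the bottom are constructed samples rather than observed phishing.

```powershell
# Added example (not Trend Micro's code): flag lookalike domains and blocked attachment types
# in a batch of mail metadata. Pure PowerShell, no mail server required.

# exe/scr/cab come from the article; the remaining entries are this example's additions.
$BlockedExtensions = @('exe', 'scr', 'cab', 'com', 'pif', 'bat', 'cmd', 'js', 'vbs', 'hta')

function Get-LevenshteinDistance {
    # Classic edit distance (insert/delete/substitute), case-insensitive, two-row DP.
    param([string] $a, [string] $b)
    $a = $a.ToLowerInvariant(); $b = $b.ToLowerInvariant()
    if ($a.Length -eq 0) { return $b.Length }
    if ($b.Length -eq 0) { return $a.Length }
    $prev = 0..$b.Length
    for ($i = 1; $i -le $a.Length; $i++) {
        $cur = New-Object int[] ($b.Length + 1)
        $cur[0] = $i
        for ($j = 1; $j -le $b.Length; $j++) {
            $cost = if ($a[$i - 1] -eq $b[$j - 1]) { 0 } else { 1 }
            $cur[$j] = [Math]::Min([Math]::Min($prev[$j] + 1, $cur[$j - 1] + 1), $prev[$j - 1] + $cost)
        }
        $prev = $cur
    }
    return $prev[$b.Length]
}

function Get-HostFromReference {
    # Accepts either a mailbox address (user@domain) or a URL; returns the host part.
    param([string] $Reference)
    if ($Reference -match '^[^@\s]+@([^\s>]+)$') { return $Matches[1].ToLowerInvariant() }
    try { return ([uri] $Reference).Host.ToLowerInvariant() } catch { return $Reference.ToLowerInvariant() }
}

function Test-LookalikeDomain {
    param([string] $Reference, [string[]] $TrustedDomains, [int] $MaxDistance = 2)
    $hostName = (Get-HostFromReference $Reference) -replace '^www\.', ''
    foreach ($trusted in $TrustedDomains) {
        $t = $trusted.ToLowerInvariant()
        # Exact match or a genuine subdomain of a trusted domain is accepted as-is.
        if ($hostName -eq $t -or $hostName.EndsWith(".$t")) {
            return [pscustomobject]@{ Reference = $Reference; Host = $hostName; Verdict = 'trusted'; Nearest = $t; Distance = 0 }
        }
    }
    $best = $null
    foreach ($trusted in $TrustedDomains) {
        $d = Get-LevenshteinDistance $hostName $trusted
        if ($null -eq $best -or $d -lt $best.Distance) { $best = @{ Nearest = $trusted; Distance = $d } }
    }
    # Trusted brand name embedded in an unrelated host (e.g. trendmicro.co.uk.example-login.net).
    $embedded = $TrustedDomains | Where-Object { $hostName -like "*$(($_ -split '\.')[0])*" }
    $verdict = if ($best.Distance -le $MaxDistance) { 'lookalike' }
               elseif ($embedded) { 'brand-in-hostname' }
               else { 'unrelated' }
    [pscustomobject]@{ Reference = $Reference; Host = $hostName; Verdict = $verdict; Nearest = $best.Nearest; Distance = $best.Distance }
}

function Test-BlockedAttachment {
    # Checks every extension segment after the first dot so double extensions
    # (invoice.pdf.exe) and trailing-space tricks (photo.scr ) are still caught.
    param([string] $FileName)
    $parts = $FileName.Trim().Split('.')
    if ($parts.Count -lt 2) { return $false }
    foreach ($ext in $parts[1..($parts.Count - 1)]) {
        if ($BlockedExtensions -contains $ext.Trim().ToLowerInvariant()) { return $true }
    }
    return $false
}

# Constructed sample input (not real observed mail).
$Trusted = @('trendmicro.co.uk', 'trendmicro.com')
$Samples = @(
    'support@trendmicro.co.uk',
    'billing@trenbmicro.co.uk',
    'http://trendmicro.co.uk.example-login.net/reset',
    'https://www.trendmicro.com/download',
    'news@example.org'
)
$Samples | ForEach-Object { Test-LookalikeDomain -Reference $_ -TrustedDomains $Trusted } | Format-Table -AutoSize

@('invoice.pdf', 'invoice.pdf.exe', 'photo.scr ', 'update.cab', 'notes.txt') | ForEach-Object {
    [pscustomobject]@{ Attachment = $_; Blocked = Test-BlockedAttachment $_ }
} | Format-Table -AutoSize
```

With the sample input, trenbmicro.co.uk scores an edit distance of 1 from trendmicro.co.uk and is reported as a lookalike, the example-login.net host is reported as brand-in-hostname, and invoice.pdf.exe and the padded photo.scr are both blocked while invoice.pdf and notes.txt pass. An edit-distance check on its own produces false positives for short domains, so in practice it is a triage signal to be combined with the sender-reputation and attachment scanning the article describes rather than a standalone block rule.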
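The Software Restriction Policies tip above is usually applied by hand in the Group Policy editor. The script below is an added example written for this article (it is not Trend Micro's code and is not taken from any Trend Micro product) showing the same "disallow execution from user-writable folders" rules created on the local machine. It writes the registry keys that SRP reads under the Safer\CodeIdentifiers hive; that key layout, the level constants and the choice of blocked paths are this example's assumptions about the SRP format and should be confirmed in a test VM before rolling out, and a domain-wide policy would normally be edited through GPMC rather than by script.

```powershell
# Added example (not Trend Micro's code): create Software Restriction Policy path rules that
# disallow executables launched from the per-user writable folders ransomware droppers write to.
# Assumption: SRP stores rules under <level>\Paths\<GUID> with an ItemData path pattern.
# Run from an elevated PowerShell prompt; apply with "gpupdate /force" afterwards.

$Base              = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$DisallowedLevel   = 0        # SRP security level "Disallowed"
$UnrestrictedLevel = 262144   # 0x40000, SRP security level "Unrestricted"

# Constructed rule list (this example's choice). SRP expands the environment variables itself.
$BlockedPaths = @(
    '%AppData%\*.exe',
    '%AppData%\*\*.exe',
    '%LocalAppData%\*.exe',
    '%LocalAppData%\*\*.exe',
    '%Temp%\*.exe',
    '%Temp%\*\*.exe',
    '%AppData%\*.scr',
    '%LocalAppData%\*.scr'
)

function Set-SrpDefaults {
    # Default level stays Unrestricted, so only the explicit path rules below block anything.
    New-Item -Path $Base -Force | Out-Null
    Set-ItemProperty -Path $Base -Name 'DefaultLevel'        -Value $UnrestrictedLevel -Type DWord
    Set-ItemProperty -Path $Base -Name 'TransparentEnabled'  -Value 1 -Type DWord   # enforce for all software files except DLLs
    Set-ItemProperty -Path $Base -Name 'PolicyScope'         -Value 0 -Type DWord   # apply to all users, including local admins
    Set-ItemProperty -Path $Base -Name 'AuthenticodeEnabled' -Value 0 -Type DWord
}

function Add-SrpPathRule {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [int] $Level = $DisallowedLevel,
        [string] $Description = 'Block execution from user-writable folder (ransomware mitigation)'
    )
    # Each rule is its own GUID-named key; ItemData holds the unexpanded path pattern.
    $RuleKey = Join-Path $Base ('{0}\Paths\{1}' -f $Level, ([guid]::NewGuid().ToString('B')))
    New-Item -Path $RuleKey -Force | Out-Null
    Set-ItemProperty -Path $RuleKey -Name 'ItemData'     -Value $Path -Type ExpandString
    Set-ItemProperty -Path $RuleKey -Name 'SaferFlags'   -Value 0 -Type DWord
    Set-ItemProperty -Path $RuleKey -Name 'Description'  -Value $Description -Type String
    Set-ItemProperty -Path $RuleKey -Name 'LastModified' -Value ([DateTime]::UtcNow.ToFileTimeUtc()) -Type QWord
    return $RuleKey
}

function Get-SrpPathRules {
    # Lists the Disallowed path rules so the applied policy can be audited.
    $PathsKey = Join-Path $Base "$DisallowedLevel\Paths"
    if (-not (Test-Path $PathsKey)) { return @() }
    Get-ChildItem -Path $PathsKey | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        [pscustomobject]@{ Rule = $_.PSChildName; Path = $props.ItemData; Description = $props.Description }
    }
}

Set-SrpDefaults
$existing = @(Get-SrpPathRules | Select-Object -ExpandProperty Path)
foreach ($p in $BlockedPaths) {
    if ($existing -contains $p) { continue }   # idempotent: re-running does not duplicate rules
    Add-SrpPathRule -Path $p | Out-Null
}
Get-SrpPathRules | Format-Table -AutoSize
```

Before enforcing this on real desktops, check which legitimate software installs or updates itself from %AppData% or %LocalAppData% (several popular installers and updaters do) and add Unrestricted rules, or better certificate rules, for those, otherwise the policy will break them. The Application Log records each SRP block (the "Access to ... has been restricted" events), which is also a useful early signal that something tried to launch from one of these folders.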