The Ransomware Epidemic: Why You Should Be More Concerned


The problem of ransomware isn’t getting better. Recent examples of widespread ransomware attacks, including CoinVault, CryptoLocker and others, indicate that cybercriminals are increasing their use of these types of attacks. However, despite the increase in ransomware attacks, a recent Kaspersky Lab survey found that only 37% of companies consider ransomware a serious danger.


Mr. Altaf Halde, Managing Director - South Asia at Kaspersky Lab, provides his expertise on the growing trend of ransomware attacks, how a ransomware attack operates, consequences associated with paying the ransom and what companies can do to avoid being a victim.


1. What is ransomware?

Ransomware is a type of malware that is a digital mechanism for extortion. It is software that blocks access to a computer system, to user or company data, or both, until a ransom is paid. CryptoLocker, CryptoWall, CoinVault, TorLocker and CTB-Locker are all examples of ransomware.


2. Who are the victims of ransomware?

The average consumer and both large and small businesses can be victims of ransomware. Cybercriminals do not discriminate and often times are looking to impact as many users as possible to reap the highest financial gain.


3. How does a ransomware attack work?

A ransomware attack is typically delivered via an email that includes an attachment that could be an executable file, an archive or an image. Once the attachment is opened, the malware is deployed on the user’s system. Ransomware could also launch on a user’s machine by visiting a website that has planted malware. Once on the site, a user unknowingly executes unsafe script (sometimes by clicking a link or downloading a file) and the malware is deployed to the system.


When a computer user’s machine is infected, nothing visible happens right away. The malware operates in the background silently until the system or data locking mechanism is deployed and engaged. Cybercriminals are becoming more and more skilled at developing ransomware that can operate without being noticed, and they have many tools and techniques at their disposal to ensure that the ransomware isn’t discovered by the victim. Then a dialogue box appears that notifies the user about the data lock and demands that a ransom be paid to get back access to the data.


When a user sees the dialogue box it is already too late to attempt to save data through security countermeasures. The cost demanded by cybercriminals during these attacks varies, but we have seen asking prices in the hundreds and sometimes thousands of dollars to decrypt the victim’s data.


4. Could you provide an example of a ransomware attack?

One example is TorLocker. This ransomware starts its infection by decrypting its data section with a 256-bit AES key – an encryption mechanism that is nearly impossible to crack – and launching on the user’s system. The first four bytes of this key are used as a unique sample ID, added to the end of the encrypted files. Then the malware is copied to a temporary folder, and a registry key for that copy’s autorun is created. Next, the malware conducts the following:


1. It searches for and terminates the taskmgr.exe, regedit.exe, procexp.exe and procexp64.exe processes

2. Deletes all system recovery points

3. Encrypts the user’s Office documents, video and audio files, images, archives, databases, backup copies, virtual machine encryption keys, certificates and other files on all hard and network drives

4. Launches a dialogue box that demands that the user pay a ransom to decrypt the data


What’s troubling is that TorLocker infects each system in a unique way, so even if somehow a key to decrypt data is found, the key is not useful to decrypt data on other systems. The cybercriminals give users a certain number of days (typically 72 hours) to pay for a key to decrypt the data or their data will be lost. Cybercriminals typically offer many different payment methods, including Bitcoins and payment through third-party sites.
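The answer above describes a behaviour sequence rather than a file signature: analysis tools are killed, recovery points are deleted, and then many files of many types are rewritten in a short time. The following is an added example, not Kaspersky Lab code and not a TorLocker sample, showing how a defender can express that sequence as a correlation rule over endpoint telemetry. The log format, field names, hosts and thresholds are constructed assumptions for the example; the four process names come from the answer.

```python
"""Correlate a ransomware-like event sequence in constructed endpoint telemetry.

Added illustration (not Kaspersky Lab or TorLocker code). A window is opened
at every kill of an analysis tool; an alert fires only if, within that window,
a recovery-point deletion and a burst of modifications across several file
types also occur. Each stage alone is normal (users close Task Manager all
the time), so the rule keys on the combination.
"""
import os
from collections import defaultdict
from datetime import datetime, timedelta

# Process names the TorLocker description above says the malware terminates.
ANALYSIS_TOOLS = {"taskmgr.exe", "regedit.exe", "procexp.exe", "procexp64.exe"}


def _build_sample_log():
    """Constructed telemetry: 'timestamp|host|event_type|detail' per line."""
    lines = [
        "2015-06-01T10:00:01|WS01|process_kill|taskmgr.exe",
        "2015-06-01T10:00:02|WS01|process_kill|procexp64.exe",
        "2015-06-01T10:00:05|WS01|recovery_point_delete|all",
    ]
    names = ["report.docx", "budget.xlsx", "photo1.jpg", "photo2.jpg", "deck.pptx",
             "notes.txt", "scan.pdf", "video.mp4", "db.accdb", "backup.zip",
             "key.pfx", "vm.vmdk"]
    for n, name in enumerate(names):  # 12 files of 11 types in 12 seconds
        lines.append(f"2015-06-01T10:00:{7 + n:02d}|WS01|file_modify|C:\\Users\\a\\Documents\\{name}")
    # WS02: a user closes Task Manager and edits one file; no recovery-point deletion.
    lines += [
        "2015-06-01T10:30:00|WS02|process_kill|taskmgr.exe",
        "2015-06-01T10:30:09|WS02|file_modify|C:\\Users\\b\\notes.txt",
    ]
    return "\n".join(lines)


SAMPLE_LOG = _build_sample_log()


def parse(log_text):
    """Parse the constructed format into (timestamp, host, event_type, detail) tuples."""
    events = []
    for line in log_text.strip().splitlines():
        ts, host, etype, detail = line.split("|", 3)
        events.append((datetime.fromisoformat(ts), host, etype, detail))
    return events


def analyze(log_text, window_seconds=120, min_files=10, min_extensions=3):
    """Return one alert per host whose events match the three-stage sequence."""
    by_host = defaultdict(list)
    for ev in parse(log_text):
        by_host[ev[1]].append(ev)

    alerts = []
    for host, events in by_host.items():
        events.sort()
        for i, (ts, _, etype, detail) in enumerate(events):
            # Stage 1: an analysis tool is killed; open a window from here.
            if etype != "process_kill" or detail.lower() not in ANALYSIS_TOOLS:
                continue
            end = ts + timedelta(seconds=window_seconds)
            window = [e for e in events[i:] if e[0] <= end]
            killed = {e[3].lower() for e in window
                      if e[2] == "process_kill" and e[3].lower() in ANALYSIS_TOOLS}
            # Stage 2: recovery points removed inside the window.
            recovery_deleted = any(e[2] == "recovery_point_delete" for e in window)
            # Stage 3: many files of many types modified inside the window.
            modified = [e[3] for e in window if e[2] == "file_modify"]
            exts = {os.path.splitext(p)[1].lower() for p in modified}
            if recovery_deleted and len(modified) >= min_files and len(exts) >= min_extensions:
                alerts.append({
                    "host": host,
                    "start": ts.isoformat(),
                    "killed_tools": sorted(killed),
                    "files_modified": len(modified),
                    "extensions": len(exts),
                })
                break  # one alert per host for this sequence
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

WS02 shows the point of correlating stages: a single Task Manager kill and one edited file produce no alert, while WS01 trips all three stages within seconds. In a real deployment the "file_modify" stage would come from file-system auditing and the recovery-point stage from the shadow-copy or restore-point audit events of the platform in use.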


5. What are cybercriminals after when they execute a ransomware attack against a business?

A key motivation for cybercriminals executing a ransomware attack is to extort money from victims; however, we are seeing that the average case of a ransomware attack against a business is quite damaging given that the target of an attack is typically the company’s intellectual property.


6. Are ransomware attacks against businesses growing?

Yes, because cybercriminals are aware that organizations are more likely to pay the ransom as typically the data held captive is both sensitive and crucial for business to continue. We are also seeing that businesses are underestimating the dangers associated with ransomware. According to a recent Kaspersky Lab survey, only 37% of companies consider ransomware a serious danger. This is alarmingly low and indicates that businesses are not implementing proper security, leaving themselves vulnerable to these threats.


In addition, as cybercriminals realize that victims are often willing to pay for the release of their files, the prevalence and sophistication of ransomware and its variations are on the rise. For example, the first crypto malware used a symmetric-key algorithm, with the same key for encryption and decryption. Usually, with some help from anti-malware vendors, corrupted information could be successfully deciphered. Then, cybercriminals began to implement asymmetric cryptography algorithms that use two separate keys — public, to encrypt files, and private, which is needed for decryption.


One of the most recent and most dangerous pieces of ransomware, the previously mentioned CryptoLocker Trojan, also uses a public-key algorithm. After each computer is infected, it connects to the command-and-control server to download the public key, so another key, the private one, is accessible only to CryptoLocker’s authors. Usually the victim has no more than 72 hours to pay the ransom before their private key is deleted forever. It is impossible to decrypt any files without this key. Kaspersky Lab’s products successfully detect this Trojan and block the infection, but if the system is already infected, then nothing can be done with the corrupted files.


7. How prevalent are mobile ransomware attacks?

Mobile ransomware attacks are becoming much more prevalent. Mobile malware is moving toward monetization as more cybercriminals create malware capable of stealing and extorting money. In fact, the Kaspersky Lab Q1 Threat Report found that 23% of the new malware threats that were detected were created to steal or extort money. In addition, Trojan-Ransom malware demonstrated the highest growth rate of all mobile threats. The number of new samples detected in Q1 was 1,113, which is a 65% increase in the number of mobile ransomware samples in our collection. This is a dangerous trend since ransomware is designed to extort money, can damage personal data and block infected devices.


8. How do users prevent a ransomware attack? Is backup enough to protect the data against cybercriminals?

It is impossible to decipher files encrypted with properly implemented and strong cryptography, so it is an important best practice to employ comprehensive security together with a robust backup solution as part of a sound cybersecurity strategy.


In addition, some ransomware variants are smart enough to also encrypt every backup they are able to locate, including those residing on network shares. That is why it is important to make “cold” backups (read and write only, no delete/full control access) that cannot be deleted by the ransomware.


Kaspersky Lab has also developed a countermeasure called the System Watcher module. System Watcher is able to keep local protected copies of files and revert changes made by crypto malware. This enables automated remediation and saves administrators the trouble of having to restore from backup and the burden associated with downtime. It’s important to have security technology installed and to make sure that users have this module running.
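A backup job that runs on schedule after an infection will happily copy ciphertext over the last good backup, which is one reason the answer above insists on "cold" copies the malware cannot delete. The following is an added example, not Kaspersky Lab code, of a pre-backup gate: before rotating or overwriting older copies, it estimates whether the source already looks encrypted and refuses to proceed if too much of it does. The sample directory, the magic-byte table, the entropy threshold and the 20% cut-off are constructed assumptions for the example.

```python
"""Pre-backup gate: refuse to overwrite good backups with ciphertext.

Added illustration (not Kaspersky Lab code). Two signals are combined:
  * Shannon entropy of the first bytes of a file: ciphertext is close to
    8 bits per byte, plain documents are far lower.
  * For compressed container formats (zip/docx/jpg/...), whose bodies are
    also high-entropy, the file header is checked instead: an encrypted
    docx has lost its 'PK' signature, a real one has not.
Thresholds are assumptions for the example, not measured values.
"""
import math
import os
import shutil
import tempfile
from collections import Counter

# Expected leading bytes for formats whose content is already compressed.
MAGIC = {
    ".zip": b"PK\x03\x04", ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04",
    ".jpg": b"\xff\xd8\xff", ".png": b"\x89PNG", ".pdf": b"%PDF",
}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input, 8.0 for a uniform byte distribution)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path, threshold=7.2, sample_bytes=65536):
    """True if the file's head looks like ciphertext rather than a document."""
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as f:
        data = f.read(sample_bytes)
    high_entropy = shannon_entropy(data) >= threshold
    magic = MAGIC.get(ext)
    if magic is not None:
        # Compressed container: only suspicious if the signature is gone too.
        return high_entropy and not data.startswith(magic)
    return high_entropy


def assess_source(root, max_suspect_fraction=0.2):
    """Walk the backup source and decide whether it is safe to back up."""
    total, suspects = 0, []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            total += 1
            if looks_encrypted(path):
                suspects.append(path)
    fraction = len(suspects) / total if total else 0.0
    return {
        "total": total,
        "suspect": len(suspects),
        "fraction": fraction,
        "safe_to_backup": fraction <= max_suspect_fraction,
        "suspects": sorted(suspects),
    }


def build_demo_tree(root):
    """Constructed sample: two healthy files and two overwritten with ciphertext-like bytes."""
    os.makedirs(root, exist_ok=True)
    with open(os.path.join(root, "memo.txt"), "w") as f:
        f.write("Quarterly memo: revenue steady, headcount flat.\n" * 50)
    with open(os.path.join(root, "photo.jpg"), "wb") as f:
        f.write(b"\xff\xd8\xff\xe0" + os.urandom(4000))  # valid header, compressed-looking body
    with open(os.path.join(root, "contract.docx"), "wb") as f:
        f.write(os.urandom(4000))  # no 'PK' header any more
    with open(os.path.join(root, "ledger.csv"), "wb") as f:
        f.write(os.urandom(4000))


def run_demo():
    """Build the sample tree in a temp dir, assess it, clean up, return the verdict."""
    root = tempfile.mkdtemp(prefix="backup_gate_demo_")
    try:
        build_demo_tree(root)
        return assess_source(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    verdict = run_demo()
    print("safe to back up:", verdict["safe_to_backup"],
          f"({verdict['suspect']}/{verdict['total']} files look encrypted)")
```

The photo.jpg case is the edge the gate has to handle: its body is as high-entropy as ciphertext, so entropy alone would flag every photo and archive; checking the header keeps the false-positive rate down while a docx rewritten by crypto malware, which has lost its signature, is still caught. This check complements, and does not replace, immutable copies: it protects the last good backup from being overwritten, but only a copy the malware cannot delete protects against the scenario in the answer.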


9. What should users do if the system is already infected?

Unfortunately, in many cases, once the ransomware is launched, unless there is a backup or preventive technology in place, there is very little that a user can do. However, sometimes it’s possible to help users decrypt their data that has been locked by the ransomware without having to pay the ransom. Kaspersky Lab recently partnered with the National High Tech Crime Unit of the Netherlands’ police to create a repository of decryption keys and a decryption application for victims of the CoinVault ransomware.


In addition, I caution victims about using uncredited software that they’ve found on the Internet that claims to fix encrypted data. In the best case, this software is a useless solution and the worst case scenario is the software distributes additional malware.


10. If attacked, should a business pay the ransom?

Because companies place a high value on their data, many are willing to pay to get it back. According to a survey conducted by the Interdisciplinary Research Centre in Cyber Security at the University of Kent in February 2014, more than 40% of CryptoLocker victims agreed to pay. CryptoLocker has infected tens of thousands of machines and generated millions of dollars of revenue for the cybercriminals behind it. Moreover, a Dell SecureWorks report shows that the same malware rakes in up to $30 million every 100 days.


However, paying the ransom is unwise, primarily because it does not guarantee that the corrupted data will be decrypted. There are also a number of ways things can go wrong even if the company decides to pay the ransom, including bugs in the malware itself that make encrypted data unrecoverable, actions by a system administrator that make data unrecoverable, IT infrastructure damage and/or downtime, legal consequences due to information loss, damaged relations with partners and customers, etc.


In addition, if the ransom is paid, this validates to the cybercriminals that the ransomware is effective. As a result, cybercriminals will continue to find new ways to exploit systems and could lead to additional infections targeting that individual user or company.


11. What Kaspersky Lab solutions protect businesses from ransomware attacks? And how?

Kaspersky Endpoint Security for Business, our flagship product for businesses, provides reliable protection against known, unknown and advanced cyberthreats, including ransomware attacks. The solution includes Kaspersky Lab’s System Watcher, and as I mentioned earlier, it is critical that businesses make sure this module is running as it scans the most relevant system event data. This monitor tracks information about the creation and modification of files, the work of system services, any changes made to the system registry, system calls and data transfers over the network. System Watcher also processes information about operations with symbolic links containing references to files or directories, modifications of the master boot record where the loader for the installed operating system is stored and interception of OS reboots. Moreover, it analyses the contents of the packets transmitted via TCP, the main Internet transport layer protocol, in search of any evidence of malicious activity. System Watcher can independently make decisions as to whether a program is malicious based on the data it analyzes. As a result, the security solution delivers better overall detection of ransomware and security policy breaches, and is better at identifying the sequences of events which lead up to these types of incidents.


While Kaspersky Lab security solutions significantly mitigate the risks of ransomware infection, human error can always come into play. An equally comprehensive backup solution is necessary to help ensure that critical company data is not lost because of a ransomware incident. By employing a robust cybersecurity and backup strategy, businesses can stay one step ahead of ransomware attacks.


12. How do your solutions protect from unknown threats?

As I mentioned earlier, Kaspersky Endpoint Security for Business protects organizations from known, unknown and advanced cyberthreats. This solution also includes the Kaspersky Security Network (KSN), which provides a response to suspected threats much faster than traditional methods of protection. KSN has more than 60 million Kaspersky Security Network volunteers worldwide. This security cloud processes over 600,000 requests every second. Kaspersky users around the globe provide real-time information about threats detected and removed. This data and other research are analyzed by an elite group of security experts, the Global Research and Analysis Team. Their main focus is the discovery and analysis of new cyberthreats, along with the prediction of new types of threats.


While today’s threats are becoming more sophisticated, we have found that too many users, both on the corporate and consumer side, could improve their cybersecurity practices. What’s worse is that some are using either outdated or unreliable security solutions that do not provide them with the necessary protection. As a result, it is important to choose the most effective protection available. In fact, just last year Kaspersky participated in 93 independent tests and, of all the vendors taking part in these tests, Kaspersky Lab achieved the best results. Sixty-six times Kaspersky Lab was named in the Top 3 and 51 times was rated first place. Information security is in Kaspersky Lab’s DNA and we are always working to improve the effectiveness of our technology so our users are provided with the most reliable security solutions.
