Ransomware: To Pay or Not To Pay
By Ondrej Krehel, CEO and Founder of LIFARS LLC
Ransomware poses one of information security’s biggest threats, right alongside infamous data breaches and high-profile Distributed Denial of Service (DDoS) attacks.
Ransomware has become a data security buzzword among consumers and businesses alike, and the threat behind the word is real: it locks victims out of their own systems and costs them plenty. But what is ransomware? Why is it a greater threat than typical viruses and other infections? How do you protect yourself from it? And if you are hit, what are your options?
Antivirus vendors have largely closed off the everyday avenues that commodity malware tends to exploit. USB flash drives, long a favourite carrier of Trojans, viruses, keyloggers and other malware, are scanned the moment they are plugged in by real-time antivirus software, which warns the user of any threat. In an era of massive data breaches, in which millions of individuals’ personal records can be compromised at a stroke, governments and corporations are, at long last, investing in better cybersecurity practices and infrastructure.
Meanwhile, malicious hackers have kept working on inventive ways to avoid detection and protect their revenue streams. Ransomware, which gained real prominence at the turn of the decade, is perhaps the most devastating and disruptive malware cybercriminals have cooked up yet on a global scale.
Ransomware is malware, or malicious software, that restricts the user’s access to the contents of a computer, file or device until the user pays a ransom.
Typically, ransomware is delivered through rogue URLs or attachments in email or instant messages.
One of the earliest reported cases of ransomware surfaced in Russia in 2005. While the malware has been around for over a decade, it was not until late 2013 that the rest of the world caught on, when CryptoLocker infected hundreds of thousands of personal computers and business systems around the world.
So potent was the threat at the time that the United States Computer Emergency Readiness Team (US-CERT), a branch of the Department of Homeland Security, issued an advisory warning users of CryptoLocker’s growing threat. The agency advised users to unplug infected machines from their networks, since the ransomware also encrypted files on mapped network shares and removable drives reachable from the infected machine. At the time, CryptoLocker targeted every version of Windows.
Within days the ransomware spread across the world like wildfire, pushed out by botnets and already-infected machines through phishing emails carrying malicious links and attachments.
Once activated, the ransomware gave the victim 72 hours to pay, with a typical demand of around $300. Payment was supposed to buy the decryption key needed to regain access to the encrypted files.
A victim who does not pay stands to lose all of the encrypted data, which typically includes every document, picture and media file on the computer.
The CryptoLocker threat read:
“If the key is not obtained before the deadline, it will be destroyed and you will not be able to open your files, ever again.”
How ransomware works
Modern ransomware strains that pose a serious threat to individuals and corporations use public-key cryptography. Fundamentally, separate keys are used to lock and unlock a file: the public key can be handed out to anyone to encrypt files, while only the private key can decrypt them.
Cryptographically sound ransomware strains generate the public-private key pair on the attacker’s own servers and send only the public key to the targeted machines. In practice, because public-key operations are slow, the malware encrypts each file with a fresh symmetric key and then encrypts that key with the public key, storing the wrapped key alongside the scrambled file. Either way, the private key is indispensable to unscramble the data and regain access.
Since the private key never leaves the attacker’s server, searching the infected machine for it is futile.
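As an added example (not code from the article, LIFARS or any ransomware family), the key handling just described, written in Go with only the standard library. The operator side generates an RSA-2048 key pair and keeps the private half; the victim side, holding only the public key, encrypts each file with a fresh AES-256-GCM key and wraps that key with RSA-OAEP, which is the hybrid construction real strains use because encrypting whole files with RSA would be far too slow. The function names and the sample document are constructed for the example.

```go
package main

// Added example, not code from the article or any ransomware family: the
// hybrid key handling described above, split into operator-side and
// victim-side functions. Only the public key ever exists on the victim side.
// Standard library only; names and the sample document are constructed.

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
)

// LockedFile is what is left on disk: ciphertext plus the per-file key wrapped
// to the operator's public key. Nothing in it lets the victim decrypt.
type LockedFile struct {
	WrappedKey []byte // AES-256 key, RSA-OAEP encrypted to the operator's public key
	Nonce      []byte
	Ciphertext []byte
}

// generateOperatorKeys runs on the operator's server. The private key stays
// there; only PublicKey is shipped with the malware or fetched from C2.
func generateOperatorKeys() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// lockFile runs on the victim's machine with only the public key. Each file
// gets a fresh random AES key (RSA over whole files would be far too slow),
// and that key is then wrapped with RSA-OAEP.
func lockFile(pub *rsa.PublicKey, plaintext []byte) (*LockedFile, error) {
	fileKey := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, fileKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	ciphertext := gcm.Seal(nil, nonce, plaintext, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	for i := range fileKey { // discard the plaintext file key
		fileKey[i] = 0
	}
	return &LockedFile{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ciphertext}, nil
}

// unlockFile is what a paid ransom buys: the holder of the operator's private
// key unwraps the per-file key and decrypts. Any other private key fails.
func unlockFile(priv *rsa.PrivateKey, lf *LockedFile) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, lf.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap file key: %w", err)
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, lf.Nonce, lf.Ciphertext, nil)
}

func main() {
	operator, err := generateOperatorKeys()
	if err != nil {
		panic(err)
	}
	original := []byte("Q1 sales figures: confidential") // constructed sample file
	locked, err := lockFile(&operator.PublicKey, original)
	if err != nil {
		panic(err)
	}
	// A key pair generated locally on the victim's machine is useless...
	victimGuess, _ := generateOperatorKeys()
	_, guessErr := unlockFile(victimGuess, locked)
	// ...while the operator's private key recovers the file.
	recovered, err := unlockFile(operator, locked)
	fmt.Println("local key pair fails:", guessErr != nil)
	fmt.Println("operator key recovers:", err == nil && bytes.Equal(recovered, original))
}
```

The last two lines of main are the point of the exercise: a key pair generated on the victim’s machine cannot open the wrapped file key, because only the private half matching the public key the malware carried can. That is why the private key is kept on the attacker’s server and why scanning the infected disk for it finds nothing.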
In Q3 2011, about 60,000 new variants of ransomware were detected. By Q3 2012 that number had climbed to over 200,000, and between Q3 2014 and Q1 2015 it reached over 700,000. In the first quarter of 2016, security firm Kaspersky Lab recorded 2,900 new “modifications” of existing ransomware families, a 14% increase over the previous quarter, and the number of attacked users rose 30% compared with Q4 2015.
Since the emergence of CryptoLocker in 2013, ransomware has come a long, treacherous way. The year 2014 brought the first ransomware targeting mobile phones, particularly the Android platform; a year later, 17% of the ransomware infections Kaspersky observed were on Android devices. 2015 saw the first known case of ransomware targeting Linux. The firm’s 2015 security bulletin counted 337,205 ransomware victims in Q3 2015 alone.
To sum up the menace: Q1 2016 saw more ransomware attacks than any previous quarter. The threat is gaining steam rather than burning out.
Why ransomware is more potent and dangerous than other malware
Ransomware originated in post-Soviet countries such as Russia, Ukraine and others in Eastern Europe. Because the malware authors operate from foreign states, persuading those governments to act against their local threat actors becomes a diplomatic problem rather than a purely technical one.
Legacy malware such as Trojans, backdoors and keyloggers is typically programmed to wait patiently until the user enters credit card details or other personal identifying information that can later be used for fraudulent transactions or identity theft. Furthermore, once a keylogger or Trojan is detected, its authors have to start over with a new build, since any good antivirus vendor quickly pushes updated definitions so that users stay protected against the latest threats.
Ransomware, by contrast, is simple in what it does, and it provides cybercriminals with a consistent and quick revenue stream: the victim is the buyer, and no stolen data needs to be monetized.
The CryptoLocker authors’ threat of permanent loss was no bluff. They kept their word and destroyed the decryption key once the deadline passed; just as reliably, victims who paid got their files back. As news of CryptoLocker spread, less-resourceful, desperate and confused victims paid before the deadline rather than look for alternatives.
Even the FBI, the country’s premier law enforcement agency, has bluntly admitted that it sometimes tells victims to pay.
“The ransomware is that good,” said Joseph Bonavolonta, the Assistant Special Agent in Charge of the FBI’s CYBER and Counterintelligence Program in its Boston office. “To be honest, we often advise people just to pay the ransom.”
The list of victims goes on and on. In a notice this year, the FBI named “hospitals, school districts, state and local governments, law enforcement agencies, small business, large businesses—these are just some of the entities impacted recently by ransomware.”
To pay or not to pay
That is the big question. The FBI has since released an official advisory that contradicts the opinion voiced by Bonavolonta.
The Bureau stated:
“Paying a ransom doesn’t guarantee an organization that it will get its data back—we’ve seen cases where organizations never got a decryption key after having paid the ransom. Paying a ransom not only emboldens current cyber criminals to target more organizations, it also offers an incentive for other criminals to get involved in this type of illegal activity.
“And finally, by paying a ransom, an organization might inadvertently be funding other illicit activity associated with criminals.”
Those are clear words from the FBI in an official capacity: its advice to victims is not to pay.
It is important to note that the ransomware described here does not steal files; it merely, and infuriatingly, scrambles them in place until they are unusable. The only way to restore an encrypted file is to obtain the private decryption key, which the attackers promise to hand over once the ransom is paid.
The official word from the FBI is: don’t pay. Still, those scrambled, undecipherable files may hold important, priceless, business-critical data and documents. And the authors behind the most common ransomware families have, for better or worse, earned a reputation for honoring their word.
Setting aside the moral question of whether to give in to extortion, victims have to decide what their files are worth to them.
A user who keeps backups, offline or online, separate from the machine that was hit has dodged the ransom: the encrypted files can simply be restored from the copy. Without such a backup, the only way to recover the data is to pay, unless a flaw in the malware or a law enforcement takedown has made a free decryptor available, which is rare and cannot be counted on.
Best practices to avoid ransomware
The following tips are preventive measures aimed primarily at organizations and their employees, but they apply to individuals as well. They are published by the FBI, which knows a threat when it sees one.
∙ Make sure employees are aware of ransomware and of their critical roles in protecting the organization’s data.
∙ Patch operating systems, software and firmware on digital devices (which may be made easier through a centralized patch management system).
∙ Ensure antivirus and anti-malware solutions are set to automatically update and conduct regular scans.
∙ Manage the use of privileged accounts—no users should be assigned administrative access unless absolutely needed, and only use administrator accounts when necessary.
∙ Configure access controls, including file, directory and network share permissions, appropriately. If users only need to read specific information, they don’t need write access to those files or directories.
∙ Disable macro scripts in Office files transmitted over email. Implement software restriction policies or other controls to prevent programs from executing from common ransomware locations (e.g., temporary folders supporting popular internet browsers, compression/decompression programs).
∙ Back up data regularly and verify the integrity of those backups regularly.
∙ Secure your backups. Make sure they aren’t connected to the computers and networks they are backing up.
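The last two tips are the ones that ultimately decide whether a victim pays. As an added example (not the FBI’s or the article’s code), here is a small Go program that records a SHA-256 manifest of a backup tree and later verifies it, reporting changed, missing and added files, which is what a backup reached by ransomware looks like. The sample tree and file names are constructed in memory with testing/fstest; for a real backup pass os.DirFS to the same functions, and keep the manifest somewhere the backed-up hosts cannot write.

```go
package main

// Added example (not code from the article or the FBI): a SHA-256 manifest
// for a backup tree, built once and verified later. The sample tree is
// constructed in memory; for a real backup pass os.DirFS("/path/to/backup").

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io/fs"
	"sort"
	"testing/fstest"
)

// Manifest maps a backup path to the hex SHA-256 of its contents. Keep it where the backed-up hosts cannot write.
type Manifest map[string]string

// BuildManifest walks the backup tree and hashes every regular file.
func BuildManifest(backup fs.FS) (Manifest, error) {
	m := Manifest{}
	err := fs.WalkDir(backup, ".", func(path string, d fs.DirEntry, err error) error {
		if err != nil || d.IsDir() { // propagate walk errors, skip directories
			return err
		}
		data, err := fs.ReadFile(backup, path)
		if err != nil {
			return err
		}
		sum := sha256.Sum256(data)
		m[path] = hex.EncodeToString(sum[:])
		return nil
	})
	return m, err
}

// Report lists discrepancies against the manifest. Changed and Missing files are
// the signature of ransomware reaching the backup; Added ones are typically ransom notes.
type Report struct{ Changed, Missing, Added []string }

// Clean reports whether the backup still matches the manifest exactly.
func (r Report) Clean() bool {
	return len(r.Changed)+len(r.Missing)+len(r.Added) == 0
}

// VerifyManifest re-hashes the tree and compares it with expected.
func VerifyManifest(backup fs.FS, expected Manifest) (Report, error) {
	current, err := BuildManifest(backup)
	if err != nil {
		return Report{}, err
	}
	var r Report
	for path, want := range expected {
		got, ok := current[path]
		switch {
		case !ok:
			r.Missing = append(r.Missing, path)
		case got != want:
			r.Changed = append(r.Changed, path)
		}
	}
	for path := range current {
		if _, ok := expected[path]; !ok {
			r.Added = append(r.Added, path)
		}
	}
	sort.Strings(r.Changed)
	sort.Strings(r.Missing)
	sort.Strings(r.Added)
	return r, nil
}

// sampleBackup is a constructed backup tree. With tampered set it mimics the same
// tree after ransomware scrambled one file, removed another and dropped a ransom note.
func sampleBackup(tampered bool) fstest.MapFS {
	tree := fstest.MapFS{
		"docs/report.docx": {Data: []byte("Q1 figures, final")},
		"docs/notes.txt":   {Data: []byte("meeting notes")},
		"media/photo.jpg":  {Data: []byte{0xff, 0xd8, 0xff, 0xe0}},
	}
	if tampered {
		tree["docs/report.docx"] = &fstest.MapFile{Data: []byte("\x8f\x1a\x43\x9e scrambled")}
		delete(tree, "docs/notes.txt")
		tree["DECRYPT_INSTRUCTIONS.txt"] = &fstest.MapFile{Data: []byte("pay to recover your files")}
	}
	return tree
}

func main() {
	manifest, err := BuildManifest(sampleBackup(false))
	if err != nil {
		panic(err)
	}
	report, err := VerifyManifest(sampleBackup(true), manifest)
	if err != nil {
		panic(err)
	}
	fmt.Printf("clean=%v %+v\n", report.Clean(), report)
}
```

Run the verification on a schedule from a host that mounts the backup read-only. A backup that was still connected to the infected network will show up here as a wave of Changed entries plus a handful of Added ransom notes, which is the moment to stop relying on that copy and fall back to the offline one.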