Dark Reading is reporting that due to the success of ransomware, the sophistication of the attacks is growing. As a reminder, ransomware infects a computer and encrypts the files on it. If you pay the ransom, the attacker will usually give you the key to decrypt your files. Ransomware is not very particular and can infect any files it has write access to – network shares, Dropbox files, local files.
Ransomware, researchers think, has cost system owners millions of dollars, although I can’t imagine how anyone could put an exact number on that.
Dark Reading talks about two new strains of ransomware. One, called Virlock, infects the files on the machine. This is so that if the files are shared, the ransomware can infect other machines. In addition to this new feature, it does the normal encryption of files and locking of the screen. Virlock also morphs with each infection (called polymorphic malware) to make it harder for anti-malware software to detect it. It also uses other techniques to hide.
The other new ransomware product, TeslaCrypt, goes after gamers and encrypts the game data files. Most ransomware targets Office files (Word, Excel and the like) and pictures. By going after gamers, they have a whole new market of customers. Just like businesses are very concerned about losing their Office files, gamers are very concerned about losing their game data.
The only effective protection is effective backups. As Sony saw when they were attacked, their backups were insufficient.
I speculate from talking with people that most businesses would not recover well from this kind of attack. It took Sony over two months to rebuild their systems.
For individuals, losing their data would be, at least, annoying, but often not “life threatening”. For businesses, losing key Office files could put them out of business.
NetworkWorld reported on some typical victims. One was the Dickinson County Tennessee Sheriff. The ransomware encrypted every file created as part of an investigation. If they lost that data, then likely most active cases would be dismissed for lack of evidence. Another was a suburban Chicago police department, the Midlothian PD, which faced the same problem. Both departments opted to pay the ransom.
Many people back up to the cloud, which is fine, but a single generation of backups, in the cloud or elsewhere, will likely be infected before the malware is detected. And for those of you who use real-time backups (like Carbonite), the ransomware’s changes will trigger the backup, so making sure that the system is keeping several generations of backups is important.
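To make the point about backup generations concrete, here is an added example in Python (not code from the original post or from any backup product): a small generational backup rotation, a content-hash comparison between consecutive generations that flags a generation in which most files changed at once (what a real-time backup would capture after an encryption run), and a check that the older generation still holds the original files. The directory names, file contents and the 50% change threshold are constructed for the demo.

```python
import hashlib, os, shutil, tempfile
from pathlib import Path

MASS_CHANGE_THRESHOLD = 0.5  # assumed cut-off: more than half the files rewritten in one generation

def snapshot(src: Path, backup_root: Path, keep: int) -> Path:
    """Copy src into a new numbered generation and prune so only `keep` generations remain."""
    gens = sorted(p for p in backup_root.iterdir() if p.is_dir())
    next_id = int(gens[-1].name) + 1 if gens else 1
    dest = backup_root / f"{next_id:04d}"
    shutil.copytree(src, dest)
    for old in sorted(p for p in backup_root.iterdir() if p.is_dir())[:-keep]:
        shutil.rmtree(old)  # generations older than the retention window are dropped
    return dest

def fingerprint(root: Path) -> dict:
    """Map each file's relative path to its SHA-256 so generations can be compared by content."""
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def changed_fraction(prev: Path, curr: Path) -> float:
    """Fraction of files in the previous generation whose content differs (or is gone) in the next."""
    before, after = fingerprint(prev), fingerprint(curr)
    return sum(1 for name, h in before.items() if after.get(name) != h) / len(before) if before else 0.0

def is_mass_change(prev: Path, curr: Path) -> bool:
    """True when a generation looks like everything was rewritten at once; worth an alert, not a silent overwrite."""
    return changed_fraction(prev, curr) > MASS_CHANGE_THRESHOLD

def run_demo() -> dict:
    # Constructed scenario: one ordinary edit, then every file overwritten, with three generations kept.
    with tempfile.TemporaryDirectory() as tmp:
        live, backups = Path(tmp) / "live", Path(tmp) / "backups"
        live.mkdir(); backups.mkdir()
        for i in range(4):
            (live / f"report{i}.docx").write_bytes(b"quarterly report %d" % i)
        gen1 = snapshot(live, backups, keep=3)
        (live / "report0.docx").write_bytes(b"quarterly report 0, revised")  # normal day-to-day edit
        gen2 = snapshot(live, backups, keep=3)
        for p in live.glob("*.docx"):
            p.write_bytes(os.urandom(64))  # constructed stand-in for files that were encrypted in place
        gen3 = snapshot(live, backups, keep=3)
        return {
            "normal_change": changed_fraction(gen1, gen2),
            "mass_change": changed_fraction(gen2, gen3),
            "flagged": is_mass_change(gen2, gen3) and not is_mass_change(gen1, gen2),
            "gen1_intact": (gen1 / "report1.docx").read_bytes() == b"quarterly report 1",
        }
```

With a single-generation backup the third snapshot would have replaced the only good copy; with three generations the first one is still recoverable, and the jump from a 25% to a 100% change rate is the signal to stop rotating and investigate.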
For businesses, making sure that you can recover from this kind of attack and continue operating while you are recovering is called disaster recovery and business continuity.
Are you prepared, or will you be paying the ransom and hoping you get the keys?
P.S. Just because they give you the keys does not mean that the ransomware has been removed from your system. In fact, what it really means is that the attacker has a juicy target for future attacks. NetworkWorld wrote that one strain, OphionLocker, remembers its victims and does not attack them again.