Ransomware's roots stretch back to the late 80s, but with the advent of modern anonymous payment systems such as Bitcoin, ransomware has been reborn.
Ransomware usually enters an organisation via a malicious email attachment. The attachment is typically a Word or Excel document containing a malicious payload. These emails tend to target non-technical departments to increase the chances of a successful compromise. For example, a seemingly benign email is sent to an organisation's HR department with a CV attached in the form of a Word document. All the employee needs to do is open the document and click Enable Content. Once this has been done, the ransomware can begin executing.
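The delivery vector above is a macro-enabled Office attachment. As an added example (not code from the original article), the following Python script shows the kind of triage a mail gateway can apply before such an attachment reaches HR: it inspects each attachment and holds anything that is a macro-capable Office document. The sample attachments, file names and the `triage`/`classify_attachment` helpers are constructed for this illustration; modern Office formats are zip containers that store VBA in a `vbaProject.bin` part, and legacy binary formats are OLE2 containers, which is what the checks rely on.

```python
"""Added example: hold e-mail attachments that are macro-capable Office files.

Assumptions (not from the article): attachments arrive as (filename, bytes)
pairs; the sample attachments below are constructed in memory so that the
script runs offline.
"""
import io
import zipfile

# Legacy binary Office container (OLE2 / Compound File), which can carry VBA.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Extensions the Office file format itself marks as macro-enabled.
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm", ".potm", ".ppam", ".xlam"}
OOXML_EXTENSIONS = {".docx", ".dotx", ".xlsx", ".xltx", ".pptx"} | MACRO_EXTENSIONS


def classify_attachment(filename: str, data: bytes) -> str:
    """Return one of: 'macro', 'possible-macro', 'office-no-macro', 'other'."""
    name = filename.lower()
    ext = name[name.rfind("."):] if "." in name else ""

    # OOXML (.docx/.xlsx/.pptx and friends) is a zip; VBA lives in vbaProject.bin.
    if data[:2] == b"PK":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            return "other"
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            return "macro"
        if ext in OOXML_EXTENSIONS or any(n.startswith(("word/", "xl/", "ppt/")) for n in names):
            return "office-no-macro"
        return "other"

    # Legacy .doc/.xls/.ppt: the OLE container may hold VBA streams, and telling
    # for sure needs a full OLE parser, so route it to deeper inspection.
    if data[:8] == OLE_MAGIC:
        return "possible-macro"
    return "other"


def triage(attachments):
    """Return the (filename, verdict) pairs a gateway should hold for review."""
    held = []
    for filename, data in attachments:
        verdict = classify_attachment(filename, data)
        if verdict in ("macro", "possible-macro"):
            held.append((filename, verdict))
    return held


def build_ooxml(with_macro: bool) -> bytes:
    """Constructed sample: a minimal zip shaped like a Word document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)  # placeholder VBA part
    return buf.getvalue()


# Constructed sample attachments: a macro-enabled "CV", a clean .docx,
# a legacy binary .doc, and a PDF.
SAMPLE_ATTACHMENTS = [
    ("cv_john_smith.docm", build_ooxml(with_macro=True)),
    ("cover_letter.docx", build_ooxml(with_macro=False)),
    ("old_cv.doc", OLE_MAGIC + b"\x00" * 504),
    ("references.pdf", b"%PDF-1.4 ..."),
]

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_ATTACHMENTS):
        print(f"HOLD {name}: {verdict}")
```

The verdict is driven by file content rather than the extension, so renaming a `.docm` to `.docx` does not change the result; legacy binary documents are deliberately held as "possible-macro" because a magic-byte check cannot prove the absence of VBA.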
The ransomware infection will not be evident at first: it begins by searching the computer and the network for files that are of value to the organisation. These tend to include Office documents such as spreadsheets, reports and PowerPoint presentations. Other file types include audio-visual files such as MP3/MP4 and numerous web server files. The file extensions of many professional software packages are also included in the attack to cause maximum harm to the organisation. Once these business-critical files have been found, they are encrypted. Encryption renders the files completely unreadable, which can halt an organisation's ability to do business with its customers. Some ransomware variants also lock the user out of the Windows operating system, leaving the computer completely unusable.
Once the computer and documents have been encrypted, the malware declares its ransom. This is done via a splash screen or within various text files informing the user of the breach. The notice states the attacker's payment details for the ransom demanded for the decryption key. Payments are typically made over the Tor network (dark web) into Bitcoin cryptocurrency wallets, which hides the attacker's identity. Ransoms typically range from £200 to £8000 to recover the sensitive data from one machine.
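The two paragraphs above describe observable behaviour: a burst of business documents being renamed to an unfamiliar extension, followed by ransom notes dropped in the affected folders. As an added example (not code from the original article), the Python script below runs a simple behavioural detector over constructed file-activity log lines and flags the process responsible. The log format, process names, paths, the 60-second window and the thresholds are all invented for illustration and should be tuned to real EDR or audit telemetry.

```python
"""Added example: flag processes whose file activity looks like the
encryption phase of a ransomware infection.

Assumptions (not from the article): a log line looks like
  <iso-timestamp> pid=<n> proc=<name> RENAME <old path> | <new path>
  <iso-timestamp> pid=<n> proc=<name> CREATE <path>
and the sample log, thresholds and window are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime

# Business-document extensions of the kind the article lists as typical targets.
DOCUMENT_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".mp3", ".mp4"}
RANSOM_NOTE_PATTERN = re.compile(r"(decrypt|recover|restore|ransom|readme)", re.IGNORECASE)
WINDOW_SECONDS = 60
RENAME_THRESHOLD = 5  # document-extension changes per process within one window

LINE_RE = re.compile(
    r"^(?P<ts>\S+) pid=(?P<pid>\d+) proc=(?P<proc>\S+) (?P<action>RENAME|CREATE) "
    r"(?P<path>[^|]+?)(?: \| (?P<newpath>.+))?$"
)


def extension(path: str) -> str:
    """Lower-cased extension of the last path component, or '' if none."""
    base = path.replace("\\", "/").rsplit("/", 1)[-1]
    return base[base.rfind("."):].lower() if "." in base else ""


def parse_line(line: str):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    ev["pid"] = int(ev["pid"])
    return ev


def detect(lines):
    """Return {(pid, proc): [reasons]} for processes behaving like ransomware."""
    renames = defaultdict(list)  # (pid, proc) -> timestamps of suspicious renames
    notes = defaultdict(set)     # (pid, proc) -> directories receiving note-like files
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        key = (ev["pid"], ev["proc"])
        if ev["action"] == "RENAME" and ev["newpath"]:
            # A document losing its extension in favour of an unknown one.
            if extension(ev["path"]) in DOCUMENT_EXTENSIONS and extension(ev["newpath"]) not in DOCUMENT_EXTENSIONS:
                renames[key].append(ev["ts"])
        elif ev["action"] == "CREATE":
            normalised = ev["path"].replace("\\", "/")
            directory, _, name = normalised.rpartition("/")
            if extension(name) in (".txt", ".html", ".hta") and RANSOM_NOTE_PATTERN.search(name):
                notes[key].add(directory)

    flagged = defaultdict(list)
    for key, stamps in renames.items():
        stamps.sort()
        start = 0  # sliding window over sorted timestamps
        for end in range(len(stamps)):
            while (stamps[end] - stamps[start]).total_seconds() > WINDOW_SECONDS:
                start += 1
            if end - start + 1 >= RENAME_THRESHOLD:
                flagged[key].append(f"{end - start + 1} document extension changes within {WINDOW_SECONDS}s")
                break
    for key, dirs in notes.items():
        if len(dirs) >= 2:
            flagged[key].append(f"ransom-note-like files dropped in {len(dirs)} directories")
    return dict(flagged)


# Constructed sample log: one noisy-but-benign user session and one process
# renaming documents en masse and dropping notes.
SAMPLE_LOG = r"""
2016-03-01T09:58:03 pid=1188 proc=winword.exe CREATE C:\Users\hr\Documents\cv_draft.docx
2016-03-01T10:02:11 pid=4412 proc=svchost_.exe RENAME C:\Share\Finance\q1_report.xlsx | C:\Share\Finance\q1_report.xlsx.locked
2016-03-01T10:02:12 pid=4412 proc=svchost_.exe RENAME C:\Share\Finance\budget.xlsx | C:\Share\Finance\budget.xlsx.locked
2016-03-01T10:02:12 pid=4412 proc=svchost_.exe RENAME C:\Share\Finance\invoices.pdf | C:\Share\Finance\invoices.pdf.locked
2016-03-01T10:02:13 pid=4412 proc=svchost_.exe CREATE C:\Share\Finance\HOW_TO_DECRYPT_FILES.txt
2016-03-01T10:02:14 pid=4412 proc=svchost_.exe RENAME C:\Share\HR\contracts.docx | C:\Share\HR\contracts.docx.locked
2016-03-01T10:02:15 pid=4412 proc=svchost_.exe RENAME C:\Share\HR\board_deck.pptx | C:\Share\HR\board_deck.pptx.locked
2016-03-01T10:02:15 pid=4412 proc=svchost_.exe CREATE C:\Share\HR\HOW_TO_DECRYPT_FILES.txt
2016-03-01T10:05:40 pid=2201 proc=explorer.exe RENAME C:\Users\hr\Documents\cv_draft.docx | C:\Users\hr\Documents\cv_final.docx
2016-03-01T10:10:00 pid=2201 proc=explorer.exe RENAME C:\Users\hr\Documents\old.pptx | C:\Users\hr\Documents\old.pptx.bak
""".strip().splitlines()

if __name__ == "__main__":
    for (pid, proc), reasons in detect(SAMPLE_LOG).items():
        print(f"ALERT pid={pid} proc={proc}: " + "; ".join(reasons))
```

Two independent signals are scored so that a single renamed file or a user saving a `README.txt` does not trip the detector; an alert fires on a rename burst, on notes appearing in several directories, or both, and the reasons are returned so an analyst can see which rule matched.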
According to an FBI statement to CNN, the estimated cost of damages caused by ransomware during Q1 2016 totals $209 million. Healthcare departments, schools and law enforcement agencies are among this year's targets. Many companies are forced to pay the ransom because complete loss of their data would cause irreparable damage to their business, yet once the ransom has been paid there is no certainty that the decryption key will be received in return. Ransomware has the ability to close businesses down and prevent healthcare organisations from saving lives. With the attackers' widespread success, more intricate strains of ransomware are being developed every week. Ransomware is here to stay.
- Ensure employees are aware of Ransomware and its dangers.
- Train employees to question the validity of emails and to not open suspicious unexpected attachments.
- Disable macro scripts within Microsoft Office.
- Manage the distribution of privileged accounts. Only use administrative accounts when absolutely necessary.
- Have a robust and frequent data backup strategy in place. Ensure backup data is not attached to the network, and always keep a backup offsite and offline.
- Rename sensitive file extensions to something unique (e.g. .doc to .file). This will prevent ransomware from encrypting the document.