Can’t pay? Won’t pay? They’ll take your data anyway

Just a few weeks ago, an American college paid a record amount of $28,000 (about £22,500) to get their files back after a ransomware attack.

With this kind of money on the line, ransomware attackers don’t discriminate in whom they target: businesses big and small, hospitals, police departments and schools are all being targeted daily.

Cyber criminals are getting smarter

Since the first ransomware outbreaks were reported, the type and style of attacks have spiralled. Today, there is no guarantee that once data is held hostage the cyber criminal will return the files upon receipt of payment.

2016 was a pivotal year in the evolution of ransomware, as it highlighted to the cyber security industry the breadth and increasing sophistication of the attack techniques cyber criminals are using.

Last year alone this ‘uniqueness’ and diversity was seen in Petya and Mamba. In Petya’s case the Windows Master File Table (MFT) was scrambled, whereas the entire disk was scrambled with Mamba.

As well as cyber criminals inventing more sophisticated attacks, it is also becoming simpler for amateur cyber criminals to jump on board the ransomware bandwagon.

Access to ready-made ‘malware as a service’ (MaaS) is incredibly simple for a hacker to obtain, making it easy for an amateur cyber criminal to stage, execute, and reap the rewards of an attack.

Likewise, skilful social engineering has taken over, meaning the previously easily noticeable misspellings, incorrect business logos or poor grammar that once gave away a malicious email are no longer the norm – making these attacks far harder for a user to identify.

Industries can therefore expect more people, businesses and organisations to fall victim to ransomware attacks than ever before.

Ransomware in action

Last year, a small UK-based building consultancy was hit by ransomware – the type of attack was a variant called DMA Locker. The infection was eventually traced back to an email attachment opened in Outlook.

This simple act of an employee, who was probably expecting an invoice and opened up an attachment, completely froze the small business, causing massive disruption.

As with most SMEs, the firm did not have a dedicated security team, which made locating backups of files a nightmare, and the attack affected the company for months.

What’s next?

This SME won’t be the only business to make this error as ransomware continues to rise. New strains and samples are found almost daily by the Sophos Labs team – and it’s not going anywhere anytime soon.

More users are going to recognise the risk of ransomware attacks arriving by email, so cyber criminals are looking to explore other methods of infection. Some are experimenting with malware that hits later, long after a ransom is paid, and some are starting to use built-in tools and no executable malware at all, to avoid detection by endpoint protection code that focuses on executable files.

Some variants have even offered to decrypt the files after the ransomware is shared with two friends, who pay up to retrieve their files.

What’s more concerning is the pace at which ransomware has transformed. It is only a question of time before IT departments see things beyond data being ransomed.

It is perhaps a while off before we have a sufficient mass of internet-enabled cars or homes, but this still begs the question: how long before the first car or house is held for ransom by a cyber criminal?

Here are some top tips to ensure a business is as safe as can be from the ransomware rise:

1. Back up regularly and keep a recent backup copy off-line and off-site

There are dozens of ways other than ransomware that files can suddenly vanish, such as fire, flood, theft, a dropped laptop or even an accidental delete.

Encrypt backups and then an organisation won’t have to worry about the backup device falling into the wrong hands.

2. Enable file extensions

By default, Windows hides file extensions, meaning you have to rely on the file thumbnail to identify a file.

Enabling extensions makes it much easier to spot file types that wouldn’t commonly be sent to you and your users, such as JavaScript. Ensure these are always switched on.

3. Don’t enable macros in document attachments received via email

Microsoft deliberately turned off auto-execution of macros by default as a security measure. A lot of infections rely on persuading you to turn macros back on – don’t fall for this.

4. Be cautious about unsolicited attachments

The crooks are relying on the dilemma that you shouldn’t open a document until you are sure it’s one you want, but you can’t tell if it’s one you want until you open it. If in doubt, leave it out.

5. Patch early, patch often

Malware that doesn’t come in via a document often relies on security bugs in popular applications, including Microsoft Office, your browser, Flash and more.

The sooner you patch, the fewer holes there are to be exploited.

6. Stay up-to-date with new security features in your business applications

For example, Office 2016 now includes a control called “Block macros from running in Office files from the internet”, which helps protect against external malicious content without stopping you using macros internally.

7. Explore anti-ransomware technology

Some modern security vendors have implemented advanced anti-ransomware technology into their products, providing an extra layer of security and offering peace of mind.
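
Tips 2 and 6 can be checked directly on a workstation. The PowerShell below is an added example, not part of the original article or a Sophos tool; it assumes Office 2016 (registry version key 16.0) and reads the current user's Explorer and Office policy values, and the `-FixExtensions` switch is a name chosen for this example.

```powershell
# Added example: audit the settings behind tips 2 and 6 for the current user.
# Assumption: Office 2016, whose policy keys live under version "16.0".
param([switch]$FixExtensions)   # hypothetical switch name, used only in this example

$findings = @()

# Tip 2: Explorer hides known file extensions when HideFileExt is 1.
# A missing value also means "hidden", because that is the Windows default.
$explorerKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$hide = (Get-ItemProperty -Path $explorerKey -Name HideFileExt `
            -ErrorAction SilentlyContinue).HideFileExt
$findings += [pscustomobject]@{
    Setting = 'File extensions shown in Explorer'
    Value   = $hide
    Ok      = ($hide -eq 0)
}

# Tip 6: the "Block macros from running in Office files from the internet"
# policy is stored per application as blockcontentexecutionfrominternet = 1.
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $key   = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    $block = (Get-ItemProperty -Path $key -Name blockcontentexecutionfrominternet `
                 -ErrorAction SilentlyContinue).blockcontentexecutionfrominternet
    $findings += [pscustomobject]@{
        Setting = "Internet macros blocked ($app)"
        Value   = $block          # empty means the policy is not configured
        Ok      = ($block -eq 1)
    }
}

$findings | Format-Table -AutoSize

# Optional remediation for tip 2 only: show extensions for this user.
if ($FixExtensions -and $hide -ne 0) {
    Set-ItemProperty -Path $explorerKey -Name HideFileExt -Value 0 -Type DWord
    Write-Output 'HideFileExt set to 0; extensions will be shown.'
}

# Report how many checks failed so the script can feed a compliance job.
$failed = @($findings | Where-Object { -not $_.Ok }).Count
Write-Output "$failed of $($findings.Count) checks need attention."
```

Explorer picks up the extension change after a refresh or a new sign-in. The macro-blocking policy is audited rather than set here because it is normally deployed centrally through Group Policy.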


Sourced by Marty Ward, VP products at Sophos

Nick Ismail
