With crypto-ransomware's staying power, businesses must be proactive, writes Sean Sullivan, Security Advisor, F-Secure.
Crypto-ransomware has been dominating security headlines for months. In the UK the situation is reportedly even worse than in other countries: A new survey by Malwarebytes found that more than half of large UK firms have been hit by ransomware. And there's no sign it's going away anytime soon.
Crypto-ransomware, which encrypts the victim organisation's files and demands payment in return for their decryption, evolved from earlier forms of ransomware and scareware. Police-themed ransomware locked up the victim's computer, accused the victim of having performed some "illegal" online activity, and demanded a ransom in return for unlocking the machine. Scareware tried to fool people into believing they had a virus on their machine, in order to get them to pay for so-called "antivirus" software.
These schemes, while irritating and convincing to many, proved to have no real staying power. Once people became aware they were bogus, they simply stopped paying. If a computer had locked up, removing the malicious program would restore it.
But crypto-ransomware is different. This time around, it is not a farce. Ransomware has figured out a successful business model offering a tangible benefit: Get your files back.
A strong business model isn't the only concept ransomware borrows from legitimate enterprise. The gangs behind these crypto-ransomware families have discovered that, like a legitimate business, they can achieve better results with good customer service. Accordingly, some families even feature support channels for victims needing help making the Bitcoin payment.
We recently did research to delve into this so-called 'customer journey'. We infected isolated test computers with five different ransomware variants. We then attempted to contact the criminals behind them via the channels they provided - some email, some an online support form.
In a nutshell, our findings showed that these would-be extortionists are not immovable. Three out of four of them (the fifth never responded to our messages) were willing to lower the original ransom fee - netting us an average 29 per cent discount off the original demand. And all four of them granted extensions on the deadlines. (Full details are available in our report, Evaluating the Customer Journey of Crypto-Ransomware.)
According to the aforementioned survey, 58 per cent of UK businesses said they paid the ransom attackers demanded. Indeed, security experts acknowledge that file restoration may be completely impossible without paying. Paying the ransom usually ends up being the cheapest, most efficient way to get back to business. The ethical dilemma of encouraging the criminals understandably takes a backseat when compared with the downtime and expense required to get business online another way.
Fortunately, there are ways to minimise the chances of becoming a victim of ransomware. First, keep all software up to date. Ransomware often infects by taking advantage of security flaws in outdated software, making patch management a key part of ransomware prevention.
Second, use robust security software that employs a layered approach to block both known threats and brand new threats that haven't been seen yet. For instance, Protection Service for Business (PSB) is a feature-rich endpoint security product available through F-Secure's authorised network of reseller partners. Because it's a hosted solution, businesses do not need to invest in server hardware, and with minimal maintenance, companies can spend their valuable time focusing on their core competencies.
Third, watch out for spam and phishing emails, as ransomware commonly rides along in attachments and email links - and keep employees educated about the latest phishing tactics.
Email safety for business also means using a good email filtering system and disabling macro scripts from Office files received via email. In addition, admins should limit the use of browser plugins; manage access controls so no user gets more access than they need; implement application controls so programs can't execute from common ransomware locations; implement application whitelisting; and segregate data to limit lateral movement within a network.
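One concrete way to carry out the "disable macros from Office files received via email" step above, as an added example that is not part of the original article: a PowerShell script that enforces and audits the Office 2016+ policy "Block macros from running in Office files from the Internet", which covers attachments and downloads carrying Mark-of-the-Web. Assumptions: the Office 16.0 registry hive, per-user application of the setting under HKCU (Group Policy-managed deployments write the same values under Software\Policies instead), and the optional stricter VBAWarnings=4 setting that disables all macros without notification.

```powershell
# Added example, not from the article or F-Secure. Assumes Office 2016/2019/365
# (registry hive 16.0) and runs in the context of the user to be protected.
# At scale, deploy the same values via Group Policy or MDM rather than per machine.
$Apps    = @('Word', 'Excel', 'PowerPoint')
$Version = '16.0'   # assumption: Office 2016 and later use the 16.0 hive

function Get-MacroPolicyState {
    # Reports the current macro-related settings for each Office application.
    foreach ($app in $Apps) {
        $key   = "HKCU:\Software\Microsoft\Office\$Version\$app\Security"
        $props = if (Test-Path $key) { Get-ItemProperty -Path $key } else { $null }
        [pscustomobject]@{
            Application         = $app
            BlockInternetMacros = $props.blockcontentexecutionfrominternet  # 1 = blocked
            VBAWarnings         = $props.VBAWarnings                        # 4 = disabled, no prompt
        }
    }
}

function Set-MacroPolicy {
    param([switch]$DisableAllMacros)
    foreach ($app in $Apps) {
        $key = "HKCU:\Software\Microsoft\Office\$Version\$app\Security"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # Block macros in files that carry Mark-of-the-Web (email attachments, downloads).
        Set-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' -Value 1 -Type DWord
        if ($DisableAllMacros) {
            # Stricter option: disable all macros without notification, whatever the file's origin.
            Set-ItemProperty -Path $key -Name 'VBAWarnings' -Value 4 -Type DWord
        }
    }
}

Set-MacroPolicy                      # add -DisableAllMacros for the stricter setting
Get-MacroPolicyState | Format-Table -AutoSize
```

Run Get-MacroPolicyState on its own during an audit to confirm the values have not been reverted by users or by a later Office repair.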
Perhaps the most important aspect of data protection is backups. Making backups, testing them to be sure they'll work, and storing them offline is the foolproof way to make sure that ransomware won't destroy all your data.
Businesses that take the above precautions will be in much better shape. And even if you do still get hit, with reliable backups you won't be joining the 58 per cent of UK firms that have had to pay the ransom.