Ransomware maintained its attractiveness amongst cybercriminals in 2016. Of note is the steady growth on multiple platforms including mobile which essentially means every mobile device user is vulnerable as we enter 2017.
According to research by Internet Security firm ESET, Android mobile device users have been targeted by various types of ransomware. Most frequently the police themed ransomware which tried to scare victims into paying up after (falsely) accusing them of harvesting illegal content on their devices.
Many ransomware campaigns use phishing emails as an entry point and may arrive as part of another malware’s payload. Similarly an attack may be delivered by an exploit kit seeking vulnerabilities so as to install and execute the malware on the affected computer.
To the trained eye, or protected computer, it is easier to spot and remove these emails and delivery methods before the attack is deployed.
“Often, organizations realise they are under attack after the fact. At which point their data or documents have already been encrypted and an expensive demand note in untraceable Bitcoins, attached as a permanent screen saver on their computers“, says Teddy Njoroge, Country Manager, ESET East Africa.
To Pay or Not To Pay
Ransomware has turned into a multi billion dollar industry – meaning many attackers perpetrating the crime do in fact provide the encryption keys to unlock your data. If it became public knowledge that the perpetrators behind a particular strain of ransomware are not providing the necessary encryption keys, this would be bad for business.
There are however a few unfortunate circumstances which may result in you still not getting your data back, even after you pay a hefty ransom – often running into many thousands of dollars.
Firstly, many ransomware developers sell their code to syndicates and other criminals – some even provide simple to use web interfaces so anyone can reap a profit and earn them a percentage. In the case of the former though, you are relying on a twisted form of honour amongst thieves in the hopes that you’ll get the necessary keys to decrypt your data. They may very well be running short campaigns in order to extort various business and individuals only to disappear with your money.
Secondly, not all code is created equal. There have been numerous examples of ransomware where the encryption process was flawed in some way, or where there is no key even being stored/transmitted after an infection which could be used for the decryption process. This is of huge concern and experts continue to do great work in analysing the processes and routines of these variants in order to publish their findings to prevent people from paying for an encryption key that won’t work, or worse, doesn’t even exist.
Thirdly, if people continue to pay, the attackers will persist. Only by no one paying up will attackers eventually get the message that their ongoing efforts will not generate them any profit – to the benefit of all.
It is worthy to note that some attacks have been well orchestrated – cyber-criminals often do research before targeting a particular entity or organisation in order to determine the size of the organisation and the likely payment that can be made based on the amount of data affected – even worse identifying those who may have paid for similar attacks in the past.
“The best approach is for all to refuse to be bullied into making payments, no matter the demands. Understandably it is an easier decision to make if only one or two computers or websites are affected as opposed to an entire network of devices“, explains Njoroge.
Pro-Active Internet Security
Unfortunately as long as it remains profitable, ransomware will continue to be a problem, especially for emerging economies such as Kenya and the larger Africa. For this reason, precaution in the form of a robust internet security regime, supported by regular training of staff, based on an organization‘s cyber-risk profile would be a most preferred investment route.
Driven from a policy perspective, it is advisable to add dealing with ransomware to the organization‘s disaster recovery (DR) plans. In addition there are cyber-insurance options that can help an organization start over in case of the cyber-risk being realized.
A key component of DR is regular back-up of critical business data and documents at an offsite location. Based on the service level procured this should be done at regular intervals. ESET recommends StorageCraft as a world leading DR vendor – through proper implementation, in the event of ransomware infections, site wide disasters such as fires, floods and other events, one can restore business critical systems in minutes rather than hours or days.
A proper DR investment can also cost significantly less than paying up for ransomware, let alone the loss of money from impacted systems being unavailable for extended periods of time.