"Your personal files are encrypted!" glares the headline on a red pop-up window. The text that follows warns the user that all of the photos, videos and documents stored on the computer were encrypted with a secret encryption key. Unless the user pays a $500 ransom, then a virus will destroy those files permanently.
Words like this must have struck fear into the hearts of IT administrators at the Midlothian, Ill., police department when they came up on a police computer in January 2015. Lacking any solid technical alternative, the department paid a $500 ransom to unknown attackers to restore access to critical files.
While a police department may feel especially embarrassed when successfully extorted by unknown cybercriminals, thousands of people around the world experience this same scenario every day. Ransomware, a fairly new class of malware, infects systems and holds important personal information hostage unless the user meets the attackers' financial demands. Fortunately, there are simple steps that users and businesses can take to protect themselves against ransomware infection.
What is Ransomware?
From a technical perspective, ransomware isn't much different from any other form of malware. It spreads to new victims through a variety of mechanisms, including the use of drive-by downloads. In this attack, hackers compromise otherwise normal websites and reconfigure the site to distribute ransomware. When an unsuspecting user visits the compromised site, a hidden download exploits vulnerabilities in the user's computer to install the ransomware on the system and wreak havoc on personal information.
Ransomware departs from the tactics of its malware brethren by taking advantage of strong cryptographic techniques to prevent legitimate access to files. Cryptography, normally a technique used to protect sensitive information, uses encryption keys to convert normal files into versions that may not be read without the appropriate decryption key. It's a tactic similar to password protecting a file. If you don't know the decryption key, you simply can't access the content.
This is a very effective technique for transferring sensitive information between systems and individuals over otherwise insecure networks. In fact, the HTTPS secure websites users visit every day use encryption to protect information sent back and forth between the user and the web server.
When ransomware uses encryption, however, it has much darker intent. The malware scours the infected system's hard drive, searching out personal files. Each time it encounters such a file, it encrypts it using a secret key known only to the malware author. When the legitimate user attempts to access his or her files, the encryption stymies that effort and the ransomware pops up a demand for payment in Bitcoin or other anonymous digital currency. If the user pays the ransom, the attacker sometimes (but not always!) provides the decryption key used to restore file access. If the user doesn't pay the ransom, the encryption may result in the potentially devastating permanent loss of data.
Protecting Against Ransomware
Fortunately, there are ways that users and organizations can protect themselves against the ransomware threat. The same good computer security practices that IT professionals advocated in years past apply to this new threat. Well-maintained systems should be immune from most ransomware threats, although no technique is foolproof.
First and foremost, every system connected to a network should run antivirus software from a reputable vendor with current signature files installed. That means paying the annual license fee to maintain current protection. If users don't purchase these updates, the antivirus software cannot effectively defend against new risks. Each day that passes without a signature update significantly increases the risk of infection by ransomware or other malware nasties.
Second, IT staffers should install operating system patches and software security updates on a regular basis. The drive-by download technique favored by ransomware creators depends upon exploiting known flaws in operating systems, web browsers and other applications. Running old, unpatched software provides a pathway that may allow malware to enter the system.
Finally, there's no substitute for practicing safe web browsing habits. Users should avoid visiting suspicious sites, downloading unapproved software, and clicking on unknown attachments. Making one of these simple mistakes, even a single time, can trigger an irreversible ransomware infection. Organizations can complement safe browsing education programs with technical filters that block access to known malicious sites from the organization's network. This is an effective way to block some infections, but IT staffers must remember that many computers leave the safe confines of the corporate network and access the Internet from unfiltered connections at hotels, airports, coffee shops and similar locations.
The key to avoiding ransomware infection is the same as protecting against many other security risks practice defense in depth. No single security control is a panacea in the fight against malware. Building a series of layered defenses dramatically increases the safety of Internet-connected systems.
What If You're Infected?
What happens when defenses fail and a system falls victim to ransomware infection? Unfortunately, the prognosis is bleak. Ransomware uses very strong encryption technology and it is virtually impossible to decrypt files without access to the secret decryption key.
If an organization has backups of the files stored on a computer, the best bet is to simply wipe and rebuild the infected system and then restore the unencrypted files from backup. When taking this path, it's very important to verify the security controls described earlier are in place. Without antivirus software, content filtering and safe browsing habits, the system may fall victim to the same infection again.
If backups don't exist, there aren't many great options. Organizations can take the same path as the Midlothian police department and pay the ransom, but that's a risky proposition. There's no guarantee that anonymous criminals will honor their word and provide the decryption key. If the organization refuses to pay the ransom and no copies of the files exist elsewhere, data loss may be inevitable.
Ransomware is big business. Symantec recently issued a report analyzing the ransomware industry and estimated that ransomware developers may rake in as much as $400,000 per month! By taking simple security steps, organizations may protect their computers and critical files from this dangerous threat.