Blue Line

News
Ransomware holds your data hostage


September 1, 2016
By Tom Rataj

907 words – MR

Ransomware holds your data hostage

by Tom Rataj

As if computer viruses and other malicious software weren’t annoying and damaging enough, the latest trending computer security threat holds your data hostage until you pay a ransom to free it.

Advertisment

Although first successfully demonstrated back in the late 1980s, ransomware has only gained notoriety recently. Since Microsoft Windows is the most widely used operating system, with a marketshare of about 80 per cent, it is the primary target of most malicious computer software.

Mobile devices such as tablets and smartphones are also generally not immune to malware threats. Devices running Google Android are most vulnerable and some jailbroken Apple iPhone/iPad devices have been successfully attacked. There are some malware issues with Windows Phone devices and Android apps (but not native BlackBerry 10 apps) running on BlackBerry 10 devices.

{Locks system}

Ransomware is a malicious computer program covertly installed on a victim’s computer or network. It typically arrives through a Trojan virus contained in an e-mail attachment, from visiting a surreptitiously or deliberately infected website or by clicking on a pop-up ad.

Once installed and activated, it typically encrypts part or all of the computer’s operating system and/or files and then displays a web-page demanding a ransom payment for a decryption key to unlock the system and files. There is often a time limit on when payment must be made, leaving a victim little chance to decide what to do. Payment is usually demanded in bitcoin or other non-traceable payment instruments.

The original ransomware programs were relatively simple, often just disabling a computer’s start-up file, master boot record or partition table. The computer couldn’t boot without them, although the data on the hard-drive was still retrievable and the disabled programs were relatively easy to repair.

The latest generation of ransomware is far more sophisticated, using strong encryption technologies such as 128 or 256-bit AES (Advanced Encryption Standard) or RSA (named after cryptologists Rivest, Sharmie and Adleman) to encrypt all the data on an infected system.

Without a decryption key, the affected data is irretrievable because of the strength of the encryption, so many victims just pay the ransom.

Although ransomware has been around for more than 20 years, it began gaining notoriety in the mid-2000s. The most common encrypting ransomware include CryptoLocker, CryptoLocker 2.0 and CryptoDefence.

The widespread use of the Internet has made it far easier for ransomware to spread and its growing sophistication has made it much more effective and profitable for the criminal gangs typically behind it.

{Victims}

CryptoLocker ransomware corrupted the computer system and most recent backup drive of the Tewksbury, Massachusetts police department in April 2015. An 18 month old backup drive was not affected but wasn’t of much use. Despite help from the FBI and others the department was unsuccessful in recovering its system until it paid roughly $500 in bitcoins.

Several other small US police departments were similarly victimized by ransomware and had to pay to recover their systems. At least a dozen hospitals around the world have also been successfully targeted by ransomware infections.

The Hollywood Presbyterian Hospital in California paid a ransom in February 2016 after most of its network, including medical records and connected medical devices, was disabled. The original ransom demand was US$5 million but it ended up paying US$17,000 in bitcoins. The case took several weeks to resolve and was an expensive operational nightmare affecting all hospital operations during the attack and for months afterwards.

{Not just computers}

With so many devices connected to the Internet, it’s not surprising that some have been compromised and used as an infection point for ransomware. There are reports of routers, network attached storage devices and back-up drives being infected through security vulnerabilities.

{Prevention}

Most ransomware, viruses and other malware infections begin with individual computers so this is where major defensive efforts should focus.

Ransomware is best prevented by using up-to-date anti-virus/malware software and a firewall. Additionally, all security updates and patches for computer and smartphone operating systems, and other potentially infected hardware such as routers, should be installed as soon as they become available.

All default device and system passwords should be changed to strong passwords with at least 12 characters, including random combinations of both upper and lower case letters, numbers and special characters.

Comprehensive network security tools with behavior detection should be used to monitor business network traffic and e-mail systems for viruses and malware.

Windows users should activate User Access Control to prevent unapproved installation of software. A “pop-up” ad blocker is also important, since enticing and misleading pop-up ads are often used to infect computers. Training and user awareness are also important.

{The pay question}

This is a complicated decision that depends on a number of factors, including how current and thorough the back-up files are, whether a victim believes the attacker will actually provide a valid decryption key and ability to pay.

In many cases, paying the ransom is the only way to quickly regain control of a system because the encryption technologies used are unbeatable.

Ransomware is a complicated, dangerous and potentially expensive threat to businesses, government agencies and private computer users.

Comprehensive preventative measures and a thorough and up to date data back-up plan are the most effective ways to counter the threat.

Police agencies may be particularly vulnerable since much of the data they collect and maintain is very valuable to criminal organizations.