What is ransomware?
Ransomware is a category of malicious software that encrypts the user's data and demands a ransom be paid to the software's operators for the decryption key.
Ransomware has recently become far more common, which means your backup routine is more important than ever.
Is ransomware common?
Dozens of victim businesses have gone public, detailing how thousands of dollars were lost either paying ransoms to unlock encrypted data or in lost productivity after choosing to cut their losses.
In the last six months, many Australian businesses have had their data held to ransom:
- September 2012: NT-based TDC Refrigeration and Electrical had vital financial records encrypted, forcing it to pay a $3000 ransom.
- November 2012: Deanes Buslines was similarly confronted with a $3000 ransom after having its critical data locked down.
- December 2012: A Byron Bay school found its records encrypted, with a ransom demand of $5000. The school could not pay and, after trying to bargain with the Eastern European attacker, forfeited the data, recovering only a limited data set through forensic analysis.
- Gold Coast medical practice The Miami Family Medical Centre was held to ransom by hackers demanding $4000 to decrypt sensitive patient information.
- February 2013: Melbourne bus company Firefly Coaches found its data encrypted and its Windows machines locked down. A ransom notice demanded $5000 for the decryption key. Firefly had backups.
Firefly, a small family-owned business in Avondale Heights, did what many of us fail to do – maintain regular, tested and "air-gapped" backups on a drive kept physically separate from the PC network.
How does ransomware infect?
Many of these ransomware infections begin with a visit to a malicious website that delivers malware via drive-by download, or with opening a malicious email attachment or clicking a malicious link.
Attackers also breach company networks directly by brute-forcing weak credentials on Remote Desktop Protocol (RDP) services exposed to the internet. RDP (TCP port 3389) provides remote access, is commonly unused in small businesses and should be disabled. Where it is needed, do not expose it directly to the internet, enforce strong passwords and account lockout, and watch the Windows Security log for bursts of failed RDP logons.
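The following is an added example, not code from the original article: a small detector for the RDP password guessing described above. It reads failed-logon records (Event ID 4625) and successful logons (Event ID 4624), keeps only LogonType 10 (RemoteInteractive, which is what an RDP session logs), and flags any source address with ten or more failures inside a five-minute window, noting whether a successful logon from the same address followed. The log lines, account names and IP addresses are constructed for the example; on a real host the same fields come from the Security log (for instance via Get-WinEvent or wevtutil) rather than this simplified one-line-per-event format.

```python
"""Flag RDP password guessing in failed-logon records (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Simplified one-event-per-line format assumed for this example; the fields are
# the ones a 4624/4625 Security event carries (time, event id, logon type,
# target account, source network address).
EVENT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) EventID=(?P<eid>\d+) "
    r"LogonType=(?P<lt>\d+) Account=(?P<acct>\S+) Source=(?P<src>\S+)$"
)

# Constructed sample log: 12 RDP failures in under three minutes from one
# address, against three accounts, followed by a successful administrator logon
# from that same address; then one benign user mistyping a password once.
ACCOUNTS = ["admin", "administrator", "backup"]
SAMPLE_LOG = [
    f"2013-02-10 02:{14 + i // 4:02d}:{(i * 15) % 60:02d} EventID=4625 "
    f"LogonType=10 Account={ACCOUNTS[i % 3]} Source=203.0.113.7"
    for i in range(12)
] + [
    "2013-02-10 02:17:02 EventID=4624 LogonType=10 Account=administrator Source=203.0.113.7",
    "2013-02-10 09:01:10 EventID=4625 LogonType=10 Account=jsmith Source=192.0.2.5",
    "2013-02-10 09:01:25 EventID=4624 LogonType=10 Account=jsmith Source=192.0.2.5",
    "2013-02-10 09:05:00 EventID=4625 LogonType=2 Account=jsmith Source=-",  # console, ignored
]

RDP_LOGON_TYPE = 10  # RemoteInteractive


def parse_event(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
        "event_id": int(m.group("eid")),
        "logon_type": int(m.group("lt")),
        "account": m.group("acct"),
        "source": m.group("src"),
    }


def find_rdp_bruteforce(lines, threshold=10, window=timedelta(minutes=5)):
    """Return {source_ip: details} for sources with >= threshold RDP failures
    inside any `window`; details record the peak failure count in a window,
    the accounts targeted, and whether an RDP success followed the first failure."""
    failures = defaultdict(list)
    successes = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["logon_type"] != RDP_LOGON_TYPE:
            continue
        if ev["event_id"] == 4625:
            failures[ev["source"]].append(ev)
        elif ev["event_id"] == 4624:
            successes[ev["source"]].append(ev)

    alerts = {}
    for src, events in failures.items():
        events.sort(key=lambda e: e["ts"])
        peak, start = 0, 0
        for end, ev in enumerate(events):          # sliding window over sorted failures
            while ev["ts"] - events[start]["ts"] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak < threshold:
            continue
        first_fail = events[0]["ts"]
        alerts[src] = {
            "failures": peak,
            "accounts": sorted({e["account"] for e in events}),
            # A success after a burst of failures is the case to treat as a breach.
            "success_after": any(s["ts"] > first_fail for s in successes.get(src, [])),
        }
    return alerts


if __name__ == "__main__":
    for src, info in find_rdp_bruteforce(SAMPLE_LOG).items():
        print(f"{src}: {info['failures']} RDP failures against {info['accounts']}, "
              f"success afterwards: {info['success_after']}")
```

Account lockout (a few failures, then a lockout period) defeats this kind of guessing outright; the detector is for noticing when guessing has been happening against a server that was left exposed, and the `success_after` flag is the one that should trigger an incident response rather than a password change.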
How to protect against ransomware
A few simple steps will reduce your chances of being infected with ransomware:
- Ensure your operating system and applications have the latest security patches installed.
- Be wary of opening email attachments and clicking links in spam emails, or installing software from untrusted sources.
- Be wary of visiting websites that suggest you need to update/install software, drivers or video codecs.
- Back up important data, and test that it restores!
Once your data is held to ransom, there are only three options: 1. pay the ransom demanded, which is generally $3000-$5000 and provides no guarantee that your files will be returned to you; 2. attempt to recover the files with a decryption tool, which only works where the ransomware's encryption is flawed or its keys have been recovered; or 3. completely wipe and reinstall your system from backups.
Clearly, a backup stored on a USB drive that is always connected is not safe from the attackers: they will encrypt it along with everything else. Disconnect external backup drives once the backup has finished, or they will be locked down too. For many businesses a sensible "air-gap" solution is to take backups off site, which also protects against data loss in the event of fire.
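An added example, not code from the original article, of the "tested backups" point above: it records a manifest of file hashes when a backup is taken, and later verifies the backup copy against that manifest, reporting files that are missing, changed, or newly appeared, and flagging changed or new files whose contents look encrypted (high byte entropy). The manifest must be kept somewhere the ransomware cannot reach (off the backup media, off site), otherwise it is encrypted along with the backup. The sample directory tree, file names and the simulated "ransomware" step are constructed for the example and run in a temporary directory.

```python
"""Verify a backup copy against a separately stored hash manifest (added example)."""
import hashlib
import math
import os
import shutil
import tempfile
from collections import Counter

ENTROPY_THRESHOLD = 7.5  # bits per byte; random or encrypted data sits near 8.0


def sha256_file(path, chunk=65536):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's path (relative to root, forward slashes) to its SHA-256."""
    manifest = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def shannon_entropy(data):
    """Bits of entropy per byte of `data` (0.0 for empty input, 8.0 maximum)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def verify_backup(backup_root, manifest, entropy_threshold=ENTROPY_THRESHOLD):
    """Compare the backup tree with the manifest taken when it was made."""
    current = build_manifest(backup_root)
    missing = sorted(set(manifest) - set(current))
    unexpected = sorted(set(current) - set(manifest))
    changed = sorted(p for p in manifest if p in current and current[p] != manifest[p])
    suspicious = []
    for rel in changed + unexpected:            # encrypted content looks random
        with open(os.path.join(backup_root, rel), "rb") as f:
            if shannon_entropy(f.read(65536)) >= entropy_threshold:
                suspicious.append(rel)
    return {
        "ok": not (missing or changed or unexpected),
        "missing": missing,
        "changed": changed,
        "unexpected": unexpected,
        "suspicious": suspicious,
    }


def simulate():
    """Back up a constructed tree, verify it, then simulate ransomware reaching
    a backup drive that was left connected, and verify again."""
    base = tempfile.mkdtemp(prefix="backup_demo_")
    src, bak = os.path.join(base, "source"), os.path.join(base, "backup")
    os.makedirs(os.path.join(src, "notes"))
    files = {                                   # constructed, low-entropy business data
        "invoices.csv": "id,amount\n" + "1,100\n" * 200,
        "ledger.txt": "opening balance 1000\n" * 100,
        "notes/readme.txt": "restore procedure: plug in drive, run verify\n",
    }
    for rel, text in files.items():
        with open(os.path.join(src, rel), "w") as f:
            f.write(text)
    manifest = build_manifest(src)              # store this OFF the backup media
    shutil.copytree(src, bak)
    before = verify_backup(bak, manifest)

    # Simulated ransomware on the still-connected backup: one file overwritten in
    # place, one encrypted and renamed, and a ransom note dropped.
    with open(os.path.join(bak, "ledger.txt"), "wb") as f:
        f.write(os.urandom(4096))
    os.rename(os.path.join(bak, "invoices.csv"), os.path.join(bak, "invoices.csv.locked"))
    with open(os.path.join(bak, "invoices.csv.locked"), "wb") as f:
        f.write(os.urandom(4096))
    with open(os.path.join(bak, "HOW_TO_DECRYPT.txt"), "w") as f:
        f.write("Your files are encrypted. Pay $5000 for the key.\n")
    after = verify_backup(bak, manifest)
    shutil.rmtree(base)
    return before, after


if __name__ == "__main__":
    before, after = simulate()
    print("clean backup verifies:", before["ok"])
    print("after simulated attack:", after)
```

Run the verification before a drive is rotated off site, not after: a backup that fails this check is exactly the one you do not want to be relying on when the ransom note appears.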
Panda Security have released a 'Panda Ransomware Decrypt' tool. Note that such tools only work against the specific ransomware families they were written for.
Note: There is also a fake 'Australian Federal Police ransomware' that behaves in a similar fashion, locking the computer and demanding money while pretending to be Australian law enforcement. The lock screen looks convincing (shown below), but would the AFP accept payment by Ukash?