Ransomware


What is ransomware?

Ransomware is a category of malicious software that encrypts a user's data and demands that a ransom be paid to the software's creators.

Ransomware has become much more common recently, which means your backup routine is more important than ever.


Is ransomware common?

Dozens of victim businesses have gone public detailing how thousands of dollars were lost, either paying ransoms to unlock encrypted data — or in lost productivity after choosing to cut their losses.

In the last 6 months, many Australian businesses have had their data held to ransom:

Firefly, a small family-owned business in Avondale Heights, did what many of us fail to do: maintain regular, tested and “air-gapped” backups on a drive kept physically separate from the PC network.

A video by Symantec


How does ransomware infect?

Many of these ransomware attacks begin when a user visits a malicious website that delivers malware via a drive-by download, opens a malicious email attachment, or clicks a malicious link.

Attackers also breach company networks by brute-forcing the credentials of Remote Desktop Protocol (RDP) services left open to the internet. RDP, which listens on port 3389 and allows remote access to a machine, is often left enabled even though nobody uses it; if it is not needed, it should be disabled.
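As an added example that is not part of the original article, the script below spots the RDP credential brute-forcing described above in exported Windows Security log events. It assumes the events are exported as CSV-like lines (timestamp, EventID, LogonType, IpAddress, TargetUser); event IDs 4625/4624 and logon type 10 are standard Windows values, and the sample events themselves are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: timestamp,EventID,LogonType,IpAddress,TargetUser.
# 198.51.100.7 guesses passwords then gets in; 203.0.113.5 mistypes once; 192.0.2.9 is a type-3 (network) logon, ignored.
SAMPLE_EVENTS = """\
2024-03-01T02:00:01,4625,10,198.51.100.7,Administrator
2024-03-01T02:00:03,4625,10,198.51.100.7,admin
2024-03-01T02:00:05,4625,10,198.51.100.7,backup
2024-03-01T02:00:07,4625,10,198.51.100.7,reception
2024-03-01T02:00:09,4625,10,198.51.100.7,accounts
2024-03-01T02:00:11,4625,10,198.51.100.7,accounts
2024-03-01T02:00:20,4624,10,198.51.100.7,accounts
2024-03-01T02:01:00,4625,10,203.0.113.5,jsmith
2024-03-01T02:01:10,4624,10,203.0.113.5,jsmith
2024-03-01T02:02:00,4625,3,192.0.2.9,svc_share
"""

RDP_LOGON_TYPE = "10"             # LogonType 10 = RemoteInteractive (an RDP session)
FAILED, SUCCESS = "4625", "4624"  # Security log event IDs: failed / successful logon


def parse_events(text):
    """Yield (time, event_id, logon_type, ip, user) from the CSV-like export."""
    for line in text.splitlines():
        if line.strip():
            ts, eid, ltype, ip, user = line.split(",")
            yield datetime.fromisoformat(ts), eid, ltype, ip, user


def detect_rdp_bruteforce(text, threshold=5, window=timedelta(minutes=5)):
    """Per-IP report; a source is flagged after `threshold` failed RDP logons within `window`."""
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    report = defaultdict(lambda: {"failures": 0, "flagged": False, "success_after_flag": False})
    for ts, eid, ltype, ip, _user in sorted(parse_events(text)):
        if ltype != RDP_LOGON_TYPE:
            continue  # console, SMB and service logons are not RDP guessing
        entry = report[ip]
        if eid == FAILED:
            q = recent[ip]
            q.append(ts)
            while ts - q[0] > window:  # slide the window forward
                q.popleft()
            entry["failures"] += 1
            if len(q) >= threshold:
                entry["flagged"] = True
        elif eid == SUCCESS and entry["flagged"]:
            entry["success_after_flag"] = True  # guessing worked: treat as a likely breach
    return dict(report)


if __name__ == "__main__":
    print(detect_rdp_bruteforce(SAMPLE_EVENTS))
```

A successful logon from an already flagged source is the result worth acting on, since it means the guessed credentials were accepted.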


How to protect against ransomware

A few simple steps will reduce your chances of being infected with ransomware:

  • Ensure your computer system has the latest security patches installed.
  • Be wary of opening email attachments or clicking links in spam emails, and of installing software from untrusted sources.
  • Be wary of websites that suggest you need to update or install software, drivers or video codecs.
  • Back up important data!!!

Once your data is held to ransom, there are only 3 options:
  1. Pay the ransom demanded, which is generally $3000-$5000 and provides no guarantee that your computer or files will be returned to you;
  2. Attempt to crack the encryption using a decryption tool; or
  3. Completely wipe your system and reinstall it from backups.

Clearly, just having a backup stored on a USB drive that is always connected is not safe from the attackers. You need to disconnect external hard drives after each backup, or the attackers will encrypt them too. For many businesses, a sensible “air-gap” solution is to take backups off site, as this also protects against data loss in the event of fire.

Panda Security has released a ‘Panda Ransomware Decrypt’ tool.


Note: There is also fake ‘Australian Federal Police Ransomware’ which behaves in a similar fashion: locking the computer and demanding money, with the attackers pretending to be Australian law enforcement officials. The lock screen looks fancy (shown below), but would the AFP accept Ukash?


“AFP” Ransomware – and they accept Ukash?