Cybersecurity: The threat from Ransomware and how to reduce the risk

Computer viruses, trojans and worms have been around for as long as computers have been in common use, and since the Internet became ubiquitous they have increased steadily. In the beginning computer viruses were a nuisance, causing problems on the infected PC. The authors of the viruses were mostly looking to cause problems and make a name for their virus, but in recent years the authors have been looking at ways to make money from their viruses and trojans.

Initially the focus was on sending spam, or stealing online passwords from infected computers but a new even more troubling type of trojan has appeared which encrypts every data file it can see on the network with high grade encryption and then charges the victim for the decryption keys to recover their data.

This new form of trojan is called Ransomware. Since many victims find themselves without adequate backups for their data they have been forced to pay the criminals for the keys to recover their data, this makes ransomware potentially an extremely profitable business for criminals.

Most ransomware comes in the form of an email attachment, which could be an executable file, or a Microsoft Word or Excel document with macros, the initial virus downloads the ransomware payload, installs it, creates an encryption key and sends a copy to the criminals. Then it runs and encrypts every data file it can see before alerting the user to the ransomware and telling them how to pay the ransom. The ransomes vary between a few hundred pounds and tens of thousands of pounds and generally the payment method is Bitcoin which is a secure anonymous payment method that is very difficult to track back to the criminals. Many people who have paid the ransom have not received the decryption key, or the key they have received does not work.

All of the examples we have been able to find in antivirus / antispam systems we maintain have been targeted at Microsoft Windows and / or Microsoft Office macros and scripts. Since iMetal, Stockmaster and all of the other application written by Metalogic run on the Linux Operating System, our customers do not currently need to worry about those servers becoming infected, although network shares open to PC would still be vulnerable to an infected PC.

What can be done to protect from Ransomware

• Take regular verified backups of data. Backups are critical in ransomware incidents. If all of your data files get encrypted and you have backups, you just need to restore them.
• Secure your backups. Ensure that backups are not accessible to PCs e.g. over the network, and take backups off site. If an infected PC or server can see the backups when the trojan runs then it can encrypt them.
• Make sure that all PCs have antivirus installed and that it is kept up to date. Ensure that full PC scans are regularly run, and that users report any errors or warnings related to antivirus software, or when opening email attachments.
• Make sure that all PCs have patches and updates installed as they are released from Microsoft, most viruses and trojans rely on known vulnerabilities in Windows to infect the computer. Also ensure that other applications such as Microsoft Office, Flash, Java, are updated where possible.
• Block executable email attachments and document types that include macros such as .docm and ensure that anyone who may need to send you documents sends them in a form that does not include macros.
• Ensure that macros are disabled in all Office products and that users do not enable macros unless it is essential to do so. Microsoft provide free Office document viewers which can be used to view office documents, these do not support macros.
• Make sure that users are aware never to open an email attachment unless it is from a known source and they are expecting it. Make sure that users know never to enable macros to view a document sent to them unless it is essential to do so. Some Ransomware documents show the steps necessary to enable macros when opened, and uneducated users may follow those steps. Regularly remind users never to open email attachments from unknown sources and never to enable macros to view documents from emails.
• Restrict access to files on the network as much as possible, ransomware only infects the files the PC can see, and those we have examined only infect active shares the PC has. If users do not need access to data files then do not allow them access.
• Restrict access to the Internet. If users do not need access to the Internet then do not allow it, or if only a number of sites are required allow only those sites on the PC. Consider installing a PC running a non Microsoft Operating System for surfing the net.

While it is never possible to entirely eliminate the threat from viruses and trojans, it is possible to ensure that the business is not threatened should you become a victim of an attack.

Read more on Ransomware and risk reduction here.