The term ‘ransomware’ turns up more and more often. Ransomware is a persistent problem that will not disappear anytime soon, if the findings of recent studies are correct. Computers of COMPAREX customers, too, are taken hostage at an increasing rate. These customers ask us questions about how to deal with this problem and how to prevent their computers from getting infected.
By Eric Bruseker, Solution Security Specialist
Reading time: 4 minutes
What is ransomware?
Ransomware is a form of malware that causes the computer to be locked or information to be encrypted so that it cannot be used any longer. Next, the user receives a message indicating that ransom is to be paid for the release of the computer or information. Currently, ransomware is active in many variants.
How does your computer get infected?
Ransomware can reach the computer in two ways: via web traffic, for instance when an ad or download causes the malware to be installed, or by e-mail. In the latter case, the harmful process is started by an attachment or hyperlink, after which information becomes inaccessible.
The sting of ransomware is in the fact that it continues to evolve. As ransomware is adjusted again and again, traditional antivirus solutions always remain one step behind. In the past, infections primarily occurred by mass mailing and were based on the assumption that there would always be somebody who would click the URL and thus start the malware process. Nowadays, e-mails are increasingly focused on and specifically addressed to the recipient. A well-known example is the e-mail full of spelling errors from the Nigerian prince with his millions of dollars. Virtually everybody got suspicious and did not click the links. Today, however, personal spear phishing looks legitimate, making it a lot harder for people to recognize the threat.
What are your options, when your computer is infected with ransomware?
With an infected computer you have two options: you pay or you do not pay. COMPAREX advises its customers not to pay, since there is no guarantee that the infected files will actually be released or that the malware will really be removed. If the infection is limited to one desktop, there are ways to remove the ransomware. An infected network is more complicated, especially if the cryptoware was lodged in the network some time ago without manifesting itself – the latest trend, in which the malware lies low for one month before it becomes active. In that case the back-up is also corrupted, so cleaning the system and restoring a back-up is no longer an easy matter.
The benefits of ransomware
One would not expect to read about the benefits of ransomware in this text, but let me explain my train of thought.
Ransomware has the benefit of alerting an organization immediately to its vulnerability. Other Advanced Persistent Threats are specifically programmed to remain as quiet and unnoticeable as possible, so that the largest amount of information can be gathered and more damage is caused as a result. Researchers have found that it takes eight months on average before Advanced Persistent Threats are detected. Imagine the huge loss of data an organization may suffer in such a long period of time!
How to prevent data from being taken hostage?
How do you prevent your data from being taken hostage? There are several methods:
Ransomware often targets software with a security hole: a legacy browser or one that has not been updated, Adobe Flash, the operating system, or Java. Keeping the patch cycle as short as possible is essential for reducing the risk. In other words, ensure your software remains up to date.
To what extent are your employees aware of the potential danger? It has been found that malware is often started from webmail, such as Gmail and Hotmail. Therefore, inform your employees that their surfing and e-mail behaviour can pose a risk to the organization.
There are several technological solutions for preventing ransomware infection. With these security solutions, a security layer can be built on the endpoints, in the network or in the cloud (or a combination of these) to prevent any potential danger. Every security layer has its own benefits. Solutions that are currently widely used include the following:
Advanced Threat Protection
Various security vendors provide supplementary security measures. The most frequently occurring component is sandbox technology: suspect or unknown files are opened in a virtual environment to find out how the files behave. If they turn out to be malware, the threat can be easily overcome by isolating the endpoints and by blocking any new attacks on control points.
Additionally, some security vendors focus on the framework from which malware is started. As this process always follows a number of regular steps, it can be monitored so that the malware can be stopped at an early stage (before it reaches the endpoints). In this context, you need to consider whether you want to perform SSL inspection on the perimeter or on the endpoints. The perimeter has the advantage that it prevents malware from reaching the endpoints. Its disadvantage could be that privacy questions may arise when webmail is scanned for malware content.
Application control / whitelisting
Your IT environment runs various processes, and application control restricts execution to the files and processes that are known to the organization. If this system is properly configured, an unknown process such as ransomware can be stopped shortly after it starts, which makes this a fairly easy way to counter ransomware. Of course, its effectiveness also depends on the internal processes running on the system.
Obtain good information on ransomware
As indicated above, there are many possibilities to protect your computers against ransomware (and other threats). Do you want to know what we can do for you? Please, contact me or one of my colleagues.