Data Security 04-22-2016

Ransomware: A Threat On The Rise

Sara Drury

Ransomware is the rampant criminal business wreaking havoc across the globe. Each week seems to bring a new report of a company hit by ransomware, but what exactly makes these attacks so effective?

Cybercriminals first identify vulnerabilities that give them access to a computer's files and then encrypt the information in those files so the owner can no longer read them. The attackers hold their victims' files hostage until the victims agree to pay the ransom (paid in bitcoin) in exchange for the key to decrypt the now-encrypted files. This particular strategy aims at immediate profit.

In 2015, an advanced banking malware, Dridex, gained access to financial login information that was used to drain bank accounts across the U.S. and the United Kingdom. Dridex tactics have influenced the growth of one of the most widespread ransomware infections, the Locky Trojan. Not only does Locky encrypt important data, it also searches for and erases Volume Shadow Copy files, the backup repository in Windows that victims would ordinarily use to try to restore their lost data. Locky is distributed through spam messages sent by the same botnet used to send the infamous Dridex malware. Furthermore, according to Kim Zetter's article for Wired, attackers use Locky to deny access to a server, locking out all workers and infecting anyone who tries to access that server, which lets the attacker spread the malware to even more machines.

But Locky is not the only ransomware predator in use today. Businesses must be aware that CryptoWall and TeslaCrypt are other ransomware families that use tactics such as phishing and malvertising to infect their target systems.

Take the Proper Precautions to Avoid Becoming a Victim

The flood of ransomware attacks has caused enough damage that both the U.S. and Canadian governments have issued cyber alerts warning businesses and their customers about this cyber plague. Most ransomware victims are completely unaware of the attack until it's too late. To help protect your computers and networks from ransomware infection, here are some preventative tips from the U.S. Department of Homeland Security and the Canadian Cyber Incident Response Centre:

  • Back up data and store it offline, ideally on a separate device. An offline copy is out of Locky's reach when it erases the Volume Shadow Copy files stored on the Windows system itself.
  • Use application whitelisting to help prevent malicious software and unapproved programs from running.
  • Keep operating systems and software up to date with the latest patches. Most attacks target vulnerable applications and older operating systems.
  • Maintain up-to-date anti-virus software and scan all software downloaded from the internet before executing it.
  • Restrict users' permissions to install and run unwanted software, and apply the principle of “Least Privilege” to all systems and services. This helps prevent malware from running, or limits its ability to spread through the network.
  • Avoid enabling macros from email attachments. Macros are how the Locky strain hooks into systems, so enterprises and organizations might be better off blocking email messages with attachments from suspicious sources.
  • Don't click on links in unsolicited email, or even on links that appear to come from people you know. These crooks have made a living out of duping people into believing they are clicking on something sent by a friend or coworker.
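As an added example (not from the original article), here is a small Python detection routine for the shadow-copy erasure described above: it scans process-creation log lines for the built-in vssadmin and wmic commands that ransomware families such as Locky use to delete Volume Shadow Copies, so a defender can alert on the behaviour before the backups are gone. The log line format and the sample events are assumptions constructed for this example, not real telemetry.

```python
import re
from typing import Dict, List, Optional

# Constructed sample process-creation events (simplified Sysmon-style text), not real telemetry.
SAMPLE_LOGS = [
    '2016-04-22T10:01:02Z host=WS01 user=alice image=C:\\Windows\\System32\\notepad.exe cmd="notepad.exe report.docx"',
    '2016-04-22T10:03:15Z host=WS01 user=alice image=C:\\Windows\\System32\\vssadmin.exe cmd="vssadmin.exe Delete Shadows /All /Quiet"',
    '2016-04-22T10:03:16Z host=WS01 user=alice image=C:\\Windows\\System32\\wbem\\WMIC.exe cmd="wmic shadowcopy delete"',
    '2016-04-22T10:05:00Z host=WS02 user=backupsvc image=C:\\Windows\\System32\\vssadmin.exe cmd="vssadmin.exe List Shadows"',
    'garbage line that does not parse',
]

# One event per line: timestamp, host, user, image path and a quoted command line (assumed format).
LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+'
    r'image=(?P<image>\S+)\s+cmd="(?P<cmd>.*)"$'
)

# Command lines that destroy Volume Shadow Copies. Merely listing shadows is benign and is
# deliberately not matched, so a backup operator running "vssadmin List Shadows" stays quiet.
SHADOW_DELETE_RULES = {
    "vssadmin_delete_shadows": re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.IGNORECASE),
    "wmic_shadowcopy_delete": re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.IGNORECASE),
}


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one event line into a dict of fields, or return None if it is malformed."""
    match = LINE_RE.match(line.strip())
    return match.groupdict() if match else None


def find_shadow_copy_deletions(lines: List[str]) -> List[Dict[str, str]]:
    """Return every event whose command line deletes shadow copies, tagged with the rule that fired."""
    hits = []
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue  # skip lines that do not fit the expected format
        for rule_name, pattern in SHADOW_DELETE_RULES.items():
            if pattern.search(event["cmd"]):
                hits.append({**event, "rule": rule_name})
                break  # one alert per event is enough
    return hits


if __name__ == "__main__":
    for hit in find_shadow_copy_deletions(SAMPLE_LOGS):
        print(f'ALERT {hit["ts"]} {hit["host"]} user={hit["user"]} rule={hit["rule"]} cmd={hit["cmd"]!r}')
```

On the constructed sample, the two destructive commands on WS01 raise alerts while the benign listing on WS02 does not.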

Sometimes, though, prevention isn't enough, and ransomware sneaks in through even the smallest vulnerabilities. So what if an infection has already breached your server? If you can help it, do not pay the ransom. Obviously, this is easier said than done, but as the alert warns, “Paying the ransom does not guarantee the encrypted files will be released; it only guarantees that the malicious actors receive the victim’s money, and in some cases, their banking information. In addition, decrypting files does not mean the malware infection itself has been removed.”

NakedSecurity has laid out a few guidelines to follow in the event of a ransomware infection, such as using a little guesswork to reconstruct a list of decryption keys yourself. But guesswork is only so reliable, and the process is becoming ever more complicated. Thus, prevention remains the best guard against attack as ransomware campaigns grow even more creative.
