Free Republic

Ransomware: Pay it or fight it?
Network World ^ | Mar 16, 2015 | Colin Neagle

Posted on 03/21/2015 9:30:33 AM PDT by xzins

Ask security experts what to do when hit with ransomware – the sophisticated malware that infects a device or network, uses military-grade encryption to restrict access, and demands payment for the decryption key – and you'll typically get the same answer: "never pay the ransom."

But for many, that's simply not an option. For example, last November an employee in the Sheriff's Department in Dickinson County, Tenn., accidentally clicked on a malicious ad and exposed the office network to the infamous CryptoWall ransomware. Detective Jeff McCliss told local News Channel 5 that CryptoWall had encrypted "every sort of document you could develop in an investigation," such as witness statements and evidence photos. Even after consulting with the FBI and U.S. military, McCliss told the news station that the only solution was to pay the $500 to the cybercriminals to get their files back.

This wasn't an isolated case – for example, a police department in suburban Chicago recently paid a $600 ransom after it was struck by a similar attack, according to the Chicago Tribune. Although ransomware has been around in some (less successful) forms since the late 1980s, modern ransomware is designed to be essentially impenetrable. Only the malware author holds the private decryption key, meaning the only way to fight this threat is to prepare for it ahead of time. Enterprises that aren't fully prepared for a ransomware attack really have no incentive not to pay. In fact, many of those who do think they're prepared find that they have no option other than to negotiate with their hostage takers.

Organizations that employ real-time backup and frequently test their tools typically survive a ransomware attack unscathed – they can simply wipe the infected device and restore the backed-up files.

This is hardly the reality for many organizations, especially for mid-sized companies with limited to no IT resources or even larger organizations whose IT staff is spread thin. Even organizations that have prepared for this kind of scenario often find that their file restore functions don't work, says Stu Sjouwerman, CEO of security training firm KnowBe4, which has advised and assisted victims of ransomware. Many organizations that invest in a file backup solution fail to test their restore function. When they need it to work, they find that they cannot restore all the files that they backed up, rendering the backup efforts futile.

"They overlook [testing the restore function] all the time," Sjouwerman says. "It is a best practice, but IT is, as you well know, under a lot of pressure. They are forced to put out fires all day long and in the meantime also put new systems online. So it's hard to find time for that type of thing in a day-to-day IT environment."

From there, the decision to pay basically comes down to whether the data that was encrypted is worth more than the ransom demanded.

In most of these cases, paying the ransom is a "no-brainer" for the organization, Sjouwerman says. That's because ransomware is largely automated, demanding around $500 in exchange for the decryption key for all victims. The ransom for a police department's evidence might be the same as for a personal PC user's photos.

"Ransomware is the Walmart of cybercrime. They just have decided to automate the whole process," Sjouwerman says. "And they are massively phishing as many email addresses and companies as they possibly can. For them, they have figured out that the business model is: some people will have backups, some people won't. Of the people that don't, it has to be a no-brainer."

The cybercriminals behind these attacks are concerned with maximizing the likelihood of their victims paying the ransom. Theoretically, they could increase the payout for cases where they've encrypted more valuable data. But the key is to make sure they pay up, and keeping the price within a reasonable range will increase the chances that more victims will pay.

Honor among thieves

Along these lines, many of the people behind ransomware have focused on creating a trustworthy reputation on the Internet, honoring all ransom payments and leaving victims alone once the exchange has been made. In December, Sjouwerman told CSO about a new strain of ransomware called OphionLocker that was designed to recognize the devices it had infected in the past so that it doesn't hit the same victims repeatedly. And in his experience working with ransomware victims, Sjouwerman says every victim that has paid the required ransom amount did receive their decryption key, most of them within an hour of sending the payment.

The objective is to make the decision as easy as possible for ransomware victims – if they pay up, they will receive access to their files and can put the entire ordeal behind them. "If they are not prepared and they are hit, most of them will pay," Sjouwerman says.

So it's not much of a surprise that ransomware has grown so rapidly since CryptoLocker, the now-defunct ransomware strain that brought this model to the internet, was released in September 2013. Symantec estimated in September (PDF) that CryptoLocker-style ransomware grew 700% in 2014. McAfee recently reported (PDF) a 155% growth of ransomware in the fourth quarter of 2014.

The IT security community may advise against paying the ransom as a means of removing the incentive for cybercriminals to engage in this kind of scam. But that is usually the last thing on the minds of IT decision makers who just want to get their files back and get back to work. For an organization that faces losing weeks' or months' worth of data, they can write off the expense as a learning experience.

"This is in jest and more ironic than anything else, but you almost have to be grateful to the Eastern European cyber mafia to send you a social engineering audit that tests both your employees and your IT department for being click-happy, and also if best practices are being implemented or done," Sjouwerman says. "It's a really cheap audit, for $500."
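The article's point that a backup is only worth what a tested restore proves it is worth can be exercised with a small restore drill. The following is an added example, not code from the article, from KnowBe4 or from any poster in the thread; the sample files are constructed, and the "damage" step stands in for a backup job that silently truncated one file and never wrote another:

```python
"""Restore drill: back up a directory with a SHA-256 manifest, then prove the backup
can actually be restored by restoring it elsewhere and checking every file against the
manifest. Added example; the sample files below are constructed."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large evidence files do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src: Path, backup: Path) -> dict:
    """Copy src into backup/data and record the hash of every source file in
    backup/manifest.json. The manifest is what later proves the restore is complete."""
    data = backup / "data"
    manifest = {}
    for p in sorted(src.rglob("*")):
        if p.is_file():
            rel = p.relative_to(src).as_posix()
            dest = data / rel
            dest.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(p, dest)
            manifest[rel] = sha256_of(p)
    (backup / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def restore_and_verify(backup: Path, restore_to: Path) -> list:
    """Restore every file named in the manifest and report what does not come back intact.
    Returns a list of (relative_path, reason) pairs; an empty list means the drill passed."""
    manifest = json.loads((backup / "manifest.json").read_text())
    problems = []
    for rel, expected in manifest.items():
        src = backup / "data" / rel
        if not src.is_file():
            problems.append((rel, "missing from backup"))
            continue
        dest = restore_to / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dest)
        if sha256_of(dest) != expected:
            problems.append((rel, "hash mismatch after restore"))
    return problems


def run_drill(break_backup: bool) -> list:
    """Build a sample tree (constructed data), back it up, optionally damage the backup
    to simulate a job that was never verified, then run the restore check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src, backup, restore = root / "src", root / "backup", root / "restore"
        (src / "cases").mkdir(parents=True)
        (src / "cases" / "statement1.txt").write_text("witness statement (constructed)")
        (src / "cases" / "photo1.bin").write_bytes(bytes(range(256)) * 4)
        (src / "notes.txt").write_text("misc notes (constructed)")
        make_backup(src, backup)
        if break_backup:
            # simulate a silently truncated copy and a file that never got written
            (backup / "data" / "cases" / "photo1.bin").write_bytes(b"\x00" * 10)
            (backup / "data" / "notes.txt").unlink()
        return restore_and_verify(backup, restore)


if __name__ == "__main__":
    print("healthy backup:", run_drill(False))
    print("damaged backup:", run_drill(True))
```

The drill restores to a scratch location rather than over the live data, so it can be run on a schedule without risk; a non-empty result is the signal the article says most organizations never see until the day they need the backup.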


TOPICS: Extended News; News/Current Events
KEYWORDS: computers; computing; extortion; internet; ransomware; theft
To: xzins
I got hit with a ransomware from the "FBI" and they threatened me with further inquiries on my activities and a few other very scary et ceteras, which ... when called ... the FBI had no idea ... it wasn't from them

My geek friend said yeah ... it's a virus and he somehow re-formatted (I had lost my back-up CD) and got me back on track

I thought of this last night for no known reason (the event was about a year ago) and I thought ... the FBI or anyone that is named as a ransomware deliverer, should protect their own name and reputation by figuring out a patch and give it away free.

Ironic this thread shows up after I had thought of that last night.

21 posted on 03/21/2015 9:49:03 AM PDT by knarf (I say things that are true ... I have no proof ... but they're true)
[ Post Reply | Private Reply | To 2 | View Replies]

To: dayglored

Good points all.

At this point just about everybody has a newer machine and an old one gathering dust. I made it a point a long time ago to use a “throwaway” laptop for all my internet browsing. It has no data on it and with a Ghost snapshot I can restore it in 20 minutes if I get a bug.

There’s no excuse for losing your stuff anymore.


22 posted on 03/21/2015 9:51:19 AM PDT by rockrr (Everything is different now...)
[ Post Reply | Private Reply | To 7 | View Replies]

To: xzins

On the side, it would seem every piece of evidence touched by the encryption would be invalidated. It was out of the chain of custody while encrypted and subject to manipulation while the pc was infected.


23 posted on 03/21/2015 9:53:59 AM PDT by CriticalJ (Suppose you were an idiot. And suppose you were a member of Congress.. But then I repeat myself. MT)
[ Post Reply | Private Reply | To 1 | View Replies]

To: wally_bert

Both are overpriced bloatware. AVG and Malwarebytes both publish free versions and the paid versions are reasonably priced for what they offer; there are other good free anti-malware packages as well.


24 posted on 03/21/2015 9:54:31 AM PDT by Squawk 8888 (Will steal your comments & post them on Twitter)
[ Post Reply | Private Reply | To 15 | View Replies]

To: Feckless

I run an image with Odin on a weekly basis. Runs in the background and takes roughly 18 hours. This is in addition to my nightly backup.


25 posted on 03/21/2015 9:56:42 AM PDT by Squawk 8888 (Will steal your comments & post them on Twitter)
[ Post Reply | Private Reply | To 19 | View Replies]

To: xzins

Something similar happened at work where one person’s pc was infected but they put a file on a shared drive which infected all those files and some other people had their pc’s infected who used files from the infected drive.

The company has backups for the network drives and was able to use them but anything new added to those network drives was lost and the other pc’s infected were wiped and a new image of Windows was put on as they could not remove the virus.

Copy your photos separate off the pc or you may lose all those memories.


26 posted on 03/21/2015 9:56:54 AM PDT by minnesota_bound
[ Post Reply | Private Reply | To 1 | View Replies]

To: Squawk 8888

I routinely backup, and verify the backup. I have multiple backups in case the latest one is compromised. That’s at home. At work. ..


27 posted on 03/21/2015 9:57:22 AM PDT by ThunderSleeps (Stop obarma now! Stop the hussein - insane agenda!)
[ Post Reply | Private Reply | To 3 | View Replies]

To: CriticalJ

That’s a good point.

The safest route is to back up your file and get an entirely new system, writing off the old equipment and old files.


28 posted on 03/21/2015 9:57:34 AM PDT by xzins (Retired Army Chaplain and Proud of It -- Those Who Truly Support Our Troops Pray for Their Victory!)
[ Post Reply | Private Reply | To 23 | View Replies]

To: xzins
When you get the ‘fbi’ screen don't click on it or the pop up box. Instead go down to the lower tool bar and right click, scroll down and select ‘Start Task Manager’ and click on the item to stop. Wait 30 seconds or so for it to stop. Do this on each item until they are all cleared and your browser closes all windows.

This can stop the takeover... Some people say to unplug from the Ethernet first but I don't know if that helps.

29 posted on 03/21/2015 10:08:25 AM PDT by virgil283
[ Post Reply | Private Reply | To 1 | View Replies]

To: dayglored
If your backup device -- external drive or memory stick -- is connected to the machine when it is corrupted, the files on that device will also be encrypted.

However, if you take regular backups then disconnect the backup device and only reconnect it to restore a file or to do the next backup, then yes, you can restore from there.

I back up regularly to a memory stick that I immediately remove once the backup is done. I NEVER leave it in the port.

30 posted on 03/21/2015 10:13:12 AM PDT by IronJack
[ Post Reply | Private Reply | To 13 | View Replies]

To: xzins

Bump for reference.


31 posted on 03/21/2015 10:17:29 AM PDT by MeneMeneTekelUpharsin (Freedom is the freedom to discipline yourself so others don't have to do it for you.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: IronJack
> If your backup device -- external drive or memory stick -- is connected to the machine when it is corrupted, the files on that device will also be encrypted. However, if you take regular backups then disconnect the backup device and only reconnect it to restore a file or to do the next backup, then yes, you can restore from there. I back up regularly to a memory stick that I immediately remove once the backup is done. I NEVER leave it in the port.

Excellent point. I do that also (unmount the backup drive), but I took it for granted that of course people do that.... you're right, they don't.

32 posted on 03/21/2015 10:25:10 AM PDT by dayglored (Listen, strange women lying in ponds distributing swords is...sounding pretty good about now.)
[ Post Reply | Private Reply | To 30 | View Replies]

To: xzins

Bump


33 posted on 03/21/2015 10:30:29 AM PDT by Impala64ssa (You call me an islamophobe like it's a bad thing.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: IronJack

That’s a very good point. Back up and remove back up device. Too easy to get sloppy and just sign off.


34 posted on 03/21/2015 10:33:21 AM PDT by xzins (Retired Army Chaplain and Proud of It -- Those Who Truly Support Our Troops Pray for Their Victory!)
[ Post Reply | Private Reply | To 30 | View Replies]

To: dayglored
"There are great programs that can even give you hourly incrementals (like Apple's Time Machine) and you can go back to just before you got hit."

Roger that. I'm a belt and suspenders guy. Mirror raid with a time machine backup on the Mac Pro home server. Macbook Pro for browsing and preliminary work. Then a business workhorse desktop, another older Mac Pro, with no internet connection. This machine is Super Duper cloned periodically to an external HD. Then the kids use a PC desktop for homework. If that blows up, who cares…dime a dozen

I realize the bigger issue is for those with offsite servers. The secret here is backing up. And maybe it's a good idea to eliminate web browsers from employees machines.

35 posted on 03/21/2015 10:45:34 AM PDT by moehoward
[ Post Reply | Private Reply | To 10 | View Replies]
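The point dayglored raised and moehoward quotes above, that hourly incrementals let you "go back to just before you got hit", has a catch: a backup run that fired after encryption had started but before anyone saw the ransom screen has already captured ciphertext. The following is an added example, not code from any poster; the snapshots are constructed in memory as dictionaries of relative path to file bytes, and the screening is a byte-entropy comparison between consecutive snapshots:

```python
"""Pick a restore point from timestamped backup snapshots. Added example, not from the
thread. Snapshots are constructed in memory as {relative_path: bytes}. The newest
snapshot taken before the ransom screen appeared is not automatically safe, so each
candidate is screened by comparing per-file byte entropy with the snapshot before it."""
import math
import random
from collections import Counter
from datetime import datetime


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant file, close to 8.0 for ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def suspicious_files(previous: dict, current: dict,
                     jump: float = 2.0, absolute: float = 7.5) -> list:
    """Paths in `current` whose content looks like it was replaced with ciphertext.
    A file that existed in `previous` is judged by how much its entropy rose, so a format
    that is always dense (JPEG, ZIP) is not reported merely for being dense; a brand-new
    file has no baseline and is flagged on the absolute threshold alone."""
    flagged = []
    for path, data in current.items():
        now = shannon_entropy(data)
        if path in previous:
            if now - shannon_entropy(previous[path]) > jump:
                flagged.append(path)
        elif len(data) >= 64 and now > absolute:
            flagged.append(path)
    return flagged


def choose_restore_point(snapshots: dict, incident_time: datetime):
    """Newest snapshot older than `incident_time` that shows no suspicious change from
    its predecessor. Returns that snapshot's timestamp, or None if no clean one exists."""
    times = sorted(snapshots)
    for i in range(len(times) - 1, -1, -1):
        if times[i] >= incident_time:
            continue
        previous = snapshots[times[i - 1]] if i > 0 else {}
        if not suspicious_files(previous, snapshots[times[i]]):
            return times[i]
    return None


# Constructed sample data: one text document and one stand-in for a photo.
_rng = random.Random(7)
TEXT = b"Witness statement, case 14: the vehicle was parked on the north side. " * 60
PHOTO = bytes(_rng.getrandbits(8) for _ in range(4096))       # dense, like a JPEG
CIPHERTEXT = bytes(_rng.getrandbits(8) for _ in range(4096))  # the document after encryption

SNAPSHOTS = {
    datetime(2015, 3, 20, 9, 0): {"cases/statement.txt": TEXT, "cases/photo.jpg": PHOTO},
    datetime(2015, 3, 20, 10, 0): {"cases/statement.txt": TEXT, "cases/photo.jpg": PHOTO},
    # hourly run that fired after encryption began but before anyone saw the ransom screen
    datetime(2015, 3, 20, 11, 0): {"cases/statement.txt": CIPHERTEXT, "cases/photo.jpg": PHOTO},
}
INCIDENT_NOTICED = datetime(2015, 3, 20, 11, 30)

if __name__ == "__main__":
    print("restore from:", choose_restore_point(SNAPSHOTS, INCIDENT_NOTICED))
```

On the constructed data the 11:00 snapshot is rejected because the statement's entropy jumped, and 10:00 is chosen. The screen is deliberately coarse: a photo that was itself encrypted shows no jump and is missed, so the entropy check is a filter on which snapshot to try first, not proof that a snapshot is clean, and it only helps if more than one snapshot was kept, which is the reason several posters keep multiple backups.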

To: xzins

Download Kaspersky Rescue Disk 10, boot computer from it, clean out Ransomware, D'oh


36 posted on 03/21/2015 10:45:55 AM PDT by molson209 (Blank)
[ Post Reply | Private Reply | To 1 | View Replies]

To: molson209

An earlier poster pointed out that the ransom originators could have changed your files, and they should not be used again.

The suggestion is that it's better to back up and start over completely. That seems logical to me.


37 posted on 03/21/2015 10:49:39 AM PDT by xzins (Retired Army Chaplain and Proud of It -- Those Who Truly Support Our Troops Pray for Their Victory!)
[ Post Reply | Private Reply | To 36 | View Replies]

To: molson209; CriticalJ

An earlier poster, criticalj, pointed out that the ransom originators could have changed your files, and they should not be used again.

The suggestion is that it's better to back up and start over completely. That seems logical to me.


38 posted on 03/21/2015 10:50:32 AM PDT by xzins (Retired Army Chaplain and Proud of It -- Those Who Truly Support Our Troops Pray for Their Victory!)
[ Post Reply | Private Reply | To 36 | View Replies]

To: dayglored

Agree with your recommendations, and would add one.

I use Firefox with an add-on called ‘No Script’. It blacklists all scripts unless you explicitly allow them. You can white-list known-good sites and it will remember them.

Keep much of the stuff from getting in in the first place, so you don’t end up having to dig it out of your OS.


39 posted on 03/21/2015 11:02:42 AM PDT by Riley (The Fourth Estate is the Fifth Column.)
[ Post Reply | Private Reply | To 7 | View Replies]

To: wally_bert

I had Dr. Spyware, which did a great job.


40 posted on 03/21/2015 11:24:08 AM PDT by cotton1706 (ThisRepublic.net)
[ Post Reply | Private Reply | To 15 | View Replies]



FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson