Free Republic
Ransomware: Pay it or fight it?
Network World ^ | Mar 16, 2015 | Colin Neagle

Posted on 03/21/2015 9:30:33 AM PDT by xzins

Ask security experts what to do when hit with ransomware – the sophisticated malware that infects a device or network, uses military-grade encryption to restrict access, and demands payment for the decryption key – and you'll typically get the same answer: "never pay the ransom."

But for many, that's simply not an option. For example, last November an employee in the Sheriff's Department in Dickinson County, Tenn., accidentally clicked on a malicious ad and exposed the office network to the infamous CryptoWall ransomware. Detective Jeff McCliss told local News Channel 5 that CryptoWall had encrypted "every sort of document you could develop in an investigation," such as witness statements and evidence photos. Even after consulting with the FBI and U.S. military, McCliss told the news station that the only solution was to pay the $500 to the cybercriminals to get their files back.

This wasn't an isolated case – for example, a police department in suburban Chicago recently paid a $600 ransom after it was struck by a similar attack, according to the Chicago Tribune. Although ransomware has been around in some (less successful) forms since the late 1980s, modern ransomware is designed to be essentially impenetrable. Only the malware author holds the private decryption key, meaning the only way to fight this threat is to prepare for it ahead of time. Enterprises that aren't fully prepared for a ransomware attack really have no incentive not to pay. In fact, many of those who do think they're prepared find that they have no option other than to negotiate with their hostage takers.

Organizations that employ real-time backup and frequently test their tools typically survive a ransomware attack unscathed – they can simply wipe the infected device and restore the backed-up files.

This is hardly the reality for many organizations, especially for mid-sized companies with limited to no IT resources or even larger organizations whose IT staff is spread thin. Even organizations that have prepared for this kind of scenario often find that their file restore functions don't work, says Stu Sjouwerman, CEO of security training firm KnowBe4, which has advised and assisted victims of ransomware. Many organizations that invest in a file backup solution fail to test their restore function. When they need it to work, they find that they cannot restore all the files that they backed up, rendering the backup efforts futile.

"They overlook [testing the restore function] all the time," Sjouwerman says. "It is a best practice, but IT is, as you well know, under a lot of pressure. They are forced to put out fires all day long and in the meantime also put new systems online. So it's hard to find time for that type of thing in a day-to-day IT environment."
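The restore test the article says gets skipped is straightforward to automate. The Python script below is an added example, not code from the Network World article or from KnowBe4: it records a SHA-256 manifest of a directory at backup time, then checks a restored copy against that manifest and reports anything missing, altered or unexpected. The drill at the end builds a small constructed file tree, "restores" it with two deliberate defects, and returns the report a failed drill would produce. The file names and the `restore_drill` function are constructed for the example.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Content hash of one file, read in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Record relative path -> sha256 for every regular file under root, at backup time."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(manifest: dict, restored: Path) -> dict:
    """Compare a restored tree against the manifest taken at backup time.

    Returns files that are missing, files whose content differs, and files that
    appeared without being in the manifest. Three empty lists mean the drill passed.
    """
    report = {"missing": [], "corrupted": [], "unexpected": []}
    expected = set()
    for rel, digest in manifest.items():
        expected.add(rel)
        target = restored / rel
        if not target.is_file():
            report["missing"].append(rel)
        elif sha256_of(target) != digest:
            report["corrupted"].append(rel)
    for p in restored.rglob("*"):
        if p.is_file():
            rel = str(p.relative_to(restored)).replace(os.sep, "/")
            if rel not in expected:
                report["unexpected"].append(rel)
    return report


def restore_drill() -> dict:
    """Constructed end-to-end drill: back up a small tree, 'restore' it, check the result.

    The restore is deliberately imperfect so the report shows what a failed drill looks like.
    """
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        live = tmp / "live"
        (live / "cases").mkdir(parents=True)
        (live / "cases" / "statement-001.txt").write_text("witness statement (constructed sample)\n")
        (live / "cases" / "photo-001.jpg").write_bytes(b"\xff\xd8constructed-sample-bytes")
        (live / "notes.txt").write_text("shift notes\n")
        manifest = build_manifest(live)

        restored = tmp / "restored"
        shutil.copytree(live, restored)
        # Two restore defects: one file never came back, one came back truncated.
        (restored / "cases" / "photo-001.jpg").unlink()
        (restored / "notes.txt").write_text("shift")
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    print(restore_drill())
```

Run the drill as part of every scheduled restore test rather than once after installing the backup product; a report with three empty lists is the evidence that the restore function works when it is needed, and a non-empty one is found on a quiet afternoon instead of during an incident.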

From there, the decision to pay basically comes down to whether the data that was encrypted is worth more than the ransom demanded.

In most of these cases, paying the ransom is a "no-brainer" for the organization, Sjouwerman says. That's because ransomware is largely automated, demanding around $500 in exchange for the decryption key for all victims. The ransom for a police department's evidence might be the same for a personal PC user's photos.

"Ransomware is the Walmart of cybercrime. They just have decided to automate the whole process," Sjouwerman says. "And they are massively phishing as many email addresses and companies as they possibly can. For them, they have figured out that the business model is: some people will have backups, some people won't. Of the people that don't, it has to be a no-brainer."

The cybercriminals behind these attacks are concerned with maximizing the likelihood of their victims paying the ransom. Theoretically, they could increase the payout for cases where they've encrypted more valuable data. But the key is to make sure they pay up, and keeping the price within a reasonable range will increase the chances that more victims will pay.

Honor among thieves

Along these lines, many of the people behind ransomware have focused on creating a trustworthy reputation on the Internet, honoring all ransom payments and leaving victims alone once the exchange has been made. In December, Sjouwerman told CSO about a new strain of ransomware called OphionLocker that was designed to recognize the devices it had infected in the past so that it doesn't hit the same victims repeatedly. And in his experience working with ransomware victims, Sjouwerman says every victim that has paid the required ransom amount did receive their decryption key, most of them within an hour of sending the payment.

The objective is to make the decision as easy as possible for ransomware victims – if they pay up, they will receive access to their files and can put the entire ordeal behind them. "If they are not prepared and they are hit, most of them will pay," Sjouwerman says.

So it's not much of a surprise that ransomware has grown so rapidly since CryptoLocker, the now-defunct ransomware strain that brought this model to the internet, was released in September 2013. Symantec estimated in September (PDF) that CryptoLocker-style ransomware grew 700% in 2014. McAfee recently reported (PDF) a 155% growth of ransomware in the fourth quarter of 2014.

The IT security community may advise against paying the ransom as a means of removing the incentive for cybercriminals to engage in this kind of scam. But that is usually the last thing on the minds of IT decision makers who just want to get their files back and get back to work. An organization that faces losing weeks' or months' worth of data can write off the expense as a learning experience.

"This is in jest and more ironic than anything else, but you almost have to be grateful to the Eastern European cyber mafia to send you a social engineering audit that tests both your employees and your IT department for being click-happy, and also if best practices are being implemented or done," Sjouwerman says. "It's a really cheap audit, for $500."


TOPICS: Extended News; News/Current Events
KEYWORDS: computers; computing; extortion; internet; ransomware; theft

1 posted on 03/21/2015 9:30:33 AM PDT by xzins

To: All

This is a new one for me, but it seems a natural next step for the thieves in the virus/spyware business. I’ve often thought that the companies producing the solutions had a lot to gain from new viruses being created. That’s something I hope isn’t true, but it’s been in the back of my mind.

Now, the guy with the solution is the guy who creates the problem.

How can this not be an actionable crime?


2 posted on 03/21/2015 9:30:46 AM PDT by xzins (Retired Army Chaplain and Proud of It -- Those Who Truly Support Our Troops Pray for Their Victory!)

To: xzins

Run a daily backup and it’ll never be an issue.


3 posted on 03/21/2015 9:32:44 AM PDT by Squawk 8888 (Will steal your comments & post them on Twitter)

To: xzins

You don’t need to do either. It’s a scam. Shut down your computer, sign in as the administrator and run your antivirus scans to remove the virus.

It’s a clever virus but it can be removed. It just needs to be removed outside before you “sign in” to your computer, and that’s through administrator mode.

I’ve had this happen to me and resolved it.


4 posted on 03/21/2015 9:34:45 AM PDT by cotton1706 (ThisRepublic.net)

To: Squawk 8888

This says that they lock you out of your files and that restore doesn’t necessarily help.


5 posted on 03/21/2015 9:35:53 AM PDT by xzins (Retired Army Chaplain and Proud of It -- Those Who Truly Support Our Troops Pray for Their Victory!)

To: xzins

It’s a crime. But the criminals are in other countries and aren’t available for prosecution. At least not easily.


6 posted on 03/21/2015 9:37:08 AM PDT by Sherman Logan

To: xzins
The better question is, why the hell did you get it in the first place???

And how come you don't have up-to-date backups?

DO THE SMART THING:

Then you won't have to worry about this crapware, ransomware, etc.

It's a fact.

7 posted on 03/21/2015 9:38:03 AM PDT by dayglored (Listen, strange women lying in ponds distributing swords is...sounding pretty good about now.)

To: cotton1706

I’ve had this happen to me, as well. My solution has always been to go in before Windows starts and reset the system to an earlier date, then run Malwarebytes. Now if some white hat hacker were to track these guys down, we could round them up and shoot them.


8 posted on 03/21/2015 9:38:21 AM PDT by TexasBarak (I aim to misbehave!)

To: cotton1706
Removing the "virus" won't do any good if the malware has already encrypted all your files. The only way to get your data back is to decrypt it, and the only way to do that is with the key.

The solution is to track these vermin down and break their skulls.

9 posted on 03/21/2015 9:39:41 AM PDT by IronJack

To: Squawk 8888
> Run a daily backup and it’ll never be an issue.

Exactly true.

There are great programs that can even give you hourly incrementals (like Apple's Time Machine) and you can go back to just before you got hit.

10 posted on 03/21/2015 9:40:01 AM PDT by dayglored (Listen, strange women lying in ponds distributing swords is...sounding pretty good about now.)

To: xzins

“How can this not be an actionable crime?”

It is a crime, but it usually is not actionable:

1. You have to have a government who is willing and capable of investigating and prosecuting such a crime, which we do not have at present.

2. The government must have a means of extraditing the suspect/s to stand trial, which they usually don’t with respect to the vast majority of cyber-criminals conducting state supported criminal racketeering from Russia, China, North Korea, and so forth.

Ransomware has destroyed three hard drives of my data so far....


11 posted on 03/21/2015 9:40:39 AM PDT by WhiskeyX

To: xzins
Now, the guy with the solution is the guy who creates the problem.

We see this all the time... those guys are called lawyers and politicians.


12 posted on 03/21/2015 9:40:40 AM PDT by Rodamala

To: IronJack
> The only way to get your data back is to decrypt it,

Not true. Just restore from your recent backup.

You DO make backups, right???

13 posted on 03/21/2015 9:41:09 AM PDT by dayglored (Listen, strange women lying in ponds distributing swords is...sounding pretty good about now.)

To: cotton1706

I’ve not had it happen, and hopefully won’t, but it’s good to have that solution on file.


14 posted on 03/21/2015 9:41:59 AM PDT by xzins (Retired Army Chaplain and Proud of It -- Those Who Truly Support Our Troops Pray for Their Victory!)

To: cotton1706

Wished Symantec could do it. On the couple with ransomware that came to me, it took either another 3rd party or just wiping and starting over.

I hate Symantec but McAfee is even worse. Supposedly we are going to it.


15 posted on 03/21/2015 9:42:27 AM PDT by wally_bert (There are no winners in a game of losers. I'm Tommy Joyce, welcome to the Oriental Lounge.)

To: xzins
> This says that they lock you out of your files and that restore doesn’t necessarily help.

We're not talking about Windows System Restore. That's NOT A BACKUP.

We're talking about a full backup of the machine, plus incrementals of changed files. It's not hard to do. You just have to care about your work.

16 posted on 03/21/2015 9:44:45 AM PDT by dayglored (Listen, strange women lying in ponds distributing swords is...sounding pretty good about now.)
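dayglored's point here and in comment 10 (a full backup plus incrementals, so you can go back to just before you got hit) can be shown concretely. The Python block below is an added example, not code from any commenter or from Time Machine: a content-addressed snapshot store that keeps one manifest per snapshot and stores each distinct file body once, so a later snapshot of unchanged files costs nothing. The drill takes two good snapshots, then replaces every working file with unreadable content to stand in for the infection, takes a third snapshot (the scheduled job keeps running and dutifully backs up the damage), and restores from the last snapshot taken before the time the damage began. `SnapshotStore`, the timestamps and the file contents are all constructed.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class SnapshotStore:
    """Content-addressed backup store in the style of hourly incrementals (constructed,
    not any real product). A snapshot is a timestamp plus {relative path: content hash};
    file bodies live under blobs/<hash>, written once per distinct content."""

    def __init__(self, store: Path):
        self.blobs = store / "blobs"
        self.blobs.mkdir(parents=True, exist_ok=True)
        self.snapshots = []  # list of (timestamp, manifest), oldest first

    def snapshot(self, root: Path, timestamp: int) -> int:
        """Record the current state of root; return how many new file bodies were stored."""
        manifest = {}
        new_blobs = 0
        for p in sorted(root.rglob("*")):
            if not p.is_file():
                continue
            data = p.read_bytes()
            digest = sha256_bytes(data)
            blob = self.blobs / digest
            if not blob.exists():
                blob.write_bytes(data)
                new_blobs += 1
            manifest[p.relative_to(root).as_posix()] = digest
        self.snapshots.append((timestamp, manifest))
        return new_blobs

    def latest_before(self, cutoff: int):
        """Most recent snapshot taken strictly before cutoff (the time the damage is
        believed to have started). None if nothing predates it."""
        candidates = [s for s in self.snapshots if s[0] < cutoff]
        return max(candidates, key=lambda s: s[0]) if candidates else None

    def restore(self, manifest: dict, dest: Path) -> int:
        """Write every file in the manifest under dest, re-checking each body's hash."""
        dest.mkdir(parents=True, exist_ok=True)
        for rel, digest in manifest.items():
            data = (self.blobs / digest).read_bytes()
            if sha256_bytes(data) != digest:
                raise ValueError(f"backup store corrupted for {rel}")
            target = dest / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
        return len(manifest)


def rollback_drill() -> dict:
    """Constructed scenario: two good snapshots, damage at t=2500, a third snapshot of the
    damaged files, then a point-in-time restore to the last good snapshot."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        work = tmp / "work"
        work.mkdir()
        store = SnapshotStore(tmp / "store")
        (work / "report.txt").write_text("draft 1\n")
        (work / "budget.csv").write_text("item,cost\n")
        n1 = store.snapshot(work, timestamp=1000)  # full: both files are new bodies
        (work / "report.txt").write_text("draft 2\n")
        n2 = store.snapshot(work, timestamp=2000)  # incremental: only report.txt changed
        # Stand-in for the infection: every document becomes unreadable at t=2500.
        for p in work.rglob("*"):
            if p.is_file():
                p.write_bytes(b"\x00unreadable\x00")
        n3 = store.snapshot(work, timestamp=3000)  # scheduled job backs up the damage too
        ts, manifest = store.latest_before(2500)
        restored = tmp / "restored"
        store.restore(manifest, restored)
        return {
            "new_blobs": (n1, n2, n3),
            "snapshot_used": ts,
            "report": (restored / "report.txt").read_text(),
            "budget": (restored / "budget.csv").read_text(),
        }


if __name__ == "__main__":
    print(rollback_drill())
```

The third snapshot is why point-in-time selection matters: a "restore the latest backup" button would hand back the damaged files, and a product that keeps only one copy would already have overwritten the good ones. Keeping history, and knowing roughly when the damage started, is what turns a backup into a recovery.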

To: IronJack
The solution is to track these vermin down and break their skulls.

Yep. If Tom Jefferson was still President, he would have our federals doing this. This is one appropriate function/place for federal action.

Find them. Kill them.

It's a criminal attack on US citizens on US soil by foreign powers. Kill them.

/johnny

17 posted on 03/21/2015 9:45:40 AM PDT by JRandomFreeper (gone Galt)

To: xzins

A much better solution, and the one I’d use if I was President, would be to form an elite unit that tracked these scum down and assassinated them in extremely gruesome fashion, leaving behind warning messages of a no uncertain character for the rest. My prediction is that these types of cyberattacks would quickly wane in the presence of such countertactics.


18 posted on 03/21/2015 9:45:42 AM PDT by catnipman (Cat Nipman: Vote Republican in 2012 and only be called racist one more time!)

To: xzins
I do an Acronis image of all of my PCs (home/laptop/work) every quarter. When (because just like dropping your bike, it's not if but when) I get bitten I do a full restore.

I also have a second HD in my home desktop where I store/install everything but the basic Win7 Pro operating system.

19 posted on 03/21/2015 9:47:37 AM PDT by Feckless (I was trained by the US << This Tagline Censored by FR >> ain't that irOnic?)

To: dayglored

To your very good list I would add the following:

If someone actually HAS software that will make your machine 200% faster, why would they offer to give it away for free?

Porno sites are the WORST because no one wants to report being infected by one so they run free forever.

Unless your stupid IT department has locked this feature out, always turn on show file extensions. With it on, anything you receive from anybody that has an extension of .exe should be thrown away immediately. Even if it appears to have been sent by a friend.


20 posted on 03/21/2015 9:47:39 AM PDT by I cannot think of a name
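The extension advice in this comment is worth making precise, because the double-extension trick (a file named like invoice.pdf.exe that Explorer shows as "invoice.pdf" while extensions are hidden) is exactly what turning the setting on defeats. The Python below is an added example, not from the comment or any Free Republic poster: a small attachment triage rule that looks at the real (last) extension, rejects executable types, and flags the bait pattern separately. It goes beyond the comment's ".exe" to other extensions Windows runs directly; the extension lists, `displayed_name` (an approximation of Explorer's hide-known-extensions behaviour) and the sample attachment names are all constructed for this example.

```python
# Extensions Windows treats as directly runnable when opened from Explorer or a mail client.
# The comment above names only .exe; this constructed list widens it to other common ones.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".jse",
                   ".wsf", ".hta", ".msi", ".ps1"}

# Document types used as bait in front of the real extension, e.g. "invoice.pdf.exe".
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx",
                 ".jpg", ".jpeg", ".png", ".txt", ".zip"}


def split_ext(name: str) -> tuple:
    """Split on the last dot: "invoice.pdf.exe" -> ("invoice.pdf", ".exe").
    No dot, or only a leading dot, means there is no extension."""
    dot = name.rfind(".")
    if dot <= 0:
        return name, ""
    return name[:dot], name[dot:].lower()


def displayed_name(filename: str) -> str:
    """Approximation of what Explorer shows with 'Hide extensions for known file types' on:
    the last extension disappears when it is a registered type. This is why invoice.pdf.exe
    reads as a PDF until the setting is turned off. (Constructed approximation.)"""
    stem, ext = split_ext(filename)
    return stem if ext in EXECUTABLE_EXTS | DOCUMENT_EXTS else filename


def classify_attachment(filename: str) -> dict:
    """Defender-side rule for incoming attachments: reject anything whose real extension is
    executable, and name the double-extension bait pattern explicitly when it is present."""
    stem, ext = split_ext(filename.strip())
    _, inner = split_ext(stem)
    if ext in EXECUTABLE_EXTS and inner in DOCUMENT_EXTS:
        verdict, reason = "reject", f"hidden executable {ext} behind a {inner} name"
    elif ext in EXECUTABLE_EXTS:
        verdict, reason = "reject", f"executable extension {ext}"
    else:
        verdict, reason = "allow", "not an executable type"
    return {"file": filename, "shown_as": displayed_name(filename),
            "verdict": verdict, "reason": reason}


# Constructed sample attachment names of the sort that arrive with a phishing mail.
SAMPLE_ATTACHMENTS = [
    "quarterly-report.pdf",
    "invoice_2015-03.pdf.exe",
    "photo.JPG.scr",
    "setup.exe",
    "notes.txt",
    "README",
]


def triage(names=SAMPLE_ATTACHMENTS) -> list:
    return [classify_attachment(n) for n in names]


if __name__ == "__main__":
    for r in triage():
        print(f'{r["verdict"]:6} {r["file"]:26} shown as "{r["shown_as"]}"  ({r["reason"]})')
```

The "shown as" column is the point of the comment: with extensions hidden, the second and third samples look like a PDF and a photo. The rule deliberately keys on the last extension only, because that is the one the operating system acts on, whatever the name in front of it says.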



Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.
