November 15, 2016
Teachers Talk - Ransomware - When Will You Lose Your Data?
Colin Hill, Director of Computer Services, Burman University, Lacombe, AB

Ransomware has a long history; it has been a threat to computer security since 1989.  But with the arrival of Bitcoin, a payment system that is very hard to trace back to a person, it has quickly risen as a very profitable (for the criminals) and extremely frustrating (for those infected) reality that must be taken seriously.  Since the best tool to thwart a ransomware attack is knowledge, hopefully this information will give you a starting point to a safer computing environment.
 
A ransomware attack typically consists of malware infecting your computer and encrypting files on the system. This is followed by a demand for payment of a ransom before you are provided with a means to decrypt the affected files.  
 
There are many ways that the malware can install itself on your computer or mobile device.  In days past, an infected diskette placed in a computer was the main vector.  Today, an infected USB thumb drive could just as well do the job.  But with the low cost and universal reach of email, that has become the predominant means of delivery.  Anti-virus systems have been rather ineffective against threats spread through email because the malware evolves quickly and is packed or obfuscated to slip past signature-based detection.  As the attackers have honed their skills, they are relying more on social engineering to trick you into installing or activating the little piece of code that will begin the attack.  Emails with attachments have been very popular. These attachments appear to be resumes, requested files or pictures, or the message carries links to articles or deals that seem too good to be true. As this threat continues to progress, the attackers are taking more time to craft their messages so that you are more likely to ‘click’.  Here at Burman University, we have seen messages including administrator names and positions with enough detail to know that someone has spent time researching us.  This is becoming more likely for smaller businesses and organizations as they are known to often have weaker security in place.
 
Once you open the attachment or click on a link, things can begin to happen behind the scenes, and the next thing you know, you are prompted with a message saying that all of your files have been encrypted and you must follow their instructions to get them back. Most of the recent attacks will demand payment in Bitcoin, a virtual currency that is pseudonymous: every transaction is public, but tying a wallet address to a real person is hard. It is the use of such a payment system that has allowed these attacks to continue across international borders, and there is little that authorities can do to catch these criminals.  Some have been so ‘kind’ as to set up help desks that will assist you in converting your money to Bitcoins and transferring it to their wallet.
 
Yes, they want your money.  For the most part, once you have paid, they will provide you with the decryption key and tool that you need to decrypt your files and get the data back, though nothing obliges them to, and a paid ransom does not always produce a working decryptor.  Lately, there has been an increase in the number of targets that have been hit a second time.  It seems that once they know you have paid, they will hit you again and try for a larger ransom.  It is worth noting also that an extension to any deadline they may give is often negotiable.  
 
So, should you pay or not?  Over the past year, there have been many examples of targets that have paid hefty ransoms, ranging from hospital systems in the US to the University of Calgary.  It really depends on how much you value your data and the cost associated with restoring or rebuilding it.  While most law enforcement officials urge non-payment if at all possible, there have been police forces that have paid the ransom. However, if you can put yourself in a position where you have the option not to pay, you are much better off.  
 
When these attacks first started, they would only affect files on the local C: drive of the computer.  They soon evolved to encrypt files on mapped network drives as well, and then on any file share the infected account could write to.  Another change in this sinister trend is that the malware no longer needs an active Internet connection to reach its command server and obtain an encryption key: newer variants carry the attacker's public key with them and generate the file-encryption keys offline. In the past, if you simply disconnected or shut off the computer as soon as you realized you may have clicked on a bad link, you might have been saved.  We are now seeing variants that will encrypt files even if the system is not on the Internet. This is a fast-evolving threat landscape.  
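The practical consequence of the paragraph above is that every share the infected account can write to is in scope, and the first sign on a file server is often documents that still carry their names but no longer open. As an added example that is not part of the original article, the Python script below scans a directory the way a file-server administrator might, flagging files whose extension promises a known format but whose leading bytes lack that format's signature and look like ciphertext. The directory, file names and contents are constructed for the demonstration; the 7.5 bits-per-byte threshold and the set of recognized signatures are assumptions to tune for your own environment.

```python
import math
import os
import tempfile
from pathlib import Path

# Leading bytes (magic numbers) that files of these types must start with.
MAGIC = {
    ".pdf": b"%PDF",
    ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04", ".pptx": b"PK\x03\x04",
    ".jpg": b"\xff\xd8\xff", ".png": b"\x89PNG",
}
# Assumed threshold in bits per byte; ciphertext and random data sit near 8.0.
ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string, from 0.0 (constant) to 8.0 (uniform)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_encrypted(path: Path, sample_size: int = 4096) -> bool:
    """True when a file lacks the header its extension promises and its leading
    bytes are near-random. The header check comes first: docx/xlsx are zip
    containers and already score high on entropy, so entropy alone would raise
    a false alarm on every healthy Office document."""
    expected = MAGIC.get(path.suffix.lower())
    if expected is None:
        return False  # unknown type: nothing to compare against
    with path.open("rb") as fh:
        head = fh.read(sample_size)
    if head.startswith(expected):
        return False
    return shannon_entropy(head) >= ENTROPY_THRESHOLD


def scan_share(root: Path) -> list:
    """Relative paths under root that look like documents encrypted in place."""
    return sorted(str(p.relative_to(root)) for p in root.rglob("*")
                  if p.is_file() and looks_encrypted(p))


def build_demo_share() -> Path:
    """Constructed sample directory: two healthy files and one whose name was
    kept but whose content an encryptor overwrote (simulated with os.urandom)."""
    root = Path(tempfile.mkdtemp(prefix="share-demo-"))
    (root / "report.pdf").write_bytes(b"%PDF-1.4\n" + b"1 0 obj << >> endobj\n" * 100)
    # Healthy spreadsheet: correct zip header followed by compressed-looking data.
    (root / "budget.xlsx").write_bytes(b"PK\x03\x04" + os.urandom(4000))
    # Encrypted document: same name, but the header is gone and the bytes are random.
    (root / "minutes.docx").write_bytes(os.urandom(4096))
    return root


if __name__ == "__main__":
    for rel in scan_share(build_demo_share()):
        print("possible encrypted file:", rel)
```

Variants that rename files to a new extension are skipped by this check, so pair it with an alert on unfamiliar extensions, on ransom-note files appearing in many folders, and on a burst of writes from one account; when it fires, disable that account's access to the share before anything else.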
 
Once you have been infected and see a ransom message, your options are: 1) pay and take a chance that you will be able to retrieve your files, 2) recover the files from a good backup, or 3) attempt to decrypt the files without paying. The attackers will give you direction on how to pay, so no additional discussion of that is needed here.  By far the best recovery option is to restore from a known good backup.  Of course, this assumes that you do have one.  Those with cloud-based or other online backup plans could even find their backup copies encrypted, or overwritten with encrypted versions, if the backup location is connected or synchronizing during the attack.  It is imperative to have an off-line backup in place, even if it is only part of your backup solution, and to test that you can actually restore from it. If you do not have a backup and payment is not attractive, there may still be hope. Some decryption tools have been created by antivirus companies, usually after a flaw in the malware's cryptography was found or a key server was seized, but these often take weeks or months to appear. If you are attacked by an older variant, then it is worth seeing what is available. Identify the variant first (the ransom note and the extension added to encrypted files are the usual clues), then search for a decryptor for that name.
 
Finally, we all know that a gram of prevention is worth a kilogram of cure, so what can you do to ensure you do not become a victim?  The first step in defence is education.  As the majority of current attacks are carried out through email, you must educate your users to be on the lookout for suspicious emails and attachments.  The best policy is to never open an attachment that you are not expecting, to be suspicious of those that you are, and not to click on links.  Most email systems will show a preview of an attachment.  If you do not get this preview without clicking on it, be suspicious.  Perhaps forward questionable email to a mobile device that is less likely to be affected and open the attachment there (however, Android and iOS devices are not totally immune).   Always inspect a link before you click, by hovering over it and reading the actual address rather than the displayed text, to ensure that it takes you where you expect.  Offering security awareness and training sessions as part of your professional development plan is also a great place to start. Conducting an Email Exposure Check (as is offered by KnowBe4 in the resources below) could give you a baseline to work from.
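To make "inspect the link" and "do not open unexpected attachments" concrete, here is an added Python example (not from the original article, and not a KnowBe4 tool) that triages a raw email message with the standard library: it lists attachments whose type can run code or that hide a double extension, and anchors whose visible text points somewhere other than the real destination (or to a bare IP address). The two messages embedded in the script are constructed samples using example.org addresses; the extension lists are an assumption and deliberately incomplete.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Assumed (and deliberately incomplete) lists of attachment types worth refusing.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "ps1", "js", "jse",
                   "vbs", "vbe", "wsf", "hta", "jar", "lnk", "msi"}
MACRO_EXTS = {"docm", "xlsm", "pptm", "dotm", "xltm"}
ARCHIVE_EXTS = {"zip", "rar", "7z", "iso", "img"}

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
TAG_RE = re.compile(r"<[^>]+>")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def risky_attachments(msg):
    """Return (filename, reason) for attachments a user should not open."""
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        pieces = name.split(".")
        ext = pieces[-1] if len(pieces) > 1 else ""
        if ext in EXECUTABLE_EXTS:
            reason = "executable file type"
            if len(pieces) > 2:  # e.g. resume.pdf.exe shown as "resume.pdf"
                reason += ", disguised with a double extension"
            findings.append((name, reason))
        elif ext in MACRO_EXTS:
            findings.append((name, "macro-enabled Office document"))
        elif ext in ARCHIVE_EXTS:
            findings.append((name, "archive, inspect contents before extracting"))
    return findings


def mismatched_links(msg):
    """Return (shown_text, real_href) for anchors whose visible text misleads.

    Only link text that is itself a URL can be compared; for text such as
    'click here' the user still has to hover and read the real address."""
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []
    findings = []
    for href, inner in ANCHOR_RE.findall(body.get_content()):
        shown = TAG_RE.sub("", inner).strip()
        real_host = (urlparse(href).hostname or "").lower()
        shown_host = (urlparse(shown).hostname or "").lower() if "://" in shown else ""
        if IPV4_RE.match(real_host) or (shown_host and shown_host != real_host):
            findings.append((shown, href))
    return findings


def triage(raw_message: bytes) -> dict:
    """Parse a raw RFC 822 message and report both kinds of findings."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    return {"attachments": risky_attachments(msg), "links": mismatched_links(msg)}


# Constructed sample: a lure with a mismatched link and a double-extension
# attachment (the attachment body is 16 harmless bytes, not a real program).
LURE_EML = b"""From: "HR Department" <hr@payroll-update.example>
To: staff@example.org
Subject: Updated resume for review
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Please review the attached file or view it online at
<a href="http://198.51.100.7/login">https://portal.example.org/hr</a></p>
</body></html>
--b1
Content-Type: application/octet-stream; name="resume.pdf.exe"
Content-Disposition: attachment; filename="resume.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--b1--
"""

# Constructed sample: an ordinary internal message that should produce no findings.
CLEAN_EML = b"""From: colleague@example.org
To: staff@example.org
Subject: Agenda
Content-Type: text/html; charset="utf-8"

<p>The agenda is at <a href="https://intranet.example.org/agenda">https://intranet.example.org/agenda</a>.</p>
"""

if __name__ == "__main__":
    for label, raw in (("lure", LURE_EML), ("clean", CLEAN_EML)):
        print(label, triage(raw))
```

A mail gateway rule built on the same ideas (quarantine executable and double-extension attachments, rewrite or flag links whose host is a bare IP) takes the decision out of the user's hands for the easy cases; the training is for the cases a rule cannot judge.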
 
For the second step, put policies and tools in place that are appropriate for your environment. Be aware that most antivirus software is not going to stop one of these attacks.  It can take time for even systems like Google's mail filtering to detect and block new variants. One of the best defences is not giving your users administrator rights on their computers.  Since we have done this at Burman University we have not had any successful attacks, whereas we had had a half dozen in the few months before we implemented this policy.  Even so, it is not a guarantee: a process running as a standard user can still encrypt every file that user can write, including network shares, and drive-by exploits can deliver the same punch without administrator access.  What removing admin rights buys you is a smaller blast radius, since the malware cannot install itself system-wide, disable the security software, or delete the volume shadow copies that might otherwise let you recover.
 
With our increasing reliance on technology, there is an ongoing battle between security and usability.  The only safe computer is one that is turned off.  Users are the most uncontrollable component.  So education backed up with appropriate policies is the best defence.  Stay safe.
 
Resources:
 
Should you pay?  https://nakedsecurity.sophos.com/2015/10/28/did-the-fbi-really-say-pay-up-for-ransomware-heres-what-to-do/
 
How to decrypt:
https://blog.kaspersky.com/cryptxxx-ransomware/11939/
 
User Education
https://blog.knowbe4.com/the-fine-art-of-not-being-stupid-security-awareness-training
 
Remove Admin rights?
https://securityintelligence.com/endpoint-security-admin-rights-malware-yeah-right/