Andrew Hay

The Truth About Ransomware: You’re On Your Own

What should enterprises do when faced with ransomware? The answer is, it depends.

Dark Reading Editor Tim Wilson raises an interesting question in a recent comment on Sara Peters’ blog, CryptoWall More Pervasive, Less Profitable Than CryptoLocker:

I'm interested to hear what security professionals advise when faced with ransomware infections such as those outlined in the story. Are there situations when they should consider paying the ransom? What are the implications for their data if they call in law enforcement? Is this something an enterprise can set a policy on, or is it really decided on a case-by-case basis?

When faced with ransomware infections, people need to know their options. As with any attack, it’s better to learn your technological limitations before you get infected. For the enterprise, security professionals should educate themselves (and users) about the current state of ransomware and consider steps to prevent and quickly remediate infections. But the truth is, for practically everybody, we’re mostly on our own when it comes to dealing with the ransomware problem.

Calling in law enforcement won't likely result in the recovery of your files. In fact, the Swansea, Mass., police department paid to have its own files decrypted last November. If the encrypted files are unrecoverable from a previous backup or are important to the continued operation of the business (or livelihood of the individual), paying the ransom might be the best course of action.

Keep in mind, however, that criminals using file-encryption tactics are under no obligation to actually decrypt your files once you have paid the ransom. Researchers suspect that some ransomware lacks the back-end infrastructure to store, and later hand over, the key needed to decrypt an infected user’s files after the ransom is paid.

The ZeroLocker issue
One such ransomware variant that raises this question is ZeroLocker. After ZeroLocker encrypts your files, the encryption key along with other information is sent through a GET request, rather than a POST, to a pre-determined server. This request results in a 404 on the server, which could mean that the server is not storing the key. So if you pay the ransom, you may not see your files restored. On the other hand, you might.

There will likely never be a Yelp or Angie's List review for a "reliable and honest online extortion racket," so unless you actually go through the motions of paying the ransom yourself or hear about the experiences of other infected users, you really won’t know the outcome.

With the current strain of CryptoLocker crimeware, tools such as the FireEye/Fox-IT Decrypt CryptoLocker site can be used to recover encrypted files without having to pay the demanded ransom. The service is not a silver bullet for all future strains of CryptoLocker, however, nor will it help with the decryption of files affected by other crimeware kits such as ZeroLocker, CryptorBit, or CryptoWall.

If your files are not recoverable from a backup, and you’re using a relatively recent Microsoft Windows desktop operating system release (Windows Vista and later), you may be able to leverage Windows’ System Restore functionality (Volume Shadow Copies) to get back pre-encryption versions of your files. Using a tool such as Shadow Explorer or Windows’ Previous Versions feature, you may be able to recover your file.

For information on how to restore files via these methods, the CryptoLocker guide on the Bleeping Computer website is an excellent resource on this subject.
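As an added illustration of the Previous Versions route described above (an example script written for this page, not code from the article, Shadow Explorer or Bleeping Computer), the following PowerShell enumerates the Volume Shadow Copies on a Windows machine and pulls the newest snapshot copy of a file whose content differs from the encrypted version on disk. The file path is a constructed sample, and the script assumes it runs as Administrator and that the shadow copies survived the infection.

```powershell
# Added example: recover a pre-encryption copy of one file from Volume Shadow Copies.
# Assumptions: run as Administrator; $EncryptedFile is a constructed sample path; the
# malware did not delete the snapshots (many families do, so the script checks first).
param(
    [string]$EncryptedFile = 'C:\Users\alice\Documents\budget.xlsx',  # constructed sample
    [string]$RestoreDir    = 'C:\Restore'
)

# Newest snapshots first; a snapshot taken after the infection will contain the
# encrypted file, so we compare hashes and keep walking back until content differs.
$shadows = Get-CimInstance -ClassName Win32_ShadowCopy | Sort-Object InstallDate -Descending
if (-not $shadows) {
    Write-Warning 'No shadow copies present; Previous Versions recovery is not possible.'
    return
}

$encHash  = (Get-FileHash -LiteralPath $EncryptedFile -Algorithm SHA256).Hash
$relative = $EncryptedFile.Substring(2)          # 'C:\Users\...' -> '\Users\...'
New-Item -ItemType Directory -Path $RestoreDir -Force | Out-Null

foreach ($s in $shadows) {
    # PowerShell cannot open \\?\GLOBALROOT paths directly, so expose the snapshot
    # through a temporary directory symlink (same trick Shadow Explorer relies on).
    $link = Join-Path $env:TEMP ('vss_' + ($s.ID -replace '[{}]', ''))
    cmd /c mklink /d "$link" "$($s.DeviceObject)\" | Out-Null
    try {
        $candidate = Join-Path $link $relative
        if (-not (Test-Path -LiteralPath $candidate)) { continue }
        $candHash = (Get-FileHash -LiteralPath $candidate -Algorithm SHA256).Hash
        if ($candHash -eq $encHash) {
            Write-Host "Snapshot $($s.InstallDate) already holds the encrypted version; skipping."
            continue
        }
        $dest = Join-Path $RestoreDir ('{0:yyyyMMdd-HHmmss}_{1}' -f $s.InstallDate,
                                       (Split-Path -Leaf $EncryptedFile))
        Copy-Item -LiteralPath $candidate -Destination $dest
        Write-Host "Recovered copy from snapshot $($s.InstallDate): $dest"
        break
    }
    finally {
        cmd /c rmdir "$link" | Out-Null   # removes only the symlink, not the snapshot
    }
}
```

Verify the recovered file opens correctly before deleting the encrypted original; a differing hash only proves the snapshot predates that particular file's encryption.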

Be prepared
There are steps you can take to mitigate or prepare for the next massive ransomware outbreak. Organizations should revisit and reinforce policies surrounding the frequency of data backups (and the testing of data restoration), acceptable email use, and user education to help combat future infestations. The policy should also apply to all devices within the infrastructure including laptops, servers, and workstations as well as cloud instances, employee-owned devices, and even IoT systems.

Individual end-users, including home and remote users, need to be particularly vigilant because the majority of ransomware malware packages are delivered as email attachments -- or as the second-stage malware downloaded after executing an initial email attachment. If you (or users in your organization) are skeptical about an unexpected email asking you to download or view a PDF, DOC, or PPT file, don’t follow the email instructions. Pick up the phone and physically call the individual (if you know them) or delete the email entirely. If it is important, it can always be resent after confirming its validity.

The delivery methods for ransomware continue to evolve from plain email attachments, to downloaders that fetch additional malware, to automated bots that pepper the Internet with documents just begging to be opened. Since delivery mechanisms are ever-changing, organizations need to adopt a predictive approach to defending against ransomware. Being able to discern the patterns criminals employ before an attack occurs leaves organizations far better prepared to mitigate any ransomware infections after the fact. This concept is known as predictive intelligence. In my next post I will explain how it works.

Andrew Hay is the CISO at DataGravity where he advocates for the company's total information security needs and is responsible for the development and delivery of the company's comprehensive information security strategy. Prior to that, Andrew was the Director of Research at ...

9/22/2014 | 11:41:27 AM
Backups and Malware Scans
I've seen this happen in corporate and personal occurrences. From a corporate standpoint, the ones who have defined in policy to not allow the saving of materials to local drives were normally better off than the other scenario. Network drives that have the appropriate security safeguards and that are backed up to another location seem to be the most logical configuration to fight against ransomware from a corporate standpoint.

The only advice I can give to the individual user is to have antivirus and malware scanning capabilities. Scan on a regular basis and back up your materials to a device such as an external drive that doesn't regularly touch the internet. Before attaching the device, make sure you scan your computer first to ensure the integrity of your system's current config.