Ransomware is booming and fast becoming a global security threat. The malware has caused much distress with the loss of important information for both business and personal users.
Ransomware is also more common than most would think, and comes in different variants such as Teslacrypt, Locky, Cryptowall etc. In 2015, there were almost 407,000 attempted ransomware infections and over USD325 million extorted from victims. The potential impact of a ransomware attack could even be life-threatening. In 2016, Los Angeles-based Hollywood Presbyterian Medical Center’s computer network was breached and disabled after being infected with ransomware. The hospital paid almost USD17,000 in ransom to obtain the decryption key and restore its computer systems.
So, what is ransomware and what can we do to protect ourselves against this growing threat?
What is Ransomware?
An amalgamation of two words—“Ransom” and “Ware”, the former suggests the release of something held hostage for a fee whereas the latter is short for “software.” Together they mean malicious software (malware) that infects computers and demands for monetary ransom for its release.
How does Ransomware work?
Data can be encrypted, or “protected” similar to how passwords are needed to prevent unauthorized access. Once ransomware infects a computer, the assailant encrypts all data and prevents the victim from accessing information. This could be anything from files stored in shared network drives, to other more common files such as images. Upon encryption, the victim will be unable to access any data without the decryption key that the assailant will offer in return for cash in the form of bitcoins.
How does it spread?
Generally, ransomware spreads through malicious “clickbait” of sorts. This could be from emails supposedly sent from the victim’s friends, advertisements, and software from disreputable sources. Take this scenario as an example. You receive an email from your friend titled “Hey, Kelvin” and you acknowledge the use of your name as confirmation of the credible source. There is a link in the email content that you click without much thought. BAM! Ransomware is downloaded without you knowing. Ransomware can also be downloaded from malicious advertisements on compromised websites (for example, advertisements that claim that you are the 10,000th visitor or that you have won a prize and enticed you to click to claim prize), or just through a VLC download from an unofficial website.
How will I know if my computer is infected?
A ransom note would appear if you have been infected. Other symptoms include the inability to access files or your computer altogether. Often times, the perpetuator would set a deadline for the victim to pay up. Non-compliance would lead to the increase in ransom price, or the complete deletion of the decryption key which could result in a permanent loss of data and/or access to your computer.
How does this impact me or my business?
Ransomware is indiscriminate and targets both home and business users. The level of devastation felt by the victim depends on the type of data held hostage. Personal data owned like photos of a birthday party would be negligible, however sensitive personal information such as credit card information could be destructive. Business operations will also be disrupted if employees are unable to work due to certain files being encrypted. Added to this are the possible financial implications to reinstate systems back to their original state.
What are the preventive measures to take?
- Do not open suspicious email or advertisement links; do not download software from untrustworthy websites.
- Update software regularly. Software vulnerability leaves an open window for viruses to infiltrate.
- Backup files regularly to minimize loss
- Download an ad/script blocker which would disallow unauthorized content to run in the background
- Encrypt sensitive data for extra protection
- Enable Microsoft Office macros only when required.
- Application whitelisting. This would allow only approved programs to run, similar to ad blockers.
What should I do if my computer is infected with Ransomware?
To receive timely information and alerts on cyber security threats and issues, do subscribe to the SingCERT mailing list. Simply send an email to firstname.lastname@example.org and type "SUBSCRIBE" in the subject line.
- Disconnect the infected computer from all network access, storage devices and Bluetooth devices.
- Scan and disinfect PC with antivirus or anti malware programs
- Go to https://id-ransomware.malwarehunterteam.com/ and upload your ransom note—a decryption key may be available
- Locate files that have been backed up to determine the extent of data loss
- Perform system data restoration from backed up sources—do a clean installation
- Lodge a police report at any Neighbourhood Police Centre/Post or via the Electronic Police Centre website at http://www.police.gov.sg/iwitness for Police assistance
- If your computer has been infected, you can contact SingCERT (Singapore Computer Emergency Response Team) to report the incident and for further advice on what to do
Ransomware Malware: Everything You Need To Know About It
With $325 Million in Extorted Payments CryptoWall 3 Highlights Ransomware Threat
SingCERT advisory on Ransomware