Ransomware, a form of malicious software, is the latest technique criminals use to turn compromised computers into cash. The software holds data hostage while the attacker demands that victims pay a ransom to regain control of their data. This tactic is on the rise.
Although the sale of a credit card number, health record, or banking website password may fetch only a few dollars on the black market, a fully encrypted compromised machine can be worth hundreds if not thousands of dollars. For larger organizations, the ransom demanded is often in the tens or hundreds of thousands of dollars. According to the FBI, from April 2014 to June 2015, a single strain of ransomware was responsible for more than $18 million in losses in almost 1,000 instances.
Ransomware, designed to deny rightful owners access to their own files, is a threat to both companies and individual users. Victims, in a last-ditch effort to recover precious data, send money to an anonymous entity in return for a decryption program. While some victims pay, others have had sensitive corporate data permanently locked, often forcing the organization to revert to data backups. School districts, hospitals, banks, and government organizations have had operations grind to a halt as network and systems engineers rush to contain and eradicate the threat from their systems.
The delivery mechanisms for ransomware are similar to those for other types of viruses found on the Internet: an email attachment or link opened by an unsuspecting user, an advertisement loaded into a commonly browsed and otherwise safe website, or a malicious office productivity tool downloaded and installed by a user. Once the ransomware program has gained access to the system, it calls out to a server on the Internet to obtain the encryption key to use. The malicious code then identifies and encrypts documents, spreadsheets, presentations, emails, photos, and videos not only on the local hard drive but also on attached USB devices and network shared drives. In a corporate environment, where network shared drives are often accessible by everyone in the same department or company, huge data stores can be threatened by a single end-user-initiated infection.
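The behaviour just described (one process rewriting many documents on the local disk, a USB device and a network share within seconds) is also what a defender can look for. The Python script below is an added example, not code from the article or from Crowe Horwath. It runs over a constructed set of file-audit log lines in an assumed format (`timestamp host process WRITE path`); the document-extension list, the 60-second window and the threshold of five files are illustrative choices, not values from the article. It flags a process that writes many files with an appended extension inside a short window, and shows the byte-entropy check that separates encrypted output from ordinary documents.

```python
"""Flag ransomware-like bursts of file writes in constructed file-audit logs.
Added example, not from the article. Assumed log format, one event per line:
    <ISO-8601 timestamp> <host> <process> WRITE <path>
"""
import math
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit lines. The writes by updater.exe mimic the pattern
# the article describes: documents on a network share, a USB drive and the
# local disk all rewritten with a new extension within a few seconds.
SAMPLE_LOG = """\
2017-03-01T09:00:01 ws17 winword.exe WRITE \\\\fs01\\finance\\budget.xlsx
2017-03-01T09:02:10 ws17 excel.exe WRITE \\\\fs01\\finance\\q1.xlsx
2017-03-01T09:05:00 ws17 updater.exe WRITE \\\\fs01\\finance\\budget.xlsx.locked
2017-03-01T09:05:01 ws17 updater.exe WRITE \\\\fs01\\finance\\q1.xlsx.locked
2017-03-01T09:05:01 ws17 updater.exe WRITE \\\\fs01\\finance\\forecast.pptx.locked
2017-03-01T09:05:02 ws17 updater.exe WRITE E:\\photos\\holiday.jpg.locked
2017-03-01T09:05:03 ws17 updater.exe WRITE C:\\Users\\amy\\notes.txt.locked
2017-03-01T09:05:03 ws17 updater.exe WRITE \\\\fs01\\finance\\HOW_TO_RECOVER.txt
"""

# Constructed file contents: an ordinary document versus a stand-in for
# encrypted output (every byte value equally frequent, as ciphertext is).
PLAINTEXT_SAMPLE = b"Quarterly budget: revenue 1200, costs 900. " * 20
CIPHERTEXT_STANDIN = bytes(range(256)) * 4

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) WRITE (.+)$")
# Illustrative set of document types worth protecting (an assumption).
DOC_EXTS = {"docx", "xlsx", "pptx", "pdf", "jpg", "txt", "msg", "mp4"}


def parse(log_text):
    """Return (timestamp, host, process, path) tuples; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, host, proc, path = m.groups()
            events.append((datetime.fromisoformat(ts), host, proc, path))
    return events


def appended_extension(path):
    """'budget.xlsx.locked' -> 'locked': a document extension with a new one
    appended, which is how many ransomware families mark encrypted files.
    Returns None for ordinary names such as 'q1.xlsx' or 'HOW_TO_RECOVER.txt'."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    parts = name.lower().split(".")
    if len(parts) >= 3 and parts[-2] in DOC_EXTS:
        return parts[-1]
    return None


def find_bursts(events, window=timedelta(seconds=60), threshold=5):
    """Return {(host, process): count} for every process that wrote at least
    `threshold` renamed documents inside any span of length `window`."""
    per_proc = defaultdict(list)
    for ts, host, proc, path in events:
        if appended_extension(path):
            per_proc[(host, proc)].append(ts)
    alerts = {}
    for key, times in per_proc.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):          # sliding window over sorted times
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts[key] = best
    return alerts


def shannon_entropy(data):
    """Bits per byte: close to 8.0 for encrypted or compressed data, well
    below that for text and most office documents."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


if __name__ == "__main__":
    for (host, proc), n in find_bursts(parse(SAMPLE_LOG)).items():
        print(f"ALERT {host}: {proc} rewrote {n} documents within 60 s")
    print("entropy plaintext  %.2f" % shannon_entropy(PLAINTEXT_SAMPLE))
    print("entropy ciphertext %.2f" % shannon_entropy(CIPHERTEXT_STANDIN))
```

Real file-audit sources (Windows object-access events, a file server's audit log, an endpoint agent) carry the same four fields. The point of the sliding window is that a user saving many files over a working day never trips it, while one process rewriting a department share in seconds does; the entropy check is the second opinion when a family does not rename files at all.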
Some early variants of ransomware are known to have had bugs that allowed security researchers to reverse engineer the software and write a custom decryption program. This is by far the exception, because many ransomware applications have since been patched. Most ransomware samples analyzed use industry-standard algorithms and key lengths, locking up files with the same strength of encryption used to protect e-commerce transactions and classified national security information. The chance of forcing a break in the encryption is near zero.
Strong data backup processes and procedures are a good defense, but organizations cannot implement them after an infection. To determine the ability to withstand such an attack, organizations and individuals should take a systematic approach to testing the following areas:
Ransomware attacks are a growing threat affecting individuals, small businesses, and large corporations. While a strong response after an attack is critical to limiting the impact, identifying gaps, preparing your network, and testing controls will reduce the risk and exposure to one of today’s fastest-growing cybercrimes.
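The backup paragraph above makes the point that the defense has to exist before the infection. In practice, "strong processes and procedures" means a restore test that is actually run, not merely a backup job that is scheduled. The Python script below is an added example, not code from the article or from Crowe Horwath. It drills the whole cycle on constructed data inside a temporary directory: record a manifest of file hashes at backup time, damage the live copy, restore from the backup, and verify every file against the manifest. The plain directory copy stands in for whatever backup tool an organization uses, and `backup_is_fresh` is an assumed recovery-point check with an illustrative 24-hour limit.

```python
"""Restore drill for a backup: proves files come back intact and the backup is
recent enough. Added example; the copy step stands in for the real backup tool."""
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timedelta


def sha256_file(path):
    """Hash a file in chunks so large documents need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map relative path (forward slashes) -> sha256 for every file under root.
    Taken at backup time, this is the reference a later restore is checked against."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_restore(restored_root, manifest):
    """Return (kind, path) problems: files missing from or altered in the restore."""
    problems = []
    for rel, expected in sorted(manifest.items()):
        full = os.path.join(restored_root, *rel.split("/"))
        if not os.path.isfile(full):
            problems.append(("missing", rel))
        elif sha256_file(full) != expected:
            problems.append(("modified", rel))
    return problems


def backup_is_fresh(taken_at, now, max_age=timedelta(hours=24)):
    """Recovery-point check: an older backup would lose more work than accepted.
    The 24-hour default is an illustrative policy value, not one from the article."""
    return now - taken_at <= max_age


def run_restore_test():
    """End-to-end drill on constructed data inside a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        live = os.path.join(tmp, "live")
        backup = os.path.join(tmp, "backup")
        restored = os.path.join(tmp, "restored")
        os.makedirs(os.path.join(live, "finance"))
        with open(os.path.join(live, "finance", "budget.csv"), "w") as f:
            f.write("dept,amount\nops,1200\n")          # constructed content
        with open(os.path.join(live, "readme.txt"), "w") as f:
            f.write("constructed sample data\n")

        # 1. Back up the live data and record exactly what was backed up.
        taken_at = datetime(2017, 3, 1, 2, 0)           # constructed timestamp
        shutil.copytree(live, backup)
        manifest = build_manifest(live)

        # 2. Simulate loss of the live copy: one file overwritten, one deleted.
        with open(os.path.join(live, "finance", "budget.csv"), "w") as f:
            f.write("unreadable\n")
        os.remove(os.path.join(live, "readme.txt"))
        damage = verify_restore(live, manifest)

        # 3. Restore from the backup and verify every file against the manifest.
        shutil.copytree(backup, restored)
        after_restore = verify_restore(restored, manifest)

        return {
            "damage": damage,
            "after_restore": after_restore,
            "fresh": backup_is_fresh(taken_at, taken_at + timedelta(hours=6)),
            "stale": backup_is_fresh(taken_at, taken_at + timedelta(days=3)),
        }


if __name__ == "__main__":
    print(run_restore_test())
```

The manifest is what turns a backup into evidence: without a hash recorded at backup time, a restore that brings back already-encrypted copies of the files looks identical to a successful one. Keeping the manifest and the backup media where the infected workstation cannot write to them is the part of the procedure this drill cannot test for you.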
© 2017 Crowe Horwath LLP, an independent member of Crowe Horwath International.