Andrew Hay

The Truth About Ransomware: You're On Your Own

What should enterprises do when faced with ransomware? The answer is, it depends.

Dark Reading Editor Tim Wilson raises an interesting question in a recent comment on Sara Peters’ blog, CryptoWall More Pervasive, Less Profitable Than CryptoLocker:

I'm interested to hear what security professionals advise when faced with ransomware infections such as those outlined in the story. Are there situations when they should consider paying the ransom? What are the implications for their data if they call in law enforcement? Is this something an enterprise can set a policy on, or is it really decided on a case-by-case basis?

When faced with ransomware infections, people need to know their options. As with any attack, it’s better to learn your technological limitations before you get infected. For the enterprise, security professionals should educate themselves (and users) about the current state of ransomware and consider steps to prevent and quickly remediate infections. But the truth is, for practically everybody, we’re mostly on our own when it comes to dealing with the ransomware problem.

Calling in law enforcement won't likely result in the recovery of your files. In fact, the Swansea, Mass., police department paid to have its own files decrypted last November. If the encrypted files are unrecoverable from a previous backup or are important to the continued operation of the business (or livelihood of the individual), paying the ransom might be the best course of action.

Keep in mind, however, that criminals utilizing file encryption tactics are under no obligation to actually decrypt your files once you have paid the ransom. Researchers suspect that some ransomware does not have the related infrastructure to store, nor eventually provide, the key to decrypt an infected user’s files after the ransom is paid.

The ZeroLocker issue
One such ransomware variant that raises this question is ZeroLocker. After ZeroLocker encrypts your files, the encryption key along with other information is sent through a GET request, rather than a POST, to a pre-determined server. This request results in a 404 on the server, which could mean that the server is not storing the key. So if you pay the ransom, you may not see your files restored. On the other hand, you might.
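The observation above (key material leaving the host in a GET request that the server answers with a 404) is something a defender can look for in web proxy logs. The following is an added example, not code from the original article: it parses constructed proxy log lines in an assumed "client method url status" layout (adapt the regex to your proxy's format), flags GET requests carrying long, high-entropy query parameters, and records whether the server answered 404, since that is the case the article says may mean the key was never stored.

```python
import math
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Constructed sample log lines (assumed layout: client method url status).
# The 203.0.113.5 host and gate.php path are invented for the example.
SAMPLE_LOG = """\
10.0.0.12 GET http://www.example.com/index.html 200
10.0.0.12 GET http://203.0.113.5/gate.php?id=WS01&key=a1B2c3D4e5F6g7H8i9J0kLmNoPqRsTuVwXyZ 404
10.0.0.12 POST http://203.0.113.5/gate.php 200
10.0.0.40 GET http://www.example.com/search?q=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa 200
"""

LOG_RE = re.compile(r"^(?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")


def shannon_entropy(s):
    """Bits per character; random-looking key or base64 material scores high."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def suspicious_key_params(url, min_len=32, min_entropy=4.0):
    """Names of query parameters whose values are long and high-entropy."""
    params = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return [k for k, v in params if len(v) >= min_len and shannon_entropy(v) >= min_entropy]


def find_key_exfil_candidates(log_text):
    """GET requests that carry key-like query values, with the server's response code.
    A 404 on such a request matches the ZeroLocker behaviour described in the article."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "GET":
            continue
        params = suspicious_key_params(m["url"])
        if params:
            hits.append({"client": m["client"], "host": urlsplit(m["url"]).hostname,
                         "params": params, "status": int(m["status"]),
                         "server_404": m["status"] == "404"})
    return hits
```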

There will likely never be a Yelp or Angie's List review for a "reliable and honest online extortion racket," so unless you actually go through the motions of paying the ransom yourself or hear about the experiences of other infected users, you really won’t know the outcome.

With the current strain of CryptoLocker crimeware, tools such as the FireEye/Fox-IT Decrypt CryptoLocker site can be used to recover encrypted files without having to pay the demanded ransom. The service is not a silver bullet for all future strains of CryptoLocker, however, nor will it help with the decryption of files affected by other crimeware kits such as ZeroLocker, CryptorBit, or CryptoWall.

If your files are not recoverable from a backup, and you're using a relatively new Microsoft Windows desktop operating system release (Windows Vista and later), you may be able to leverage Windows' System Restore functionality to bring back earlier versions of your encrypted files. Using a tool such as Shadow Explorer or Windows' Previous Versions functionality, you may be able to recover your files.

For information on how to restore files via these methods, the CryptoLocker guide on the Bleeping Computer website is an excellent resource on this subject.

Be prepared
There are steps you can take to mitigate or prepare for the next massive ransomware outbreak. Organizations should revisit and reinforce policies surrounding the frequency of data backups (and the testing of data restoration), acceptable email use, and user education to help combat future infestations. The policy should also apply to all devices within the infrastructure including laptops, servers, and workstations as well as cloud instances, employee-owned devices, and even IoT systems.

Individual end-users, including home and remote users, need to be particularly vigilant because the majority of ransomware malware packages are delivered as email attachments -- or as the second-stage malware downloaded after executing an initial email attachment. If you (or users in your organization) are skeptical about an unexpected email asking you to download or view a PDF, DOC, or PPT file, don’t follow the email instructions. Pick up the phone and physically call the individual (if you know them) or delete the email entirely. If it is important, it can always be resent after confirming its validity.

The delivery methods for ransomware continue to evolve from native email attachments, to downloaders that fetch additional malware, to automated bots that pepper the Internet with documents just begging to be opened. Since delivery mechanisms are ever-changing, organizations need to adopt a predictive approach to defending against ransomware. Having the ability to discern patterns employed by criminals before an attack occurs enables organizations to be far more prepared to mitigate any ransomware infections after the fact. This concept is known as predictive intelligence. In my next post I will explain how it works.

Andrew Hay is the CISO at DataGravity where he advocates for the company's total information security needs and is responsible for the development and delivery of the company's comprehensive information security strategy. Prior to that, Andrew was the Director of Research at ...

Comments
9/22/2014 | 11:41:27 AM
Backups and Malware Scans
I've seen this happen in corporate and personal occurrences. From a corporate standpoint, the ones who have defined in policy to not allow the saving of materials to local drives were normally better off than the other scenario. Network drives that have the appropriate security safeguards and that are backed up to another location seem to be the most logical configuration to fight against ransomware from a corporate standpoint.

The only advice I can give to the individual user is to have antivirus and malware scanning capabilities. Scan on a regular basis and back up your materials to a device such as an external drive that doesn't regularly touch the internet. Before attaching the device, make sure you scan your computer first to ensure the integrity of your system's current config.