Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

11:00 AM
Andrew Hay
Andrew Hay
Connect Directly
E-Mail vvv

The Truth About Ransomware: Youre On Your Own

What should enterprises do when faced with ransomware? The answer is, it depends.

Dark Reading Editor Tim Wilson raises an interesting question in a recent comment on Sara Peters’ blog, CryptoWall More Pervasive, Less Profitable Than CryptoLocker:

I'm interested to hear what security professionals advise when faced with ransomware infections such as those outlined in the story. Are there situations when they should consider paying the ransom? What are the implications for their data if they call in law enforcement? Is this something an enterprise can set a policy on, or is it really decided on a case-by-case basis?

When faced with ransomware infections, people need to know their options. As with any attack, it’s better to learn your technological limitations before you get infected. For the enterprise, security professionals should educate themselves (and users) about the current state of ransomware and consider steps to prevent and quickly remediate infections. But the truth is, for practically everybody, we’re mostly on our own when it comes to dealing with the ransomware problem.

Calling in law enforcement won't likely result in the recovery of your files. In fact, the Swansea, Mass., police department paid to have its own files decrypted last November. If the encrypted files are unrecoverable from a previous backup or are important to the continued operation of the business (or livelihood of the individual), paying the ransom might be the best course of action.

Keep in mind, however, that criminals utilizing file encryption tactics are under no obligation to actually decrypt your files once you have paid the ransom. Researchers suspect that some ransomware does not have the related infrastructure to store, nor eventually provide, the key to decrypt an infected user’s files after the ransom is paid.

The ZeroLocker issue
One such ransomware variant that raises this question is ZeroLocker. After ZeroLocker encrypts your files, the encryption key along with other information is sent through a GET request, rather than a POST, to a pre-determined server. This request results in a 404 on the server, which could mean that the server is not storing the key. So if you pay the ransom, you may not see your files restored. On the other hand, you might.

There will likely never be a Yelp or Angie's List review for a "reliable and honest online extortion racket," so unless you actually go through the motions of paying the ransom yourself or hear about the experiences of other infected users, you really won’t know the outcome.

With the current strain of CryptoLocker crimeware, tools such as the FireEye/Fox-IT Decrypt CryptoLocker site can be used to recover encrypted files without having to pay the demanded ransom. The service is not a silver bullet for all future strains of CryptoLocker, however, nor will it help with the decryption of files affected by other crimeware kits such as ZeroLocker, CryptorBit, or CryptoWall.

If your files are not recoverable from a backup, and you’re using a relatively new Microsoft Windows Desktop operating system release (Microsoft Vista and later), you may be able to leverage Microsoft Windows’ System Restore functionality to restore your encrypted files. Using a tool such as Shadow Explorer or Windows’ Previous Version functionality, you may be able to recover your file.

For information on how to restore files via these methods, the Bleeping Computer CryptoLocker guide located at the Bleeping Computer website is an excellent resource on this subject.

Be prepared
There are steps you can take to mitigate or prepare for the next massive ransomware outbreak. Organizations should revisit and reinforce policies surrounding the frequency of data backups (and the testing of data restoration), acceptable email use, and user education to help combat future infestations. The policy should also apply to all devices within the infrastructure including laptops, servers, and workstations as well as cloud instances, employee-owned devices, and even IoT systems.

Individual end-users, including home and remote users, need to be particularly vigilant because the majority of ransomware malware packages are delivered as email attachments -- or as the second-stage malware downloaded after executing an initial email attachment. If you (or users in your organization) are skeptical about an unexpected email asking you to download or view a PDF, DOC, or PPT file, don’t follow the email instructions. Pick up the phone and physically call the individual (if you know them) or delete the email entirely. If it is important, it can always be resent after confirming its validity.

The delivery methods for ransomware continue to evolve from native email attachments, to downloaders that fetch additional malicious malware, to automated bots that pepper the Internet with documents just begging to be opened. Since delivery mechanisms are ever-changing, organizations need to adopt a predictive approach to defending against ransomware. Having the ability to discern patterns employed by criminals before an attack occurs enables organizations to be far more prepared to mitigate any ransomware infections after the fact. This concept is known as predictive intelligence. In my next post I will explain how it works.

Andrew Hay is the CISO at DataGravity where he advocates for the company's total information security needs and is responsible for the development and delivery of the company's comprehensive information security strategy. Prior to that, Andrew was the Director of Research at ... View Full Bio
Comment  | 
Print  | 
More Insights
Oldest First  |  Newest First  |  Threaded View
User Rank: Ninja
9/22/2014 | 11:41:27 AM
Backups and Malware Scans
I've seen this happen in corporate and personal occurences. From a corporate standpoint, the ones who have defined in policy to not allow the saving of materials to local drives were normally better off than the other scenario. Network drives that have the appropriate security safeguards and that are backed up to another location seem to be the most logical configuration to fight against ransomware from a corporate standpoint.

The only advice I can give to the individual user is to have antivirus and malware scanning capabilities. Scanning on a regular basis and back up your materials to a device such as an external drive that doesn't regularly touch the internet. Before attaching the device, make sure you scan your computer first to ensure the integrity of your systems current config.
What the FedEx Logo Taught Me About Cybersecurity
Matt Shea, Head of Federal @ MixMode,  6/4/2021
A View From Inside a Deception
Sara Peters, Senior Editor at Dark Reading,  6/2/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-06-13
The package studio-42/elfinder before 2.1.58 are vulnerable to Remote Code Execution (RCE) via execution of PHP code in a .phar file. NOTE: This only applies if the server parses .phar files as PHP.
PUBLISHED: 2021-06-12
Receita Federal IRPF 2021 1.7 allows a man-in-the-middle attack against the update feature.
PUBLISHED: 2021-06-12
In Apache PDFBox, a carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file. This issue affects Apache PDFBox version 2.0.23 and prior 2.0.x versions.
PUBLISHED: 2021-06-12
In Apache PDFBox, a carefully crafted PDF file can trigger an infinite loop while loading the file. This issue affects Apache PDFBox version 2.0.23 and prior 2.0.x versions.
PUBLISHED: 2021-06-12
It was discovered that read_file() in apport/hookutils.py would follow symbolic links or open FIFOs. When this function is used by the openjdk-16 package apport hooks, it could expose private data to other local users.