Dark Reading Editor Tim Wilson raises an interesting question in a recent comment on Sara Peters’ blog post, “CryptoWall More Pervasive, Less Profitable Than CryptoLocker”:
I'm interested to hear what security professionals advise when faced with ransomware infections such as those outlined in the story. Are there situations when they should consider paying the ransom? What are the implications for their data if they call in law enforcement? Is this something an enterprise can set a policy on, or is it really decided on a case-by-case basis?
When faced with a ransomware infection, people need to know their options. As with any attack, it is better to learn what you can and cannot recover before you get infected. In the enterprise, security professionals should educate themselves (and their users) about the current state of ransomware and take steps to prevent infections and to remediate them quickly. But the truth is that practically everybody, enterprise or individual, is mostly on their own when it comes to dealing with ransomware.
Calling in law enforcement is unlikely to get your files back. In fact, the Swansea, Mass., police department paid to have its own files decrypted last November. If the encrypted files cannot be recovered from an earlier backup and are essential to the continued operation of the business (or the livelihood of the individual), paying the ransom might be the best course of action.
Keep in mind, however, that criminals running file-encryption schemes are under no obligation to decrypt your files once you have paid. Researchers suspect that some ransomware lacks the back-end infrastructure to store the per-victim encryption key at all, and therefore cannot hand it back after the ransom is paid.
The ZeroLocker issue
One ransomware variant that raises this question is ZeroLocker. After ZeroLocker encrypts your files, it sends the encryption key, along with other information, to a predetermined server in an HTTP GET request rather than a POST. The server answers that request with a 404 (Not Found), which suggests that nothing on the server side is receiving the request and storing the key. So if you pay the ransom, the criminals may have nothing to decrypt your files with. On the other hand, they might.
There will likely never be a Yelp or Angie's List review for a “reliable and honest online extortion racket,” so unless you go through the motions of paying the ransom yourself, or hear about the experiences of other infected users, you really won’t know the outcome.
With the current strain of CryptoLocker crimeware, tools such as the FireEye/Fox-IT Decrypt CryptoLocker site can recover encrypted files without paying the demanded ransom. The service is not a silver bullet for all future strains of CryptoLocker, however, nor will it help decrypt files affected by other crimeware kits such as ZeroLocker, CryptorBit, or CryptoWall.
If your files are not recoverable from a backup and you are running a relatively recent Windows desktop release (Windows Vista and later), you may be able to recover pre-encryption versions of them from Volume Shadow Copy snapshots, the same snapshots that System Restore relies on. A tool such as Shadow Explorer, or Windows’ built-in Previous Versions tab, lets you browse those snapshots and copy a file out. This only works if the snapshots are still there: many ransomware families delete them before or while encrypting, so check for them before doing anything else.
For step-by-step instructions on restoring files by these methods, the Bleeping Computer CryptoLocker guide is an excellent resource.
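The shadow-copy route described above, as an added example that is not from the original post or from any of the tools it names. It assumes an elevated PowerShell session on the infected machine, that the snapshots on C: survived, and that the file and mount-point paths (budget.xlsx, C:\ShadowMount) are placeholders for your own:

```powershell
# Added example: copy a pre-encryption version of one file out of a Volume Shadow Copy
# snapshot. Run from an elevated PowerShell prompt. Paths are placeholders.
$VictimFile = 'C:\Users\alice\Documents\budget.xlsx'   # assumed: an encrypted file
$MountPoint = 'C:\ShadowMount'                         # assumed: any unused directory name

# 1. Find the snapshots of the volume that holds the file. Win32_ShadowCopy.VolumeName
#    and Win32_Volume.DeviceID both use the \\?\Volume{GUID}\ form, so they can be compared.
$volumeId  = (Get-CimInstance Win32_Volume | Where-Object { $_.DriveLetter -eq 'C:' }).DeviceID
$snapshots = Get-CimInstance Win32_ShadowCopy |
    Where-Object { $_.VolumeName -eq $volumeId } |
    Sort-Object InstallDate

if (-not $snapshots) {
    Write-Warning 'No shadow copies on C:. The malware may already have deleted them.'
    return
}
$snapshots | Format-Table InstallDate, DeviceObject -AutoSize

# 2. Pick the most recent snapshot taken before the infection. Here: simply the newest one;
#    compare InstallDate with the time the ransom note appeared and adjust as needed.
$snap = $snapshots | Select-Object -Last 1

# 3. Expose the snapshot as a directory. mklink needs the trailing backslash on the
#    \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN device path.
$target = $snap.DeviceObject + '\'
cmd /c mklink /d $MountPoint $target | Out-Null

# 4. Copy the old version out. Write it next to the encrypted file, never over it,
#    so that a later decryption attempt still has the original ciphertext.
$relative = $VictimFile.Substring(3)                   # drop the leading 'C:\'
$source   = Join-Path $MountPoint $relative
$dest     = "$VictimFile.recovered"
if (Test-Path -LiteralPath $source) {
    Copy-Item -LiteralPath $source -Destination $dest
    Write-Host "Recovered $dest from the snapshot taken $($snap.InstallDate)"
} else {
    Write-Warning "$relative is not in that snapshot; try an older one."
}

# 5. Remove the link. rmdir on a directory symlink removes only the link, not the snapshot.
cmd /c rmdir $MountPoint
```

Get-CimInstance is available from PowerShell 3 onward; on Vista and Windows 7 use Get-WmiObject with the same class names. `vssadmin list shadows` at an elevated command prompt lists the same snapshots, and if it reports none, this route is closed and the backup or decryption options above are what is left.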
There are steps you can take to mitigate, or at least prepare for, the next massive ransomware outbreak. Organizations should revisit and reinforce their policies on the frequency of data backups (and on testing that those backups actually restore), on acceptable email use, and on user education. The policy should cover every device in the infrastructure: laptops, servers, and workstations, as well as cloud instances, employee-owned devices, and even IoT systems.
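Testing that a backup actually restores, as an added example that is not part of the original post. It assumes a hash manifest written when the backup is taken and compared after a trial restore; the function names are this example's own, and the temp-directory demo at the bottom is constructed:

```powershell
# Added example: a restore test. New-BackupManifest records the SHA-256 of every file under
# a tree when the backup is taken; Test-RestoredBackup re-hashes the restored tree against
# that manifest and reports anything missing or altered. Function names are this example's own.
function New-BackupManifest {
    param(
        [Parameter(Mandatory)][string]$Root,
        [Parameter(Mandatory)][string]$ManifestPath
    )
    $rootFull = (Resolve-Path -LiteralPath $Root).Path.TrimEnd('\')
    Get-ChildItem -LiteralPath $rootFull -Recurse -File | ForEach-Object {
        [pscustomobject]@{
            Path   = $_.FullName.Substring($rootFull.Length + 1)   # relative to $Root
            Sha256 = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    } | Export-Csv -LiteralPath $ManifestPath -NoTypeInformation
}

function Test-RestoredBackup {
    param(
        [Parameter(Mandatory)][string]$RestoredRoot,
        [Parameter(Mandatory)][string]$ManifestPath
    )
    $problems = foreach ($entry in Import-Csv -LiteralPath $ManifestPath) {
        $file = Join-Path $RestoredRoot $entry.Path
        if (-not (Test-Path -LiteralPath $file)) {
            "MISSING  $($entry.Path)"
        } elseif ((Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash -ne $entry.Sha256) {
            "CHANGED  $($entry.Path)"   # a file the ransomware reached before the backup ran lands here
        }
    }
    foreach ($p in $problems) { Write-Warning $p }
    return (@($problems).Count -eq 0)
}

# Constructed demo: back up two files, "restore" them, then corrupt one to show the failure.
$work     = Join-Path $env:TEMP ('restoretest-' + [guid]::NewGuid())
$src      = Join-Path $work 'source'
$restored = Join-Path $work 'restored'
$manifest = Join-Path $work 'manifest.csv'
New-Item -ItemType Directory -Path $src, (Join-Path $src 'sub') | Out-Null
Set-Content -LiteralPath (Join-Path $src 'budget.xlsx')   -Value 'Q3 numbers'
Set-Content -LiteralPath (Join-Path $src 'sub\notes.txt') -Value 'meeting notes'

New-BackupManifest -Root $src -ManifestPath $manifest
Copy-Item -LiteralPath $src -Destination $restored -Recurse
Test-RestoredBackup -RestoredRoot $restored -ManifestPath $manifest

Set-Content -LiteralPath (Join-Path $restored 'budget.xlsx') -Value 'ENCRYPTED!'
Test-RestoredBackup -RestoredRoot $restored -ManifestPath $manifest

Remove-Item -LiteralPath $work -Recurse -Force
```

The first Test-RestoredBackup call returns True; the second warns about budget.xlsx and returns False. Get-FileHash needs PowerShell 4 or later. The manifest must be written before the infection and stored apart from the data it describes: a manifest generated after the files were encrypted would happily "verify" a restore of ciphertext.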
Individual end users, including home and remote users, need to be particularly vigilant, because the majority of ransomware packages arrive as email attachments, or as second-stage malware downloaded after an initial email attachment is executed. If you (or users in your organization) receive an unexpected email asking you to download or open a PDF, DOC, or PPT file, don’t follow the instructions in the email. Pick up the phone and call the sender (if you know them), or delete the email entirely. If it is important, it can always be resent after you confirm it is genuine.
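A mechanical check to back up that advice, as an added example that is not from the original post. It screens attachments that have been saved to disk for the three tricks a "PDF" or "DOC" lure most often relies on: a plainly executable extension, a double extension such as invoice.pdf.exe (which Explorer shows as invoice.pdf when known extensions are hidden), and an executable renamed to a document extension. The function name and the sample files are this example's own:

```powershell
# Added example: screen saved attachments before anyone opens them. Flags executable
# extensions, "double" extensions such as invoice.pdf.exe, and files whose name says
# document but whose first two bytes are the MZ signature of a Windows executable.
function Test-SuspiciousAttachment {
    param([Parameter(Mandatory)][string]$Path)
    $name    = [System.IO.Path]::GetFileName($Path)
    $execExt = 'exe|scr|pif|com|bat|cmd|js|jse|vbs|vbe|wsf|hta|jar|lnk'
    $docExt  = 'pdf|doc|docx|xls|xlsx|ppt|pptx|rtf|txt'
    $reasons = @()

    if ($name -match "\.($execExt)$")            { $reasons += 'executable extension' }
    if ($name -match "\.($docExt)\.($execExt)$") { $reasons += 'document name hiding an executable extension' }
    if ($name -match "\.($docExt)$") {
        # Content check: a PE file starts with "MZ" (0x4D 0x5A) whatever its name says.
        $header = New-Object byte[] 2
        $stream = [System.IO.File]::OpenRead($Path)
        try { $read = $stream.Read($header, 0, 2) } finally { $stream.Dispose() }
        if ($read -eq 2 -and $header[0] -eq 0x4D -and $header[1] -eq 0x5A) {
            $reasons += 'PE header behind a document extension'
        }
    }
    [pscustomobject]@{
        File       = $name
        Suspicious = ($reasons.Count -gt 0)
        Reasons    = ($reasons -join '; ')
    }
}

# Constructed samples in a temp directory: one benign PDF, one double extension,
# one executable renamed to look like a Word document.
$dir = Join-Path $env:TEMP ('attachments-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $dir | Out-Null
[System.IO.File]::WriteAllText((Join-Path $dir 'report.pdf'), '%PDF-1.4 (constructed)')
[System.IO.File]::WriteAllText((Join-Path $dir 'invoice.pdf.exe'), 'not really a pdf')
[System.IO.File]::WriteAllBytes((Join-Path $dir 'statement.docx'), [byte[]](0x4D, 0x5A, 0x90, 0x00))

Get-ChildItem -LiteralPath $dir -File |
    ForEach-Object { Test-SuspiciousAttachment -Path $_.FullName } |
    Format-Table -AutoSize

Remove-Item -LiteralPath $dir -Recurse -Force
```

report.pdf comes back clean, invoice.pdf.exe is flagged on both the extension rules, and statement.docx is flagged by the header check alone. The check is deliberately conservative (a genuine .docx starts with the "PK" zip signature and a genuine PDF with "%PDF", so a stricter version could whitelist those), and it supplements, rather than replaces, filtering at the mail gateway and the habit of confirming unexpected attachments by phone.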
Delivery methods for ransomware continue to evolve: from plain email attachments, to downloaders that fetch additional malware, to automated bots that pepper the Internet with documents just begging to be opened. Because the delivery mechanisms keep changing, organizations need to adopt a predictive approach to defending against ransomware. Being able to discern the patterns criminals employ before an attack occurs leaves an organization far better prepared to mitigate any ransomware infection after the fact. This concept is known as predictive intelligence. In my next post I will explain how it works.