Ransomware - Hackers are Holding your Data Hostage
Many business executives are concerned about protecting their sensitive data and intellectual property. They ask IT to address threats to these assets by implementing firewalls and anti-virus solutions to protect the organization's electronically stored information. What many executives don't know is that their major risks come from internal threats.
Employees already have a sign-on ID and password to the network. By having this basic information, your staff already has access to resources such as customer data and email. However, the greatest risk may be physical access to IT systems.
Ransomware is a new type of malicious software (malware) that restricts access to your programs and data. Frequently, the malware demands payment in order for the restrictions to be removed. Some forms of ransomware encrypt files on hard drives while other variations of the software lock the computer and display messages enticing the computer user to pay a fee.
Ransomware is typically installed when the computer user opens an infected e-mail attachment or downloads and executes a file from the Internet. Once activated, newer versions of the malware encrypt files on the computer's hard drive using a strong 2,048-bit key that is almost impossible to break. Once encrypted, the files can no longer be opened normally. In many cases, computer users receive little or no warning while the malware runs in the background encrypting files. Only the malware author has the private key needed to decrypt the files and restore the user's access to the documents.
Some ransomware does not use encryption. Instead, the malicious software restricts interaction with the system, typically by modifying the startup sequence (e.g. overwriting the master boot record, setting the Windows Shell to itself, etc.).
Ransomware may display warnings or other messages that appear to come from law enforcement agencies, claiming that the software is unlicensed, has been used for illegal activities, or contains pirated content. Ransomware attempts to convince the user to pay a fee to receive a program that will decrypt the encrypted files or an unlock code that will undo the changes made to the computer system. Payments are often made using hacker-friendly payment systems including MoneyPak, Ukash, cashU, and Bitcoin.
CryptoLocker is one of the newer forms of ransomware. It connects to a server that generates a public and private key pair (one key is used to encrypt the files and only the other can decrypt them). The private key stays on the server, while the malware uses the public key to encrypt files stored on the user's computer. CryptoLocker then displays a message demanding payment to recover the private key needed to decrypt the files. The malware threatens to delete the private key unless payment is received within three days. CryptoLocker may also attempt to locate backups on a network drive connected to an infected PC. Once found, these files are also encrypted.
How do you protect yourself?
- Ensure systems are patched per a formal Patch Management Policy
- Ensure you have updated anti-malware software
- Implement robust backups with archiving of system and data files
- Maintain effective e-mail spam filters
- Provide role-based security education and awareness training
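Backups only help if you know they have not been encrypted along with the live data, which is the CryptoLocker behaviour described above. The script below is an added example (not from the original article or any product it mentions) of a minimal backup-integrity check: a manifest of SHA-256 hashes is recorded when the backup is taken, and a later verification pass reports files that are missing, files that changed, and changed files whose contents now look like ciphertext. The file set, the entropy threshold of 7.0 bits per byte and the stand-in for encrypted content are all constructed for illustration.

```python
import hashlib
import math
from collections import Counter

# Constructed sample backup set (path -> contents) as it looked when the
# backup was taken. Plain text formats are used on purpose: compressed
# formats such as .docx or .zip already have high entropy, so for them the
# hash change is the only reliable signal.
ORIGINAL_BACKUP = {
    "finance/q3-report.csv": b"month,revenue,costs\njul,120000,80000\naug,125000,81000\n" * 40,
    "hr/onboarding.txt": b"Welcome to the team. Please read the handbook. " * 30,
    "eng/release-notes.md": b"# Release 2.1\n- fixed login bug\n- faster sync\n" * 25,
}

# Constructed stand-in for what file encryption leaves behind: every byte
# value appears equally often, so the entropy is exactly 8.0 bits per byte.
CIPHERTEXT_LIKE = bytes(range(256)) * 16

# The same backup set after one file on the share was overwritten.
TAMPERED_BACKUP = dict(ORIGINAL_BACKUP)
TAMPERED_BACKUP["finance/q3-report.csv"] = CIPHERTEXT_LIKE

# Assumption: plain text and office documents sit well below this value.
ENTROPY_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 means every byte value is equally likely."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def build_manifest(files: dict) -> dict:
    """Record a SHA-256 hash for every file at backup time.

    Keep this manifest offline or on read-only media; a manifest that lives
    on the same network share can be overwritten together with the backups.
    """
    return {path: hashlib.sha256(content).hexdigest() for path, content in files.items()}


def verify_backup(manifest: dict, files: dict) -> dict:
    """Compare the current backup contents against the recorded manifest."""
    report = {"ok": [], "missing": [], "changed": [], "suspected_encrypted": []}
    for path, expected_digest in manifest.items():
        content = files.get(path)
        if content is None:
            report["missing"].append(path)
            continue
        if hashlib.sha256(content).hexdigest() == expected_digest:
            report["ok"].append(path)
            continue
        # Any change to an archived file is suspicious; a change that also
        # raises the entropy to ciphertext levels is the ransomware pattern.
        report["changed"].append(path)
        if shannon_entropy(content) >= ENTROPY_THRESHOLD:
            report["suspected_encrypted"].append(path)
    return report


if __name__ == "__main__":
    manifest = build_manifest(ORIGINAL_BACKUP)
    print("clean backup:", verify_backup(manifest, ORIGINAL_BACKUP))
    print("tampered backup:", verify_backup(manifest, TAMPERED_BACKUP))
```

Run the verification from a machine that is not the one the backup share is mapped to, and alert on any entry in `changed` or `missing`, not only on `suspected_encrypted`: archived files are not supposed to change at all, and the entropy check is only a hint that says which kind of change occurred.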
If a system is infected, it may be possible to go back to an earlier point in time using the System Restore feature of the operating system. Network security audits help protect against ransomware and related threats by evaluating your anti-malware protection, patch management, and effectiveness of your security education and awareness training.