Consumers face a growing malware threat that echoes the fear and helplessness of a kidnapping. The latest malware ploy, called ransomware, literally holds a user’s data hostage. In return for the promise of unlocking the computer or cell phone, digital kidnappers demand money or potentially lucrative information. Experts estimate that ransomware netted criminals over $5 million in 2012 alone.
How Ransomware Kidnaps Data
Ransomware is digital extortion that locks out users from their computers until a demand for money is met. This type of malware is also known as a cryptotrojan, cryptovirus, or cryptoworm and uses two ploys. Lockscreen ransomware displays a full-screen image or website that blocks the user from further computer access. The Reveton Trojan attacks, which peaked in 2012 and purport to be from the FBI, are of the lockscreen type. Encryption ransomware encrypts a system's files and promises a decryption code in exchange for money. Some of the encryption algorithms are so strong that the victim in effect loses all files.
Ransomware is drive-by malware that infects users who visit compromised websites. The victim sees a frightening message, which often purports to be from a law enforcement agency, stating that the user has accessed an illegal website or violated a law. In exchange for online payment of a fine, the user will receive a code to unlock the screen or decrypt files. Unfortunately, paying up does not result in a password, and meanwhile the malware installs on the infected system to capture personal data. Duped users must spend even more money to hire a computer expert to clean the system.
The ransomware threat has exploded within the past two years and continues to grow. According to ABC News, security software firm Symantec has traced the largest exploits to 12 hacker gangs. Although British police caught one gang in December 2012, exploits are spreading globally. One attack hit over 500,000 users within two weeks, and 3 percent of them obeyed the ransom demands to no avail. Their computers remained locked, and the scammers got away with the money.
How to Rescue Kidnapped Data
Experts recommend that users not give in to ransomware demands as attackers have no intention of releasing the system. If users capitulate, they will lose money or sensitive information and will not regain access. Further, malware will continue to run silently and capture personal information. Victims should always assume that a system is still compromised until a computer expert has recovered it.
As an example, Symantec in February identified a variant called Trojan.Ransomlock.Y that lurks on pornography sites and prompted a January 2013 spike in ransomware attacks. The lockscreen ransom note claims to be from the FBI and states that the user has violated criminal law and must pay $200 via MoneyPak within 72 hours. Doing so does not unlock the system, and the FBI advises victims not to pay. Instead, users should engage a skilled technician to disinfect the computer. They should also report ransomware incidents to the IC3 at ic3.gov, a joint initiative between the FBI and the National White Collar Crime Center to combat Internet crime.
Security software vendors have publicized steps to remove specific ransomware variants. Power users may wish to attempt this on their own. However, the safest bet is to hire a professional to clean the system and ensure that malware is not running in the background. If the attack is encryption malware, even an expert might not be able to rescue the files.
How to Defend Against Ransomware
The best defense against ransomware damage is to regularly back up data. While technicians can remove most infections, some systems will have partly or totally unrecoverable files. Further, current backups provide access while the infected computer is being worked on. Users should be wary of trying to remove ransomware on their own. Even if commercial software manages to unlock the screen, malware could still be running in the background and capturing sensitive data such as passwords and account numbers.
Commercial anti-virus products can detect common ransomware, and users can foil many attacks by simply keeping anti-virus and anti-spyware software up to date. Additionally, users should follow computer housekeeping procedures such as these:
- Back up data to an external source such as a cloud service or storage device that is usually disconnected from the computer. Consider automating backups to run every 24 hours at a convenient time.
- Keep anti-virus and anti-spyware software current and configure automatic updates.
- Make sure that security software automatically scans all downloads either as part of browser integration or in real time.
- Install software updates. Many operating system, software and browser patches contain crucial security fixes.
- Disable Bluetooth when not in use and do not automatically accept unknown connections.
- Disable AutoPlay and disconnect removable drives when not in use.
Data kidnapping preys on users desperate to regain access to personal or professional files. Sophisticated techniques can intimidate even people savvy enough to sidestep most malware. To contain the threat, users must learn to lock down their systems before hackers do it for them.
About the Author
This is a guest post from Megan Horner, Marketing Coordinator at TrainACE. TrainACE offers advanced advanced cyber security training such as Mobile Hacking and Wireless Security. Follow TrainACE on Twitter @pentesttraining.