PC Pro

FACT OF THE MONTH

With one in two British businesses suffering a ransomware attack in the past year, it’s time to assume you’ve been infected. What, asks Nik Rawlinson, can you do about it?


Half of British companies have suffered a ransomware attack, according to Malwarebytes research, so how do you tell if you’ve been infected? We speak to the experts in this month’s Business Question.

One in three businesses has suffered a ransomware attack. The exact number, turned up last summer by Malwarebytes research in the US, Canada, Germany and the UK, was 39%, but that figure hides a more worrying statistic: the UK was the hardest hit, with 54% of companies surveyed targeted in the previous 12 months.

Ransomware is a growing problem, but it isn’t new. The first examples cropped up in 2005, with GPCode something of a pioneer. It set a pair of Registry keys so that it would launch at boot, then encrypted documents on infected machines, dropping a plain-text ransom note into every folder it encountered. If those affected wanted their files back, they’d have to pay between $100 and $200 for the decryption key.

“But the real boom happened in the last five or six years,” said Bart Parys, threat intelligence analyst at PwC UK. “A while back there was some opensource [ransomware] code that … people could literally copy and paste, so there are many new strains of ransomware now. In 2016 alone there were over 113 new strains and at least 60 new families. When you have a new family of ransomware you have variants in there, too. And this story won’t end soon; as people continue paying the ransom there will be more ransomware because it’s confirming that the technique [works].”

It should be no surprise that PwC, one of the “big four” accountancy firms, has an interest in ransomware, as 51% of financial businesses came under attack in the past 12 months (second only to healthcare, on 53%). It’s a form of malware to which PwC’s customers are especially susceptible.

“There are a few particularly ransomable businesses out there,” said PwC’s Felicity Main. “We monitor and analyse the latest security threats, producing intelligence that our clients can use to protect themselves, and respond in the right way when they suffer an attack.”

Appropriate response?

Some will assume that responding in the “right way” means giving in to the attacker’s demands, but that’s rarely the case.

“The general advice is to never pay,” explained Parys. “There’s no guarantee you’ll get your files back, and even if they send you something to decrypt them there’s no guarantee it’ll work.”

This is reflected in research conducted by Trend Micro in autumn 2016, which found that, although three-quarters of businesses that hadn’t yet suffered an infection said they would never pay up, 65% of those who had suffered did indeed pay the ransom. Even then, though, a fifth of them didn’t get their files back.

Paying up might even increase your chances of a second infection from an attacker because, in Parys’ words, “these people talk to each other, and they’ll know that you pay”.


Javvad Malik, security advocate at AlienVault, offers similar advice for home users and small businesses, but not for the same reason. Users “often underestimate how much they’ve got backed up through things like iCloud, Dropbox and Google Docs,” he said, so you can “roll back to previous known versions if you get infected. So home users often don’t lose as much as they think they would.”

So what is the best course of action? Instead of reinstalling the OS of a compromised system and recovering from a backup, your first step should be to isolate the PC.

“If just one system is infected, it might be too late to do anything for that machine but it’s not necessarily too late for your network or your other devices and storage,” said Malik. “If you have detection controls in place, they could orchestrate an automated response, so if something is trying to communicate with a known command and control server or doing things with the Registry that correlate with ransom activity, you can take that endpoint offline to prevent the infection spreading to your critical servers.”

As with any malware attack, then, salvation relies on forward planning, and preparation for an infection that may never occur – or may be lying dormant and undetected on your machine. “Eight out of ten times, infection is via phishing emails,” said Parys. These claim to be “from UPS or FedEx or the court system asking you to open a document. Otherwise, it could be an exploit kit [code that automatically installs on your machine when you visit an infected webpage], which could be on virtually any site. That is a bit less common, though – it’s usually phishing emails.”

Expecting your ISP to block known command and control servers, which can turn infected machines into drones that go on to wreak further havoc, is unrealistic, Malik said.

Attackers are “always finding some way to route around a block, anonymise themselves or use a proxy,” he explained. “We’re seeing them use something like a Twitter account or the comments section on a WordPress site as the command centre – there’ll be a specific account and when it tweets something that will trigger the actual ransom demand [on your PC].”

Avoiding infection

Unsurprisingly, Windows is a prime target by virtue of its prevalence.

“It’s a lot more effort creating ransomware that targets Linux if only 5% of the market is running the OS, they’re savvy enough to run backups and don’t generally care because they can just trash the machine and set it up again,” said Malik. “The only times when we’ve seen [Linux targeted] is in an attack against a specific individual or organisation. In those cases it’s very rarely ransomware that’s used, though – it’s usually some kind of corporate espionage.”

“The safest platform is probably Linux,” Parys agreed. “Linux ransomware does exist but it’s a minority. Mac is also quite safe but recently there was Mac ransomware that used a macro in [Microsoft] Office. Then you have Windows. The safest thing to do is install antivirus and never enable any macros.”

So to the big question: how do you know if you’ve been infected?

The answer is to have the necessary controls in place for each individual strain of malware so “you can detect with a high level of confidence,” said Malik. “That’s where the big challenge is for most people, because you can say that something looks suspicious but then you often need someone to manually go into it [to confirm].”

Anti-malware applications automate at least the first part of that task. “Our labs team takes all the time to dissect all the ransomware that’s out there and pushes out signatures,” Malik said. “So if you have endpoint detection on your critical servers and your network is being monitored, as soon as activity is triggered it can correlate that activity and say ‘that’s ransomware’ with high confidence. From there you can decide whether you just want an alert or to have additional action taken, such as taking the endpoint offline or blocking some ports.”
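The correlation Malik describes, and the GPCode behaviours mentioned earlier (autorun Registry keys, mass encryption of documents, a ransom note dropped in every folder, beaconing to a known command and control server), can be sketched as a small per-host scoring rule. The script below is an added illustration, not code from the article, AlienVault or PwC; the telemetry events, the C2 host, the ransom-note filenames and the weights are all constructed for the example.

```python
"""Toy per-endpoint ransomware-behaviour correlator (added example, constructed data)."""
from collections import defaultdict

# Constructed indicator feeds; a real deployment would load these from vendor signatures.
KNOWN_C2_HOSTS = {"c2.example.invalid"}                   # placeholder C2 indicator
RANSOM_NOTE_NAMES = {"readme_decrypt.txt", "how_to_restore.txt"}
AUTORUN_KEY_PREFIXES = (                                   # real Windows autorun locations
    "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
    "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
)
RENAME_BURST = 5        # renames that append an extension before we call it mass encryption
ISOLATE_THRESHOLD = 3   # weighted score at which the playbook says "take it offline"
WEIGHTS = {"autorun": 1, "mass_rename": 2, "ransom_note": 2, "c2_beacon": 2}


def extension_changed(detail):
    """True for an 'old -> new' rename that appends a new extension (q1.xlsx -> q1.xlsx.locked).

    This is a heuristic: ordinary renames (notes.txt -> notes.md) do not match.
    """
    old, sep, new = detail.partition(" -> ")
    if not sep:
        return False
    old_name = old.rsplit("\\", 1)[-1]
    new_name = new.rsplit("\\", 1)[-1]
    return new_name.startswith(old_name) and len(new_name) > len(old_name)


def correlate(events):
    """Group (host, event_type, detail) telemetry per host; return indicators, score, action."""
    renames = defaultdict(int)
    indicators = defaultdict(set)
    for host, kind, detail in events:
        if kind == "registry_set" and detail.startswith(AUTORUN_KEY_PREFIXES):
            indicators[host].add("autorun")
        elif kind == "file_rename" and extension_changed(detail):
            renames[host] += 1
            if renames[host] >= RENAME_BURST:
                indicators[host].add("mass_rename")
        elif kind == "file_create" and detail.rsplit("\\", 1)[-1].lower() in RANSOM_NOTE_NAMES:
            indicators[host].add("ransom_note")
        elif kind == "net_connect" and detail.rsplit(":", 1)[0] in KNOWN_C2_HOSTS:
            indicators[host].add("c2_beacon")

    verdicts = {}
    for host in {h for h, _, _ in events}:
        score = sum(WEIGHTS[i] for i in indicators[host])
        # A single indicator (e.g. one Run key) only alerts; several together justify isolation.
        action = "isolate" if score >= ISOLATE_THRESHOLD else ("alert" if score else "none")
        verdicts[host] = {"indicators": sorted(indicators[host]), "score": score, "action": action}
    return verdicts


# Constructed sample telemetry: pc-07 shows the full pattern, pc-03 one weak signal,
# pc-12 a benign rename.
SAMPLE_EVENTS = [
    ("pc-07", "registry_set", "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svchost_update"),
] + [
    ("pc-07", "file_rename", f"C:\\Users\\alice\\Documents\\report{i}.docx -> report{i}.docx.locked")
    for i in range(6)
] + [
    ("pc-07", "file_create", "C:\\Users\\alice\\Documents\\README_DECRYPT.txt"),
    ("pc-07", "net_connect", "c2.example.invalid:443"),
    ("pc-03", "registry_set", "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Backup Agent"),
    ("pc-12", "file_rename", "C:\\Users\\bob\\notes.txt -> notes.md"),
]

if __name__ == "__main__":
    for host, verdict in sorted(correlate(SAMPLE_EVENTS).items()):
        print(host, verdict)
```

The point of the weighting is the one Malik makes: a single Registry change or one odd rename is worth an alert for a human to look at, while several independent behaviours on the same host are enough confidence to pull it off the network automatically before it reaches critical servers.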

Look beyond the obvious: a ransomware infection may be a cover for something more serious. “Targeted ransomware attacks specific organisations, but it might not be the only malware on the machine – a threat actor might have installed the ransomware as a smokescreen. It’s important to verify that you haven’t been breached in any other way. Ransomware is obvious: you can’t open any files and you see messages, but never forget the bigger picture. If you’re an organisation that has ransomware… always verify your endpoints. Reinstall and restore.”

ABOVE The general advice is to not pay a ransom – there’s no guarantee you’ll get your files back or that the attacker’s fix will work
