How to prevent ransomware: What one company learned the hard way

Ransomware is on the rise. Your best protection? Something everyone knows they should do.

In the real world, kidnapping is a risky crime--getting paid usually means getting caught. In the digital world, however, demanding ransom for data, or ransomware, is an escalating epidemic, a popular crime that leaves many businesses and consumers at risk of losing their data.

One small company in New England--a retailer with some two-dozen employees--learned that the hard way. A click-happy employee ended up infecting one system with a prevalent threat known as CryptoWall, according to the company's co-owner, John, who asked that his real name and details of his business not be revealed.

Ransomware may roam undetected

Quietly, the malware reached out over the Internet to get a unique key and then, over the next three days, encrypted data on the compromised system. Much worse for the company, the malware encrypted accounting data on a mapped drive on the firm's server.

The retailer learned of the infection when its accounting software failed to open financial data on the mapped drive the following Monday. "The ransom note never popped up on the screen," John said. "The accounting program just stopped functioning one morning."

When a support tech investigated the accounting software's problems, more than 200 copies of a ransom note were found scattered around the file system, directing the firm to pay $500 in Bitcoin to the criminals.

Ransomware is on the rise. Kicking off with Cryptolocker in 2013, a steady parade of pernicious ransom-demanding software has hit unfortunate victims. Cryptolocker likely made its operators tens of millions of dollars until authorities disrupted the network in May 2014, shutting down Cryptolocker command-and-control servers and the GameOver Zeus botnet infrastructure that spread the malware. Yet, other ransomware variants have arisen. Between mid-March and August 24, 2014, for example, more than 600,000 systems were infected with the CryptoWall variant of ransomware, according to research conducted by managed-security firm SecureWorks.

Data-nappers are going mobile as well, according to recent data from mobile security firm Lookout. In 2014, four of the top five malware programs encountered by Android users in the United States were ransomware, posing as a legitimate app and then, after installation, locking the phone and demanding payment. While the threat of mobile malware continues to be low--only 7 percent of Android users even encountered malware--ransomware accounted for nearly all of the 75 percent increase in encounters from the previous year, according to the company.

Your best defense: Back up, back up, back up

The solution to ransomware is fairly simple--at least, for now. Consumers and small businesses with a good backup process will be able to recover much of the data encrypted by the attackers. Companies that do backups on premises should make sure they can recover an image of the data from months in the past and keep multiple copies. Any backups made between the time of infection and when the attack is detected will contain encrypted data, and thus be unrecoverable without paying the ransom.

For that reason, online backups with automatic incremental backups can be a great help, Brian Foster, chief technology officer of network-security firm Damballa, advised. At the very least, companies should keep one set of backups offsite.

"I'm a big fan of online backups," he said. "You should expect that, if you get hit by ransomware, you are not going to get the PC back."

Another possible defense: Ransomware typically reaches out to get an encryption key from an online server. Detecting and blocking that request can prevent the encryption of the data.

Unfortunately for the New England retailer, the infection revealed that the company's backup program had not been working correctly for more than two years. The company had no choice but to pay. Yet, even that did not go smoothly: Unable to deal with the mapped drive, the ransomware's decryption routine failed to unscramble more than 100 of the thousands of encrypted files, leaving financial and customer information encrypted. Because the ransomware scheme requires trust that the criminals will hand over the data after receiving payment, the operators offered support to the firm's owner, and even offered to try to decrypt the data, if the company sent the files. The firm declined.
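The backup advice above hinges on two things the retailer lacked: versioned snapshots that reach back before the infection, and a check that each backup actually ran. The script below is an added example, not part of the article or any vendor's product; it takes timestamped snapshot copies of a directory (the mapped drive is assumed to be mounted locally), writes a SHA-256 manifest so every backup can be verified, and picks the newest snapshot taken before an estimated infection time, since later ones may already hold encrypted files.

```python
import hashlib
import json
import os
import shutil
from datetime import datetime, timezone

STAMP = "%Y%m%dT%H%M%SZ"  # snapshot directory name = UTC time it was taken


def _sha256(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def snapshot(src, dest, when):
    """Copy src to dest/<timestamp> and record a SHA-256 manifest beside it."""
    snap = os.path.join(dest, when.strftime(STAMP))
    shutil.copytree(src, snap)
    manifest = {}
    for root, _, files in os.walk(snap):
        for name in files:
            path = os.path.join(root, name)
            manifest[os.path.relpath(path, snap)] = _sha256(path)
    with open(snap + ".manifest.json", "w") as fh:
        json.dump(manifest, fh)
    return snap


def verify(snap):
    """Re-hash a snapshot against its manifest; returns paths that are missing
    or altered. Run after every job so a silently broken backup is noticed."""
    with open(snap + ".manifest.json") as fh:
        manifest = json.load(fh)
    return sorted(rel for rel, digest in manifest.items()
                  if not os.path.isfile(os.path.join(snap, rel))
                  or _sha256(os.path.join(snap, rel)) != digest)


def last_clean_snapshot(dest, infected_at):
    """Newest snapshot taken strictly before the estimated infection time.
    Anything taken after that point may already contain encrypted files."""
    clean = []
    for name in os.listdir(dest):
        if name.endswith(".manifest.json"):
            continue
        taken = datetime.strptime(name, STAMP).replace(tzinfo=timezone.utc)
        if taken < infected_at:
            clean.append((taken, os.path.join(dest, name)))
    return max(clean)[1] if clean else None
```

Keep the snapshot directory on storage the infected machine cannot write to (offsite or offline), or the ransomware will encrypt the snapshots as readily as the mapped drive.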

The infection also leaves the owner in a quandary. While the criminals have said that the infected system should be clean, John understandably does not trust them.

"The fear, as an IT person, is you feel like you need to format every drive in the network," he said. "I don't trust the other computers, but do we shell out $10,000 to rebuild our infrastructure?"

The company is still considering its options.

Stories by Robert Lemos