By: Paul Wood, Cyber Security Intelligence Manager, Symantec Corporation
Trends are complicated things. Consider, for example, the threat often called Ransomware. In our annual Internet Security Threat Report, all signs were that it was following a steady growth path which would continue into 2014. However, more up-to-date intelligence (as documented in our May 2014 Intelligence Report) suggests otherwise. It remains to be seen whether the threat is cyclic, so we shall continue to watch with interest.
To understand Ransomware, we need first to know how and why it emerged. Before Ransomware, another form of extortion was prevalent, called Fake Antivirus. This would find its way onto a victim’s computer through email, a website drive-by download or other means, and then tell the hapless user they had malware – but to remove that malware they would have to unlock the product so it could clean up the system. Unlocking required a payment of between $20 and $50 on average.
Of course it was fraudulent – the product wasn’t real and the malware was probably put there by the Fake Antivirus – if it existed at all. However, over time as people became more aware of these threats, they began to fear them less. When everyone knows it’s a fake, the scam fails and the bad guys have to find something else to fill the gap. That something else is Ransomware.
Ransomware, instead of pretending to be a security product trying to be helpful, usually masquerades as a virtual “wheel clamp” for the victim’s computer. For example, pretending to be from local law enforcement, it might claim the victim had been using the computer for something illicit and that to unlock it they would have to pay a fine, this time between $100 and $500. The increased availability of online payment methods made collecting the ransom safe and simple for the criminals.
If we dig into the figures, we find that 1 in 500 Ransomware attacks in 2013 were a form called ransomcrypt, in which the victim’s personal files are encrypted using strong public key cryptography (an RSA 2048-bit key pair; in practice each file is encrypted with a symmetric key that is then wrapped with the attacker’s RSA public key), and only the attacker holds the private key that can unlock them. Removing the malware does not undo this: the files stay encrypted, and there is no pretense of a fine. You simply pay the ransom to get your files back. This variant can cause even more damage to businesses, because it encrypts not only the files on the victim’s computer but also files on shared or attached network drives.
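To make the asymmetry concrete, here is an added illustration of the ransomcrypt model described above. It is not code from the Intelligence Report or from any malware family; it uses only Go’s standard library, keeps the sample “files” (constructed here, including a path that stands in for a document on a mapped share) in memory, and never touches the filesystem. Each file gets a fresh AES-256-GCM key, and that key is wrapped with RSA-OAEP under the attacker’s 2048-bit public key, so the infected machine, and a defender who recovers the sample, hold only the public key and cannot unwrap anything.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// lockedFile is what is left behind after a ransomcrypt-style infection:
// the contents are encrypted under a per-file AES key, and that key is
// stored only in a form the attacker's RSA private key can open.
type lockedFile struct {
	WrappedKey []byte // per-file AES-256 key, RSA-OAEP encrypted under the attacker's public key
	Nonce      []byte // AES-GCM nonce
	Ciphertext []byte // encrypted file contents, with the GCM tag appended
}

// lockFile encrypts content with a fresh random AES-256-GCM key and wraps
// that key with pub. No secret is needed to run it, which is the point: the
// malware carries only the public key, so nothing on the infected machine
// can reverse the operation.
func lockFile(pub *rsa.PublicKey, content []byte) (*lockedFile, error) {
	fileKey := make([]byte, 32)
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	return &lockedFile{
		WrappedKey: wrapped,
		Nonce:      nonce,
		Ciphertext: gcm.Seal(nil, nonce, content, nil),
	}, nil
}

// unlockFile is the decryptor the victim is offered in exchange for the
// ransom: priv unwraps the per-file key, which then decrypts the contents.
// With any other private key the OAEP unwrap fails and nothing is recovered.
func unlockFile(priv *rsa.PrivateKey, lf *lockedFile) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, lf.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap file key: %w", err)
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, lf.Nonce, lf.Ciphertext, nil)
}

func main() {
	// The attacker generates the key pair on their own infrastructure; only
	// attacker.PublicKey ever reaches the victim.
	attacker, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	// Constructed sample "files". The second path stands in for a document on
	// a mapped network share, which the malware treats exactly like a local file.
	sharePath := `\\fileserver\finance\q2-report.docx`
	files := map[string][]byte{
		`C:\Users\victim\Documents\budget.xlsx`: []byte("constructed spreadsheet contents"),
		sharePath:                               []byte("constructed shared-drive document"),
	}
	locked := map[string]*lockedFile{}
	for path, content := range files {
		lf, err := lockFile(&attacker.PublicKey, content)
		if err != nil {
			panic(err)
		}
		locked[path] = lf
		fmt.Printf("locked %s (%d bytes -> %d bytes)\n", path, len(content), len(lf.Ciphertext))
	}
	// A defender with the sample can generate as many key pairs as they like;
	// none of them unwraps the file keys.
	other, _ := rsa.GenerateKey(rand.Reader, 2048)
	if _, err := unlockFile(other, locked[sharePath]); err != nil {
		fmt.Println("recovery without the attacker's private key:", err)
	}
	// Only the attacker's private key restores the files.
	plain, err := unlockFile(attacker, locked[sharePath])
	fmt.Printf("recovery with the attacker's private key: %q (err=%v)\n", plain, err)
}
```

The hybrid construction is why cleaning up the infection does not help: the antivirus can delete the binary and the public key it carries, but the per-file keys are recoverable only from the wrapped copies, and those open only under a private key that never left the attacker. The same holds for the file on the share, which is encrypted with exactly the same code path as the local one.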
What can people do? A first step has to be through policy and education, as “people clicking on links” remains the number one way for this threat to breach defenses. Security software such as Norton and Symantec Endpoint Protection can identify ransomware threats and remove them from the computer, but removal does not decrypt files that have already been locked, so the only real defense against ransomcrypt attacks is to have your data backed up regularly and securely, with backups stored off-network so they are not subject to the same threat. A backup destination that stays mounted and writable from the infected machine is just another attached drive as far as the malware is concerned, so keep backups disconnected between runs and verify periodically that they actually restore.