BCI Blog Rants by John Warnings, Alerts

Ransomware is making a comeback

Alert: the bad people are back at it again. As if all the new scams weren't enough, ransomware has a new twist, and it is booming. In its latest incarnation, the authors no longer deploy the ransomware themselves; they contract it out, designing it to be custom configured by middlemen and deployed by ghosts, who collect their money and disappear, only to reform under new names, new identities, you name it.

This new style of ransomware comes with some really clever new techniques to avoid detection and some new approaches to maximizing the income potential of holding someone's data hostage. And this new incarnation of ransomware also steals data while encrypting it.

First, a hint of the new techniques. Because the ransomware is sold as a configurable suite of exploitative modules, it isn't easy for antivirus software, security devices, or even behavior-watching protections to recognize. Second, one of the features is a really slick module that funnels disk requests through the operating system's cache manager, uses built-in operating system components (Windows or Apple) to encrypt the data while it sits in the file cache, tags it as modified so that it must be synchronized with physical storage, and lets the operating system finish the dirty work as part of its normal duties.

Deceptively, the ransom for most of these attacks is very affordable, because they (the bad people) really want folks to pay it. Paying identifies for them the people and companies on whom they can then apply further (virtual) blackmail with an expectation of getting more money. So, you pay the $150 ransom and are contacted by a representative of the ransomers, who often sets up and performs the decryption of part of the files, only for you to be told that your data was also stolen and will be publicly posted if you don't pony up lots more money. And they aren't bluffing: there have already been a few very embarrassing cases where they did just that (posted the "secret" data, identified the source, and advertised it on the open web).

So, how do you protect yourself against this kind of assault? Keep your operating system up to date, keep your antivirus and antimalware up to date, and do regular "full" scans of the machine holding the data and of every machine that has access to it. Keep your firewall on and as restrictive as possible (in an office, consider an adaptive firewall appliance or gateway server). Honestly, if you don't get occasional firewall violations and refusals, your firewall is not restrictive enough.

Having good, current, and disconnected backups (not available to be "live" updated and thus also corrupted) is the best way to recover from most ransomware attacks and many other forms of exploitation. Also, having company-wide policies in effect (no alien machines, no disks or drives introduced without proper verification of safety, no gaming, no use of unsecured email services, etc.) can go a long way toward reducing your risk and your attractiveness to "the bad people".

Finally, if you do become a victim of hackers, or scammers, or ransomers, please do not pay the ransom. Instead, seek the assistance of law enforcement, your data insurance provider, IT security professionals, and other professionals as appropriate (each will likely have important insights to help you get through the event with a minimum of damage and cost).
