According to the FBI the incursion of ransomware has just gone from bad to worse. In a recent alert, the U.S. Federal Bureau of Investigation (FBI) warned that recent ransomware variants have targeted and compromised vulnerable business servers to identify and target hosts, thereby multiplying the number of potential infected servers and devices on a network. More troubling still are increasing instances of "proportional" ransomware: ransom demands that vary based on the attacker's estimation of the value of the data being held hostage, and/or the ability of the victim to pay the going rate of the data based on its worth.
By extension - and you knew this was coming - not every victim of ransomware who pays for the decryption keys to release their files actually gets them. In fact, some have been extorted for even more money after paying. By targeting host servers and systems rather than individual users, this inevitably results in protracted recovery times, victims paying more (and more frequently) to get their decryption keys, and the eventuality that victims will simply never be able to fully decrypt all of their files.
Different Countries, Different Ransom Demands
Lawrence Abrams, owner of the tech-help site BleepingComputer, cites one of his sources to conclude that this variance in ransom amount based on the victim's perceived wealth, both personal as well as data, is already at work. Abrams stated that his analysis of multiple ransomware kits that were compromised by security professionals found default (or suggested ransom amounts) that varied based on the geographic location of the victim.
For example, victims in the U.S. generally paid more than people in Western Europe. In the U.S., victims were asked to hand over $200 in Bitcoin, while those in Italy were asked for just a tenth of that amount, or $20 worth of Bitcoin.
The "Countdown Clock"
Although Hollywood's "Saw" franchise has come to an end, its iconic puppet master/villain "Jigsaw" is alive and well and star of his own eponymous ransomware variant. It has the ability to randomly delete an encrypted file from the victim's machine at some predefined interval and to continue doing so until the ransom demand is paid or, of course, there are simply no other files left to eradicate.
For those victims who try to reboot their computer in order to rid the machine of the ransomware, Jigsaw randomly deletes 1,000 encrypted files for each reboot. In other words, if a clock on your screen displays a countdown clock, when that clock reaches zero, it would automatically delete a random encrypted file. And then, for every hour thereafter, it would double the number of files it deleted until you paid.
Of course, as Abrams points out, most ransomware variants come with some version of the countdown clock, however the individuals who hold your data for ransom are mostly inclined to extend their deadline beyond the point the clock makes its way to zero. Just be ready by then, of course, to pony up even more.
Don't be a Victim
The FBI encourages victims of ransomware to report the crimes to federal law enforcement in an effort to get a more thorough look at the threat and its impact, particularly on U.S. victims. But what can you do to make sure you're not the next victim? The FBI offers up the following tips:
- Regularly back up data and verify the integrity of those backups. Backups are critical in ransomware incidents; if you are infected, backups may be the best way to recover your critical data.
- Secure your backups. Ensure backups are not connected to the computers and networks they are backing up. Examples might include securing backups in the cloud or physically storing them offline, although in the case of the former be aware that some instances of ransomware have the capability to lock cloud-based backups when systems continuously back up in real-time, also known as persistent synchronization.
- Scrutinize links contained in e-mails and do not open attachments included in unsolicited e-mails.
- Only download software - especially free software - from sites you know and trust.
- Ensure application patches for the operating system, software, and firmware are up to date, including Adobe Flash, Java, Web browsers, etc. It is often due to vulnerabilities in old versions of popular software programs which allow ransomware variants to even make their way on to a device.
- Ensure anti-virus and anti-malware solutions are set to automatically update, scan often.
- Disable macro scriptsfrom files transmitted via e-mail.
- Implement software restrictions to prevent the execution of programs in common ransomware locations, such as temporary folders supporting popular Internet browsers, or compression/decompression programs.
Today, ransomware is the most profitable cybercrime scheme, with an average take of $300 to $500 per victim, despite only accounting for about one in every 20 malware attacks, according to RSA's Q2 Fraud Intelligence report. While following these steps is not a guarantee you won't be a victim of ransomware, it may make it more difficult for its developers to start a countdown clock on the destruction of your important data.
Author: Heidi Bleau
Category: RSA Fundamentals, Blog Post
Keywords: Cybercrime and Fraud, Fraud, Malware, Ransomware