THE BLOG

Stand And Deliver: Your Money Or Your Files!

10/04/2017 14:41 BST | Updated 10/04/2017 14:41 BST

In the eighteenth century, travellers could be waylaid by a highwayman - a thief who held up coaches on the public highway and demanded that those on board hand over their money and other valuables. The highwayman would typically issue the challenge - 'Stand and deliver: your money or your life!

Ransomware is the modern-day version of a highway robbery - with the difference that our data is held hostage and the 'highwayman's' ransom is displayed on the screen. It comes in two forms. The most common is crypto-ransomware. These programs encrypt data on the victim's device and demand money in return for a promise to restore the data. Blockers, by contrast, don't affect the data stored on the device but prevent the victim from accessing the device. The ransom demand typically masquerades as a notice from a law enforcement agency, reporting that the victim has accessed illegal web content and indicates that they must pay a fine.

Ransomware programs spread in the same way as other malware, including drive-by downloads and attachments and links in e-mail messages. The attackers behind Locky, for example, use mass mailings to distribute their ransomware program - spam, messages that contain a DOC attachment containing a macro that downloads the Trojan from a remote server and executes it.

This type of cybercrime has grown massively in the last few years: at the end of last year, we predicted that ransomware would even gain ground on banking Trojans. For the cybercriminals, ransomware is easily monetised and involves a low cost per victim so it is hardly surprising that ransomware attacks are increasing.

Kaspersky Lab products blocked 1,445,434 crypto-ransomware attacks in 2016 alone - that's almost double the number blocked during the previous year. 62 new crypto-ransomware families, and 54,707 modifications, appeared during the year.

The bulk of ransomware attacks are directed at consumers. Nevertheless, the number of attacks on businesses continues to grow. At the start of 2016, around 17% of crypto attacks targeted the corporate sector; by the end of the year, this had risen to around 24%.

Hardly a month goes by without reports of ransomware attacks in the media. These attacks have varied from an online casino to a hospital - with a 2016 October report suggesting that as many as 28 NHS trusts in the UK had fallen victim to ransomware in the last 12 months.

Successful malware tends to spawn many variants. Unfortunately, one way in which malware can become successful is when someone publishes the source code. Earlier this year a Turkish security expert called Utku Sen created the Hidden Tear ransomware and published the source code online. The idea behind it was to 'teach' security researchers how ransomware works. It didn't take long before variants based on Hidden Team began to appear. Suffice to say that the creation of such 'tutorials' aren't helpful: security researchers don't need this code in order to understand how ransomware works.

One aspect of the massive growth in ransomware is the emergence of 'Ransomware-as-a-Service'. This involves the attackers offering to pay affiliates to distribute their Trojan on their behalf, in return for a cut of the profit made. There are also services that work the other way around: offering a complete set of tools to the encryptor, who takes responsibility for distributing the Trojan and takes a 10% cut of the ransom as commission.

2016 has also seen technical innovation in ransomware programs with one of the most significant innovations introduced in the Petya Trojan. This strain of ransomware is much more dramatic as it aims to block access to the whole hard drive. Once the encryption process has been completed, the Trojan displays a skull-and-crossbones demanding a ransom of 0.9 Bitcoin, equivalent to around $380. to decrypt the hard drive.

Public awareness of the problem is growing but it's clear that consumers and organisations alike are not doing enough to combat the threat; and cybercriminals are cashing in on this. The average ransom demand is around $300, but the amount can vary greatly - especially where businesses are the target.

It's important to reduce your exposure to ransomware and we've outlined important steps you can take to avoid becoming one of the 20% of victims who end up paying but never get their data back.

1. Back up data regularly.

2. Use a reliable security solution, and remember to keep key proactive detection features - such as System Watcher in Kaspersky Lab products - switched on.

3. Always keep software updated on all the devices you use.

4. IT security awareness for all staff is vital. Staff should be encouraged to adopt a security mindset - in particular, to exercise caution when opening e-mail attachments or clicking on links.

5. If you are unlucky enough to fall victim to an encryptor, don't panic. Use a clean system to check the No More Ransom site, where you may find a decryption tool that can help you get your files back.

6. Be very wary about paying the ransom. You might not get your data back; and every payment the cybercriminals receive validates their business model.

7. Last, but not least, remember that ransomware is a criminal offence. Report it to your local law enforcement agency.