UK organisations are still not taking ransomware seriously enough, and continue to fall prey to this method of low cost, low risk cyber extortion.
Businesses still get caught by ransomware, even though straightforward avoidance methods exist. The CryptoLocker ransomware caught many enterprises off guard, but there is a defence strategy that works.
Another factor promoting the popularity of ransomware among attackers is that, unlike many other forms of malware, ransomware does not require any special user rights.
“If your system gets infected by a keylogger, it has to escalate privileges to become an administrator on the system so it can survive a reboot, but all ransomware needs is access to the files the infected user can access,” said chief research officer at F-Secure Mikko Hypponen.
“This makes them a unique problem because you can’t fight ransomware by locking down systems, restricting user access or removing administrator privileges from users.
“I fully support this approach to security. Only give users access to what they need, take away admin privileges, but none of these things will protect against ransomware.”
The most effective way to counter ransomware, said Hypponen, is to backup all critical data, but many organisations are failing in this.
“They may be backing up data, but they are typically not doing it often enough. They are not backing up all the information they really need because files are not being saved to the right folders, and they are not testing their backups regularly. Even if they have backed up the information, they are often unable to restore it to a usable form,” he said.
“In addition to regularly tested backups, organisations should also ensure they would be able to detect and respond to a live ransomware Trojan on their network before it has succeeded in locking up all the data,” said Hypponen.
One way of approaching this is to plant dummy “canary” files throughout the network. These should never be touched by legitimate users and act as alarms. If these files are touched, it points to malicious activity on the network.
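As an added illustration of the canary-file idea (example code, not from the article or from F-Secure): plant dummy files that no legitimate user should touch, record their hashes in a manifest, and raise an alert when one is altered or disappears. The canary filename, the directory names and the manifest location are assumptions; in a real deployment the manifest should live where the infected user account cannot write, since ransomware runs with that account's rights.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path

# Added example: a minimal canary-file check. The filename is an assumption;
# a name that sorts first means an encryptor walking the directory hits it early.
CANARY_NAME = "000_do_not_open.docx"


def _sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def plant_canaries(directories, manifest: Path) -> dict:
    """Drop one canary in each directory and record its hash in the manifest."""
    recorded = {}
    for directory in directories:
        canary = Path(directory) / CANARY_NAME
        canary.write_bytes(b"CANARY " + os.urandom(32))  # unique content per file
        recorded[str(canary)] = _sha256(canary)
    manifest.write_text(json.dumps(recorded))
    return recorded


def check_canaries(manifest: Path) -> list:
    """Return (path, reason) for every canary that is missing or altered."""
    alerts = []
    for path_str, expected in json.loads(manifest.read_text()).items():
        path = Path(path_str)
        if not path.exists():
            alerts.append((path_str, "missing"))    # deleted or renamed (e.g. .locked)
        elif _sha256(path) != expected:
            alerts.append((path_str, "modified"))   # overwritten in place
    return alerts


def demo() -> tuple:
    """Plant canaries in a scratch tree, simulate an encryptor touching them,
    and return (alerts before tampering, alerts after tampering)."""
    root = Path(tempfile.mkdtemp())
    shares = [root / "finance", root / "hr"]   # constructed directory names
    for share in shares:
        share.mkdir()
    manifest = root / "manifest.json"          # keep off the share in practice
    plant_canaries(shares, manifest)
    before = check_canaries(manifest)
    (shares[0] / CANARY_NAME).write_bytes(b"ciphertext")                  # overwrite
    (shares[1] / CANARY_NAME).rename(shares[1] / (CANARY_NAME + ".locked"))  # rename
    return before, check_canaries(manifest)
```

Run `check_canaries` on a schedule (or from a file-system watcher) and treat any non-empty result as an incident trigger, since the only process with a reason to touch these files is a hostile one.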
Ransomware is also popular, he said, because its developers are able to outsource the risk to partners whose role is to infect computers in return for a share of the money extorted from victims.
In addition to ransomware, another new business model for cyber criminals is circumventing the fingerprint locks on iPhones.
“Once fingerprint readers were added to iPhones, users were able to lock and unlock them quickly and easily. This meant that if the phone was stolen, it was useless and could be only sold for spares, which did not yield very much,” said Hypponen.
But researchers are now starting to see criminal organisations that are able to trick victims of mobile phone theft into revealing their iCloud credentials.
“Victims typically receive an email message a few days after their phone is stolen to say it has been located using the ‘track my iPhone’ facility, telling them to click the link embedded in the message,” said Hypponen.
“But the link takes them to a phishing site that asks them to log into their iCloud account, and once they have done that, the criminals have the information to reset the stolen phone and sell it as a fully working device.”
The second lesson learned in 25 years of cyber security, said Hypponen, is that people will never learn, and that user education is a waste of time.
“It doesn’t matter how many times you tell them, they will always double click on every executable. They will always follow every link, they will always type their password and credit card number into any online form that asks for that information, and they will always post their credit card picture and even CVV numbers on Twitter,” he said.
Admitting this may be overly pessimistic, Hypponen said that instead of trying to “patch” people by educating them, the responsibility should be shifted to those better equipped to handle it.
“We should be thinking about where we really want the responsibility to be,” he added. “Do we really want people to be responsible for security when most of them can’t handle it, or should we be thinking about taking the responsibility away from the user and giving it to operating system developers, security companies, and internet service providers and mobile operating firms that provide the connectivity that causes the problems in the first place?”