A new threat to your company: Ransomware
IGNACIO JIMENEZ PI
ÁLVARO TRIGO MARTÍN DE VIDALES
Assistant Director General of Security and Environment MAPFRE
On 12 May 2017, a ransomware called Wannacry infected the IT systems of companies in over 70 countries, affecting banks, hospitals, insurance companies, governmental organizations and top-level IT corporations worldwide, in what is the largest cyber attack known to date.
What is Ransomware and why should I be concerned?
Last year, 2016, we saw Ransomware become the main threat to users, and this trend is continuing in 2017. Ransomware infections are reaching global pandemic rates, and the rapid monetization of the attack and its resulting profitability suggest that the phenomenon will grow, becoming ever more difficult to combat, and that it will be aimed at higher-level targets, even coming to affect large corporations and governments (as predicted by Mr. Robot).
But what is Ransomware, and how does it affect users? The idea goes back almost to the beginnings of home computing: a virus that prevents the user from accessing the system and/or its files and that – and here lies its main threat – demands payment in exchange for restoring access (hence the term “ransom“). The price for restoring access varies between 300 and 1500 euros, and payment does not always guarantee that it will be restored. The key to its success lies in the low complexity of the infrastructure needed to start a campaign and the ease and speed of monetizing such attacks.
To understand the effects of this malware it is useful to know its history. First there were “lockers”: a type of virus that locked the user’s operating system or browser until the victim paid a ransom via SMS or transfers to electronic purses. In Spain, the “police virus“, which tricked users into thinking they had to pay a fine for some infraction they had committed, was well known. This type of virus took a big hit when the law on electronic payments was changed to make collecting ransoms very difficult.
Then came the “ciphers”, which brought two basic and essential changes. First, the proliferation of virtual currency (Bitcoin) allows payments to be made in a practically undetectable way, which changed the rules of the game once again and led to a rise in scams of this type. Second, instead of locking access to the computer, which could be solved by removing the virus or reinstalling the operating system, the malware encrypts all the private files on the computer. These are unique and cannot be recovered by reinstalling. If the ciphers are sufficiently robust, it becomes technically impossible to recover the information without the criminals’ cooperation.
Lastly, from 2014 a constantly growing number of “ciphers” started to be detected on mobile devices running Android. They operate very much as described above: the applications that perform this “hijack” encrypt the images, videos, music and documents on the device.
A figure indicative of the scale of the problem we are attempting to explain: the FBI estimates the losses caused by Ransomware in the first quarter of 2016 to be worth 206 million dollars.
How can Ransomware attack me?
Once the threat to us as users, and the possible impact of being infected by Ransomware, is understood, we must ask: how can we be infected?
Although there are many methods of infecting us, and variants of each, the main one is Trojans served by malicious web pages, or by legitimate web pages that criminals have compromised for the sole purpose of infecting their visitors. This anomalous behavior is often not detected, nor does it affect our browsing experience: the virus simply installs itself in the background, unnoticed by the user.
The second most widespread method of propagation is mass email (spam) carrying links to compromised websites, and also instant messaging, social networks and file sharing on P2P networks (torrents, etc.).
Attacks targeting companies, which are less common than those against individual users, include attacks on servers that exploit known vulnerabilities in the remote desktop protocol (RDP) used by systems administrators to access organizations’ servers.
Since we have talked about the growth of attacks detected on mobile devices, it is important to know how a virus can be introduced into our devices. The method is similar: deceptions published on malicious web pages lead the user to fake copies of the Google Play Store hosting malicious content, where the user ends up installing a malicious application that performs the “hijack” of the device. Interestingly, many of these deceptions work by making users believe their device already has a virus and persuading them to download a supposed antivirus.
What can I do to avoid becoming infected and/or minimize the impact?
Having understood how these types of programs work and the most common ways of being attacked, what should be done to prevent an attack?
- Making backups of our files regularly is definitely the most effective way of combating them. Unfortunately, in most cases affected files or computers cannot be recovered, so restoring from backups is almost always the only option.
- Use antivirus systems on devices. As we have seen, one of the most common infection routes is the execution of certain files on our computers. With a recognized, updated antivirus it will be easier to repel attacks.
- In order to reduce the chances of being attacked, both the applications and the operating system on our equipment must be updated to the latest available version, with all security patches installed. Web browsers (Chrome, Firefox, Internet Explorer, Safari, etc.) are especially important, because infections sometimes occur when browsing certain web pages (either because they have been created for this purpose or because they have been compromised previously).
- Use common sense and, as a general rule, do not trust strange or unknown websites, files or links. If, for example, a link regarding an order you do not expect is sent to your email address, ignore it or, in case of doubt, inform us before accessing it. Often a simple Google search on the subject or body of the email will be enough to discover that what we thought was legitimate is actually a threat.
- Having file extensions displayed can help us better identify an attempted attack. If, for example, we expect to receive an image in an email but receive a compressed file (a “.zip”, for example), this may indicate that something is wrong.
- If we suspect that a recently received file may be some kind of virus, the first thing we should do is disconnect the computer from the network. This mitigates the risk, especially in business environments, of the infection spreading to other computers on the network.
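The extension and attachment checks in the list above, written out as a small triage routine. This is an added example, not code from the article or from MAPFRE; the extension families, magic numbers and the "expected" categories are assumptions chosen for illustration, and the sample attachments are constructed in memory.

```python
import io
import zipfile

# Extension families and magic numbers used by the checks (constructed for this example).
EXECUTABLE_EXTS = {"exe", "scr", "js", "vbs", "bat", "cmd", "hta", "jar"}
IMAGE_EXTS = {"jpg", "jpeg", "png", "gif"}
DOC_EXTS = {"pdf", "doc", "docx", "xls", "xlsx"}
EXPECTED = {"image": IMAGE_EXTS, "document": DOC_EXTS, "archive": {"zip", "rar", "7z"}}
MAGIC = [(b"MZ", "windows executable"), (b"PK\x03\x04", "zip archive"), (b"%PDF", "pdf document"),
         (b"\xff\xd8\xff", "jpeg image"), (b"\x89PNG", "png image")]

def sniff(data: bytes) -> str:
    """What the leading bytes say the file really is, ignoring its name."""
    for signature, kind in MAGIC:
        if data.startswith(signature):
            return kind
    return "unknown"

def triage_attachment(filename: str, data: bytes, expected: str) -> list[str]:
    """Warnings for one attachment (empty list = nothing looked wrong); expected is "image", "document" or "archive"."""
    warnings = []
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    # 1. Double extension such as photo.jpg.exe: the last one is what actually runs.
    if len(parts) > 2 and parts[-2] in IMAGE_EXTS | DOC_EXTS and ext in EXECUTABLE_EXTS:
        warnings.append(f"double extension hides an executable: {filename}")
    elif ext in EXECUTABLE_EXTS:
        warnings.append(f"executable attachment: {filename}")
    # 2. The article's rule: an image was expected but something else (a .zip, say) arrived.
    if ext not in EXPECTED[expected]:
        warnings.append(f"expected {expected}, got .{ext or '(no extension)'}")
    # 3. The extension says one thing, the bytes another.
    kind = sniff(data)
    if ext in IMAGE_EXTS and "image" not in kind:
        warnings.append(f"{filename} does not contain image data ({kind})")
    # 4. Archives are inspected by member name only; nothing is extracted or executed.
    if kind == "zip archive":
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            for member in archive.namelist():
                if member.lower().rsplit(".", 1)[-1] in EXECUTABLE_EXTS:
                    warnings.append(f"archive contains an executable: {member}")
    return warnings

def constructed_zip(member_name: str) -> bytes:
    """In-memory zip with one harmless placeholder member (constructed test data)."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        archive.writestr(member_name, b"placeholder text, not a real program")
    return buffer.getvalue()
```

Run, for instance, `triage_attachment("photos.zip", constructed_zip("photos.jpg.scr"), "image")` to see both the category mismatch and the executable hidden inside the archive reported at once.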
What to do in case of infection?
If, unfortunately, we have not been able to implement the controls mentioned and infection occurs, what should we do? First, it is recommended not to pay the ransom demanded by the cybercriminals, since doing so does not guarantee that the files will be recovered and it encourages this criminal practice. According to recent studies by the antivirus company Kaspersky, one in three users pay the ransom for their files and approximately 20 percent fail to recover them. Instead, depending on the scale of the incident, it is recommended first to assess the possibility of informing the State Security Forces, especially if fundamental rights are considered to have been violated or people’s safety is in any way jeopardized. In the particular case of public bodies and companies of strategic interest to the country, this communication should be channeled through the National Cryptologic Center – CERT, a public body reporting to the National Intelligence Center whose mission is to ensure the security of information systems in public administration.
If, after this, the decision is made to try to recover the files, the approach to their “disinfection” differs from that used for virus attacks of another nature. In a typical infection, files are damaged or behave differently from what is expected because of the action of a malicious file. In such cases, running a traditional antivirus application will usually solve the problem, either by returning the files to their previous state or by directly eliminating the threat. In the case of Ransomware, the problem is that the files have been encrypted rather than infected, so deleting or disinfecting them will not work.
In this case, the recovery strategy must be, first, to remove the program that is encrypting the files on our device and, second, to obtain the key with which they were encrypted. Luckily for us, private agencies and firms work actively on this task, offering free applications and resources that can serve our purpose. Especially well known in the cybersecurity world is the “No More Ransom” project, led by Europol and the technology unit of the Dutch police, together with one of the most important private companies in the sector. Through this organization they offer a set of free tools that allow files attacked by the great majority of Ransomware families to be decrypted, as well as tips and guides on how to approach an incident of this nature.
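Because the files have been encrypted rather than infected, a responder's first practical task is to work out which files are ciphertext (to be restored from backup or handed to a decryption tool) and which are still intact. The byte-entropy triage below is an added example, not code from the article or from the No More Ransom project; the threshold, the sample files and the SHA-256 chain that stands in for ciphertext are all constructed assumptions.

```python
import hashlib
import math
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant file, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(count / total * math.log2(count / total) for count in Counter(data).values())

def looks_encrypted(data: bytes, threshold: float = 7.5) -> bool:
    """Output of a robust cipher sits close to 8 bits/byte; documents, code and configs sit far below.
    Already-compressed formats (zip, jpeg, media) also score high, so treat this as a triage
    signal to be combined with the file's original type, not as proof on its own."""
    return len(data) >= 256 and shannon_entropy(data) >= threshold

def ciphertext_stand_in(size: int) -> bytes:
    """Constructed stand-in for ciphertext: a SHA-256 chain, statistically indistinguishable from
    random bytes for this purpose. No real cipher or victim data is involved."""
    out, block = b"", b"constructed seed"
    while len(out) < size:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:size]

def scope_incident(files: dict[str, bytes]) -> list[str]:
    """Names of files that appear encrypted: the restore-from-backup list, and the input a
    decryption tool (such as those the No More Ransom project publishes) would be pointed at."""
    return sorted(name for name, data in files.items() if looks_encrypted(data))

# Constructed sample set for this example; the third entry plays the role of an encrypted document.
SAMPLE_FILES = {
    "minutes.txt": b"Board meeting minutes. Decisions: approve the budget and review backups. " * 20,
    "backup.ini": b"[backup]\nschedule=daily\nretention_days=30\noffline_copy=yes\n" * 20,
    "minutes_after_attack.bin": ciphertext_stand_in(4096),
}

if __name__ == "__main__":
    for name, data in SAMPLE_FILES.items():
        print(f"{name:26s} entropy={shannon_entropy(data):.2f} bits/byte")
    print("appear encrypted:", scope_incident(SAMPLE_FILES))
```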
Is there any way to insure against possible computer incidents?
The increased incidence of new cyber threats has led to a proliferation of insurance products in our markets that provide cover to companies. A recent report from the PwC consultancy says that about 30 percent of American organizations currently have some form of coverage to protect themselves against the consequences of cyberattacks (mostly in the health, technology and retail sectors). In Spain the figure is lower, and currently it is only Ibex 35 companies that seem to be aware of the problem, about half of them already having, or being in the process of taking out, some kind of policy. It should be noted that policies of this kind are often not standardized but individually adapted, so that companies can customize the coverage applied and choose the cover most appropriate to the specific needs of their business.
Since cyber attacks often have a direct impact on company operations, cyber risk insurance should be prepared to cover potential financial losses, along with expenses related to forensic investigation or the process of communication to clients (it should be noted that the forthcoming European Union Regulation 2016/679 will oblige companies to report security breaches and notify third parties of breaches of their data). In the particular case of Ransomware attacks, the main aspect distinguishing the type of policy to be applied from others is coverage related to extortion costs.
MAPFRE now offers Cyber Risk Insurance to protect its clients, SMEs and the self-employed, against this new type of threat, covering:
- Image restoration costs.
- Fines and penalties as a result of the attack.
- Legal defense expenses.
- Theft of confidential information.
- Damage to IT systems.
- Financial losses due to business interruption.
You can get more information via the following link: https://www.mapfre.es/seguros/empresas/seguros-de-responsabilidad-civil/seguro-ciberriesgos/
Since Ransomware on mobile devices is one of the vectors in which growth is predicted to be exponential, if you are interested in learning about and exploring the world of cybersecurity on mobile devices, we recommend, as a basic bibliography, the book “Mobile Hacking” published by ANAYA, which looks at questions of this type. http://www.anayamultimedia.es/libro.php?id=4312499