By John Lim, CTO

Memories for Ransom

I have a question for you: If someone held your wedding photos ransom, how much would you be willing to pay to get them back?

Here’s a different question: How much would you be willing to pay to ensure you never have to make that kind of decision?

That, in a nutshell, is the problem you face with the oft-adapting malware called “Cryptolocker,” a strain of ransomware that gains access to your computer and file shares, encrypts every file it touches, and holds the decryption key for ransom until you pay.

Cryptolocker commonly infects systems via ingeniously masked email attachments, hacked websites or banner ads. We’ve seen unwitting human resource professionals double-click attachments entitled “Resume.pdf” that launch Cryptolocker across all of their system’s network shares, encrypting the files and holding the data hostage until they pay for the key to decrypt their own files. Worst-case scenario? They can’t afford to decrypt their files or opt not to negotiate with terrorists. Second worst-case scenario? They pay the going rate of $500 per system (in bitcoin, the untraceable crypto-currency of the internet) and retrieve their files.

Stranger than Fiction

Does this sound like science fiction? Unfortunately, it’s all too real. At TekTegrity, we see 5,500 malware infections prevented each day on the 6,000 systems we manage, but malware slips through to infect an average of three machines per day, with one machine requiring a complete reinstallation each month.

If no one ever paid the ransom, ransomware would not exist; it’s a great business model because many people do pay. And ransomware is definitely big business. According to Wired Magazine, “Symantec has estimated, conservatively, that at least $5 million is extorted from ransomware victims each year.” A Vice article from 2013 describes how hackers provide customer service to those trying to pay their files’ ransom. And Radiolab profiles blindsided ransomware victims on the podcast entitled “Darkode.”

Cat and Mouse Game

Ransomware is a cat-and-mouse game. Sure, you can do a lot of preventative maintenance: ensure that your antivirus software is up to date, that your workstations and servers have all the Windows security patches, that Flash and Java are current, and that you collect the most recent samples and tune detection for the latest Cryptolocker variants. We do all of that (and more) as a precaution for our clients. But no one’s system is ever going to be bulletproof; thousands of hackers adjust the malware and send it back out, hundreds of thousands of times.

This isn’t fear-mongering – it’s a reality check. Remember my original question? People pay to decrypt their intellectual property, their memories, and their irreplaceable data because, when presented with a ransom situation, they have no other option.

Getting in the Driver’s Seat

But, with a little forethought and prevention, you can walk away from a Cryptolocker infection with your files intact. It’s simple:

  1. Back up your files,
  2. Do it regularly, and
  3. Make sure each backup is validated. Oh, and…
  4. NEVER, ever open unknown attachments.

Backup is your greatest, final line of defense against ransomware. Just be sure that the process is checked and validated. Validation can happen through your IT provider or IT department; they should back up at least daily and validate that your backups are good, meaning that you can actually get files back off of those backups. Alternatively, if you’re a home user, programs like Carbonite offer routine, cloud-based backup at a price that’s far more cost-effective than paying a ransom. (Keep in mind that programs like Dropbox are file-syncing services, not backup services, and a sync service faithfully replicates the encrypted versions of your files; likewise, backing up via email is ineffective against Cryptolocker.)
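As an added example (not TekTegrity’s tooling or anything from the original post), this is the kind of check step 3 means in practice: a SHA-256 manifest is recorded when a known-good backup is taken and re-checked later, so a file that was encrypted in place or never copied is caught before the day you need the backup. The file names and contents in `demo()` are constructed.

```python
"""Validate a backup set against a SHA-256 manifest written at backup time.

A file encrypted in place before the next backup run fails the hash check, and a
file that never made it into the set shows up as missing; an empty result means
the set is one you can actually restore from.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large media files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(backup_dir: Path) -> dict:
    """Record the hash of every file in a freshly taken, known-good backup."""
    return {p.relative_to(backup_dir).as_posix(): sha256_of(p)
            for p in backup_dir.rglob("*") if p.is_file()}


def validate_backup(backup_dir: Path, manifest: dict) -> list:
    """Return (relative_path, problem) pairs; an empty list means the set is intact."""
    problems = []
    for rel, expected in manifest.items():
        p = backup_dir / rel
        if not p.is_file():
            problems.append((rel, "missing"))
        elif sha256_of(p) != expected:
            problems.append((rel, "hash mismatch"))
    return problems


def demo() -> list:
    """Constructed scenario: a clean backup, then one file overwritten with
    random bytes (as an encrypting ransomware would) and one file deleted."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp)
        (backup / "photos").mkdir()
        (backup / "photos" / "wedding-001.jpg").write_bytes(b"\xff\xd8\xff\xe0 constructed jpeg")
        (backup / "resume.docx").write_bytes(b"PK\x03\x04 constructed docx")
        manifest = write_manifest(backup)
        clean = validate_backup(backup, manifest)  # expected: [] on a good set
        (backup / "photos" / "wedding-001.jpg").write_bytes(os.urandom(32))
        (backup / "resume.docx").unlink()
        return clean + sorted(validate_backup(backup, manifest))
```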

The importance of validating your backups can’t be overstated. Hollywood Presbyterian Medical Center recently paid $17,000 to ransom their files, a massive HIPAA violation over which the government will most definitely bring them to court. And all because their backups weren’t sufficient or complete.

As for Cryptolocker remediation, TekTegrity can spin up a virtual server from a client’s backups and start transferring that data back to their systems while also analyzing where the attack came from. If there are multiple machines at risk, we work out which one was hit first and contact our antivirus software partners (like Webroot) to see if they have any more recent updates on Cryptolocker variants. The downside of remediation is how long it can take: downtime can be an hour to a couple of days.

Here’s the bottom line: If you never want to encounter the threat of losing your files to ransomware – or worse, having to pay for their decryption – steer clear of the internet. Period. If that’s not an option, however, I highly recommend looking into cloud-based backup for home users, and reputable IT providers that perform daily backups for businesses. And never, never open an attachment unless you know exactly who’s sending it to you and why.