Ransomware gets creative, targets smartphones

Today’s hackers don’t just encrypt your files and hold them hostage, promising to supply a decryption key after ransom is paid. Many of them also encrypt the file names and extensions and delete all shadow copies of your files. Here’s what you can do to both defend and mitigate.

Happy Cyber Security Awareness Month! Yes, that’s really a thing. But before you bust out the cake and candles, this is, sadly, not exactly an occasion to celebrate. The numbers show that security threats continue to grow exponentially as networks expand their reach, and one of the fastest growing cyber threats is ransomware.

Intel Security researchers say the number of ransomware incidents worldwide topped seven million during the second quarter of 2016 alone. Additional figures from Symantec suggest there were 100 new ‘families’ of ransomware discovered during 2015.

No wonder there were four separate presentations on ransomware at the recent SecTor infosec conference in Toronto. One was given by James Antonakos, an incident response consultant at Trustwave. After taking the audience through a brief (though scary) history of how ransomware has evolved in recent years, he talked about what organizations can do to both defend and mitigate.

Shape shifting

Ransomware developers are a creative, though evil, group of people. “They keep adding new twists to make it more difficult to get your files back,” said Antonakos.

Today’s hackers, he said, don’t just encrypt your files and hold them hostage, promising to supply a decryption key after ransom is paid. Many of them also encrypt the file names and extensions and delete all shadow copies of your files.

The newest bad kid on the block is CryPy. As explained in Naked Security, this ransomware applies a different encryption key to every single file and gives each one of those files a new name.

“Hello? It’s me, Ransomware”

“People with smartphones are susceptible. So it’s not just a Windows problem,” Antonakos warned.

Yes, ransomware has made its way to smartphones. As covered by IT Portal, new figures from BitDefender suggest ransomware is now the most common mobile malware threat to Android devices in the U.S., U.K., Germany, Denmark and Australia. Android ransomware locks the phone’s screen or changes its PIN code, with hackers demanding ransom to turn the device from a brick back into a useful object.

Antonakos said this obviously has worrisome implications for the enterprise by way of BYOD: “You’re not safe with your phone either. And unfortunately, some people are carrying around their personal phones with work documents (on them).”

To pay or not to pay

Antonakos is unequivocal in his belief that ransom should never be paid. “Sometimes you pay the ransom and get the decryption key but it doesn’t work,” he said. “Paying that ransom is no guarantee you’re not going to get hit again and have to pay another ransom.”

The FBI has issued similar warnings and advice. Apparently some of London’s top financiers didn’t get that memo. In an interview with Business Insider, the CEO of Malwarebytes said London banks admitted to him that they stock up on bitcoin, specifically to have it on hand in case of ransomware attacks. Blimey.

What to do

Antonakos wrapped up his talk with his top tips for defending against ransomware:

  • maintain multiple current backups
  • manage limited (read only) access permissions where warranted
  • use a firewall, intrusion detection systems (IDS), intrusion prevention systems (IPS) and anti-virus software to assist with real-time detection and mitigation
  • have an incident response team in place, ready to respond quickly to a ransomware infection
  • disable syncing on Internet-based file storage to prevent spreading ransomware
  • employ software restriction policies
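As an added illustration of the “real-time detection” tip above (example code written for this article, not from Antonakos’s talk), this Python script flags the two behaviours the article describes, shadow-copy deletion and mass renaming of files to new names and extensions, over a constructed endpoint event log; the log format, the process names, the four-renames-per-minute threshold and the shadow-copy command pattern are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Constructed sample of endpoint events (not real telemetry). Format:
# timestamp|event|process|detail, where detail is "old -> new" for renames.
SAMPLE_EVENTS = """\
2016-10-14T09:00:01|rename|explorer.exe|C:\\Users\\a\\q3.xlsx -> C:\\Users\\a\\q3_final.xlsx
2016-10-14T09:05:10|process|cmd.exe|vssadmin delete shadows /all /quiet
2016-10-14T09:05:11|rename|svc.exe|C:\\Users\\a\\report.docx -> C:\\Users\\a\\8f2a1c.locked
2016-10-14T09:05:11|rename|svc.exe|C:\\Users\\a\\budget.xlsx -> C:\\Users\\a\\c09d7e.locked
2016-10-14T09:05:12|rename|svc.exe|C:\\Users\\a\\photo.jpg -> C:\\Users\\a\\77b0aa.locked
2016-10-14T09:05:13|rename|svc.exe|C:\\Users\\a\\notes.txt -> C:\\Users\\a\\1e4f29.locked
"""

# Shadow-copy deletion: the classic precursor to leaving victims without restore points.
SHADOW_DELETE = re.compile(r"vssadmin.*delete\s+shadows", re.IGNORECASE)
RENAME_THRESHOLD = 4            # renames with new stem AND new extension ...
WINDOW = timedelta(seconds=60)  # ... by one process inside this window (assumed values)


def detect(events: str):
    """Return alerts as (timestamp, process, reason) tuples, one per incident."""
    alerts = []
    recent = defaultdict(deque)  # process -> timestamps of suspicious renames
    for line in events.splitlines():
        ts_s, kind, proc, detail = line.split("|", 3)
        ts = datetime.fromisoformat(ts_s)
        if kind == "process" and SHADOW_DELETE.search(detail):
            alerts.append((ts_s, proc, "shadow copy deletion"))
        elif kind == "rename":
            old, new = (PureWindowsPath(p.strip()) for p in detail.split("->"))
            # A new stem *and* a new extension looks like ransomware renaming,
            # not a user saving "q3.xlsx" as "q3_final.xlsx".
            if old.stem != new.stem and old.suffix != new.suffix:
                q = recent[proc]
                q.append(ts)
                while q and ts - q[0] > WINDOW:  # drop renames outside the window
                    q.popleft()
                if len(q) == RENAME_THRESHOLD:   # alert once when the burst is reached
                    alerts.append((ts_s, proc, "mass rename to new extension"))
    return alerts


if __name__ == "__main__":
    for when, proc, reason in detect(SAMPLE_EVENTS):
        print(f"{when} {proc}: {reason}")
```

A real deployment would feed this from an EDR or Sysmon stream rather than a string, but the two heuristics are the same ones a host-based IDS rule would carry.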

The strongest weapon against ransomware, he insisted, is knowledge.

“One of the most effective things you can do is educate your staff,” said Antonakos. “Don’t just do it once when they’re newly hired. Do it when they’re hired and periodically, once a month or every two months. Do it via group emails or get-togethers with lots of variety so people don’t get bored and start ignoring it.”

The insider threat is the biggest threat you have to deal with, he continued, because employees already have permission to be on your network — and already have access to systems on your network. “Even if they’re completely innocent and well intentioned, they could do something wrong.”
