Ransomware: Do not pay

Our guest writer this week is Dr. Greg Bolcer. Greg has a BS and PhD from UC Irvine in Information & Computer Science and an MS from USC in Software Engineering. While at UC Irvine, he worked on several DARPA funded research projects on Web technology, protocols, and standards. Since leaving academia he has been the key architect for multiple software-as-a-service, security-as-a-service, augmented reality, and big data venture-funded startups. He works as a Chief Technology Officer at a data intelligence company.


Breaking Bad

By Dr. Greg Bolcer


When it comes to computer security, users are their own worst enemies

Years ago a friend told me, "I don't need virus protection on my computer." I asked her why she thought she didn't. She said, "I'll know it when I see it."

She thought that computer viruses were nothing but adware: malicious advertising software that, once on your computer, shows you a stream of popup advertisements, pop-under advertisements (they appear after you've closed your windows), and toast (little popups that sit in the corner and take over a bit of your screen real estate).

After grabbing my head and rubbing my eyes for five minutes, I could see the problem: She was blind to computer security. 


Your information, sold on the digital black market

Adware popups, spamware and scamware were the state of the art circa 1998-2001. When they showed up on your computer, you could actually see the effects.

Soon after that, malware authors started hiding their software as well as they could. The only visible effect might be a computer that ran a little slower, while in the background it watched your computer and your network traffic for social security numbers, bank account passwords, credit card numbers, and anything else that could be sold on the digital black market.


Too expensive, too slow

Users didn’t protect their computers because virus, security, and privacy protection programs cost money. When you installed these programs, the only visible effect would be that your computer would run a lot slower. 

Luckily, modern security software has a whole slew of protections and performance enhancements that make it an essential part of any computing environment, but most users still won't spend the money to purchase the software. Free versions are abundant, though, and perform well even on the oldest of computers. 

For most Mac OS X users, the paucity of Mac viruses "in the wild" (the term for malware actually circulating on real users' machines, as opposed to proof-of-concept code in a security research lab) didn't justify antivirus software either.


The four horsemen of Interweb security

Sometime between 2011 and 2013 everything changed. The four horsemen of the Apocalypse came galloping into the world of consumer computing faster than security vendors could defend against them: spyware, rootkits, trojans, and ransomware.

Spyware -- Software that sits in the background of your computer looking for private information like passwords, bank account details, credit card numbers, social insurance numbers, tax forms, or other personal data, and sends it to other computers when you least expect it.

Rootkits -- A set of tools that hides its own presence, and that of other malware, from the operating system and from security software, typically so that an attacker can keep remote, full control of a system without being detected.

Trojans -- A program that poses as something useful or harmless so that the user installs it and grants it permissions, while carrying a malicious payload alongside the innocuous function.

Ransomware -- A type of malicious software that encrypts or blocks access to a user's own data or network until a sum of money is paid. 


2016 is set to become the year of ransomware

As the graph above shows, we've crossed the Rubicon.

Out of the four, ransomware has the potential to be the most disruptive, as it is by far the most profitable. 

Individual users are willing to pay hundreds of dollars to have their files unlocked. Businesses are willing to pay thousands of dollars to unlock their Web or email servers. Hospitals are willing to pay hundreds of thousands of dollars to unlock their patient data and medical records.


Under no circumstances should you ever pay

Under no circumstances should you ever pay, but that doesn't keep people from doing so. Some people pay out of guilt, ignorance, or expedience. Paying has two problems beyond the money: it funds the next campaign, and it buys only a promise, since nothing obliges the criminals to send you a key that works.


Things have changed for the worse 

As of earlier this year, few ransomware strains could disable your backups, sabotage your recovery, or block a system repair.

Most of them could do no more than run a program at startup or reboot that locked you out of the computer. The more sophisticated ones could also disable your virus protection or corrupt whatever backups they could reach.


There are now more than a dozen strains of the most sophisticated ransomware the world has ever seen

They stay quiet until they choose to be noticed. They are patient as all hell, and will wait until they have identified your security protections, your backup procedures and locations, and figured out how to corrupt them.

Some ransomware even writes itself into the boot sector of your startup disk, so that it runs before the operating system does, and researchers have shown that malware can lodge itself in the motherboard firmware. Pulling the motherboard battery only resets the BIOS settings (the BIOS being the firmware that tells the computer how to find and start its software); it does not erase code written into the firmware chip, so it will not recover your system.

A boot-sector infection is cured by wiping and repartitioning the disk and reinstalling from clean media. For a firmware-level infection, the only hope is that you had an offline backup somewhere so you can restore it to a new set of hardware.

Once it is in control, the ransomware encrypts whatever it wants to keep you away from. Encryption, despite what you see in the movies, cannot be broken by force: a properly generated 256-bit key will not be found by a supercomputer, a ton of electricity, a government installation, or near-infinite patience. Where researchers do manage to unlock files without the ransom, it is because the ransomware's authors slipped up (a key derived from a predictable value, a key left behind on the disk, a command server seized along with its keys), not because the cipher gave way.


What can you do about it? 

There are several foolproof steps you can take to keep from falling victim to this type of hijinks.

Never turn your computer on
Unfortunately for most of us, this defeats the purpose of having a computer. 

Never connect to the network
Most people don't care about their computer per se, but they like the things it connects to, including data, files, email servers, Web servers and social networking, so this is another non-solution. 

Never put anyone else's USB stick in your USB ports
Yes, USB sticks are a classic way to pick up the worst type of malware, including the kind that writes itself into your boot sector, and a stick that has been in an infected machine will carry it to the next one. (The most common delivery route for ransomware is still a booby-trapped email attachment or web page, so keep your guard up there too.) If your USB stick is ever out of your sight, treat it as compromised and throw it out (but not before taking a hammer to it, or better yet, a blowtorch). And for goodness' sake, if you ever find a stray USB stick in your mailbox or the company parking lot, treat it like a vial of Ebola.

Always have a USB stick that is a boot recovery drive
Build it on a machine you know is clean, include proper boot recovery tools and drivers, and write-protect it if the stick has a switch. Keep it in a glass frame on your wall behind your monitor with a sticky note that says to use it only in case of emergency; never leave it plugged in, or it becomes just one more drive for the ransomware to find. Booting from it gives you a clean environment from which to copy off whatever survived and reinstall, which gets you past most casual ransomware you might encounter while using the Interwebs.

Always keep a bootable clone of your system drive
Have software that copies the whole drive to a completely separate hard drive once a week. Attempt to boot from the clone every once in a while to make sure you can. If you are lucky, recovering might be as easy as booting from the clone and copying it back over your original drive. One caveat: a clone that stays connected is just another volume for the ransomware to encrypt, and a weekly clone job that runs after the infection will faithfully copy the encrypted files over your good ones. Plug the clone in for the copy, check that the source still looks healthy before the job runs, and unplug it afterwards.

Always have a backup
In fact, have multiple backups. Use multiple cloud services like Google Drive, iCloud, Dropbox, or any number of others, but understand that a sync folder mirrors encrypted files just as faithfully as the originals; what saves you there is the service's version history, so check how far back it goes. Have a versioned backup (one that keeps a history of every change to every file, so you can roll back to the copy from before the encryption started) using professional backup software, and keep one copy offline: the old 3-2-1 rule, three copies on two kinds of media with one of them off-site or unplugged, exists precisely because the patient strains described above go looking for your backup locations. This will allow you to revert to unencrypted files or at least recover them to a different system.
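The failure mode that turns ransomware into permanent data loss is a sync or clone job that faithfully copies the encrypted files over the last good copy, then prunes the old version. As an added illustration (not code from the column, nor from any backup product), the Go program below is the check a backup job should run before it accepts a new snapshot: it keeps every accepted version, and refuses a new one when most of the known files have been rewritten and now have the statistical profile of ciphertext, whether they were overwritten in place or replaced by renamed copies. The file names, the sample text, the 7.5 bits-per-byte entropy threshold and the "half the files" rule are assumptions chosen for the demonstration; real backup software would persist the manifests to disk and tune the thresholds against its own data.

```go
package main

import (
	"crypto/sha256"
	"fmt"
	"math"
)

// Entry is one file's content hash and Shannon entropy in bits per byte.
// Documents sit well under 7.5; ciphertext and compressed data at 7.9-8.0.
type Entry struct {
	Hash    [32]byte
	Entropy float64
}

type Manifest map[string]Entry

const ransomEntropy = 7.5 // assumed threshold; tune it against your own data

func shannon(b []byte) float64 {
	var counts [256]float64
	for _, c := range b {
		counts[c]++
	}
	h, n := 0.0, float64(len(b))
	for _, c := range counts {
		if c > 0 {
			h -= c / n * math.Log2(c/n)
		}
	}
	return h
}

// manifestOf indexes a tree (relative path -> content) by hash and entropy.
func manifestOf(tree map[string][]byte) Manifest {
	m := Manifest{}
	for p, c := range tree {
		m[p] = Entry{sha256.Sum256(c), shannon(c)}
	}
	return m
}

// Verdict compares the last snapshot with the live tree. Changed counts files
// rewritten or vanished; Suspicious counts files that now hold ciphertext where
// none was before, whether overwritten in place or renamed (report.pdf ->
// report.pdf.locked). Block means: copy nothing, prune nothing, raise an alarm.
// A few edited files never trip it; a mass rewrite into ciphertext does.
type Verdict struct{ Total, Changed, Suspicious int }

func (v Verdict) Block() bool {
	return v.Changed >= 5 && v.Changed*2 > v.Total && v.Suspicious*2 > v.Changed
}

func assess(prev, cur Manifest) Verdict {
	var v Verdict
	for p, old := range prev {
		v.Total++
		if now, ok := cur[p]; !ok || now.Hash != old.Hash {
			v.Changed++
		}
	}
	for p, now := range cur {
		if old, ok := prev[p]; now.Entropy >= ransomEntropy && (!ok || old.Entropy < ransomEntropy) {
			v.Suspicious++
		}
	}
	return v
}

// Store is a versioned backup: every accepted snapshot is kept, oldest first,
// so you can roll back to the copy from before the encryption started. A sync
// folder with no history is exactly what this is not.
type Store struct {
	Names     []string
	Snapshots []map[string][]byte
}

// Add runs the check against the newest snapshot before keeping a copy.
func (s *Store) Add(name string, tree map[string][]byte) error {
	if n := len(s.Snapshots); n > 0 {
		if v := assess(manifestOf(s.Snapshots[n-1]), manifestOf(tree)); v.Block() {
			return fmt.Errorf("refusing snapshot %s: %d/%d files changed, %d look encrypted", name, v.Changed, v.Total, v.Suspicious)
		}
	}
	copyOf := map[string][]byte{} // private copy: later edits must not rewrite history
	for p, c := range tree {
		copyOf[p] = append([]byte(nil), c...)
	}
	s.Names = append(s.Names, name)
	s.Snapshots = append(s.Snapshots, copyOf)
	return nil
}

func main() {
	docs := map[string][]byte{} // constructed sample tree
	for i := 0; i < 8; i++ {
		docs[fmt.Sprintf("letters/draft%d.txt", i)] = []byte("Dear editor, thank you for the column on ransomware.")
	}
	var store Store
	fmt.Println("week 1:", store.Add("2016-06-01", docs))
	docs["letters/draft0.txt"] = []byte("Dear editor, second thoughts on that column.") // an ordinary edit
	fmt.Println("week 2:", store.Add("2016-06-08", docs))
	locked := make([]byte, 1024) // stand-in ciphertext: every byte value four times, entropy 8.0
	for i := range locked {
		locked[i] = byte(i)
	}
	after := map[string][]byte{} // the same folder after a ransomware run
	for p := range docs {
		after[p+".locked"] = locked
	}
	fmt.Println("week 3:", store.Add("2016-06-15", after), "/", len(store.Snapshots), "good snapshots kept")
}
```

Run it and the third snapshot is refused while the first two stay intact and restorable. The rule is keyed on a change in entropy rather than on entropy alone because a folder of already-compressed data (photos, zip archives, video) looks like ciphertext to begin with; in-place encryption there is counted as changed but not suspicious, so a production version would also check each file's magic bytes against its extension.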

Finally, if all else fails, there are anti-ransomware programs
These are decryptor tools from security vendors who have reverse-engineered a particular strain and found a flaw in its key handling: a key derived from a predictable value, a key left behind on the disk, or a key server seized by the police. They do not break the cipher itself, so a decryptor exists only for the strains whose authors slipped up. Reputable vendors publish them for free; be suspicious of any paid "decryptor" pushed at you by an unknown party, which at best is a repackaged free tool and at worst comes from the same people who locked your files, so you would be paying either way.
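To make concrete both the earlier claim that the encryption cannot be forced and the point that decryptors work by exploiting the authors' mistakes, here is an added toy model in Go of the two key-handling designs (constructed for this column, not the code of any real strain, and not an exploit). The sound design draws a fresh random 256-bit key per file, encrypts with AES-256-GCM and wraps the key with RSA-OAEP to a public key that would be baked into the malware; only the matching private key, which stays on the criminals' server, can unwrap it. The flawed design keys the same cipher from a 32-bit seed such as a timestamp, which is the kind of slip a vendor's free decryptor exploits by walking the seed space. The function names, the sample record and the seed window are assumptions made for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Locked is what the toy ransomware leaves behind for one file: the per-file key
// wrapped to the attacker's RSA public key (empty for the flawed strain), plus
// the AES-256-GCM nonce and ciphertext.
type Locked struct{ WrappedKey, Nonce, Ciphertext []byte }

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func seal(key, plaintext []byte) (Locked, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return Locked{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Locked{}, err
	}
	return Locked{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil)}, nil
}

// unseal fails on GCM's authentication tag when the key is wrong, which is what
// makes a guess detectable (and, below, what the decryptor relies on).
func unseal(key []byte, l Locked) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, l.Nonce, l.Ciphertext, nil)
}

// newAttackerKey stands in for the key pair the criminals generate once and keep
// on their own server; only the public half travels inside the malware.
func newAttackerKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// lockProperly models sound key handling: a fresh random 256-bit key per file,
// wrapped with RSA-OAEP. Nothing able to unwrap it ever exists on the victim's
// machine, and 2^256 guesses is not a job for any supercomputer.
func lockProperly(plaintext []byte, attacker *rsa.PublicKey) (Locked, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return Locked{}, err
	}
	l, err := seal(key, plaintext)
	if err != nil {
		return Locked{}, err
	}
	l.WrappedKey, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, attacker, key, nil)
	return l, err
}

// attackerUnlock is what a paying victim is buying: the private key unwraps the
// file key. The malware left on the victim's machine cannot do this.
func attackerUnlock(l Locked, priv *rsa.PrivateKey) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, l.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	return unseal(key, l)
}

// keyFromSeed is the classic implementation mistake: the "random" key is a hash
// of a low-entropy value such as a 32-bit timestamp or process ID.
func keyFromSeed(seed uint32) []byte {
	var b [4]byte
	binary.BigEndian.PutUint32(b[:], seed)
	k := sha256.Sum256(b[:])
	return k[:]
}

// lockBadly models the flawed strain: the same cipher, keyed from a seed.
func lockBadly(plaintext []byte, seed uint32) (Locked, error) {
	return seal(keyFromSeed(seed), plaintext)
}

// freeDecryptor is how a vendor's tool recovers files from the flawed strain
// without a ransom: walk the small seed space (a window of candidate timestamps)
// and let the authentication tag say when the key is right.
func freeDecryptor(l Locked, lo, hi uint32) ([]byte, uint32, error) {
	for seed := lo; seed <= hi; seed++ {
		if pt, err := unseal(keyFromSeed(seed), l); err == nil {
			return pt, seed, nil
		}
		if seed == hi { // guard against uint32 wrap-around when hi is MaxUint32
			break
		}
	}
	return nil, 0, errors.New("seed not in range")
}

func main() {
	priv, _ := newAttackerKey()
	record := []byte("patient 4711: discharge summary (constructed sample)")
	good, _ := lockProperly(record, &priv.PublicKey)
	_, err := unseal(make([]byte, 32), good)
	fmt.Println("victim guessing a key:", err) // cipher: message authentication failed
	pt, _ := attackerUnlock(good, priv)
	fmt.Println("attacker with the private key:", string(pt))
	bad, _ := lockBadly(record, 1466000000) // flawed strain keyed from a Unix timestamp
	pt, seed, _ := freeDecryptor(bad, 1465990000, 1466010000)
	fmt.Printf("free decryptor: seed %d -> %s\n", seed, pt)
}
```

The victim's wrong-key attempt fails on GCM's authentication tag, the attacker recovers the record with the private key, and the decryptor finds the seed in a window of twenty thousand candidate timestamps in well under a second. The properly generated key has 2^256 possibilities and no such shortcut, which is the whole difference between a strain that gets a free decryptor and one that does not.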

Bottom line: It has become a more dangerous world. Consumers are individually small targets, and ransomware operators are more interested in pursuing the large ones, but commodity ransomware is sprayed at everyone through spam and malicious ads, so small does not mean safe.

Best advice: DON’T be an appeaser and feed the beast. As Winston Churchill said, “An appeaser is one who feeds a crocodile, hoping it will eat him last.”

This article is written by or on behalf of an outsourced columnist and does not necessarily reflect the views of Castanet.





About the Author

Welcome to Writer’s Bloc, an opinion column for guest writers to share their experiences and viewpoints with our readers.

