Wednesday 29 March 2017

Ransomware flood

According to the FBI, ransomware costs $1 billion per year. I'm guessing that's just in the USA, so the total must be several billion.

And according to the FBI, the average ransom demand is $679, which translates to 15 million ransoms paid in the US. So maybe 100 million worldwide?

That's a lot. What are the causes?

1. It's a really good business model. $679 is a small sum to pay for all your data; I know that because when we ran a recovery service getting data from dead drives, people were willing to pay much more than that. And because it's bitcoin, there's no risk of the ransom being traced back to the criminal.

2. Antivirus products are pretty much ineffective. According to this article, "Some traditional anti-virus vendors were caught out by ransomware's sudden rise from obscurity, which caused blocking rates to drop." That's nonsense, of course - ransomware is just a particular case of malware. AV products should block all malware. And if you submit some malware-bearing emails to VirusTotal, you'll see that 95% of products just don't flag them.

3. Email and malvertising mean that the malware is delivered to the user before any AV company has a chance to update their product.

So what can you do? There are two cases: before you're hit, and after you're hit.

After you're hit, you can pay the ransom and hope that the criminal is honest enough to give you the key (I suppose there are some honest criminals), or you can refuse to pay and wave goodbye to your data. Neither route is attractive. If you get lucky, the ransom demand was a bluff, or maybe someone has cracked the encryption for that particular ransomware. It's worth checking this out, but don't hold your breath.

Before you're hit, you have lots of good options.

1. Block executables in attachments. If someone sends me a file with an executable attachment, it goes to a folder set aside for such things.

2. Disable macro execution in Word and Excel. Don't re-enable it just on the say-so of an incoming email.

3. Set javascript (.js) files to open in Notepad.

4. Install a javascript blocker, such as Noscript. And don't disable it just because a web site asks you to.

5. Install an advertising blocker, such as uBlock Origin. And don't disable it just because a web site asks you to.

6. Don't use Adobe Acrobat to read PDF files. Download and install an alternative.

7. If you use Flash, update it each time a vulnerability is found. That will mean pretty much each month.

8. Take backups. Your backup system should be designed with the possibility in mind that you don't discover that all your files are encrypted until a week after it happened. In other words, taking a copy of your files each day isn't good enough.
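To make point 8 concrete, here is an added example (not from the original post) that models two retention policies over a run of daily snapshots: a single overwritten mirror copy, and a grandfather-father-son policy that keeps recent dailies plus one snapshot per week and per month. It then asks whether any retained snapshot predates the day the files were encrypted; the dates and the nine-day discovery lag are constructed for the illustration.

```python
"""Backup retention check: does a clean copy survive a late discovery?"""
from datetime import date, timedelta


def select_retained(snapshots, today, daily=7, weekly=4, monthly=3):
    """Apply a grandfather-father-son retention policy to snapshot dates.

    Keeps every snapshot from the last `daily` days, the newest snapshot of
    each of the last `weekly` ISO weeks, and the newest snapshot of each of
    the last `monthly` calendar months. Returns the kept dates, oldest first.
    """
    keep = set()
    newest_first = sorted(snapshots, reverse=True)
    weeks_seen, months_seen = set(), set()
    for d in newest_first:
        if (today - d).days < daily:
            keep.add(d)
        week = d.isocalendar()[:2]          # (ISO year, ISO week)
        if week not in weeks_seen and len(weeks_seen) < weekly:
            weeks_seen.add(week)
            keep.add(d)
        month = (d.year, d.month)
        if month not in months_seen and len(months_seen) < monthly:
            months_seen.add(month)
            keep.add(d)
    return sorted(keep)


def latest_clean(retained, encrypted_since):
    """Newest retained snapshot taken before the files were encrypted, or None.

    A snapshot taken on or after `encrypted_since` only contains ciphertext,
    so it is useless for recovery.
    """
    clean = [d for d in retained if d < encrypted_since]
    return max(clean) if clean else None


if __name__ == "__main__":
    # Constructed scenario: daily snapshots for the year to date, files
    # encrypted on 20 March, encryption noticed nine days later.
    today = date(2017, 3, 29)
    snaps = [date(2017, 1, 1) + timedelta(days=i) for i in range(88)]
    encrypted_since = date(2017, 3, 20)
    mirror = select_retained(snaps, today, daily=1, weekly=0, monthly=0)
    gfs = select_retained(snaps, today)
    print("mirror copy, clean snapshot:", latest_clean(mirror, encrypted_since))
    print("GFS policy, clean snapshot:  ", latest_clean(gfs, encrypted_since))
```

With the mirror policy the only copy is already encrypted; the GFS policy still holds the 19 March weekly snapshot, so the data can be restored with a nine-day gap instead of being lost.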

I know that blaming the victim of a crime is unpopular, but your best option is not to become a victim, which means taking some precautions.
