Ransomware is nothing new, having been around for about three decades – essentially since the point in the 1980s when people began to own their own personal computers. However, due to the emergence of Cryptolocker Trojan and its clones back in September 2014, ransomware is fast becoming a household name and established online risk. Historically, ransomware has been easy to bypass as it would typically lock the screen of the computer while demanding a ransom. A user needed only to circumvent the malware’s foothold in order to restore the computer to its normal working order. Often this was as easy as booting into Safe Mode and removing the offending files and services, much like many other non-complex Trojans. The simplicity of removing this rudimentary malware made it appear as more of a nuisance than malware, hence why “ransomware” seems like it has only just appeared in the past year.
The eloquence and effectiveness of Cryptolocker began to flood the mainstream media (and our support department) with ransomware attacks in September 2014. Now, instead of simply making a half-hearted threat with a splash screen that made a threat and demanded a ransom, the new family of malware encrypted every document on its victims’ machines that it could find. This way, even if someone were to uninstall the malware component, all of their files would still be unusable due to the fact that they were encrypted with one of the industry’s most trusted algorithms, AES.
In addition to that, the AES key, required to decrypt the files, was again encrypted with yet another strong industry standard, RSA-2048. This made the retrieval of the encrypted files nearly impossible without the decrypted key from the bad guys.
Some industry professionals were able to figure out how to crack the original Cryptolocker keys after having gathered a good deal of these keys and reverse engineering them against samples of the encrypted files. This took so long happen though, it was too late for most businesses who had by then chosen between paying the ransom or starting over on all of their encrypted files—from scratch. Additionally, these tools were introduced after several new versions of the malware had already been released and were actively making the rounds.
Even though any network or IT security professional at the time already knew the importance of good routine backups, everyone got to learn how many of those professionals were actually doing it. In fact, a good backup is all it takes to completely render a crypto attack such as these null and void. The sad fact was that tons of people fell prey to successful Cryptolocker attacks, which means that none of these businesses were practicing some very basic security protocols.
In October of 2015, FBI special agent Joseph Bonavolonta, told attendees at the Cyber Security Summit 2015 in Boston that those who find themselves infected with heavy hitters such as Cryptolocker or CryptoWall, may be better off simply paying the ransom. He was saying this likely because there had already been a solid year full of these crypto attacks and they were still widely successful. Obviously, people still hold on to the “It can’t happen to me” attitude instead of performing simple and necessary security procedures, such as making backups, otherwise people wouldn’t have anything to worry about.
We believe that businesses should never help cybercriminals profit off of extorting their victims by paying a ransom. Instead, businesses should back up their files regularly, eliminating the need of paying the ransom. Ultimately, if IT professionals would schedule regular file backups, no matter how good the encryption code was, ransomware campaigns would all fail, since there would be no need for a business to pay a ransom.
There isn’t much in the way of a positive outlook for businesses that do not back up their files regularly. Victims are still paying the attackers and the several versions of crypto-ransomware techniques old and new continue to deliver success for cyber-criminals. As a result, we expect to see ransomware having a persistent presence on the internet, threatening users of all kinds.