Ransomware and how your data becomes a hostage.

A day like any other day at the office, you turn on your computer, grab a cup of coffee and everything seems to be business as usual. You are focused on checking your incoming emails, until you get to a message saying that you received a PDF report from one of your colleagues at work. You undoubtedly download it but, when you open it, you realize the document is blank and apparently, it was all a mistake.

Minutes go by and when you try to access the other documents you have stored on your computer, you realize that you cannot open them because they all now have the name “locky” and your beautiful wallpaper is now a red alert showing a message:

“Your computer has been locked. You have 72 hours to pay the reward, otherwise all your data will be permanently deleted”.

From that moment on, the day is no longer so pleasant and now all the sensitive information on your computer, and probably those of the network you are connected to, have been encrypted or breached.

Cybercriminals have taken hostage your information and perhaps your colleagues are affected as well. You are now part of the large number of people that was targeted by one of the most growing cybercrime techniques in the last 5 years, the famous ransomware attack.

But what is it and where does the word come from?

The word ransomware is composed of ransom which means release or rescue and ware which is an abbreviation of software or computer program. Ransomware is a malicious program which infects the computer and the network to which it is connected, prohibiting access to your information and the device itself until a ransom fee is paid.

These types of programs have two main characteristics:

1. They are constantly evolving.
2. They are silent and difficult to trace by common means.

Target audience and where they target.

According to Datto, in its most recent status report, attackers using ransomware as a tool commonly target the following devices:

• 91% Windows PC (Desktop/Laptop/Tablet).
• 76% Windows Server.
• 7% Apple MacOS / 4% Apple iOS.
• 6% Android.

However, the same report predicts that in the coming years these attackers will also target home internet devices, i.e., home appliances connected to the internet, among many others, given their increasing use by users.

Why my information and why do you ask me for money?

Simply put, your information is valuable, even if just for you. Your information is of high value for you and for the company in which you work for, either because of the hours invested, the sensitivity of the data or simply because your computer stores that Excel document that you have been working for days, so this information becomes worthy. If you are not a public figure or work for an institution that handles high-value information, for the attacker your data has no commercial value as such, so the extortion does not revolve around selling your information to third parties, but rather making it impossible for you to access it.

Evidently if a close person is locked up and knows certain sensitive information on which you depend you could pay for him to be released from captivity and you can continue to make use of the information, basically they do the same thing but with electronic devices.

In this sense, the attacker expects you to agree to negotiate a direct payment to release the information. For this same reason they give some options for communicating with them and demand fund transfers using uncommon and difficult to trace payment methods.

Action guide for data taken hostage

Although these attacks present a growing trend, we also understand better how to act and protect ourselves in such situations.

While there is no protocol as such, a set of activities are commonly listed (but not limited) to:

1. Determine the caused damage (Information, to the brand, operability, etc.).
2. Isolate the affected systems (disconnect them from the network).
3. Review if there are current backups that are not affected.
4. Determine whether the requested amount will be paid.
5. Improve prevention strategy.

New game. New rules. Are you ready?

For now, and for many years to come, ransomware is something we will have to deal with. It is our duty as users of cyberspace to keep abreast of what is going on and how to protect ourselves.

In a hyper-connected world in which we are increasingly dependent on information, here are some recommendations you may want to consider:

• Educate users through training and/or educational campaigns.
• When possible, simulate attacks to understand your users’ awareness.
• Perform regular backups, if possible, using a 3–2–1 method:

Three additional backup copies of the original files, stored on two different media and one at a location outside the asset location (preferably in the cloud).

• Having an anti-virus/anti-malware solution that integrates an incident detection and response platform.
• Installation of security updates on a regular basis, both for the operating system and installed applications (patch management).
• Acquiring a good email management platform and, if available, acquiring advanced protection plans against email threats.
• Subscribe to a cybersecurity newsletter to be aware of what is happening.

Even though these recommendations are general and simple, they put us in a good position to defend ourselves against the attacker, so it is possible they just discard us as a target and move on to an “easier” or less prepared user.

If you want to learn more about ransomware, understand how it attacks us and devise better defenses against these situations, stay tuned to our blog.