Ransomware Pay-Day for Cyber Criminals

October 27, 2015 | Malware Alert
Poindexter discusses the new wave of ransomware and the FBI's unconventional response.

“The ransomware is that good,” said Joseph Bonavolonta, the Assistant Special Agent in Charge of the FBI’s Cyber and Counterintelligence Program in its Boston office. “To be honest, we often advise people just to pay the ransom.”

— Joseph Bonavolonta, Assistant Special Agent in Charge, FBI Cyber and Counterintelligence Program, Boston office

Ransomware is malware that hijacks your computer, encrypts or hides your personal files (photos, movies, music, school work, and so on) and then demands a ransom of hundreds of dollars for their return. It is among the most destructive and costly kinds of malware, and families and businesses alike need to take steps to avoid it or, if already infected, to contain it.

Ransomware exists for Apple OS X (MacBooks and iMacs), Microsoft Windows and Android mobile devices. The details of the payload differ from one family to the next, but all ransomware is dangerous and should be treated with extreme caution.

In a nutshell, ransomware works like this:

The computer gets infected, most often through an email attachment or a booby-trapped website. Once inside, the ransomware starts by undermining the computer’s defences and its built-in recovery features; on Windows, for example, the common families delete the volume shadow copies that System Restore and “Previous Versions” would otherwise use to roll files back.

With those recovery copies gone, the ransomware begins encrypting your data. Reading, encrypting and rewriting every document, photo and spreadsheet on the disk takes a while and can noticeably slow the computer in the meantime, which is sometimes the first sign that something is wrong. Once a file has been encrypted you lose access to it unless it is decrypted, and only the ransomers hold the key: each file is scrambled with a random key, and that key is itself locked with the criminals’ public key, so the matching private key, which never touches your machine, is the only thing that can unlock it.

As soon as encryption is complete and your files are locked up, a popup appears announcing the ransom, explaining what happened and offering “convenient” ways to pay, often demanding as much as $500. If you see this warning, you’re in for a rough time.
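To make the “only the ransomers hold the key” point concrete, here is an added example (my own code, not code from this article or from any ransomware family) of the hybrid scheme this class of malware relies on, written in Go with only the standard library: a fresh AES-256-GCM key for each file, and that key wrapped with RSA-OAEP under a public key whose private half stays with the criminals. The key sizes, the GCM mode and the names sealData and openData are my choices for illustration; real families package the same idea differently. The sample document is constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
)

// Sealed is everything the encryptor leaves on the victim's disk for one
// file: the per-file AES key wrapped under the criminals' RSA public key,
// plus the AES-GCM nonce and ciphertext. None of it yields the key.
type Sealed struct {
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte
}

// newGCM builds an AES-256-GCM cipher from a 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealData is the encryptor's side: a random key per file, the file encrypted
// under that key, and the key itself wrapped with RSA-OAEP so that only the
// holder of the matching private key can ever unwrap it.
func sealData(pub *rsa.PublicKey, plaintext []byte) (*Sealed, error) {
	fileKey := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, fileKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	// The plaintext fileKey now exists only in memory; an encryptor discards it here.
	return &Sealed{WrappedKey: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil)}, nil
}

// openData is the decryptor the victim is asked to pay for. It needs the RSA
// private key, which never left the criminals' server.
func openData(priv *rsa.PrivateKey, s *Sealed) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, s.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, s.Nonce, s.Ciphertext, nil)
}

func main() {
	// Criminals' key pair, generated on their side; the victim's machine only
	// ever receives criminals.PublicKey.
	criminals, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	doc := []byte("constructed sample: contents of thesis.docx")
	sealed, err := sealData(&criminals.PublicKey, doc)
	if err != nil {
		panic(err)
	}
	// Holding the public key and the sealed blob gets you nothing: an unrelated
	// private key cannot unwrap the file key, so the file stays ciphertext.
	stranger, _ := rsa.GenerateKey(rand.Reader, 2048)
	_, err = openData(stranger, sealed)
	fmt.Println("unwrap with an unrelated private key fails:", err != nil)
	plain, err := openData(criminals, sealed)
	fmt.Println("unwrap with the criminals' key recovers the file:", err == nil && bytes.Equal(plain, doc))
}
```

The victim’s disk holds the public key, the wrapped key and the ciphertext, and the program shows that an unrelated private key cannot unwrap the file key while the matching one can. Guessing a 256-bit file key or factoring a 2048-bit modulus is not a realistic option, which is why the recovery path is backups, not decryption.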

Unfortunately, the most common families, CryptoWall and CryptoLocker, use public-key encryption that cannot be broken by the FBI, or anyone else, without the criminals’ private key. (The one exception so far is the original CryptoLocker: its key database was recovered when its botnet was taken down in 2014 and a free decryption service was built from it. No such recovery exists for CryptoWall.) Paying the ransom might result in your files being decrypted, but whether it does is entirely up to the thieves responsible. According to the FBI:

“These financial fraud schemes target both individuals and businesses, are usually very successful, and have a significant impact on victims. The problem begins when the victim clicks on an infected advertisement, email, or attachment, or visits an infected website. Once the victim’s device is infected with the ransomware variant, the victim’s files become encrypted. In most cases, once the victim pays a ransom fee, he or she regains access to the files that were encrypted. Most criminals involved in ransomware schemes demand payment in Bitcoin. Criminals prefer Bitcoin because it’s easy to use, fast, publicly available, decentralized, and provides a sense of heightened security/anonymity.”

— Federal Bureau of Investigation, Alert I-062315-PSA, June 23rd, 2015

And we’re talking a lot of money, well into the tens of millions. With such a strong monetary incentive, ransomware distribution has become a viable business model in loosely regulated countries, especially Russia. Ransomware operations have staff, customer service and accountants, but good luck filing a complaint with the Better Business Bureau. You are much better off reporting the incident to the FBI’s Internet Crime Complaint Center (IC3). And because so many victims end up paying, and because there is so much money to be made, more and more people are getting into the business of data ransoming, driving infection rates up and up. Dark days indeed.

There are ways to protect yourself, however, and steps to take if you are already infected. According to the FBI:

“Always use antivirus software and a firewall. It’s important to obtain and use antivirus software and firewalls from reputable companies. It’s also important to continually maintain both of these through automatic updates.

Enable popup blockers. Popups are regularly used by criminals to spread malicious software. To avoid accidental clicks on or within popups, it’s best to prevent them from appearing in the first place.

Always back up the content on your computer. If you back up, verify, and maintain offline copies of your personal and application data, ransomware scams will have limited impact on you. If you are targeted, instead of worrying about paying a ransom to get your data back, you can simply have your system wiped clean and then reload your files.

Be skeptical. Don’t click on any emails or attachments you don’t recognize, and avoid suspicious websites altogether.”

— FBI, Internet Crime Complaint Center (IC3)

In our experience, an offline backup is the most valuable protection. A good, recent backup prevents all data loss, whether the cause is a hurricane or ransomware. Most ransomware, however, also scans for mapped network drives (shares on other computers) and for any external hard drive that is plugged in, and encrypts everything it finds there as well, so a backup drive that stays connected is just one more drive to lose. For high-risk users, Poindexter recommends a daily backup to an external drive, then physically disconnecting that drive from the computer and the network. Verify the backup before you unplug it, and stash it in a safe, dry place in case of an emergency.
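Here is an added example of what “back up, verify, and keep it offline” looks like in practice, as a Go program (my own code, not a Poindexter tool, and not from the FBI guidance) using only the standard library. It copies a folder into a dated snapshot on the backup drive, re-hashes the copy to verify it, and compares today’s file hashes with the previous snapshot’s: a day on which half or more of the files changed content is flagged as a possible encryption run, so that older snapshots are not pruned. The 0.5 threshold, the function names and the sample files are assumptions for illustration.

```go
package main

import (
	"crypto/sha256"
	"fmt"
	"os"
	"path/filepath"
)

// Manifest maps a file's root-relative path (forward slashes) to its hex SHA-256.
type Manifest map[string]string

// suspiciousThreshold is an assumed cut-off, not a figure from the article.
const suspiciousThreshold = 0.5

// walkFiles calls fn with the relative path, contents and digest of every regular file.
func walkFiles(root string, fn func(rel string, data []byte, sum string) error) error {
	return filepath.Walk(root, func(p string, info os.FileInfo, err error) error {
		if err != nil || !info.Mode().IsRegular() {
			return err
		}
		data, err := os.ReadFile(p)
		if err != nil {
			return err
		}
		rel, _ := filepath.Rel(root, p)
		return fn(filepath.ToSlash(rel), data, fmt.Sprintf("%x", sha256.Sum256(data)))
	})
}

// buildManifest hashes every regular file under root.
func buildManifest(root string) (Manifest, error) {
	m := Manifest{}
	err := walkFiles(root, func(rel string, _ []byte, sum string) error {
		m[rel] = sum
		return nil
	})
	return m, err
}

// copyTree copies src's files to the same relative paths under dst, returning what it read.
func copyTree(src, dst string) (Manifest, error) {
	m := Manifest{}
	err := walkFiles(src, func(rel string, data []byte, sum string) error {
		target := filepath.Join(dst, filepath.FromSlash(rel))
		os.MkdirAll(filepath.Dir(target), 0o755) // WriteFile reports the failure if this did not work
		m[rel] = sum
		return os.WriteFile(target, data, 0o644)
	})
	return m, err
}

// changeRatio is the fraction of files in prev whose content differs in, or is missing
// from, cur. Ordinary use touches a few files a day; an encryptor rewrites nearly all.
func changeRatio(prev, cur Manifest) float64 {
	if len(prev) == 0 {
		return 0
	}
	changed := 0
	for rel, sum := range prev {
		if cur[rel] != sum {
			changed++
		}
	}
	return float64(changed) / float64(len(prev))
}

// snapshot copies src into backupRoot/name, re-hashes the copy to verify it, and reports
// whether src looks mass-rewritten since prev (nil on the first run). When it reports
// true, keep every older snapshot: one of them may be the last clean copy of the data.
func snapshot(src, backupRoot, name string, prev Manifest) (Manifest, bool, error) {
	dst := filepath.Join(backupRoot, name)
	srcM, err := copyTree(src, dst)
	if err != nil {
		return nil, false, err
	}
	dstM, err := buildManifest(dst)
	if err != nil {
		return nil, false, err
	}
	for rel, sum := range srcM {
		if dstM[rel] != sum {
			return nil, false, fmt.Errorf("backup copy of %s does not match the source", rel)
		}
	}
	return srcM, changeRatio(prev, srcM) >= suspiciousThreshold, nil
}

func main() {
	tmp, _ := os.MkdirTemp("", "ransomdemo") // constructed sample tree, removed on exit
	defer os.RemoveAll(tmp)
	docs, drive := filepath.Join(tmp, "docs"), filepath.Join(tmp, "drive")
	os.MkdirAll(docs, 0o755)
	os.WriteFile(filepath.Join(docs, "thesis.txt"), []byte("chapter one"), 0o644)
	day1, _, err := snapshot(docs, drive, "2015-10-26", nil)
	fmt.Println("first backup verified:", err == nil)
	// Simulate an encryptor rewriting the document before the next nightly backup.
	os.WriteFile(filepath.Join(docs, "thesis.txt"), []byte("\x8f\x02\xa1 unreadable"), 0o644)
	_, suspicious, err := snapshot(docs, drive, "2015-10-27", day1)
	fmt.Println("2015-10-27 looks encrypted:", suspicious, err)
}
```

Run it with the backup drive mounted, then unplug the drive. The verification step catches a copy that was interrupted or that landed on a drive the ransomware had already reached; the change ratio is a crude heuristic (a bulk photo import will also trip it), so treat a true result as a prompt to look before deleting anything, not as proof of infection.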

If infected, immediately disconnect the computer from the internet and from any local network. Other computers on the same network may be infected too, or may have files on shares that the ransomware is reaching; disconnect them as well. The steps after that are about damage mitigation, and it is best to call a professional to assist with data recovery and improved security. Mismanaging an infection this severe can result in irreversible losses and reinfection. If you are, or believe you may be, infected, contact Poindexter immediately.

Do not pay the ransomware's demands. Call Poindexter for professional service.


Available by appointment // 908-991-6373