Ransomware has been in the news a lot lately. The CryptXXX ransomware is no longer susceptible to easy decryption, and it’s been making a lot of money for its purveryors, in many cases using compromised, high profile business web sites as its delivery mechanism. On a more positive note, the people who created the TeslaCrypt ransomware stopped production and released global decryption keys. New ransomware delivery systems are able to bypass Microsoft’s EMET security software. The Cerber ransomware was recently delivered to a large proportion of Office 365 users via a Word document in an email attachment. And an even more hideous piece of malware surfaced in the last week: posing as ransomware, Ranscam actually just deletes all your files.
Ransomware is different from other kinds of attacks because of the potential damage. It can render all your data permanently inaccessible. Even paying the ransom is no guarantee that you will get all your data back intact. Other types of attacks typically try to fly more under the radar: trojans and rootkits want to control and use your computer’s resources; and viruses want to spread and open the door for other attacks. While other types of attacks can be fixed by removing the affected files, that doesn’t work for ransomware.
Like other types of attacks, ransomware first has to get onto your computer. These days, simply visiting the wrong web site can accomplish that. More common vectors are downloaded media and software, and email attachments. Preventing malware of any kind from getting onto your computer involves the kind of caution we’ve been advising for years; ransomware doesn’t change that advice.
What CAN make a big difference with a ransomware attack is limiting its reach. Once on a computer, ransomware will encrypt all data files it can access; specifically, files to which it has write access. Ransomware typically runs with the same permissions as the user who unwittingly installed it, but more insidious installs may use various techniques to increase its permissions. In any case, limiting access is the best safeguard. For example, set up your regular user so that it cannot install software or make changes to backup data.
Here’s a worst-case scenario: you run a small LAN with three computers. All your data is on those computers. Your backup data is on an external hard drive connected to one of those computers, and a copy exists on the Cloud. For convenience, you’ve configured the computers so that you can copy files between them without having to authenticate. Once ransomware gets onto one of the computers, it will encrypt all data files on that computer, but it will also encrypt data it finds on the other computers, and on the external backup drive. Worse still, some ransomware will also figure out how to get to your cloud backup and encrypt the data there as well.
How to limit your exposure? Require full authentication to access computers on your LAN. Use strong, unique passwords for all services. Store your passwords in a secure password database. Limit access to your backup resources to a special user that isn’t used for other things. In other words, exercise caution to avoid getting infected, but in case you get infected anyway, make sure that you have walls in place that limit the reach of the ransomware.
Most ransomware targets Windows systems, so most of the verbiage out there is about Windows as well. This article covers the basics fairly well.
boot13