You don’t need to be a hacking genius to create ransomware. You can simply buy a ransomware kit, craft an extortion message, add preferred payment details and click go.
If you don’t want to buy your own kit – which purportedly costs around $1,000 a pop – you can use one on a commission basis, paying the ransomware kit author a percentage of the illegal income it generates. You can become a proud owner of your own custom ransomware in a matter of minutes.
Your next challenge is getting ransomware to your targets. You can either email it to as many people as possible, hoping one or two will bite, or create your own custom phishing campaign.
To do this, you will need to know a bit more about your intended targets and create some realistic-looking email “phish” that your targets are likely to open.
This is where most non-native English speakers fall foul. I’ve seen some terrible-looking phish, even with basic things such as HMRC spelt wrong, but even so it still seems to get through and the number of CryptoLocker-style infections is on the rise.
So what can companies do to defend themselves against this?
Educate users against phishing emails
Firstly, you need to educate your users. At a guess, this is exactly what the other contributors of this month’s Security Think Tank series are saying too.
Remember that all it takes for ransomware to end up on your systems is for one of your users to open an infected attachment. This might be in an email called “2016 redundancy plans”, spoofed from your HR Director’s email address, or something equally unexpected, yet realistic. Users must be aware of this risk and must not be led into opening unexpected email attachments. It’s your first line of defence.
Keep systems up to date
Keeping your systems patched and up to date is equally important. Ransomware uses the most recently announced exploits to get a foothold on your devices, and if you haven’t updated your systems for a while, you’re asking for trouble.
Anti-malware systems are, again, equally important. They will stop the vast majority of fly-by ransomware attacks, as – if the ransomware author is spreading his or her net far and wide – it’s likely the anti-malware companies will pick this up and issue updated signatures in a few hours.
But it’s the carefully crafted, specific attacks using custom ransomware you really need to worry about. Custom ransomware doesn’t have a signature that anti-malware engines will pick up, as it’s in limited distribution. Custom ransomware has had some thought go into it, so it will sit behind a realistic-looking email.
Take custom ransomware seriously
Custom ransomware works, and if it’s not on your company’s cyber security risk register, it’s only a matter of time. Not only does ransomware encrypt local hard drives, it will also go off and encrypt attached devices, Dropbox folders, network shares – the lot. If you’ve captured ransomware into your backup cycle, then you’re even further up the proverbial creek.
Take the threat seriously. It’s not going to go away, and a holistic security programme and layered defence is critical in ensuring you don’t end up falling victim. Not even the best cryptographers in the world will be able to get your data back.
Tim Holman is CEO at 2-sec security consultancy.
This was first published in February 2016