Ransomware: How does your network fare?

Ransomware has become one of the fastest-growing classes of crimeware and is set to become an even larger menace in corporate cyber-extortion. Few things are more troubling than a criminal holding your network hostage. This insidious crypto-malware encrypts client records, company trade secrets, documents, graphics, videos, spreadsheets and other sensitive data, then directs you to pay the ransom in Bitcoin, MoneyPak or Ukash within a specified time frame (currently nine days for TorLocker 2.0) or lose the encrypted files forever. If you do not have a backup plan in place, the encrypted files are toast.

CTU researchers consider CryptoWall to be the largest and most destructive ransomware threat on the Internet as of this publication, and they expect this threat to continue growing…Between mid-March and August 24, 2014, nearly 625,000 systems were infected with CryptoWall. In that same timeframe, CryptoWall encrypted more than 5.25 billion files. —Dell SecureWorks 

It takes just one click on a malware-laden email attachment, a watering-hole website, or a rogue online ad for ransomware to land on your network.


A malevolent hybrid of ransomware

There is a nasty new hybrid ransomware strain called VirRansom on the loose that combines CryptoLocker- and CryptoWall-style extortion with a parasitic virus. It infects EXE program files, and it also infects data files (such as ZIP, DOC and JPG) by wrapping them in an EXE shell. The virus goes as far as turning off the display of file extensions in Windows (if you had them turned on), and it sets the icon of the infected file back to the original icon. For example, when you open a VirRansom-infected document (the icon looks like a Word document), you are not really opening it: you are executing an EXE posing as a Word document.
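Both disguises described above leave a trace a defender can look for: a file whose extension says "document" but whose content starts with the Windows PE header, or a file whose real name is `report.doc.exe` and only displays as `report.doc` once extensions are hidden. The scanner below is an added example written for this post, not Sophos code and not a sample of VirRansom itself; the extension lists, the `classify`/`scan` function names and the sample files it writes to a temporary directory are all constructed for illustration.

```python
"""Triage scan for data files that are really Windows executables.

Two checks, matching the two tricks a parasitic ransomware uses:
  1. content begins with the PE/DOS magic 'MZ' but the name ends in a
     data extension (budget.xls that is really a program), and
  2. a double extension such as invoice.pdf.exe, which Windows Explorer
     shows as 'invoice.pdf' when 'hide extensions' is on.
"""
import os
import tempfile
from pathlib import Path
from typing import Dict, Optional

# Extensions a user expects to hold data, not code (assumed list).
DATA_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".pdf",
                   ".jpg", ".jpeg", ".png", ".zip", ".txt"}
# Extensions Windows runs on double-click (assumed list).
EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
PE_MAGIC = b"MZ"  # DOS stub header that starts every Windows PE image


def classify(path: Path) -> Optional[str]:
    """Return a finding label for a suspicious file, or None if it looks clean."""
    suffixes = [s.lower() for s in path.suffixes]
    with path.open("rb") as fh:
        head = fh.read(len(PE_MAGIC))
    # Check 1: executable content hiding behind a data extension.
    if suffixes and suffixes[-1] in DATA_EXTENSIONS and head == PE_MAGIC:
        return "pe-content-with-data-extension"
    # Check 2: data extension followed by an executable extension.
    if (len(suffixes) >= 2
            and suffixes[-1] in EXEC_EXTENSIONS
            and suffixes[-2] in DATA_EXTENSIONS):
        return "double-extension-executable"
    return None


def scan(root: str) -> Dict[str, str]:
    """Walk root and map each suspicious relative path to its finding label."""
    findings: Dict[str, str] = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            label = classify(p)
            if label:
                findings[str(p.relative_to(root))] = label
    return findings


def build_sample_tree() -> str:
    """Write constructed sample files (harmless byte stubs, not malware)."""
    root = tempfile.mkdtemp(prefix="ransom-scan-")
    pad = b"\x00" * 60
    samples = {
        "minutes.docx": b"PK\x03\x04" + pad,       # genuine OOXML (zip) container
        "photo.jpg": b"\xff\xd8\xff\xe0" + pad,    # genuine JPEG header
        "budget.xls": b"MZ\x90\x00" + pad,         # PE image posing as a spreadsheet
        "invoice.pdf.exe": b"MZ\x90\x00" + pad,    # double extension trick
        "setup.exe": b"MZ\x90\x00" + pad,          # an ordinary program, not flagged
    }
    for name, data in samples.items():
        (Path(root) / name).write_bytes(data)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for rel_path, label in sorted(scan(root).items()):
        print(f"{label:35} {rel_path}")
```

Run against a file share or a mailbox export rather than the sample tree to use it for real. The "MZ" check is a cheap first pass; a file that passes it still deserves a look at its declared extension and, on the Explorer side, re-enabling "show file name extensions" so users see the `.exe` the malware is hiding.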

There is a little good news about this new strain: Sophos states on its blog that the encryption is only a secondary component of the malware, and that the malware itself contains the keys needed to unlock the encrypted files. VirRansom is currently demanding a ransom of 0.619 BTC ($224.50 USD). For a full analysis of this nasty strain, head over to the NakedSecurity blog:

A parasitic virus, in contrast to a worm, doesn’t spread merely by making copies of itself. Parasitics find other programs and modify them to include a copy of the virus, using the original file as a host or carrier. —Paul Ducklin, Sophos NakedSecurity Blog

Backup is crucial

On November 10, 2013, the Swansea, MA police department paid $750.00 USD (2 BTC) when CryptoLocker invaded its system; how the crypto-virus actually got in was never determined. On December 26, 2013, in the tiny town of Greenland, NH, a town employee opened an email attachment that appeared to be a voicemail from AT&T. Shortly after she opened the attachment, the CryptoLocker ransom Trojan began encrypting eight years’ worth of town hall files. Though there were some digital backup copies and paper forms secured in the town safe, overall the town lost eight years of data. In October 2014, the Dickson County Sheriff’s office in Tennessee was hit by CryptoWall when an employee clicked an online ad; the infection affected 72,000 case files on the host computer and spread to the network, the report management system and all attached drives. Though the FBI consulted with the county in this case, the final determination was that the county needed to pay the ransom of $500.00 USD.

The Fierce Take: Ransom malware such as Cryptolocker can affect SMBs and enterprises alike, since data on shared storage could also end up being forcibly encrypted. Obviously, regular data backups could reduce or eliminate the damage caused by such malware. —Paul Mah | FierceCIO

Ransomware Advice

Matt Sherman, an Incident Response Specialist from Symantec, recently wrote an excellent piece at Forbes on Ransomware: 7 Do’s And Don’ts To Protect Your Business:

  1. Do not pay the ransom, remove the impacted system from the network, and restore the files from back-up.
  2. Do install, configure and maintain an endpoint security solution.
  3. Do educate employees.
  4. Do employ content scanning and filtering on your mail servers.
  5. Do make sure that all systems are up-to-date with relevant patches.
  6. Do limit end user access to mapped drives.
  7. Do deploy and maintain a comprehensive backup solution.


This post was written as part of the Dell Insight Partners program, which provides news and analysis about the evolving world of tech. To learn more about tech news and analysis visit TechPageOne. Dell sponsored this article, but the opinions are my own and don’t necessarily represent Dell’s positions or strategies.
