The first time I heard the term “ransomware” I was working as an IT assistant at a small oil and gas company. That was in 2013; ransomware has since become one of the most prevalent, and notoriously damaging, forms of malware.
Ransomware is constantly evolving, but the basic premise stays the same. The malware infects a device and encrypts the files on it, making the system unusable. The hackers then demand that a “ransom” be paid in exchange for the encryption key that will decrypt the system. I’ve seen it happen and the results are not pretty. Sometimes the event is isolated, but it can spread from one computer on a network out to dozens of others, even infecting critical infrastructure hardware like servers.
The ransom is almost always demanded in the form of cryptocurrency; in fact, ransomware has risen to popularity alongside cryptocurrency because the online asset’s decentralized nature makes the payments nearly impossible to trace.
Bitcoin, the most expensive crypto, is the chosen asset of most ransomware attackers. The currency rose to prominence on the dark web for its anonymity, and despite having gone mainstream it is still the favorite of bad actors on the net.
The threat from ransomware has become so prevalent that the Cybersecurity and Infrastructure Security Agency, an office of the U.S. Government, unveiled a campaign in January 2021 to raise awareness of these attacks and encourage organizations to prepare for them.
Earlier this month, one of the country’s largest fuel pipelines was shut down after a ransomware attack. The FBI confirmed that the attack was the work of a hacker collective known as DarkSide, which originated in Russia.
While the FBI has stated in the past that it “does not support paying a ransom in response to a ransomware attack,” that is exactly what the Colonial Pipeline Company ended up doing, according to a report from Bloomberg. The report claimed the company paid nearly $5 million in cryptocurrency within hours of the attack. The hackers apparently made good on their word and provided a tool to decrypt the system, although, according to the report, the tool was so slow that the company continued using its own backups to restore operations.
Ransomware is a serious problem, but there are some steps that companies as well as local, state and federal agencies can take to secure against ransomware attacks. One of the most important ones is to be prepared. The U.S. government maintains that it is critical to keep an offline, encrypted backup of your data and to test it regularly.
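A backup that has never been restored is not known to work, which is why the guidance above says to test it. The following PowerShell script is an added example, not code from the article or from any agency: it records a SHA-256 manifest when a backup is taken, then restores the archive into a scratch directory and compares every file against that manifest. It assumes the backup is a ZIP archive produced with Compress-Archive; encrypting the archive and moving it offline are left to your backup tool. All file paths shown are hypothetical placeholders.

```powershell
# Added example (not from the article): a restore test for an offline backup.
# Assumptions: the backup is a ZIP archive from Compress-Archive, and a CSV
# manifest of SHA-256 hashes was written when the backup was taken.
# Every path used below is a placeholder.

function New-BackupManifest {
    param(
        [Parameter(Mandatory)] [string] $SourceDir,
        [Parameter(Mandatory)] [string] $ManifestPath
    )
    # Record the relative path and SHA-256 of every file so a later restore
    # can be checked file by file rather than trusted on sight.
    $root = (Resolve-Path $SourceDir).Path
    Get-ChildItem -Path $root -Recurse -File | ForEach-Object {
        [pscustomobject]@{
            RelativePath = $_.FullName.Substring($root.Length).TrimStart('\')
            Sha256       = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    } | Export-Csv -Path $ManifestPath -NoTypeInformation
}

function Test-BackupRestore {
    param(
        [Parameter(Mandatory)] [string] $ArchivePath,
        [Parameter(Mandatory)] [string] $ManifestPath
    )
    # Restore into a throwaway directory, never over live data.
    $scratch = Join-Path ([System.IO.Path]::GetTempPath()) ("restore-test-" + [guid]::NewGuid())
    New-Item -ItemType Directory -Path $scratch | Out-Null
    try {
        Expand-Archive -Path $ArchivePath -DestinationPath $scratch -Force
        $entries  = @(Import-Csv -Path $ManifestPath)
        $failures = @()
        foreach ($entry in $entries) {
            $restored = Join-Path $scratch $entry.RelativePath
            if (-not (Test-Path $restored)) {
                $failures += "missing: $($entry.RelativePath)"
                continue
            }
            $actual = (Get-FileHash -Path $restored -Algorithm SHA256).Hash
            if ($actual -ne $entry.Sha256) {
                $failures += "hash mismatch: $($entry.RelativePath)"
            }
        }
        # Summary object: Passed is $true only when every manifest entry
        # was restored and its hash matched.
        [pscustomobject]@{
            Archive  = $ArchivePath
            Checked  = $entries.Count
            Failures = $failures
            Passed   = ($failures.Count -eq 0)
        }
    } finally {
        Remove-Item -Path $scratch -Recurse -Force -ErrorAction SilentlyContinue
    }
}

# Example run (placeholder paths):
# New-BackupManifest -SourceDir 'D:\data' -ManifestPath 'E:\backups\data.manifest.csv'
# Compress-Archive -Path 'D:\data\*' -DestinationPath 'E:\backups\data.zip'
# Test-BackupRestore -ArchivePath 'E:\backups\data.zip' -ManifestPath 'E:\backups\data.manifest.csv'
```

Keep the manifest with the backup, not on the machine being protected; if ransomware encrypts the live system, the offline copy and its manifest are what you compare against. Scheduling Test-BackupRestore after each backup run turns "we have backups" into "our backups restored correctly last night."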
One popular cybersecurity blogger, Brian Krebs, recently pointed out that many ransomware strains originating from Russia have a built-in failsafe that keeps them from infecting systems inside Russia. According to Krebs, this is because the country’s legal system tends not to prosecute cybercrimes unless they are committed against Russian targets. This failsafe can be turned to a defender’s advantage. Such malware will often check whether a Russian language is installed on the system and, if it finds one, will not activate. Therefore, installing a Russian language set on your Windows system can potentially keep it from becoming infected by ransomware.
It’s not a foolproof plan, according to Krebs, but there is no real downside to installing a second language set.
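Checking whether a Russian language set is already present, and adding one without changing the default language, can be done from PowerShell with the built-in International module. The script below is an added example; it is not code from the article or from Krebs. It uses the documented cmdlets Get-WinUserLanguageList and Set-WinUserLanguageList and the standard language tag ru-RU; the two function names are hypothetical.

```powershell
# Added example (not from the article or from Krebs): inspect the current
# user's Windows language list for a Russian entry and add one if absent.
# Cmdlets used are the built-in International module; ru-RU is the standard
# BCP-47 tag for Russian (Russia). Function names are hypothetical.

function Test-RussianLanguagePresent {
    # Returns $true if any language in the user's list has a Russian tag.
    $langs = Get-WinUserLanguageList
    return [bool]($langs | Where-Object { $_.LanguageTag -like 'ru*' })
}

function Add-RussianLanguage {
    # Appends ru-RU to the END of the list. The first entry stays the default,
    # so the display language, locale and default keyboard are unchanged.
    $langs = Get-WinUserLanguageList
    if ($langs | Where-Object { $_.LanguageTag -like 'ru*' }) {
        Write-Output "Russian language already present; nothing to do."
        return
    }
    $langs.Add('ru-RU')
    Set-WinUserLanguageList -LanguageList $langs -Force
    Write-Output "Added ru-RU to the user language list."
}

if (Test-RussianLanguagePresent) {
    Write-Output "Russian language set is present."
} else {
    Add-RussianLanguage
}
```

The change is per user, so it has to be applied to each account that logs on to the machine. As the article notes, this is not a reliable control: which language check a given sample performs, if any, varies from family to family, so treat it as a cheap extra layer on top of patched systems, current malware protection and tested offline backups, not a substitute for them.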
It is unlikely that ransomware will ever be fully preventable. The best means of protecting yourself against potential ransomware attacks is to do your due diligence. Keep malware protection up to date on your systems. Keep offline backups of all of your systems and make sure they are refreshed regularly. And perhaps most importantly, have a plan in place to deal with a system if and when it does get hijacked by ransomware. Forewarned is forearmed, especially in the digital age.