The psychology of a ransomware attack: A guide to what makes victims click

Cybercrime is very much a psychological game and ransomware is no exception. Psychology plays a major role in almost all aspects of ransomware from the moment an attack is launched to the moment the victim pays—or refuses to pay—the ransom.

Psychology of ransomware distribution
Most ransomware is distributed through phishing emails, instant messages, and text messages. Distributors use psychological tactics designed to create a sense of urgency and force the victim to click a malicious link or attachment quickly. This preys on a person’s emotions, especially fear. Victims are told they might lose access to an account; that an unauthorized payment has been made; or that medical benefits are about to change. These statements scare victims into clicking and, as a result, they get hit with a dose of ransomware.

Ransomware distributors also understand victims’ desires. They know that most people would love an easy path to money, recognition, or free merchandise, and they create phony offers to capitalize on this tendency.

Psychology of ransomware demands
Ransomware demands rely primarily on the fear of losing data. Ransomware infections are often noticed when access to data is needed: suddenly, rather than seeing the files, a ransom message is displayed. Fear is also used in ransom messages that display warnings of illegal or embarrassing behavior. Those accused of a crime by fake FBI warnings or by messages about viewing pornography are loath to seek help from others. Why? Because they fear that their activities would be put under a microscope and that friends, family or coworkers will think less of them.

Ransomware also uses tactics that further build anxiety, such as assigning deadlines to ransom payments. TruCrypt ransomware, for example, demands payment within 72 hours; after that, the recovery keys will be unavailable.

Some have taken a completely different approach. CryptMix, released earlier this year, promised to donate ransoms to charity if victims paid their large demand of 5 bitcoins to decrypt data. When faced with a difficult decision, people want to know that they are doing the right thing and CryptMix allows victims to believe that they are helping someone in the process. Whether anyone actually believes that the authors will donate the ransom money to charity is beside the point because it is the desire to believe that really matters—and that’s the desire the ransomware authors count on.

Ransomware distributors know how to push our psychological buttons. That is why it is important to prepare yourself psychologically for a ransomware attack and for the phishing messages that are often used to distribute ransomware. Take the time to consider emails, instant messages, and SMS before clicking links or downloading software. Plan how you will respond if you have a ransomware infection. Verify that you have good backups and that you know how to perform a restore operation.

For more news and information on the battle against ransomware, visit the FightRansomware.com homepage today.

Backup and recovery means you can say no to ransom demands

Ransomware continues to be a huge problem for companies and consumers—and a major source of income for cybercriminals. Malicious hackers using CryptoWall ransomware extorted $18 million last year, according to the FBI, and that’s just one of many ransomware variants. Microsoft has detected a 400% increase in ransomware attacks since 2015. The sad fact is that the ransomware industry continues to grow because people continue to pay ransoms.

Logic would dictate that we simply stop paying ransoms and ransomware will end. But this is much easier said than done. Businesses, healthcare organizations, politicians and security experts debate this topic regularly, and there’s no clear consensus on what to do. Nobody wants to pay the ransom, but some are not in a position to refuse.

Healthcare organizations must consider the potential danger to patients if they do not pay a ransom. Meanwhile, banks are stockpiling bitcoins as an insurance policy against attacks. Some companies choose to pay because it’s cheaper than fixing the problem. Of course, this just makes it more likely that cybercriminals will target the company with ransomware again.

So, how do we get to a place where companies and individuals can afford to say no to ransom demands? The solution is surprisingly simple: have a good backup of your data so that you can restore it instead of paying a criminal to unlock it for you. Here’s a quick guide to protecting your data with a backup and recovery solution:

1. Data inventory
The first step is to understand what data you have so that you can adequately protect it. You may have data on workstations, laptops, file servers, cloud services, or within applications and databases. Try to get a good feel for what you have and what is most important—then prioritize that data for backup.

2. Data design
The second step is to identify the ideal location for the data. Workstation and laptop data may be migrated to servers; redundant data can be consolidated, and pointers or mappings created so that it is still accessible in multiple ways.

3. Backup design
Choose a backup solution that backs up data automatically and often enough to ensure that minimal data is lost when recovery is required. Remember that backups should be segmented from production systems. There should be both a logical and a physical segmentation.

Logical segmentation places the backups in a location that cannot be reached by systems on the production network. For decades, tapes served this purpose for offsite backups; today, tape backups are often replaced with cloud backups. If an incorrectly written script deletes data from the network, the tapes are safe from harm. Similarly, if malware such as ransomware infects production systems, you will still have clean versions of your data backed up to the cloud, provided the production systems cannot reach and alter that cloud copy with their everyday credentials.

Physical segmentation protects against a natural disaster such as a fire that could take out a facility. If backups are stored on a server, hard drive, or tapes located within the facility, a fire or some other disaster could destroy both production data and backups, leaving the organization with no way to recover data. Physical segmentation places backups outside the facility. Backups could be replicated to the cloud or another site, tapes could be shipped to a remote storage facility, or an employee could take backup drives to a safe deposit box.

4. Testing
A backup system cannot truly be relied upon until it is tested with a restore. Restore testing ensures that organizational data can be effectively recovered within acceptable time frames. It is often through the restore testing process that inefficiencies or complications are identified that can be resolved before the backups are required in an emergency. Restore testing also familiarizes IT staff with the recovery process. That means they’ll be ready when disaster strikes.

5. Say no
Say no when ransomware strikes. You don’t need to pay because you can restore the data. Delete the infected files, remove the virus, and restore your data from backup. With the right backup solution in place, there’s no need to deal with cybercriminals.
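Steps 3 and 4 above (automatic, verifiable backups, proven by an actual restore) can be made concrete in a short script. What follows is an added example, not code from the article or from FightRansomware.com. It assumes backups are plain tar.gz archives, that a JSON manifest of SHA-256 hashes is written beside each archive, and that a "restore test" means extracting into a scratch directory and re-hashing every file against that manifest. The safe-member check is there because a backup archive that was tampered with while production was compromised must not be able to write outside the restore directory.

```python
"""Backup with an integrity manifest and a restore test (added example).

Assumptions, none from the article: backups are tar.gz archives, the
manifest is a JSON map of relative path -> SHA-256 written beside the
archive, and a restore test extracts into a scratch directory and
re-hashes every file against that manifest.
"""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in 1 MiB chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(src: Path, backup_dir: Path, name: str):
    """Write <name>.tar.gz and <name>.manifest.json; return both paths."""
    backup_dir.mkdir(parents=True, exist_ok=True)
    archive = backup_dir / f"{name}.tar.gz"
    manifest = backup_dir / f"{name}.manifest.json"
    with tarfile.open(str(archive), "w:gz") as tar:
        tar.add(str(src), arcname=".")
    manifest.write_text(json.dumps(build_manifest(src), indent=2))
    return archive, manifest


def is_safe_path(name: str) -> bool:
    """Refuse absolute paths and '..' traversal inside an archive entry name."""
    p = Path(name)
    return not p.is_absolute() and ".." not in p.parts


def restore_backup(archive: Path, target: Path) -> int:
    """Extract into target, skipping unsafe members and links; return the
    number of regular files restored."""
    target.mkdir(parents=True, exist_ok=True)
    restored = 0
    with tarfile.open(str(archive), "r:gz") as tar:
        for member in tar.getmembers():
            if not is_safe_path(member.name) or member.issym() or member.islnk():
                continue
            tar.extract(member, path=str(target))
            if member.isfile():
                restored += 1
    return restored


def verify_restore(archive: Path, manifest: Path) -> dict:
    """Step 4 of the article: prove the backup restores, not just that it exists."""
    expected = json.loads(manifest.read_text())
    with tempfile.TemporaryDirectory() as scratch:
        restore_backup(archive, Path(scratch))
        actual = build_manifest(Path(scratch))
    missing = sorted(set(expected) - set(actual))
    changed = sorted(k for k in expected if k in actual and actual[k] != expected[k])
    return {"ok": not missing and not changed, "files": len(expected),
            "missing": missing, "changed": changed}


def demo() -> dict:
    """Constructed scenario: back up two files, let simulated ransomware
    overwrite the production copies, then show the backup restores intact."""
    root = Path(tempfile.mkdtemp())
    src = root / "data"
    (src / "sub").mkdir(parents=True)
    (src / "report.txt").write_text("quarterly figures")
    (src / "sub" / "db.bin").write_bytes(bytes(range(256)))
    archive, manifest = create_backup(src, root / "backups", "nightly")
    for f in (src / "report.txt", src / "sub" / "db.bin"):
        f.write_bytes(b"ENCRYPTED")  # simulated damage to production data
    return verify_restore(archive, manifest)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it directly to see the constructed scenario. In practice the manifest belongs with the segmented copy of the backup described in step 3, not only on the production host, so that it cannot be altered alongside the data it vouches for.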


Warning: Some ransomware attacks are just a diversion

Ransomware computer viruses are becoming more sophisticated—and so are the attacks that make use of ransomware. In some cases, ransomware is used to disable access to a machine so criminals can perform further actions without being tracked. Criminals have also used ransomware to cause chaos and avoid detection after hacking into a network and stealing data.

Ransomware attacks are sometimes used to create a diversion while cybercriminals steal or exfiltrate data. While users and IT teams are busy trying to take machines offline and contain the infection, criminals are busy downloading files from users’ computers.

A study on Distributed Denial of Service (DDoS) attacks by Neustar showed that ransomware was found in 15% of DDoS cases. And Dark Reading author Kelly Jackson Higgins says attackers are including ransomware with other types of attacks as well.

Ransomware can be an effective way for criminals to cover their tracks. For example, cybercriminals might install ransomware that encrypts valuable data such as log files in an effort to make those files inaccessible to investigators. Even if the files are later decrypted, investigators may not look for a second attack because ransomware incidents typically receive the most attention. Investigators need to be especially vigilant: In addition to searching for the cause of the ransomware infection, they need to look into whether more attacks were performed on the machine.

In many cases, the best practice is to wipe a machine that is infected with ransomware and then restore its files from backup. This provides assurance that backdoors and other compromised elements of the system will no longer be available for the attacker to take advantage of at a later point.

However, wiping the system can remove valuable evidence as well. In cases where additional evidence is needed, it’s important to take a forensic image of the computer prior to wiping it. This allows investigators to review data from the image when conducting the investigation. In some cases, ransomware decryption tools become available that will allow investigators to decrypt the data from an image. This data could be valuable in determining whether additional data was exposed and whether the ransomware was used to cover up other illegal activities.
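To make "take a forensic image of the computer prior to wiping it" concrete, here is an added example (not code from the article) of a hash-verified acquisition: it copies the source byte for byte, hashes the stream as it is read, independently re-hashes the written image, and stores an acquisition record beside it so that anyone who later opens the image, including to run a decryption tool against it, can confirm it is unchanged. It assumes the source is readable as an ordinary file (the block-device path used on a real host is a placeholder here) and that the record is plain JSON.

```python
"""Hash-verified forensic image acquisition (added example).

Assumptions, none from the article: the source is read as an ordinary file
(on a real host it would be a block device path, a placeholder here), the
image is a raw byte-for-byte copy, and the acquisition record is a JSON file
stored beside the image so a later reader can re-verify it.
"""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

CHUNK = 1 << 20  # 1 MiB reads keep memory flat for multi-gigabyte sources


def sha256_file(path: Path) -> str:
    """Hash a file in chunks, independently of the acquisition stream."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def record_path(image: Path) -> Path:
    """The acquisition record lives beside the image it describes."""
    return image.with_name(image.name + ".acquisition.json")


def acquire_image(source: Path, image: Path) -> dict:
    """Copy source to image, hashing the source stream as it is read, then
    re-hash the written image independently and record whether they agree."""
    h_src = hashlib.sha256()
    size = 0
    with open(source, "rb") as src, open(image, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            h_src.update(chunk)
            dst.write(chunk)
            size += len(chunk)
    record = {
        "source": str(source),
        "image": str(image),
        "bytes": size,
        "sha256_source": h_src.hexdigest(),
        "sha256_image": sha256_file(image),
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
    }
    record["verified"] = record["sha256_source"] == record["sha256_image"]
    record_path(image).write_text(json.dumps(record, indent=2))
    return record


def verify_image(image: Path) -> bool:
    """Before an analyst works from the image, confirm it still hashes to
    the value recorded at acquisition time."""
    record = json.loads(record_path(image).read_text())
    return record["verified"] and sha256_file(image) == record["sha256_image"]


def demo() -> dict:
    """Constructed scenario: image a fake 4 KiB 'device', verify, then flip
    one byte of the image and show that verification now fails."""
    root = Path(tempfile.mkdtemp())
    device = root / "fake-device.raw"  # stand-in for a real block device path
    device.write_bytes(bytes((i * 7 + 3) % 256 for i in range(4096)))
    image = root / "evidence.dd"
    record = acquire_image(device, image)
    ok_before = verify_image(image)
    with open(image, "r+b") as f:  # simulate post-acquisition tampering
        f.seek(100)
        f.write(b"\xff")
    return {"bytes": record["bytes"], "verified_at_acquisition": ok_before,
            "verified_after_tamper": verify_image(image)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The two hashes are computed from different reads on purpose: the first from the bytes as they left the source, the second from the bytes as they landed on disk, so a write error during imaging is caught at acquisition time rather than discovered months later in court or in an analysis lab.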


Risks of public cloud adoption and what it means for you

Public clouds have been greatly promoted as an approach for organizations to reduce information technology (IT) costs and increase technology flexibility and scalability.  Cloud computing allows smaller organizations to employ IT services that would previously have been too expensive to implement due to high up-front infrastructure costs.  Companies can implement IT solutions faster in a public cloud because they do not have to spend time creating and configuring the technology environment.  Larger organizations, already familiar with remote computing operations, gain flexibility and scalability by utilizing cloud services or implementing private clouds to consolidate IT resources.

A public cloud, sometimes known as Infrastructure as a Service (IaaS), provides computing resources such as processing power, memory, and storage to clients in the form of a virtual machine.  The details on the infrastructure hosting this virtual machine may be a “black box” to the customer similar to the Internet.  When you sign up for Internet access, you are provided with a line and bandwidth but you do not know how that service is provided to you, what route your data may take, and so forth.  Similarly, when renting public cloud space, you are provided with a virtual machine but you do not know the specifics of what is involved in providing it to you.

It may be difficult and somewhat unsettling to provide one organization with control over data and systems that are critical to another organization’s success.  Nonetheless, there is constant pressure to reduce IT costs by moving to public cloud services while still exercising due diligence in selecting a secure and reliable cloud provider. With the emergence of large companies like Microsoft and Amazon entering the public cloud marketplace, many major companies have felt more comfortable moving to the cloud.

However, the security of the public cloud is still passionately debated.  Recently, concerns about public cloud security arose with the release of findings from an investigation into several cloud service providers: Amazon, Gigenet, Rackspace and VPS.  Those findings focused on the following issues.

Intra-server security and vulnerabilities

Cloud computing offers customers computing resources, generally in the form of virtual machines, for rent at lower costs than the organization would incur by hosting the servers in-house.  Companies can achieve considerable savings through economies of scale.  The rented computing resources are just a portion of the available resources hosted by the provider, as much of the infrastructure is shared among the provider’s clients.  This model presents potential security risks to cloud computing clients if the rented space is not adequately separated from other customers.  Inadequate separation could give an attacker who has compromised one client in the cloud access to other clients.  Attackers could also rent space in the cloud and then use that space as a base of attack on neighboring clients.

Location concerns

Another risk of sharing cloud space is that the actions of one client can indirectly affect the others: if a server hosting multiple clients is blacklisted because of one client’s behavior, all of them become unavailable.  A further concern is where the servers are actually located geographically.  The laws in one country may differ greatly from those in another, and the cloud network may be subject to international laws.  There may be limitations on whether data can or should cross international boundaries, and contract terms may be less enforceable in another country.

Data backups, restoration, and portability

Backup protocols may also present challenges to businesses moving their IT structure to a public cloud.  Backup sets, rotations and off-site storage are all managed by the cloud provider. Thus it becomes important to understand how the backups work, how reliable the service is, and how long restores are expected to take.  Recovery time is extremely important when essential data is missing from a production system.  It is also important to understand whether backup sets can be moved to another provider or to in-house operations if the contract with the cloud provider is terminated.  Backup operations are often conducted across many clients at once so it may not be possible to extract historical backup data for a specific client from the cloud.

The report found intra-server vulnerabilities: data belonging to other clients was accessible through shared disks and networks.  The researchers were able to access other clients’ virtual disk drives, which should have been inaccessible, and to read data from other client systems on the network.  These providers did not adequately secure the storage and networking resources offered to their clients, leaving them open to a data breach or attack.  The virtual machines were also housed on systems running outdated hypervisor software that was vulnerable to attack.

Evaluating a Public Cloud Provider

When evaluating a public cloud provider, the following questions can be used to determine whether a potential vendor has the essential cloud security measures in place.

  • How soon are patches applied to hypervisors after they are released?
  • How often are vulnerability scans initiated on cloud equipment?  What is the average vulnerability remediation time frame?
  • Are systems periodically audited?  What were the results of the last audit report?
  • Is an intrusion prevention system in place?
  • Has an incident response plan been created and are response team members familiar with incident response procedures?
  • Are access requests to resources logged and monitored?
  • How are viruses and malware prevented?
  • Is server hardening performed on virtual servers before being issued to customers?
  • Are firewalls implemented between customers?
  • Is hard drive encryption available?
  • With which security standards, such as ISO27000, PCI or HIPAA, does the potential provider comply?
  • What data recovery procedures are in place for client systems and what is the recovery time objective?
  • What method is provided for client management of servers?  How is access to the management interface authenticated and controlled?

In addition to the above questions, consider running a security audit on the virtual node prior to using it to verify that the above questions are sufficiently answered.  The selection of a cloud provider should be based on the security parameters that are provided and the implementation of necessary security controls.  The recent study demonstrated that security cannot be assumed even when large, reputable companies are involved.  Therefore, it is important to ensure that a cloud provider has these security controls in place by asking questions such as the ones in this article.


Business Continuity and Backups in the Virtual World

Virtualization has really become a mainstream technology and an effective way for organizations to reduce costs. As mentioned in previous articles, it simplifies processes but also creates new information security risks to handle. This article is concerned with business continuity and how virtualization can create many new opportunities and efficiencies in your business continuity plan. This is the third article in a series on virtualization.

Specifically, it looks at three elements of business continuity that can be enhanced through virtualization: hot, warm, and cold sites; snapshots; and testing. If you have not considered virtualization in your business continuity plan, I hope you will do so after reading this article. If you have questions on how to implement such a service, please contact us and we will be happy to assist you.