Cryptoware: the harsh truth

Ian Trump

Whether you call it ransomware or cryptoware, there's no denying that this particular form of malware sucks elephants through a straw. Cryptowall and Cryptolocker work in much the same way; once a target computer has been infected, all the victim's files are encrypted and effectively held to ransom. Pay the 'release fee' while crossing everything you've got that the bad guys are gonna give you the unlock key and aren't gonna abuse your credit card details, and that's pretty much your only option. Other than, of course, not to get infected in the first place. That, dear reader, is where the harsh truth starts to slap you around the face like a cold fish.

Let's look at the facts: the FBI Internet Crime Complaint Center reckons Cryptowall has cost US victims alone some $18 million between April 2014 and June 2015. There is no standard 'ransom' demanded, other than what the attacker thinks they can realistically get away with: the FBI says that this varies between $200 and $10,000. When the University of Kent's Interdisciplinary Research Centre in Cyber Security looked at cyber security across the whole of 2014, it discovered that 1 in 30 of those questioned had been infected by Cryptolocker, and that a rather worrying 40% of those victims had paid the ransom to get file access back. This despite it being fatally wounded by law enforcement action halfway through the year, when the critical server infrastructure upon which Cryptolocker was running got taken down. Of course, Cryptolocker was soon replaced by Cryptowall and Cryptodefense, and the only real surprise is that the Cryptosporidium outbreak in Lancashire hasn't come with a ransom note attached. Ransomware is, that last quip aside, no laughing matter; so why do vast swathes of folk seem to treat the simple cyber security measures that would prevent it as a joke?

I'm not saying that victims get what they deserve; that would be pushing tough love a little too far. I am saying that the blame culture has to stop, that end users have to start taking responsibility for protecting their valuable data, and that just whining about the bad guys is not going to help. What do I mean by 'blame culture' in this particular instance? Well, the most common complaint following a cryptoware infection is that 'AntiVirus didn't save me', which, frankly, is missing the point. Missing the point of security thinking, that is. You should not expect to be able to install some software and then forget everything you ever knew about safe computing practice in the expectation that you, and your data, are now somehow bulletproof courtesy of that £50 per year investment. Yet that's what appears to be happening, with end users not taking into consideration the removal of local admin rights, or a meaningful patch regime, or a firm enough email and web protection posture or, and here's a real big kick in the security 101 nads, keeping regular backups of your valuable data. Remember, this is data that is valuable enough for a ransom to be paid when it becomes inaccessible, yet apparently not valuable enough to be properly secured and backed up in the first place.

Call that a harsh truth if you like, but I don't really think it is harsh at all. If I were blaming you for falling victim to a complex zero-day attack, despite your multi-layered and up-to-date security posture, then that would be harsh. Guess what: cryptoware doesn't, thank goodness, tend to come packing zero days. The vast majority of such incidents occur courtesy of email attachments (39.9%), malicious links (37.4%) or, if you are really unlucky, a drive-by download (16.6%). To hear MSPs throwing out the 'your AntiVirus failed you' line, as has happened in online forums, only demonstrates a level of security awareness failing that frankly I'd want to be keeping quiet about. It does not, by any measure, demonstrate value being brought to customers. Stop blaming your customers, start taking responsibility yourself. Simples.

The tools to significantly reduce infections, cryptoware or otherwise, are right in front of you and available on one pane of glass. The point here, and I don't want to sideswipe all MSPs in my vitriolic rant, is that security should be about best practices. MSPs need to take an all-hazards approach and not defend against just one type of threat, because here is the thing: a layered defense works against all threats, not just some dumb-ass email link, attachment or website your users are visiting or accidentally click on. Wake up, MSPs. The web is hostile, so is a lot of the email coming in, and you can't hide behind the "I have a great AntiVirus product" line.

If you want to be a harder target against cryptoware attacks, or any malware for that matter, then:

  1. Remove Adobe Flash, Shockwave, QuickTime and Silverlight.
  2. Patch and update the OS and third-party applications within 48 hours of a patch being released.
  3. Remove administrative privileges.
  4. Deploy managed anti-virus, web protection, email protection and managed online backup for critical data.
  5. Harden your firewall rules and monitor the log, especially for strange outbound network traffic.
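As an added example (not part of the original post), here is a read-only PowerShell audit that checks a single Windows host against items 1, 2, 3 and 5 of that list. It assumes the legacy plugins appear in the Uninstall registry keys under the display-name substrings matched below, that Windows Update is the patch source being measured, and that the Windows Firewall log is the one being monitored; it reports findings and changes nothing.

```powershell
# Added example, not from Ian Trump's post: audit one Windows host against the
# hardening checklist. Run in an elevated session so the registry, Windows Update
# and firewall queries succeed. Nothing is modified; findings are only reported.
$findings = @()

# 1. Legacy browser plugins (Flash, Shockwave, QuickTime, Silverlight) still installed?
#    Assumption: they show up under the usual per-machine Uninstall keys.
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$legacy = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match 'Adobe Flash|Shockwave|QuickTime|Silverlight' }
foreach ($app in $legacy) { $findings += "Remove legacy plugin: $($app.DisplayName)" }

# 2. Pending Windows updates that were published more than 48 hours ago.
#    (Third-party application patching is outside what this check can see.)
$searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
$pending  = $searcher.Search('IsInstalled=0 and IsHidden=0').Updates
foreach ($u in $pending) {
    $ageHours = ((Get-Date) - $u.LastDeploymentChangeTime).TotalHours
    if ($ageHours -gt 48) {
        $findings += ('Patch overdue by {0:N0} h: {1}' -f ($ageHours - 48), $u.Title)
    }
}

# 3. Is the account running this session a local administrator? Day-to-day
#    user sessions should not be; run this as the user whose rights you want to check.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if ($principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    $findings += "User $($identity.Name) holds local administrative privileges"
}

# 5. Every firewall profile enabled and logging allowed as well as blocked connections,
#    otherwise strange outbound traffic never makes it into the log you are meant to watch.
foreach ($p in Get-NetFirewallProfile) {
    if ($p.Enabled -ne 'True') { $findings += "Firewall profile '$($p.Name)' is disabled" }
    if ($p.LogAllowed -ne 'True' -or $p.LogBlocked -ne 'True') {
        $findings += "Firewall profile '$($p.Name)' is not logging both allowed and blocked traffic (log: $($p.LogFileName))"
    }
}

if ($findings.Count -eq 0) { Write-Host 'No findings: host matches the checklist.' }
else { $findings | ForEach-Object { Write-Warning $_ } }
```

Item 4 (managed AV, web and email protection, online backup) is a service-side deployment rather than a host property, so it is left to the management console and a restore test rather than this script.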

*Drops Mic*