25 Jun 2014

Don’t let your organisation get held to ransom: The latest in ransomware hacks

The banner reads: “Your computer has been locked. You must pay to have your files decrypted.”

It is not a joke. A rising number of Australian IT administrators and small business owners are falling victim to this kind of terrifying scam. The threats are often real and can spell disaster.

The ransomware messages are sent by scammers who have turned the act of encrypting and ransoming a company’s data into what is, by many accounts, a highly profitable business. These scammers break into a victim’s corporate network and encrypt important data, demanding a “ransom” for its decryption.

For many victims, there is little recourse but to take the risk and pay. When done properly, the encryption can’t be cracked. Those victims who did back up their data often find the attackers have wormed their way through the network and encrypted those storage devices too.

“The criminals behind this ransomware, or cryptoware, seem to have found the sweet spot between $2,000 to $4,000 where businesses will pay up,” says Paul Ducklin, head of technology for Sophos.

The scammers have a variety of attack vectors to choose from, including Microsoft’s ubiquitous Remote Desktop Protocol (RDP), which staff commonly use to reach the office network from outside. If the attackers are prompted for a password, a simple program that guesses passwords en masse against the exposed RDP service is often enough to get in. “RDP is a blessing and a curse. It is a great help to many people but we also know that it is being used carelessly,” says Ducklin.
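The mass password guessing described above leaves a very recognisable trail in the Windows Security log: a burst of failed-logon events (Event ID 4625) from one source address, usually cycling through account names. The script below, an added example that is not part of the original article, flags that pattern with a sliding-window count. The log lines are constructed for the demo in a simplified comma-separated export, and the threshold (8 failures in 5 minutes), the field layout and the choice to treat logon types 3 and 10 as RDP (type 10 is RemoteInteractive; with Network Level Authentication enabled, failed RDP logons often show up as type 3) are assumptions.

```python
"""Flag RDP password-guessing from Windows Security log events.

Added example; not from the article. Input is a constructed, simplified
export of Event ID 4625 (failed logon) records. The field layout, the
threshold and the window size are assumptions for this demo.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: timestamp, event id, logon type, account, source IP.
# 203.0.113.7 hammers the server with many accounts in a few seconds;
# 198.51.100.20 is a real user mistyping a password twice, then succeeding.
SAMPLE_EVENTS = """\
2014-06-24T02:10:01,4625,10,administrator,203.0.113.7
2014-06-24T02:10:02,4625,10,admin,203.0.113.7
2014-06-24T02:10:02,4625,3,administrator,203.0.113.7
2014-06-24T02:10:03,4625,10,root,203.0.113.7
2014-06-24T02:10:04,4625,10,Administrator,203.0.113.7
2014-06-24T02:10:05,4625,10,test,203.0.113.7
2014-06-24T02:10:06,4625,10,administrator,203.0.113.7
2014-06-24T02:10:07,4625,10,user,203.0.113.7
2014-06-24T02:10:08,4625,10,scan,203.0.113.7
2014-06-24T02:10:09,4625,10,backup,203.0.113.7
2014-06-24T02:11:00,4625,10,jsmith,198.51.100.20
2014-06-24T02:15:00,4625,10,jsmith,198.51.100.20
2014-06-24T08:00:00,4624,10,jsmith,198.51.100.20
"""

# Logon type 10 = RemoteInteractive (RDP). With NLA, failed RDP logons are
# frequently recorded as type 3 (Network), so both are counted (assumption).
RDP_LOGON_TYPES = {"3", "10"}


def parse_events(text):
    """Parse the constructed CSV export into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, account, src = line.split(",")
        events.append({
            "time": datetime.fromisoformat(ts),
            "event_id": event_id,
            "logon_type": logon_type,
            "account": account,
            "src": src,
        })
    return events


def find_password_guessing(events, threshold=8, window=timedelta(minutes=5)):
    """Return {src_ip: (failures_in_window, distinct_accounts_tried)} for
    every source that produced >= threshold failed RDP logons inside any
    sliding window of length `window`."""
    recent = defaultdict(deque)   # src -> timestamps of failures in window
    accounts = defaultdict(set)   # src -> account names it has tried
    flagged = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["event_id"] != "4625" or ev["logon_type"] not in RDP_LOGON_TYPES:
            continue
        q = recent[ev["src"]]
        q.append(ev["time"])
        accounts[ev["src"]].add(ev["account"].lower())
        # Drop failures that have fallen out of the window.
        while q and ev["time"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            flagged[ev["src"]] = (len(q), len(accounts[ev["src"]]))
    return flagged


if __name__ == "__main__":
    for src, (count, distinct) in find_password_guessing(parse_events(SAMPLE_EVENTS)).items():
        print(f"{src}: {count} failed RDP logons, {distinct} distinct accounts tried")
```

Run against the sample, only 203.0.113.7 is reported (10 failures across 7 account names); the two typos from 198.51.100.20 stay under the threshold. In a real environment the same logic is far more useful when it also drives a response, such as an account lockout policy or a firewall rule, since the point the article makes is that the exposed RDP endpoint is reachable by anyone on the internet.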

It is difficult to ascertain the number of victims, partly because the crime is rarely reported to authorities. But state police sources say in the course of a single day, as many as 30 businesses reported being fleeced by the scammers, each for thousands of dollars.

In recent months, a medical centre on the Gold Coast had patient records encrypted and ransomed. An Alice Springs-based business coughed up $3,000 to get its financial data decrypted, while a Byron Bay primary school pleaded with the crooks to lower their demands before cutting its losses and giving up the data.

Many victim businesses that pay up have had their data returned by way of an emailed decryption key, a fact that some say gives credence to the criminals’ business model.

Crucially, this controversial and risky resolution may only work in these cryptoware-style attacks, where the scammers personally demand the pricey ransom from each victim. It is not known to work in mass ransomware attacks, sometimes called fineware, where victims are hit with a ransom of around $200 dressed up as a fake law-enforcement fine.

“It is important to remember the type of people you are dealing with,” Ducklin warns.

Ultimately, the money is better invested in preventative security defences and best practice that will lower the likelihood of attack and reduce the impact of damage.

“You need an alternate, secure backup that you can use to restore your system,” says Ducklin. “But if you use cloud backups and the crooks control your computer or network, they can make sure your encrypted photographs are synchronised.”

He recommends keeping an updated backup of records on devices that can easily be disconnected from the network and stored off-site, so that an attacker who controls the network cannot encrypt the backups as well. Businesses should also test for and fix security vulnerabilities, and ensure security technologies like firewalls and anti-virus systems are deployed and kept current.
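The failure mode Ducklin describes, a synced backup faithfully overwriting the last good copy with encrypted files, can be caught before the overwrite happens. The script below is an added example, not code from the article or from Sophos. It records a manifest of file hashes with each backup and refuses the next sync if an implausible share of the previously backed-up files are now missing or changed, which is what mass encryption (often with renamed files) looks like from the backup side. The 30% threshold, the manifest format and the directory layout are assumptions, and the demo constructs its own source tree and "removable" backup directory in a temp folder.

```python
"""Guard a backup sync so it does not propagate freshly encrypted files.

Added example, not from the article. Idea: before overwriting the backup,
compare the source tree against the manifest saved with the last good
backup; if too many previously backed-up files are now missing or have
different content (a crude encryption heuristic), refuse to sync so the
last good copy survives. The 30% threshold is an assumption.
"""
import hashlib
import os
import shutil
import tempfile


def file_hash(path):
    """SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map relative path -> sha256 for every regular file under root."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = file_hash(full)
    return manifest


def changed_fraction(old_manifest, new_manifest):
    """Fraction of previously backed-up files that are now missing or differ.
    A file renamed to *.encrypted counts as missing, which is the point."""
    if not old_manifest:
        return 0.0
    changed = sum(1 for p, h in old_manifest.items() if new_manifest.get(p) != h)
    return changed / len(old_manifest)


def guarded_sync(src, dst, max_changed=0.3):
    """Mirror src into dst unless too much changed since the last manifest.
    Returns (synced, fraction_changed)."""
    manifest_path = os.path.join(dst, ".manifest")
    old = {}
    if os.path.exists(manifest_path):
        with open(manifest_path) as f:
            old = dict(line.rstrip("\n").split("\t") for line in f)
    new = build_manifest(src)
    frac = changed_fraction(old, new)
    if frac > max_changed:
        return False, frac  # refuse: the backup keeps its last good state
    for name in os.listdir(dst):  # delete-and-copy mirror keeps the demo simple
        target = os.path.join(dst, name)
        shutil.rmtree(target) if os.path.isdir(target) else os.remove(target)
    shutil.copytree(src, dst, dirs_exist_ok=True)
    with open(manifest_path, "w") as f:
        for p, h in sorted(new.items()):
            f.write(f"{p}\t{h}\n")
    return True, frac


def demo():
    """Constructed run: good backup, one legitimate edit, then simulated
    cryptoware overwriting and renaming every source file."""
    work = tempfile.mkdtemp()
    src, dst = os.path.join(work, "docs"), os.path.join(work, "usb_backup")
    os.makedirs(src)
    os.makedirs(dst)
    for i in range(10):
        with open(os.path.join(src, f"invoice{i}.txt"), "w") as f:
            f.write(f"invoice {i}\n")
    first, _ = guarded_sync(src, dst)            # initial backup, no manifest yet
    with open(os.path.join(src, "invoice0.txt"), "a") as f:
        f.write("amended\n")                     # one legitimate edit (10%)
    second, _ = guarded_sync(src, dst)
    for name in os.listdir(src):                 # simulate cryptoware
        p = os.path.join(src, name)
        with open(p, "wb") as f:
            f.write(os.urandom(64))
        os.rename(p, p + ".encrypted")
    third, frac = guarded_sync(src, dst)
    survivors = [n for n in os.listdir(dst) if n.endswith(".txt")]
    shutil.rmtree(work)
    return first, second, third, frac, len(survivors)


if __name__ == "__main__":
    print(demo())  # (True, True, False, 1.0, 10)
```

In the demo the first two syncs go through (nothing to compare, then a 10% change), and the third is refused because 100% of the backed-up files are gone, so all ten original invoices are still on the backup volume. This complements rather than replaces the off-site, disconnected copy the article recommends: an attacker who controls the machine running the sync can simply delete the manifest or the backup, so the guard only buys time on media that is still attached.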

Fast facts

  • ‘Ransomware’ is a growing threat. Scammers hack into a network, encrypt vital data then force victims to pay for access
  • Ransoms are generally around $2,000-$4,000
  • Prevention is the best cure. Sophos advises companies to keep a secure backup off the network, so it cannot be encrypted along with everything else
  • Security technology like firewalls and anti-virus is essential