It's hard to believe that only a few years have passed since ransomware started creeping in to the collective consciousness of the IT industry. In 2014 we talked about the dangers of the “Cryptolocker Trojan” and how to prevent or respond to an attack. The Bleeping Computer thread that we reference there is now an interesting microcosm of the emerging ransomware threat:
- It's a real pain this one. We are restoring from backup now but there are still files which will have changed which we wont get back.
- I Paid the ransom. The author of this is genius. Evil genius, but genius none the less..
- … People are less concerned with removing the virus and more concerned with decrypting the files. Removing the virus does not seem difficult but repairing the damage is another thing entirely.
- This thing is nasty and has the potential to do enourmous amounts of damage worldwide!
When the 230-page thread tapers off in 2016, it's only because newcomers are directed to other threads dedicated newer versions of the threat.
Cryptolocker victims weren't the first to be hit by ransomware; AIDS ransomware was spread via floppy disks to unsuspecting PC users back in 1989. Modern ransomware was discovered in 2005 in the form of Trojan.GPCoder, which encoded files and delivered this message:
Some files are coded.
To buy decoder mail: [user]@yahoo.com
with subject: PGPcoder 000000000032
Ransomware has come a long way since then. Last month Malwarebytes reported (pdf) that Cerber Ransomware now owns 87% of the ransomware market. This is likely due to a combination of factors, including the mysterious disappearance of Locky and the RaaS distribution model of Cerber. The Cerber ransomware is getting smarter too; it evades AV solutions that use machine learning and it detects sandbox detonation. In short, it learns to avoid your learning systems. See this SecurityWeek article for more on the topic.
The FBI reports that ransomware criminals brought in nearly $25 million in payments in 2015, and that payments were expected to reach $1 billion in 2016. A recent report from Symantec states that the average ransom went up from $294 to more than $1000 in that same time frame, and more than 60% of victims are willing to pay.
This global threat has brought about a global response. Organizations like No More Ransom are helping victims recover with minimal loss, and the IT security industry is showing unprecedented collaboration with law enforcement in order to stop these criminals. Even if you are an individual user and not attached to a business network, you can help with this effort to stop ransomware:
- Keep your endpoint antivirus and anti-malware solutions up to date and scanning in real time.
- Know the warning signs for phishing, malware, and compromised websites.
- Keep a current and reliable data backup.
- If attacked by ransomware, try a free decryptor from No More Ransom or a similar organization.
- If you cannot decrypt files, try to restore from backup.
- Regardless of whether you pay the ransom, be sure to close any gaps the attack revealed in your security or your data backups. Once you've paid a ransom, there's no reason to think you won't be a target for a larger ransom later.
- Remember that ransomware is a crime, and you should always report the attack.
If you'd like to learn how Barracuda can help your company protect itself from ransomware, visit our website here.