Happy New Year! You wake up to find that your files have been encrypted by someone else. Now the only thing that is readable is an HTML file informing you that, for a fixed price, you “may” receive the magic key to decrypt those files. This is ransomware: someone encrypts your files and then leaves an HTML message, a ransom note, for the owner. Below is a description of the process as we observed it:
The attackers use an HTML file because it lets the message be styled in various ways, to fool the user into thinking it comes from a legitimate website (such as a local government site):
This type of cyber attack is referred to as a “data hijacking attack”: the data or files are hijacked for a particular purpose, either monetary or something more sinister. Many malware families fall into this classification: CryptoLocker, CryptoWall 1.0, Chimera and TeslaCrypt, to name a few.
These programs are often shared among cyber criminals, so pinpointing a single source is often not possible, especially when they can be rented as a service for others to use for a small fee. With a simple process of infection, encryption and notification, these viruses have been extremely successful. One ransomware virus, “CryptoWall 3.0”, made over $325,000,000!
There are, however, prevention methods that can greatly reduce the impact of a data hijacking attack:
Ransomware and data hijacking are a real problem. They have become so successful that organized crime, nation states and other hostile entities use them as one of their primary weapons to extort their targets. Following these simple yet effective steps will help you arm yourself against them. Unfortunately, one of my previous companies didn’t, and it cost them…
While on vacation I received a call from my security analyst asking me, somewhat innocently, if I knew a way to decrypt files. When I asked why, he told me that a user’s laptop had been impacted by a ransom virus. Not only that, the attack had gone much further than the person’s individual laptop. Since the user had mapped her drives to application servers, the ransom virus was able to access and impact any server she was connected to. So all the files on those application servers had also been encrypted by the ransomware! Of course we didn’t have any backups, system restore enabled or shadow copies. The company lost important files and suffered productivity loss and financial loss as a result.