The use of ransomware in North America has grown exponentially, becoming a popular tool for kidnapping data by encrypting the victim’s data and demanding payment for the encryption key.
Ransomware is a type of malware that prevents users from accessing their systems, documents, photos, spreadsheets, and other forms of data. It can spread by visiting malicious or compromised web sites or via a payload, either downloaded by other malware/infected programs or delivered through e-mail attachments. The malware either then locks the computer screen or encrypts certain files with a password.
Victims may then receive an e-mail “ransom note” demanding payment in exchange for a private key or their locked screen displays a full-screen image or notification containing instructions on how the victim will pay the ransom. If the money (usually to be paid in Bitcoins) is not paid by a certain date, the attacker will then destroy the private key and the victim’s data is lost forever.
Reveton, also known as “police ransomware” or “police trojan” ransomware, is a variant where the software impersonates law enforcement agencies. Victims are shown a notification page purportedly from local law enforcement that advises they are the subject of a police inquiry and must pay an electronic fine because unlicensed software or other illegal content has been found or they engaged in other malicious activity online.
The software is clever enough to track the geographic location of their victims and “localize” the message received so U.S. users receive FBI warnings versus French users who receive notices from the Gendarmerie Nationale.
Common types of ransomware have included Simplelocker, CrytoLocker, and CryptoWall. At the time of the writing of this column, an aggressive new ransomware called TeslaCrypt is making news as it targets Windows users, searching for file types such as photos, financial spreadsheets, Office documents, files for tax returns, Quicken software, and iTunes.
Interestingly, TeslaCrypt is also targeting files relating to games (including saved games, configurations, maps, and replays), including such well-known games such as Call of Duty, World of Warcraft, Minecraft, and Diablo (and the configuration files for online gaming platform Steam). TeslaCrypt can even locate files on connected devices and drives and encrypt USB drives, network file shares, cloud storage folders, and other connected storage devices.
The price for decryption is 1.5 Bitcoins (about C$503) but if you pay in Ukash the price increases to £400 pounds (about C$755). The perpetrators have helpfully included a “support” service that allows you to send them a message if you have any questions — like how to pay.
Network World recently reported Symantec has estimated CyptoLocker-style ransomware grew 700 per cent in 2014 while McAfee Labs reported a 155-per-cent growth in ransomware incidents in the last quarter of 2014. Poorly protected Windows-based personal computers are main targets but Android telephones are also extremely popular.
Unfortunately lawyers are not immune. In British Columbia, three law firms were the subject of ransomware attacks in 2014. Two resisted paying their attackers although one did pay to get back control of its files. The firms that did not pay had their data backed up on external hard drives, but had to have their systems wiped and rebuilt from the data from backups.
Interestingly, the Law Society of British Columbia, which issued a fraud alert about the CryptoWall attack, did not require these law firms to advise clients of the attacks despite the duty of confidentiality if the encrypted data was not “necessarily breached” and client files had not been accessed.
I personally find this position highly unsettling and would expect that clients would wish (and expect) to know of these attacks, if only to take further steps to protect their highly confidential information and because any hacker that had the technological ability to access the file system to encrypt it in the first place would surely be able to access the content of files. However, the private sector B.C. Personal Information Protection Act does not have mandatory data breach notification requirements. It is not surprising the law firms in question didn’t notify B.C.’s Information and Privacy Commissioner (or their clients), even if this outcome is disappointing.
One study has found approximately 40 per cent of victims of ransomware attacks end up paying, if only because the process of trying to decrypt the file on their own or using a security expert is so laborious. Most hackers usually keep their word and provide the decryption keys to unlock the data. Moreover, as the perpetrators seem to be business oriented by keeping the ransom price within a reasonable range (usually around US$300-800), many victims calculate it is ultimately cheaper (and easier) to pay than hire professionals to decrypt the files.
One strain of ransomware called OphionLocker is even designed to recognize the devices it had infected in the past so it doesn’t demand payment from the same victims repeatedly. Honour amongst thieves?
How to protect against this scourge? Think before you click.
• Ensure your anti-virus and malware software is up-to-date and includes ransomware-related protection.
• Be suspicious of attachments that you don’t recognize and download only from trusted sources.
• Don’t click on any pdf attachment with a “pdf.exe” extension at the end of the file name, which may be a dangerous executable file.
• Restrict the ability of users to download and install software to prevent malware from being inadvertently installed.
• Back up your computers on an external hard drive and unplug/disconnect it from your computer.
• If you use backup software that backs up to the cloud, you may be able to restore from the cloud backup if it has not been infected.
• Ensure your IT systems meets current protection and backup best standards.
• Lastly, consider cyber-liability insurance to mitigate against these risks.
The Law Society of Upper Canada has an interesting podcast on this subject on its web site.