More about Ransomware

I have mentioned ransomware in an earlier post but there is now a new discussion taking place in security circles.  This relates to the different types of ransomware now being seen and whether the type really matters.

It is clear, from too many sources to mention, that ransomware continues to grow and is widely perceived as being one of the biggest threats facing organisations large and small in 2017.  Ransomware can affect any organisation.  A click on a link in a bad email and the world collapses in on you.  The term ransomware was coined because what the criminals were doing was, in general, encrypting files and then demanding a ransom to “release” them by providing the decryption key.  Whether or not the key is actually provided, and, anyway, even if it is, the integrity of the data decrypted is suspect, is another matter entirely.  This continues to be a major issue and is likely to remain so for the foreseeable future.

There are now though two more variants on the scene, extortionware and doxware.

The first involves demanding larger sums of money either for decrypting or for not releasing sensitive information onto the internet.  The information may be your customers’ personal information or specific information about celebrities, or anything else you care to think up.  The target for this type of crime though is much more the larger companies that the smaller SMEs for example who are far less likely to have such information in enough quantity to make the return on investment (ROI) by the crooks worthwhile.

The second variant, doxware, involves the threat of releasing documents onto the internet akin to being done over by wikileaks. Once again money is demanded to stop the leak and again the targets are much more likely to be larger companies than SMEs because of the higher ROI for the crooks.  It should be recognised however, that in all cases hacking an SME may well be a route to the big boys notably through email, electronic trading transactions or other methods utilising the supply chain connectivity.

The current debate is whether these are really different forms of ransomware or not.  To me that question is pretty irrelevant but what is far more relevant are the methods by which one should protect oneself from such attacks.

The precaution for ransomware has always been to take good backups regularly and to keep them offline, or at least not logically connected to the source information.  If linked in anyway, there will always be a risk the same encryption algorithm implanted by the criminal on the main system will encrypt the backups too.

With extortionware and doxware this will not address the risk.  It would seem the criminals also read the best advice on how to address the risk of ransomware and so have devised a scheme where it is the information itself that is used in the ransom demand.  The way to deal with this though is well known and certainly not new.  Encryption of the data at rest should reduce its value to a criminal – they can’t read it or use it.  Encrypting in transit may also be required if the storage location is in the cloud or outside the confines of the organisation itself (i.e. behind the corporate firewalls).  Transfer encryption is most certainly required if the sensitive information is moved outside the logical walls of the organisation. Whether everything needs to be, or indeed can be, encrypted is a tricky question but it is clear the importance of encryption has been raised significantly by this development.

If you need more encouragement to consider encryption then the EU’s General Data Protection Regulations (GDPR) coming into effect in about 18 months time (regardless of the UK leaving the EU) specifically mention encryption and the reduction in fines if effective encryption is found to have been employed.  The UK’s Information Commissioner’s Office has stated that the UK will implement something very similar and consistent with the GDPR.

Good luck in 2017 and I hope you mange to avoid the pitfalls of ransomware whatever its variant!

About Author: Andy Taylor

Leave a Reply

Your email address will not be published. Required fields are marked *