
Monday, 14 September 2015

No one is safe from ransomware: Symantec

Source: Symantec DeepSight Early Warning Services Threat Analysis on the evolution of ransomware. The top dozen countries targeted by ransomware in the past 12 months.

Symantec has released a DeepSight Early Warning Services Threat Analysis on the evolution of ransomware that warns the phenomenon could affect users in many regions worldwide, particularly those living in developed and high-tech economies.

Symantec analysts Kevin Savage, Peter Coogan, and Hon Lau, who authored the analysis, say that most new ransomware threats that Symantec encounters are of the 'crypto ransomware' category, which denies access to existing information on a computer if a ransom is not paid.

"Crypto ransomware tends not to use social engineering; instead it is upfront about its intentions and demands. The threats typically display an extortion message, offering to return data upon payment of hefty ransoms... A typical crypto ransomware threat requests payment of around US$300 for a single computer," states the report.

Over the past 12 months, Symantec’s records have shown that the following countries are most affected by ransomware. Japan is at no. 2, Australia at no. 8, India is at no. 9 and Turkey at no. 12. "Eleven of the top 12 countries impacted by ransomware are members of the G20 organisation, representing industrialised and developing economies that make up roughly 85% of the world’s global domestic product (GDP)," noted the report's authors.

Notably, Japan is considered such a potentially lucrative market that cybercriminals have localised their malware for the country. In November 2014, Symantec discovered Trojan.Cryptolocker.H, the first crypto ransomware variant designed to specifically target the Japanese-speaking population. Other variants are targeting other Asian languages, Symantec notes.

Eugene Teo, Senior Manager, Symantec Security Response, cautioned that businesses in countries outside of the top 12 list are still in danger. "According to the Symantec Internet Security Threat Report 2015, Singapore recorded 6,400 ransomware attacks. Cybercriminals behind ransomware are constantly innovating. 

"With more connected devices around, we can expect to see ransomware appear in new device categories where they were never seen before. Singapore is no exception to this given the greater interconnectivity and access to technology. Though the number of detections in Singapore is not as large at this point, ransomware is arising and it can still be a precursor for more widespread ransomware incidents in the near future," said Teo.

Teo also noted that prevention is better than cure. "Because new strains of ransomware are using advanced cryptography, recovering files is pretty much impossible without the necessary key to unencrypt them," he explained.

He also warned that paying the ransom is no guarantee that the criminals will actually honour promises. "If you’ve backed up your data on a separate hard drive you can at least recover the data you lost from the point of the last backup. And this can prevent the major headache of debating whether or not to chance paying the criminals who locked your computer," he said.

"But if you decide to risk paying the ransom you should know that the cybercriminal will likely require you to pay using Bitcoin or another virtual currency over the Tor network, which is software used to make web browsing anonymous. This means that tracing the thieves is nearly impossible and if they decide not to unlock your computer you are pretty much out of luck and money.

"And even if the hackers do give you the keys to unlock your encrypted files, there is always a chance they can lock your computer again in the future to demand more payment. Considering the risks, Symantec advises against caving in to the hackers."

Teo advised companies to:

Educate and inform 
"Read up on ransomware, how it works, and how it spreads. Ransomware is a constantly evolving threat so it is important to keep up to date with new developments. Ensure that users are aware of the techniques that the malware uses such as the social-engineering tricks in the spam emails. Awareness of these attacks can help users recognise and avoid future attacks," he said.

Use patching software 
"One of the most common methods for ransomware to make its way onto a computer is through drive-by-downloads caused by accidentally visiting websites rigged with exploits. Bear in mind that you don’t have to enter in the URL of the malicious website yourself. Your browser could be redirected to the malicious site by a malvertisement or hidden iframe even by simply visiting well-known and legitimate sites. The best defense against an exploit-based infection scenario is to ensure that your software and operating system are up to date with security patches," he said.

Use a layered defense approach 
"Most of today’s ransomware attacks involve many different elements. An attack could start with a spam email that includes a link to a malicious website which exploits multiple vulnerabilities to download the ransomware. A multi-layered defense strategy addresses each of these attack vectors at various points in an organisation’s infrastructure," he said. 

"Network protection could help prevent users from visiting malicious websites and file-based protection could block malicious code from executing at the endpoint computer. Each layer creates an extra obstacle for the malware to overcome, making it much more difficult for the ransomware attack to be successful."

Teo added that backing up is always a good idea, even without the threat of ransomware. "Backups are also an essential part of a business continuity and disaster recovery plan, which all businesses should have. At a minimum, we recommend that users at least make backups of the files that are important to them and do it regularly. How often backups are made and to which storage solutions are all things that need to be considered, depending on your own risk profile," he concluded.

Interested?

Download the ransomware report
