Ransomware Is Growing More Devious


If ransomware doesn't get as much publicity as it used to, that's only because it's not the latest thing. It's still an effective way to extort money, so criminals keep using it. If anything, it's gotten more devious. Attacks dropped by 31% in the first quarter of 2018 compared to the previous quarter, but this was almost entirely because blocking of some well-established varieties has gotten much better. Crooks keep developing new attack modes, some of which are already significant players.

A new generation of ransomware

In March 2018, a ransomware attack by the SamSam group hit the city of Atlanta. SamSam specialises in high-value targets that it hopes will pay large sums. This is a different approach from the mass intrusions that demand a few hundred dollars from each victim. The attack disabled large parts of the city's services for days, and some information was permanently lost.

SamSam has hit at least 67 victims in 2018. The group conducts extensive planning before each attack in order to cripple as many systems as possible. It constantly updates its approach to exploit new vulnerabilities. The new techniques are more adept at finding and encrypting backups than the older waves were.

Some malware is now capable of multiple attack methods. It decides whether to encrypt files or use the machine for cryptomining after scanning it. It's like a kidnapper who looks over the victims and then decides whether to demand a ransom or use them for slave labour.

The range of delivery mechanisms has expanded. The older code generally required someone to open an email attachment to get onto a machine. Now the attack may come from a website running outdated software, exploit system utilities, or infect off-brand copies of legitimate software.

Some ransomware always uses the same decryption key, and public sites provide information that lets anyone recover the files it scrambles. The newer, more sophisticated attacks generate a key for each victim, closing off that remedy.

Prevention and recovery

Ransomware's effects aren't that different from physical disasters such as fire and theft. They're one more reason every business should have a disaster recovery plan for its network. The plan includes offsite cloud servers which can be brought up if the primary system fails. The network will keep running while administrators remove the malware and clean up the damage.

Short of full disaster recovery, a network should at least have an offsite backup which is out of reach of direct file access. A versioned backup which keeps older copies will protect against having the scrambled files "backed up" and overwriting a good backup.
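The versioned-backup point above, as an added example that is not part of the original article: a backup store that keeps older copies and stops pruning them when a snapshot's changed files suddenly look encrypted. `VersionedBackup`, `fake_ciphertext`, the in-memory storage and the 7.5 bits-per-byte threshold are assumptions made for illustration.

```python
import hashlib
import math
from collections import Counter

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; encrypted data sits close to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

class VersionedBackup:
    """Hypothetical in-memory stand-in for an offsite versioned backup store."""

    def __init__(self, keep=2, entropy_limit=7.5, suspicious_ratio=0.5):
        self.versions = []       # snapshots, oldest first: {path: bytes}
        self.keep = keep         # clean snapshots retained in normal operation
        self.entropy_limit = entropy_limit
        self.suspicious_ratio = suspicious_ratio
        self.first_bad = None    # index of the first suspicious snapshot

    def snapshot(self, files: dict) -> str:
        prev = self.versions[-1] if self.versions else {}
        changed = [p for p in files if p in prev and prev[p] != files[p]]
        # A file that was low-entropy and is now near-random was likely encrypted.
        scrambled = [p for p in changed
                     if entropy(files[p]) > self.entropy_limit
                     and entropy(prev[p]) <= self.entropy_limit]
        self.versions.append(dict(files))
        if (self.first_bad is None and changed
                and len(scrambled) / len(changed) >= self.suspicious_ratio):
            self.first_bad = len(self.versions) - 1
        if self.first_bad is not None:
            return "suspicious: pruning halted"   # never age out good copies now
        del self.versions[:-self.keep]            # normal rotation
        return "ok"

    def last_good(self) -> dict:
        """Newest snapshot taken before the first suspicious one."""
        if self.first_bad is None:
            return self.versions[-1]
        return self.versions[self.first_bad - 1]

def fake_ciphertext(seed: bytes, size: int = 4096) -> bytes:
    """Constructed sample: deterministic near-random bytes standing in for an encrypted file."""
    return b"".join(hashlib.sha256(seed + bytes([i])).digest() for i in range(size // 32))
```

The check compares each file with its previous version, so files that were already compressed or encrypted before the change are not flagged.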

The usual ways of protecting against malware apply, with more urgency than ever. Email filters will keep out a large portion of the messages that have malicious attachments. Employee training will encourage staff to be alert to any suspicious mail they receive. Strong passwords and multi-factor authentication will make it difficult to break into accounts.

It's impossible to guarantee that other people's websites are safe from infection, so browsers need to be up to date. The newest software has the best protection against known JavaScript vulnerabilities. Most browsers check Web addresses against a constantly updated list of infected sites and will block access or issue a warning when a user tries to access one. Even familiar sites run by trustworthy people sometimes get compromised.

What not to do

If ransomware does strike, there are two important things to remember:

  1. Don't panic.

  2. Don't pay.

A hasty response could make the situation worse. The first step is to quarantine the affected computers. The next is to check all the other computers on the network for malware. A quick but level-headed response has the best chance of stopping the attack before it does more damage.

Paying is never a good idea. The chances of getting the files back are low, and you identify yourself as a target who's willing to pay the ransom. You'll just be hit again.

Ransomware is a serious problem but not a super-powered enemy. A good set of security measures keeps the chances of losing files low, and it provides the best chance of getting them back if they are lost. Contact us today to learn how we can help keep your network security strong.
