Like most technology security threats, ransomware is yet another fancy name representing something abstract that the average person doesn't really understand. We hear terms for all sorts of computer threats every day - zero-day, hacking, cracking, viruses, trojans, threat vectors... - the list is endless.
The potential bad guys range from nation-state actors and cyber armies all the way down to the teenager next door.
It gets so confusing so fast that most people decide they have more important things to worry about than some abstract notions of computer security.
Should You be Worried?
That's up to you.
Most ransomware today doesn't target a particular group or location. Individuals, small businesses, large corporations, hospitals, banks, governments: these are some of the folks that have been hit by ransomware in the past.
It gets into computers in a variety of ways. Occasionally that is an unpatched or previously unknown exploit, but far more often it is a tried and true path: an email attachment or link, a stolen password for remote access, or a file someone chose to run.
Everyone is at risk.
"Do I feel lucky? Well, do ya, punk?"
The thing that should worry people is not so much *if* they are going to get hit by it. What should worry them is what happens afterwards, namely, can they get their data back?
This is the fork in the road:
- Pay the ransom and hope the bad guys have enough honour to let you have your data back. Dirty Harry said it best: "You've gotta ask yourself one question: Do I feel lucky? Well, do ya, punk?"
- Decrypt the files. Most ransomware today is pretty sophisticated, making decryption without a key pretty much impossible. That's provided the files are actually encrypted, and not just destroyed.
- Recover data from a backup.
Turns out the first option (pay the ransom) doesn't seem to work out in the majority of reported cases. The second option was possible with some of the early ransomware strains, but they have gotten much more sophisticated about encryption strength and key management lately. With the last option at least people are in control of their own destiny, and can have that smug satisfaction of not letting the bad guys win.
There was a recent research survey commissioned by Citrix and carried out by Censuswide that quizzed 250 IT and security specialists in companies with 250 or more employees.
What was impressive about the results was that one-third of the organizations polled were stockpiling crypto-currencies like bitcoin (the preferred ransomware payment method) in preparation for a ransomware event. Contrast this with almost one-half of these companies not performing daily backups.
It's kind of like anticipating that you will have a flat-tire one day, and instead of carrying a spare tire you decide only to pay for roadside assistance.
Backup, Backup, Backup
I've been doing computer management for over 30 years. Seriously. When I first started out, I did weekly backups of a VAX 11/750 onto 6250 bpi tape. It was slow, it was costly, and it saved my butt more than once when the hard disks crashed.
(As an aside, ever wonder where that term "crash" came from? It's when the heads of the disks would touch down onto the spinning disks themselves. It was an impressive sight to see - sparks would fly, the heads and disks would get destroyed, and your data was pretty much gone.)
As computers came into the home, one aspect I found missing was reliable backups. Nobody seemed to know what they were. Microsoft DOS had a backup utility built into each version of DOS that also seemed to be incompatible with the previous version of DOS. Many 5.25 and 3.5 inch floppy disks were sacrificed in the name of backups, which were even slower and more painful to do than on the VAX tapes.
Today, it's MUCH better. External USB hard disks are cheap and plentiful, and some come with backup software for a variety of operating systems. Plug them in and go.
On Mac OS X, Time Machine is FANTASTIC. My wife's iMac disk crashed one day. While Apple was happy to replace it under warranty, they could not recover anything from the original disk. It turns out that the Time Machine backup we had set up was able to recover EVERYTHING she had been working on, losing only the last 25 minutes before the disk had crashed. 25 minutes! What is even more impressive is that all I did was plug in an external drive and turn Time Machine on. That's it.
So if backups are so easy and relatively inexpensive to do, why don't more people do them? Do you?
Is That All I Need?
Well, no. It's not. It turns out that some ransomware strains will look for backup disks like a Time Machine drive and encrypt them too. Anything the infected computer can write to is within reach: an attached USB disk, a mounted network share, a cloud-synced folder. Oops.
So doing backups is a great first step, but then protecting those backups is a great next step. A best practice is to take a backup to an external disk, and then store that disk, disconnected, in a safe place - we used to call this "off-site backup" (the modern rule of thumb is 3-2-1: three copies of the data, on two kinds of media, with one copy off-site and offline). How often to do this type of backup depends on a number of personal factors:
- How often does the data change?
- Can those changes be recreated manually?
- Is the data already being duplicated and stored somewhere else?
- What is the cost of losing the data altogether?
- How much data can afford to be lost (if any)? In other words, how far back may the most recent usable backup be?
- How long can not having the data be tolerated? In other words, how long may a restore take?
- ... and more.
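Protecting a backup also means being able to tell, before you need it, that it is still intact and has not itself been encrypted. The following is an added example (not code from the original post) of a small versioned backup with an integrity check: each run copies the source into a new timestamped snapshot and writes a SHA-256 manifest beside it; `verify()` later re-hashes every file against that manifest and flags files that changed, and, among those, files that now look like random bytes (high Shannon entropy), which is what an encrypted backup looks like. The manifest filename, the entropy threshold and the sample files built in `demo()` are assumptions for illustration.

```python
"""Versioned backup snapshot with an integrity manifest.

Added example, not part of the original post. MANIFEST_NAME, the 7.5-bit
entropy threshold and the files created in demo() are assumptions.
"""
import hashlib
import math
import os
import shutil
import tempfile
from collections import Counter
from datetime import datetime, timezone
from pathlib import Path

MANIFEST_NAME = "MANIFEST.sha256"  # assumed: one "<sha256>  <relative path>" line per file


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits per byte. Plain text is usually 4-6; encrypted or compressed data is close to 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def snapshot(source: Path, dest_root: Path, stamp: str = "") -> Path:
    """Copy `source` into dest_root/<stamp>/data and write a manifest next to it.
    Every run makes a new snapshot, so an older one survives if a newer one is damaged."""
    stamp = stamp or datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    snap = dest_root / stamp
    shutil.copytree(source, snap / "data")
    lines = []
    for p in sorted((snap / "data").rglob("*")):
        if p.is_file():
            lines.append(f"{sha256_of(p)}  {p.relative_to(snap / 'data').as_posix()}")
    (snap / MANIFEST_NAME).write_text("\n".join(lines) + "\n")
    return snap


def verify(snap: Path) -> dict:
    """Re-hash a snapshot against its manifest.
    Returns missing files, modified files, and modified files that look encrypted."""
    result = {"missing": [], "modified": [], "suspicious": []}
    for line in (snap / MANIFEST_NAME).read_text().splitlines():
        if not line:
            continue
        expected, rel = line.split("  ", 1)
        p = snap / "data" / rel
        if not p.is_file():
            result["missing"].append(rel)
        elif sha256_of(p) != expected:
            result["modified"].append(rel)
            if shannon_entropy(p.read_bytes()[:65536]) > 7.5:  # assumed threshold
                result["suspicious"].append(rel)
    return result


def demo() -> tuple:
    """Build a constructed sample tree, back it up, then damage the backup the way
    ransomware would (overwrite one file with random bytes, delete another).
    Returns (verify result before damage, verify result after damage)."""
    tmp = Path(tempfile.mkdtemp())
    src = tmp / "src"
    (src / "sub").mkdir(parents=True)
    (src / "notes.txt").write_text("quarterly numbers, do not lose\n" * 50)  # constructed
    (src / "sub" / "plan.txt").write_text("plan A, plan B\n" * 20)          # constructed
    snap = snapshot(src, tmp / "backups", "20240101T000000Z")
    clean = verify(snap)
    (snap / "data" / "notes.txt").write_bytes(os.urandom(8192))  # simulated encryption
    (snap / "data" / "sub" / "plan.txt").unlink()                # simulated deletion
    return clean, verify(snap)


if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after: ", after)
```

Run `verify()` from a machine other than the one being backed up, or at least before the disk is reconnected to it, and treat any entry in `suspicious` as a reason to pull the older snapshot rather than the newest one. The manifest proves only that the copy matches what was written at backup time; if the source was already encrypted when the snapshot ran, the manifest will happily match garbage, which is another argument for keeping several generations.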
What Else Can Be Done?
While performing regular backups will go a long way to helping recover from a ransomware attack, there are a lot of other things that can be done to mitigate the risk and loss:
- If the computer connects to shared drives, consideration should be given to backing up those drives regularly, only connecting when needed, and setting the file permissions to the bare minimum to get the job done. Ransomware running as a user can reach every share that user can write to, and a lot of organizations have had ransomware hit and propagate through shared resources for exactly that reason.
- If a computer travels and connects to a variety of networks, then strong consideration should be given to a decent firewall and malware protection software package for the computer.
Will doing all of this prevent being hit by malware like ransomware? No. But it will mitigate the risk and loss, and it can go a long way to helping recover a computer that does get hit.
While it may not be possible to prevent getting hit by ransomware, losing most of the data can be prevented.