The ‘Wannacrypt’ virus attack made headlines this week by infecting over 200,000 machines globally and crippling the NHS, among other organisations.
Now there are fears the kill switch code built into Wannacrypt will be removed and other variants of the virus strain will be launched shortly. Media confusion will spread as different security researchers encounter different threats.
Some background on Ransomware
Ransomware emerged in 2013 with the infamous Cryptolocker virus. Since then it has grown to include many new variants and strains. All variants of Ransomware use very strong encryption methods to prevent users from accessing their data. Some of the viruses have been hacked and the keys used to release the data, but these are rare exceptions and can’t be relied upon.
The growth of Ransomware
Cyber criminals have realised the opportunity that Ransomware presents, and the Dark Web openly offers Ransomware as a service. As internet traffic grows, so does the amount of available Ransomware. At the start of 2013, malicious email traffic was around one billion total emails sent. At the start of 2016 this had risen to 14 billion. Spam emails no longer concentrate on online pharmacies or pirate software; they contain links to malware websites or, worse, carry embedded malware payloads.
The spread of Ransomware gets worse too. Websites carrying embedded malware code have increased. One of the leaders in the internet security business is now tracking, daily, over 40 million websites and domains carrying or known to carry malware. This is up from 30 million in 2013.
ZDNet reported last year on a report from Herjavec Group, which estimated that the total loss from Ransomware attacks has reached $1 billion USD. This figure is derived from downtime, lost productivity and paid ransoms, although only $209 million of it came from ransom payments.
There are three core strategies to help combat the threat presented by Ransomware:
- Education: Keep your users vigilant for the threat and where it comes from.
- Anti-Virus: For when education or technology fail to catch and quarantine the virus.
- Robust Disaster Recovery: When all else fails.
What can you do?
In simple terms, Ransomware changes files in a systematic way by encrypting them. By monitoring the backup as it happens and spotting any change, we can proactively detect a potential attack. It’s this constant monitoring that helps customers. When the customer’s backup completes (and we can back up as aggressively as every 15 minutes), software scans the backup.
The scan detects changes from the last backups. If it detects mass encryption, an encryption style that’s not within acceptable standards, or one typically used in Ransomware, it will alert Iron Mountain that a potential Ransomware attack is taking place. Using the previous healthy backups, we can roll the customer back to a clean state where we know there were no infections and the customer can carry on, albeit considering carefully what they click on.
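An added example, not Iron Mountain's software or code from the original post: one way to implement the scan described above, assuming byte entropy as the signal that a changed file has been encrypted. The snapshot dictionaries, thresholds and file names are constructed for illustration.

```python
import math
import os
from collections import Counter

ENTROPY_THRESHOLD = 7.5  # bits per byte; assumed cut-off, encrypted data sits near 8.0
MASS_CHANGE_RATIO = 0.5  # assumed: alert when half the previous files look encrypted


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string, in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())


def scan_backup(previous: dict, current: dict) -> dict:
    """Compare two snapshots (path -> content) and flag likely mass encryption."""
    removed = set(previous) - set(current)
    suspicious = []
    for path, new in current.items():
        if shannon_entropy(new) < ENTROPY_THRESHOLD:
            continue  # content is not near-random, so it is not encrypted
        old = previous.get(path)
        if old is not None:
            # Changed in place: flag only a jump from low to high entropy, so files
            # that were always compressed (zip, jpg) do not raise the alarm.
            if old != new and shannon_entropy(old) < ENTROPY_THRESHOLD:
                suspicious.append(path)
        elif any(path.startswith(gone) for gone in removed):
            # Renamed copy (b.txt -> b.txt.locked) standing in for a removed file.
            suspicious.append(path)
    ratio = len(suspicious) / max(len(previous), 1)
    return {"suspicious": sorted(suspicious), "ratio": ratio,
            "alert": ratio >= MASS_CHANGE_RATIO}


if __name__ == "__main__":
    # Constructed sample snapshots: three documents and one already-compressed file.
    text = b"Quarterly report: revenue up 4 percent.\n" * 100
    clean = {"a.txt": text, "b.txt": text, "c.txt": text, "d.zip": os.urandom(4096)}
    hit = {"a.txt": os.urandom(4096), "b.txt.locked": os.urandom(4096),
           "c.txt": text, "d.zip": clean["d.zip"]}
    print(scan_backup(clean, clean))  # healthy backup, no alert
    print(scan_backup(clean, hit))    # two of four files flagged, alert raised
```

An alert from a check like this is the trigger for rolling back to the last snapshot that scanned clean.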
Look for more blogs on information security issues.