Stand and deliver - the ransomware wave ravaging Irish SMEs
Organised criminals are targeting the computers of small firms and even big government departments. If you don't pay up, they'll delete your files and have even set up call centres to take their payments from desperate victims
Published 10/03/2016 | 02:30
Ireland is in the grip of a ransomware wave, with businesses, public bodies and ordinary citizens being attacked relentlessly. As Apple Mac owners heard this week that their computers may be vulnerable to such malicious software for the first time, security firms say that the number of cyber attacks seeking to extort computer users has increased in volume and intensity in recent months.
"We're seeing three to four attacks happening per day," said Conor Flynn, chief executive of Information Security Assurance Services.
"It's incredible the number of people being hit at the moment and the money being made. There's a concerted effort from organised criminal gangs that are paying a lot of money, renting out exploit kit and variants of ransomware code."
Ransomware is malicious code that gets into a computer or a server and disables access to files by encrypting (or locking) them. The code then presents the computer user with a demand to pay a ransom to unlock the files.
Failure to pay carries a penalty of permanent deletion of the files. Ransoms are typically set in the range of €300 to €500 but can escalate to thousands of euro, depending on the target organisation.
Examples of rampant ransomware strains include 'Locky' and 'TeslaCrypt'.
In recent weeks, a number of individuals and executives from organisations as diverse as hospitals, government departments and self-employed workers have contacted the Irish Independent with stories of being hit by ransomware "campaigns".
"The criminal gangs are targeting different groups," said Flynn. "A large amount of the public sector is being hit, with retail and financial services also seeing a surge in attacks."
A recent survey by the firm Data Solutions said that 23pc of Irish companies had experienced some level of ransomware attack.
The attackers have become increasingly sophisticated, with some setting up help desks to talk people through the ransom payment process.
"The professionalism is frightening," said Flynn. "They have international language call centres to help people pay the ransoms, even support centres to help set up a bitcoin payment."
Organisations with sufficiently comprehensive backups can avoid paying the ransom, but are knocked out of operation for days or weeks.
"Their business model is to honour the ransom payments because they want people to know that paying will unlock the computers," said John Ryan of Zinopy, another IT security firm that is dealing with a rise in reported ransomware attacks.
"They have online portals and helpline numbers. They definitely have the support structures underneath them to guide victims through the process."
Globally, ransomware has been wreaking havoc among private and public sector organisations. Last month, a Californian hospital was forced to pay €15,000 to ransomware attackers who encrypted the hospital's patient files. UK local councils have also been badly hit in recent weeks.
"There's a bit of a rampage going on at the moment," said Ryan. "I would personally know of 20 to 30 businesses affected in the last 12 months." The economics of ransomware are straightforward. About 1pc of victims pay up, according to research from security firms.
"It's an insidious spread of attacks that has largely gone under the radar over the last couple of weeks," said Flynn. "An awful lot of individuals are paying up."
In the US, the FBI reported that from 992 complaints, the Cryptowall ransomware variant netted over €15m from victims between 2014 and 2015.
Drawing on data from Kaspersky, the US-based Institute for Critical Infrastructure Technology says that the cost of creating a phishing page and setting up a mass spam email costs about €130.
A piece of ransomware sells for "about $2,000" on darknet forums. "This means that an attacker only needs to ransom eight everyday users at the average $300 to generate a profit," says the Institute.
While ransoms tend to be pitched at around the price of a bitcoin (currently €370), the sums can fluctuate, say experts.
"I've seen $500 to $1,000 as typical," said John Ryan. "But if you don't pay up, the numbers go up. You might be given 72 hours or a week to pay the first ransom."
Having comprehensive backups often negates the need to pay up, say IT security experts. But while no Irish businesses have admitted to paying ransomware ransoms, that doesn't mean it is not happening.
"I would say a lot more people have paid than would admit it," said Ryan. "People are conscious of brand damage."
One constituency that insists no money has been paid to ransomware attackers is the Irish government, which in recent weeks has admitted to being affected by ransomware attacks.
"A number of government offices have seen evidence of these attacks," said a government spokeswoman. "A small number of offices across the public service have [also] been affected.
"At no time has any money been paid to attackers, in bitcoin or any other format. In all cases the infected files have been quarantined relatively quickly and services restored. The effect was largely restricted to single desktop machines."
"There was one such attack in 2015," said a spokeswoman for the Department of Children and Youth Affairs. "No ransom was paid and files were restored from a clean backup."
Other individual departments declined to specify whether they had been affected by attacks.
"In recent months, there has been an upsurge in ransomware attacks on a global basis, some of which use relatively advanced PHP malware to infect visitors to compromised websites," said a spokeswoman for the Department of Communications, Energy and Natural Resources.
If the cyber attacks continue, the issue might land on the table of Barry Lowry, the newly-nominated chief information officer for the Irish government. Lowry is the third person nominated to take up the role of government CIO in three years. Lowry's two predecessors, Bill McCluggage and Michael McGrath, each stayed less than a year in the role.
But for now, it is the Department of Communications that appears to be taking a lead on the issue.
"In the first instance, individual departments and agencies are responsible for the security and integrity of their own IT networks and data," said the department spokeswoman.
"However, the National Cyber Security Centre in the Department of Communications, Energy and Natural Resources has a role in assisting entities in dealing with network and information security issues, and also circulates advisory notices to constituents as new threats emerge."
Anti-virus software has become of limited use in combating such attacks, said Flynn.
"This stuff has become so sophisticated that it's virtually undetectable by anti-virus software," he said. "In one campaign I saw, ransomware variants were morphing at 1,000 new variants per hour. Antivirus companies can't keep up."
But there are some things that companies can do to protect themselves.
"On Windows you can set folders so that no encrypted files or executable files can be saved there," said Zinopy's John Ryan. "This is generally easy to do, especially on a group policy on active directories."
An idiot's guide to ransomware
For those new to ransomware, here's a basic guide to what it is, what it does and how you can avoid its worst effects.
What is ransomware?
It's malicious software that gets into your PC and locks (or encrypts) all of your files. It then tells you that unless you pay a ransom the files will be permanently deleted.
How much are we talking about?
It's usually in the region of €300 to €400, but can be up into the thousands. One hospital in the US recently paid out €15,000 to recover patients' files. The bigger the known target, the bigger the ransom likely to be demanded.
How is the ransom paid?
The standard method of payment now appears to be in virtual currencies such as Bitcoin, as they are much more difficult to trace.
What if you don't know how to make a Bitcoin payment?
You'll be one of the 99pc of ordinary people. The attackers know this and some operate almost consumer-level helpdesk services to assist in the payment. There are even reports of call centre services to talk a payee through.
What happens if you don't pay?
Your files are permanently deleted.
Is there any way to beat it without paying?
There appear to be scant examples of anyone decrypting ransomware files without the correct key.
Why is an encrypted file so unbreakable anyway?
Because it's a level of security that is designed to thwart would-be snoops or hackers, even those using the most powerful computers. For example, it would take years to crack an encrypted file using today's best code-breaking techniques and algorithms. (This is one reason why there is so much tension between Apple and various security agencies. Neither the FBI nor the British secret services can easily break Apple's encryption, even with their vast resources.)
How do I guard against this in the first place?
Don't open attachments you're not expecting or which are from sources you don't know. Also, make sure you have up-to-date backups of your files. This way, even if the worst happens, you can simply restore your files from the backups.
So if you pay up, what do you get in return?
You get a decryption key, usually in the form of a long string of letters, numbers and other characters.
How do you know you'll get the decryption key if you pay?
Because it's in their interest. If they don't give up the key, others will know there's no point in paying.
How does it get onto my machine in the first place?
It can be triggered by clicking on the active link in a hoax email (like other forms of computer viruses) or can sneak in if you're downloading exotic types of software.
What sort of examples should I be looking out for?
In the case of one common variant, 'Locky', you receive an email with an attached document. When opened, the document looks garbled, like a collection of numbers and letters. It advises you to "enable macros" if the "data encoding is incorrect." If you do that, you can get caught.
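The Locky lure above only works if the attached document actually carries a VBA macro project. As an added illustration (not code from the article or from any security firm quoted in it), the check below shows how a mail gateway or helpdesk can flag such attachments: Office Open XML files are ZIP containers, and macros live in a part called vbaProject.bin. The sample documents are constructed in memory and are not real files.

```python
import io
import zipfile

# Added illustration, not code from the article. Office Open XML documents
# (.docx, .docm, .xlsm, ...) are ZIP containers; VBA macros are stored in a
# part named vbaProject.bin (normally under word/, xl/ or ppt/). A macro lure
# like the Locky document described above must carry that part.
MACRO_PART = "vbaproject.bin"


def has_vba_project(data: bytes) -> bool:
    """Return True if the OOXML container in `data` embeds a VBA project."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.rsplit("/", 1)[-1].lower() == MACRO_PART
                       for name in zf.namelist())
    except zipfile.BadZipFile:
        return False  # not a ZIP container, so not OOXML (legacy .doc is OLE)


def triage_attachment(filename: str, data: bytes) -> str:
    """Classify one attachment for a mail-gateway or helpdesk check."""
    if has_vba_project(data):
        return "QUARANTINE: %s contains VBA macros" % filename
    return "ok: %s has no VBA project" % filename


def build_docx(with_macro: bool) -> bytes:
    """Construct a minimal OOXML container in memory (sample data, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # placeholder bytes standing in for a real OLE macro container
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 dummy bytes")
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_attachment("invoice.docm", build_docx(True)))
    print(triage_attachment("invoice.docx", build_docx(False)))
    print(triage_attachment("notes.txt", b"plain text, not an office file"))
```

Because the check looks inside the container rather than at the file extension, a macro document renamed to .docx is still flagged.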
Is it just Windows PCs or can other devices be affected too?
While Windows PCs still make up the vast bulk of machines affected by ransomware (and malware in general), other devices have been proven to be vulnerable. Earlier this week, Apple Macs got their first taste of active ransomware via KeRanger, which was able to sneak onto Macs through a piece of torrent software from Transmission. There have also been some reports of ransomware (such as Lockdroid) knocking on the door of Android phone and tablet owners.
So what do you do if you get hit?
The key is to have backed up your files online or on an external device, such as a hard drive. If you have recent (and comprehensive) backups, you can take the hit on your files being erased and then simply replace them from the backups.
This is what most businesses affected say they do. The downside is time; even if you have backups, it can take a day or more to put things back together, knocking your systems offline for a while.
Should I call the guards?
Yes, so that they can log the incident. But don't expect any help or guidance.
Are Irish people or companies being affected?
Absolutely, from government departments to hospitals to small businesses to ordinary personal computer users. This newspaper has been contacted by several companies and private citizens in recent weeks about having been hit by ransomware. The Government itself has confirmed that individual departments have been hit, although it denies that any money has been paid out.