
Ransomware for hire: 3 steps to keep your data secure

Fabian Wosar Chief Technology Officer, Emsisoft

For most of us, the idea of losing all our data sends shivers down the spine. The scenario is even more alarming for companies, which risk having to recreate untold man-years' worth of intellectual property should their data be lost. Yet for thousands of companies every day this nightmare becomes reality. The driving force behind it is malicious software, appropriately known as ransomware, that encrypts files once it gets onto a system.

Security, they say, is only as good as its weakest link. In many cases the weakest link is well-intentioned employees who are more focused on getting work done quickly than on doing it securely. With this in mind, let's take a deeper look at the newest ransomware threat, Ransom32, and three actionable ways to keep data from being held hostage.

In researching and reverse-engineering Ransom32, which is being sold online as ransomware as a service, it quickly became apparent that it differs from other ransomware. Notably, Ransom32 is written in JavaScript and uses the NW.js framework, which gives the script far more control over, and interaction with, the underlying operating system than a browser would allow. This benefits legitimate developers, who can turn their web applications into normal desktop applications relatively easily: applications that run the same JavaScript on different platforms without the security-boundary restrictions of the web browser.

As a result, an NW.js application needs to be written only once and is immediately usable on Windows, Linux, and Mac OS X, which means Ransom32 could just as easily be packaged for Linux and Mac OS X. Ransom32 encrypts users' files (photos, documents, and other data) so that when the machine starts, the user sees a ransom note demanding payment in bitcoin in exchange for unlocking the data. To avoid this scenario:

1. Back up regularly

While it's a little like flossing for some people (you don't do it as often as you know you should), regular backups stored on a disconnected device really are the best first line of defense against ransomware. Ransomware will often explicitly target backups, which is why it is important to store them where a process running on the infected machine cannot reach them.

An external disk drive that is detached from corporate systems between backups, or a cloud-based file storage or backup service, are both good approaches. One caveat: a cloud sync folder that stays mounted is reachable by the same process that encrypts the local files, so prefer a service that keeps version history of every file. Regardless of the method, regular (preferably daily) backups are an ideal insurance policy against ransomware attacks. Ransom32 is currently undecryptable without paying the ransom, so don't forget to test the data restoration process to ensure your insurance plan is actionable.
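The restore test is the part most backup plans skip, so here is an added example of what it looks like in code. This is not code from the article or from Emsisoft: it archives a directory into a tar file, records a SHA-256 manifest next to it, restores the archive into a scratch directory and compares every file against the manifest. The sample documents and the simulated "encryption" of the live copy (overwrite with random bytes and rename to .locked) are constructed inside the script for illustration only.

```python
# Added example (not from the article): back up a directory to a tar archive,
# record a SHA-256 manifest, and prove the archive restores to identical
# content. Everything runs in a temporary directory; the sample documents and
# the simulated "encryption" are constructed here for illustration.
import hashlib
import json
import os
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src: Path, archive: Path) -> dict:
    """Archive every file under src and return {relative_path: sha256}."""
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(src.rglob("*")):
            if p.is_file():
                rel = p.relative_to(src).as_posix()
                manifest[rel] = sha256_file(p)
                tar.add(str(p), arcname=rel)
    # Keep the manifest beside the archive, on the same offline medium.
    Path(str(archive) + ".manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def check_tree(root: Path, manifest: dict) -> list:
    """Compare the files under root with the manifest; empty list means all good."""
    problems = []
    for rel, digest in manifest.items():
        p = root / rel
        if not p.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_file(p) != digest:
            problems.append(f"checksum mismatch: {rel}")
    return problems


def verify_restore(archive: Path, manifest: dict) -> list:
    """Restore into a scratch directory and check it against the manifest."""
    with tempfile.TemporaryDirectory() as scratch:
        dest = Path(scratch)
        with tarfile.open(archive, "r:gz") as tar:
            # The "data" filter (Python 3.12+, backported to 3.8.17/3.9.17/3.10.12/3.11.4)
            # refuses absolute paths and ".." traversal inside the archive.
            if hasattr(tarfile, "data_filter"):
                tar.extractall(dest, filter="data")
            else:
                tar.extractall(dest)
        return check_tree(dest, manifest)


def simulate_ransomware(root: Path) -> None:
    """Constructed stand-in for the malware: overwrite each file with random
    bytes and rename it, which is what happens to the live copy."""
    for p in sorted(root.rglob("*")):
        if p.is_file():
            p.write_bytes(os.urandom(p.stat().st_size))
            p.rename(p.with_name(p.name + ".locked"))


def run_demo() -> dict:
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        src = work / "Documents"
        (src / "projects").mkdir(parents=True)
        (src / "report.txt").write_text("Q1 figures, 14 pages of them\n")
        (src / "projects" / "design.md").write_text("# Design notes\n")
        archive = work / "Documents.tar.gz"
        manifest = make_backup(src, archive)
        restore_before = verify_restore(archive, manifest)   # backup is usable
        simulate_ransomware(src)
        live_after = check_tree(src, manifest)               # live copy is gone
        restore_after = verify_restore(archive, manifest)    # backup still usable
        return {
            "files_backed_up": len(manifest),
            "restore_problems_before_attack": restore_before,
            "live_problems_after_attack": live_after,
            "restore_problems_after_attack": restore_after,
        }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The point of the demo is the last two checks: after the simulated attack the live directory fails the manifest check for every file, while the archive still restores cleanly, which is exactly what a restore test should prove before you need it. In production the archive and its manifest would be written to the detached drive or cloud backup service rather than a temporary directory.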

2. Don’t rely on signatures to protect systems

Because NW.js is a legitimate framework, building on it makes it harder for signature-based malware detection to single out Ransom32, and each sample may be configured differently by its "customer." In fact, nearly two weeks after Ransom32 was introduced, signature coverage for it remains incredibly poor.

Indeed, ransomware like Ransom32, for which reliable signatures are difficult to write, is one of the reasons ransomware is likely to be one of the biggest security threats this year. To address this issue, look for anti-malware solutions that don't rely on signatures to detect and quarantine ransomware. Instead, use smarter approaches like behavior blocking, which watches for characteristic behavior patterns of active threats rather than comparing known file fingerprints.
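To make the difference concrete, here is an added example (not code from the article or from any anti-malware product) that puts a file-fingerprint check next to a toy behavior rule. The two "samples" are constructed byte strings that stand in for two customer builds of the same ransomware, differing only in embedded configuration; the file-system write events, process IDs and paths are likewise constructed. The behavior rule flags a process that overwrites many files with high-entropy (ciphertext-like) content within a short window, while ignoring a backup tool writing a few archives and an editor saving many plain-text files.

```python
# Added example (not from the article): a toy comparison of a hash signature
# with a behaviour rule. The "samples", hashes and file-system events are all
# constructed here; nothing is taken from a real Ransom32 build.
import hashlib
import math
from collections import defaultdict

# Two builds of the same ransomware as a RaaS portal would hand to two
# different "customers": identical code, different embedded configuration.
SAMPLE_A = b"nwjs-package\x00" + b"config={wallet:CUSTOMER_A,note:'Pay 1 BTC'}"
SAMPLE_B = b"nwjs-package\x00" + b"config={wallet:CUSTOMER_B,note:'Pay 0.5 BTC'}"

# A signature database that learned sample A from one victim.
KNOWN_BAD_SHA256 = {hashlib.sha256(SAMPLE_A).hexdigest()}


def signature_match(sample: bytes) -> bool:
    """File-fingerprint detection: exact hash lookup, defeated by any byte change."""
    return hashlib.sha256(sample).hexdigest() in KNOWN_BAD_SHA256


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ciphertext and compressed data sit near 8, text near 4 to 5."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def _random_looking(seed: int, blocks: int = 32) -> bytes:
    """Deterministic stand-in for ciphertext: 1024 bytes of SHA-256 output."""
    return b"".join(hashlib.sha256(bytes([seed, i])).digest() for i in range(blocks))


# Constructed file-system write events: (time_s, pid, path, data_written).
EVENTS = []
# pid 4242: the launched "invoice" overwrites 12 documents in 3 s, then drops a note.
for i in range(12):
    EVENTS.append((100.0 + i * 0.25, 4242, f"/home/alice/Documents/file{i}.docx", _random_looking(i)))
EVENTS.append((103.5, 4242, "/home/alice/Documents/HOW_TO_DECRYPT.txt", b"Your files are encrypted. " * 8))
# pid 901: a backup tool writes three compressed archives (high entropy, but few files).
for i in range(3):
    EVENTS.append((200.0 + i, 901, f"/mnt/backup/vol{i}.tgz", _random_looking(100 + i)))
# pid 1313: an editor saves 15 source files quickly (many files, low entropy).
for i in range(15):
    EVENTS.append((300.0 + i * 0.1, 1313, f"/home/alice/src/mod{i}.py", b"def handler(event):\n    return event\n" * 4))


def behaviour_alerts(events, window_s=5.0, min_files=10, min_entropy=6.5):
    """Flag any process that writes high-entropy content to at least min_files
    files inside some window_s-second window. Returns one alert per flagged pid."""
    hot = defaultdict(list)  # pid -> timestamps of high-entropy writes
    for ts, pid, _path, data in sorted(events, key=lambda e: e[0]):
        if shannon_entropy(data) >= min_entropy:
            hot[pid].append(ts)
    alerts = []
    for pid, times in hot.items():
        best, start = 0, 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window_s:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_files:
            alerts.append({"pid": pid, "files_in_window": best})
    return alerts


if __name__ == "__main__":
    print("signature catches build A:", signature_match(SAMPLE_A))   # True
    print("signature catches build B:", signature_match(SAMPLE_B))   # False
    print("behaviour alerts:", behaviour_alerts(EVENTS))             # only pid 4242
```

The hash lookup recognises build A and misses build B, even though the two differ only in a configuration string, which is the repackaging problem described above. The behavior rule never looks at the executable at all; it fires on the one process that rewrites a dozen documents with ciphertext-like data in under three seconds. Real products combine several such signals (rename patterns, ransom-note drops, shadow-copy deletion) and tune thresholds to avoid flagging legitimate encryption and compression tools, which this toy rule handles only by the file-count threshold.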

3. Use real-time protection

The greatest threat in many companies is the unwitting employee. Ransom32, currently distributed by spam email campaigns impersonating delivery notifications, unpaid invoices, and the like, quite literally banks on that. As with many other security threats, once an employee downloads and launches the package, the malware is free to do its damage.

Although employees should be educated about such threats, spam has become more sophisticated, and real-time protection is a genuine need. In addition, Ransom32 could easily be distributed through other channels, such as malvertising, exploit kits, or spear phishing. As a result, it is important to look for technology solutions that provide real-time scanning, blocking, and quarantining of threats as they occur. And it never hurts to remind employees of the very real threat presented by ransomware, regardless of how it arrives.

Ransom32 is not just the latest ransomware. It is unusual in that it packs NW.js and its runtime into a single self-contained executable, so it doesn't rely on the victim already having the framework installed, illustrating one more way that ransomware is maturing and becoming a larger threat. In fact, Rick Holland, vice president and principal analyst at Forrester Research, recently noted he doesn't "go more than a week without speaking to a client who has experienced a ransomware incident."

The Chinese have a saying: The best time to plant a tree was 20 years ago. The second best time is now. With Ransom32’s authors offering anyone the chance to sign up, create their own custom version of the ransomware, and download and distribute it, be sure to take time now to ensure these basic security principles are in place to proactively protect your data and decrease your risk of being held hostage.
