Posted on: October 14, 2021
QUESTION: What do the movies: All the Money in the World (2017), Buried (2010), A Walk Among the Tombstones (2014), The Disappearance of Alice Creed (2009), Stolen (2012), and Oxygen (1999) have in common?
ANSWER: their plots all involve a ransom.
In the movie “The Longest Night” (1972), a daughter (Karen) is kidnapped and buried alive in an underground coffin with only enough air to survive the night. Her parents await the kidnapper’s demands while law enforcement frantically searches for Karen before time runs out. Ransomware is the digital equivalent of this plotline. An attacker gains access to your device and searches for documents, spreadsheets, pictures, and other files of possible importance. These files are then encrypted (scrambled into an unusable form) so that only the decryption key can restore them. Shortly after the encryption, you are notified, either by email or by a disturbing pop-up message, that you have a deadline (24 hours is typical) to pay the ransom in exchange for the decryption key that will recover your data. Fail to pay in time and your files (like Karen) are lost – permanently. The ransom is usually demanded in a hard-to-trace cryptocurrency such as Bitcoin. The initial infection can arrive as a virus, a worm, or a Trojan (see blog #1, “What’s in a name?”).
Ransomware is what keeps cybersecurity specialists awake at night. A large part of their time is spent on hardening systems against this threat. Despite their efforts, there have been some high profile cases of successful attacks.
The well-known electronics giant Acer was hit in 2021 with what was, at the time, the largest ransomware demand ever reported – $50 million. The company has never disclosed whether the ransom was paid. CNA Financial, a large insurance company, was struck with an undisclosed ransomware demand in March of 2021, and full service was not restored until May. Although never confirmed by CNA itself, news agencies have reported that $40 million was paid to the attackers. Under the category of “God has a sense of humor”, ExaGrid, a backup company whose services include protection from ransomware, was itself ransomed; the company allegedly paid $2.6 million to get its own systems and its customers’ backups restored. Closer to home, the University of Calgary (UofC) paid a comparatively small $20,000 in 2016 to have its research data decrypted. The same group behind the UofC attack also hit numerous computer networks in the US, netting approximately $6 million for their efforts. Finally, in 2017 the most destructive ransomware worm to date, codenamed “WannaCry”, infected some 200,000 computers worldwide within hours and caused billions of dollars in damages.
These attacks are not limited to large corporations. Individuals are frequently targeted; they are less likely to report the crime and thus don’t make headlines. So what can be done? If big business can’t protect itself, what hope do we have? Knowing how ransomware spreads (virus, worm, Trojan) is a good start. However, prevention takes sustained effort and comes with the sobering realization that an infection may eventually happen anyway. Thus, the real protection must come from somewhere else – backups.
Backing up your files is essential, not only to defend against malware but also to recover from a system failure (ever had your hard drive crash or spilled coffee onto your laptop?). When planning backups, two factors need to be considered: frequency and number of copies retained. Frequency determines how much data loss you are willing to accept. For example, suppose you are a photographer who takes pictures every day, and assume you back up every 48 hours (2 days). On Monday you create a backup; on Tuesday you take more pictures and later that day fall victim to ransomware; you don’t discover the attack until Wednesday. In this scenario the latest good backup you have is Monday’s, meaning you have lost all the photographs taken on Tuesday (assuming you don’t want to pay the ransom). Now suppose you back up every 24 hours (daily). You would think you are in a better situation, but ironically you are not. Monday you back up your photos, Tuesday you are attacked, and once again you don’t realize it until Wednesday. The best “good” backup is still Monday’s, *but* because a backup also ran on Tuesday (daily frequency) and your backup tool keeps only one copy, that latest backup has overwritten Monday’s. You are left with a backup that contains only encrypted photos! To avoid this disaster, you must retain multiple copies of your backups. How many copies to keep is somewhat arbitrary, but as a general baseline the “rule of three” is often cited: keep your last three backups, which in this example means the photographer would hold backups for Sunday, Monday, and Tuesday, and could restore from Monday’s. One caveat: those retained copies must live somewhere the ransomware cannot reach. A backup drive that stays plugged in, or a network share the infected machine can write to, will simply be encrypted along with everything else, so keep at least one copy offline or in storage that does not allow existing backups to be modified or deleted.
Fortunately, maintaining this backup regimen is a lot easier than in years past thanks to automated tools and cloud storage. Today, most services, software, and operating systems offer scheduled automatic backups to the cloud with retention of multiple copies. Some also offer a versioning option in which a file is backed up whenever it is altered, with every change tracked individually. This lets you “roll back” a file to any point in time, from its creation to its latest revision, and it is exactly the sort of history that survives a ransomware run.
So what do you do if, despite all these efforts, you still become a victim? Perhaps your backup interval was too long, or you kept too few copies, or you never periodically test-restored your backups to make sure they actually work. Do you pay the ransom? Cybersecurity firms and law enforcement agencies recommend not paying. First, there is no guarantee that the attackers will hand over the decryption key, or that it will work, even after payment is received. Second, other criminals will see a victim who pays as an opportunity and a likely next target. These are valid arguments. However, as in the movie “The Longest Night”, not paying the ransom is easy if it’s not your daughter in the coffin.
Written by: John Cuzzola, Director, Information Security