Ransomware is a bit like sand. It gets everywhere, and makes your sandwiches crunchy. Okay, perhaps not the latter. But ransomware is invasive, and can encrypt more than you think. Having your personal files destroyed is painful enough without ransomware attacking your backups, too.
There are several ransomware variants that attack not only your main hard drive but also any other drive attached to the system. Cloud drives aren’t out of the firing line, either. The time has come to consider exactly how you back up your files, as well as where those backups are kept.
Ransomware Hits Everywhere
We know a ransomware attack can be devastating. Ransomware is a particular nuisance because of the files it targets: photos, music, films, and documents of all types, just to name a few. Your hard drive filled with personal, work, and business files is a primary target for encryption. Once encrypted, you’ll encounter a ransom note demanding payment — usually in almost untraceable Bitcoin — for the safe release of your files.
And even then, there is no guarantee you will receive the encryption key or a decrypt tool.
The CryptoLocker ransomware is one such variant that encrypts more than just your local hard drive. It first appeared in 2013, propagating via infected email attachments. Once CryptoLocker is installed on a system, it scans the local hard drive for a specific list of file extensions. Furthermore, it scans for any connected drives, be that a USB or network drive.
A network drive to which the infected machine has read/write access is encrypted in exactly the same way as the local hard drive. This is a particular problem for businesses where employees work from shared network folders.
Luckily, security researchers liberated a copy of the CryptoLocker victim database, complete with every single encryption key, and created the Decrypt CryptoLocker portal to help victims decrypt their files.
CryptoLocker emerged and claimed over 500,000 victims. According to Dell SecureWorks’ Keith Jarvis, CryptoLocker may have extorted as much as $30 million in its first 100 days of operation ($150 million if all 500,000 victims paid their $300 ransom). However, the CryptoLocker takedown wasn’t the beginning of the end for ransomware that targets mapped network drives.
CRYPTOFORTRESS uses 2048-bit RSA-AES encryption. This type of encryption would take a computer 6.4 quadrillion years to decrypt.
— CyberShiftTech (@CyberShiftTech) May 25, 2016
CryptoFortress was discovered in 2015 by respected security researcher Kafeine. It has the appearance and approach of TorrentLocker, but one crucial advancement: it can encrypt unmapped network drives.
Normally, ransomware retrieves the list of mapped drive letters (C:, D:, E:, and so on), scans each one for files whose extensions match its target list, and encrypts those that match. CryptoFortress goes a step further: it also enumerates every open network Server Message Block (SMB) share it can reach and encrypts those too, whether or not they are mapped to a drive letter.
And Then Came Locky
Locky is another ransomware variant, infamous for changing each file extension to .locky and for targeting wallet.dat, the Bitcoin wallet file. Locky also encrypts local files and files on unmapped network shares, completely scrambling file names in the process. This scrambling makes recovery a more difficult proposition.
As yet, Locky has no decryptor available.
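The two behaviours described above, extension-based targeting and the .locky rename, leave traces a defender can look for on a share or a backup volume. The following script is an added example, not code from the article or from any of the researchers it cites: it walks a directory tree and flags files whose extension has become .locky, files of a known binary type whose leading magic bytes no longer match (an encrypted JPEG no longer starts with a JPEG header), plain-text files whose byte entropy is close to that of ciphertext, and a ransom note. The extension lists, the magic-byte table and the note filename are constructed assumptions for the example, and the sample tree it builds in a temporary directory is constructed as well.

```python
import math
import tempfile
from pathlib import Path

# Constructed lists for this example (assumed, not taken from the article):
# plain-text types checked with an entropy heuristic, binary types checked
# for their expected leading magic bytes, and the .locky extension the
# article names as Locky's rename target.
TEXT_EXTENSIONS = {".txt", ".csv", ".log"}
MAGIC_BYTES = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".pdf": b"%PDF",
    ".docx": b"PK\x03\x04",
}
RANSOMWARE_EXTENSIONS = {".locky"}
RANSOM_NOTE_NAMES = {"_HELP_instructions.txt"}  # hypothetical note filename


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; ciphertext approaches 8.0, English prose is around 4-5."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify_file(path: Path, entropy_threshold: float = 7.5):
    """Return an indicator label for one file, or None if it looks intact."""
    suffix = path.suffix.lower()
    if path.name in RANSOM_NOTE_NAMES:
        return "ransom-note"
    if suffix in RANSOMWARE_EXTENSIONS:
        return "renamed-extension"
    head = path.read_bytes()[:65536]          # first 64 KiB is enough
    if suffix in MAGIC_BYTES and not head.startswith(MAGIC_BYTES[suffix]):
        return "magic-mismatch"
    # Entropy only makes sense for types that are normally low-entropy;
    # compressed formats such as PNG or DOCX would trigger false positives.
    if (suffix in TEXT_EXTENSIONS and len(head) >= 1024
            and shannon_entropy(head) >= entropy_threshold):
        return "high-entropy"
    return None


def scan_tree(root):
    """Walk a share or backup directory and list (relative path, label)."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if path.is_file():
            label = classify_file(path)
            if label:
                findings.append((path.relative_to(root).as_posix(), label))
    return sorted(findings)


def build_sample_tree(root):
    """Constructed sample share: intact files next to 'encrypted' ones.
    bytes(range(256)) * 16 stands in for ciphertext (entropy exactly 8.0)."""
    root = Path(root)
    (root / "docs").mkdir()
    (root / "docs" / "notes.txt").write_bytes(b"quarterly notes, nothing odd here\n" * 64)
    (root / "docs" / "report.txt").write_bytes(bytes(range(256)) * 16)
    (root / "photo.png").write_bytes(MAGIC_BYTES[".png"] + b"\x00" * 64)
    (root / "holiday.png").write_bytes(bytes(range(256)) * 16)
    (root / "wallet.dat.locky").write_bytes(bytes(range(256)) * 16)
    (root / "_HELP_instructions.txt").write_bytes(b"pay to recover your files\n")
    return root


def demo_scan():
    """Build the constructed sample share in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_tree(build_sample_tree(tmp))


if __name__ == "__main__":
    for relpath, label in demo_scan():
        print(f"{label:18} {relpath}")
```

Running the scan on a backup target on a schedule, and alerting when the number of findings jumps, catches the moment a share starts being rewritten rather than discovering it at restore time. The entropy threshold and the 1 KiB minimum are tuning knobs; very small text files are too short for the statistic to mean much.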
Ransomware in the Cloud
Ransomware has moved beyond local and network storage and into the cloud. This presents a significant issue: cloud storage is regularly touted as one of the safest backup options, because keeping your data backed up away from your local machine and immediate network shares should provide isolation. Unfortunately, certain ransomware variants have taken that isolation away.
The RightScale State of the Cloud report found that 82 percent of enterprises were using multi-cloud strategies. A further study (Slideshare ebook) by Intuit found that 78 percent of small businesses will be fully in the cloud by 2020. This rapid migration of businesses large and small to cloud services creates a well-defined target for ransomware purveyors.
Malicious actors will find a way in. Social engineering and phishing emails are the primary tools, and they can be used to evade solid security controls. Trend Micro security researchers found a specific ransomware variant named RANSOM_CERBER.CAD. It is used to target home and business users of Microsoft 365, the cloud and productivity platform.
The Cerber variant is able to “encrypt 442 file types using a combination of AES-265 and RSA, modify the machine’s Internet Explorer Zone Settings, delete shadow copies, disable Windows Startup Repair and terminate processes” including Outlook, The Bat!, Thunderbird, and Microsoft Word.
Furthermore, and this is behavior exhibited by other ransomware variants, Cerber queries the affected system’s geolocation. If the host system is a member of the Commonwealth of Independent States (former Soviet Union countries such as Russia, Moldova, and Belarus), the ransomware will terminate itself.
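Two of the Cerber behaviours quoted above, deleting shadow copies and disabling Windows Startup Repair, happen through ordinary system utilities before any file is encrypted, which makes them a useful early warning in process-creation telemetry. The script below is an added example written for this article, not Trend Micro's or anyone else's detection code: it parses a handful of constructed process-creation events (a simplified key=value layout, not real Sysmon or Windows event log output), matches the command lines against rules for shadow-copy deletion, recovery-environment tampering and mail-client termination, and then groups alerts per host so that a machine showing several of these indicators in sequence stands out. The command-line patterns are the ones commonly associated with those actions in public detection rules; the article itself does not list them, so treat them as assumptions.

```python
import re
from collections import defaultdict

# Constructed process-creation events (not real log output). The suspicious
# lines model what the article attributes to Cerber: deleting shadow copies,
# disabling Startup Repair, and terminating a mail client. The "list shadows"
# line is a benign administrator action that must not fire.
SAMPLE_EVENTS = [
    "ts=2016-05-25T09:14:02 host=WS-07 user=alice image=C:\\Windows\\System32\\cmd.exe cmdline=cmd.exe /c dir",
    "ts=2016-05-25T09:14:05 host=WS-07 user=alice image=C:\\Windows\\System32\\vssadmin.exe cmdline=vssadmin.exe list shadows",
    "ts=2016-05-25T09:15:10 host=WS-07 user=alice image=C:\\Windows\\System32\\vssadmin.exe cmdline=vssadmin.exe delete shadows /all /quiet",
    "ts=2016-05-25T09:15:11 host=WS-07 user=alice image=C:\\Windows\\System32\\wbem\\WMIC.exe cmdline=wmic shadowcopy delete",
    "ts=2016-05-25T09:15:12 host=WS-07 user=alice image=C:\\Windows\\System32\\bcdedit.exe cmdline=bcdedit /set {default} recoveryenabled no",
    "ts=2016-05-25T09:15:12 host=WS-07 user=alice image=C:\\Windows\\System32\\bcdedit.exe cmdline=bcdedit /set {default} bootstatuspolicy ignoreallfailures",
    "ts=2016-05-25T09:15:14 host=WS-07 user=alice image=C:\\Windows\\System32\\taskkill.exe cmdline=taskkill /f /im outlook.exe",
    "ts=2016-05-25T09:20:00 host=WS-12 user=bob image=C:\\Windows\\System32\\notepad.exe cmdline=notepad.exe todo.txt",
]

EVENT_RE = re.compile(
    r"ts=(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"image=(?P<image>\S+) cmdline=(?P<cmdline>.*)$"
)

# Detection rules: (rule name, case-insensitive pattern over the command line).
# Assumed patterns, modelled on widely published detection content.
RULES = [
    ("shadow-copy-deletion", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("shadow-copy-deletion", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("startup-repair-disabled",
     re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no", re.I)),
    ("boot-failure-ignored",
     re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures", re.I)),
    ("mail-client-killed",
     re.compile(r"taskkill(\.exe)?\s+.*?/im\s+(outlook|thunderbird|thebat)\.exe", re.I)),
]


def parse_event(line: str) -> dict:
    """Split one constructed event line into its fields."""
    m = EVENT_RE.match(line)
    if not m:
        raise ValueError(f"unparseable event: {line!r}")
    return m.groupdict()


def match_rules(cmdline: str) -> list:
    """Names of every rule whose pattern appears in the command line."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def detect(lines) -> list:
    """Run every rule over every event; one alert per (event, rule) hit."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        for rule in match_rules(ev["cmdline"]):
            alerts.append({"ts": ev["ts"], "host": ev["host"], "user": ev["user"],
                           "rule": rule, "cmdline": ev["cmdline"]})
    return alerts


def hosts_with_precursor_chain(alerts, min_rules: int = 2) -> dict:
    """Hosts on which at least `min_rules` distinct rules fired: a single
    shadow-copy deletion may be an admin, several tampering steps together
    look like ransomware preparing the ground."""
    by_host = defaultdict(set)
    for a in alerts:
        by_host[a["host"]].add(a["rule"])
    return {h: sorted(r) for h, r in by_host.items() if len(r) >= min_rules}


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for a in found:
        print(f'{a["ts"]} {a["host"]} {a["user"]:6} {a["rule"]:24} {a["cmdline"]}')
    print("hosts with multiple indicators:", hosts_with_precursor_chain(found))
```

The per-host grouping is the part worth keeping: individual rules will fire on legitimate maintenance now and then, but a workstation that deletes its shadow copies, disables recovery and kills Outlook within a few seconds is almost always the prelude the article describes, and that is the point at which isolating the host still saves the unencrypted files.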
The Cloud as an Infection Tool
The Petya ransomware first emerged in 2016. It was notable for several things. First, Petya can encrypt a PC’s entire Master Boot Record (MBR), causing the system to crash to a blue screen. This renders the entire system essentially unusable. On reboot, the Petya ransom note is displayed instead, showing a skull and demanding payment in Bitcoin.
Second, Petya was spread to some systems through an infected file hosted on Dropbox, posing as a job applicant’s resume. The link appears to lead to the applicant’s details but actually points to a self-extracting executable that installs the ransomware.
In a turn of luck, an unidentified programmer managed to crack the Petya ransomware encryption. The crack is capable of revealing the encryption key needed to unlock the MBR and release the captive files.
Using a cloud service to spread ransomware is an understandable choice. Users have been encouraged to back up data to cloud storage because it offers an additional layer of security, and that sense of safety is central to cloud services’ success. This faith can now be cruelly exploited, with people’s belief in the security of the cloud turned against them.
Ransomware Gets Everywhere
Cloud storage, mapped and unmapped network drives, and local files all remain vulnerable to ransomware. That isn’t new. What raises the level of concern is that malicious actors are now actively targeting backed-up files, which in turn means additional precautions must be taken.
Keeping a separate, offline backup of important files is now vital for both home and business users. Do it now: it might be the action that lets you restore your essential files after an unexpected ransomware infection from an equally unexpected source.
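An offline copy only helps if you know it is still the copy you made. One cheap way to know is to record a SHA-256 manifest of the backup at the time it is taken, keep that manifest apart from the backup media, and check the backup against it before trusting it for a restore. The following is an added example, not code from the article or from any backup product: it builds a small constructed backup in a temporary directory, writes the manifest, then simulates ransomware reaching the backup (one file rewritten with ciphertext-like bytes, one renamed to .locky) and shows how the verification report exposes the change. File names and contents are constructed for the demonstration.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Added example. The manifest is meant to be stored away from the backup it
# describes (for instance alongside the offline copy), so that whoever
# reaches the backup cannot quietly rewrite both the files and their hashes.


def sha256_file(path: Path, chunk_size: int = 1 << 16) -> str:
    """Hex SHA-256 of a file, read in chunks so large backups stay cheap on memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def create_manifest(root) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_backup(root, manifest: dict) -> dict:
    """Compare the backup on disk with the stored manifest."""
    current = create_manifest(root)
    return {
        "missing": sorted(set(manifest) - set(current)),
        "added": sorted(set(current) - set(manifest)),
        "modified": sorted(k for k in manifest
                           if k in current and current[k] != manifest[k]),
    }


def backup_is_trustworthy(report: dict) -> bool:
    """True only when nothing was changed, removed or added since the manifest."""
    return not (report["missing"] or report["added"] or report["modified"])


def demo():
    """Constructed scenario: manifest a clean backup, verify it, then simulate
    ransomware touching it and verify again. Returns (clean, damaged) reports."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "docs").mkdir()
        (root / "docs" / "report.txt").write_text("Q2 figures\n")
        (root / "photo.jpg").write_bytes(b"\xff\xd8\xff" + b"\x00" * 32)
        (root / "wallet.dat").write_bytes(b"\x01" * 16)

        manifest_json = json.dumps(create_manifest(root))  # what goes offline
        clean_report = verify_backup(root, json.loads(manifest_json))

        # Simulate the damage the article describes: content replaced with
        # ciphertext-like bytes and a file renamed with the .locky extension.
        (root / "docs" / "report.txt").write_bytes(bytes(range(256)))
        (root / "wallet.dat").rename(root / "wallet.dat.locky")

        damaged_report = verify_backup(root, json.loads(manifest_json))
        return clean_report, damaged_report


if __name__ == "__main__":
    clean, damaged = demo()
    print("clean backup trustworthy:", backup_is_trustworthy(clean))
    print("damaged backup trustworthy:", backup_is_trustworthy(damaged))
    print(json.dumps(damaged, indent=2))
```

Run the verification on a schedule against every copy you keep, and refuse to rotate the oldest offline backup out until the newest one verifies clean; otherwise a quiet encryption of the online copy can propagate into the offline set through the rotation itself.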
Have you had cloud storage infiltrated by ransomware? What did you do? What is your favored backup solution? Share your cloud storage security tips with our readers below!
Image Credits: iJeab/Shutterstock