Ransomware is a type of malware, typically installed covertly, that restricts access to the infected computer system in some way and demands that the user pay a ransom to the malware operators to lift the restriction. The cryptovirology form of the attack involves the ransomware systematically encrypting files on the system's storage; without the decryption key, which is offered only in exchange for the ransom, the files are in practice impossible to recover. Other attacks simply lock the system and display messages intended to coax the user into paying. Ransomware is commonly delivered as a Trojan whose payload is disguised as a seemingly legitimate file.
As with other forms of malware, security software may fail to detect a ransomware payload, or, especially in the case of encrypting payloads, may detect it only after encryption is under way or complete, particularly when a new variant unknown to the protective software is distributed. Encrypting a full set of files takes time, so if an attack is suspected or detected in its early stages, prompt removal of the malware (a relatively simple process) before it has finished stops further damage, although it does not recover any files already encrypted. Security experts have suggested precautionary measures for dealing with ransomware. Using software or other security policies to block known payloads from launching helps to prevent infection, but does not protect against all attacks. Keeping "offline" backups of data in locations inaccessible to the infected computer, such as external storage drives that are disconnected between backup runs, keeps them out of reach of the ransomware and so speeds data restoration.
While the admonition to keep "offline" backups in locations inaccessible to the infected computer makes compelling sense, enacting this policy incurs cost and is often difficult and time consuming to implement. Additionally, such counter-ransomware schemes presume that the backup files have been maintained in pristine condition, which must be verified rather than assumed before a restore. For example, a leading cyber security firm recommends that victims of a ransomware attack: (1) refuse to pay the ransom, as payment encourages and funds the attackers and there is no guarantee that the encrypted files will be decrypted upon payment; (2) remove the impacted system from the network to contain the immediate threat and prevent further spread; and (3) restore impacted files from a known good backup. Restoration of files from a backup is considered the industry standard means of regaining access to data.
However, small and medium sized businesses (SMBs) are challenged to meet this recommendation. Client data is often one of the most important assets the company owns, and it is in constant use and undergoing constant modification in the course of day-to-day operations. Keeping sales and other records readily at hand is essential. A proactive regimen of backing up all files to a secure storage device (or even a cloud storage option) is typically carried out at the end of the business day, when the PC or workstation is normally shut down.
This approach of implementing daily backups implies that the data files, both those in use and those in the "secure" backup, are not vulnerable to ransomware attack during the workday. This is definitely not the case. Unless the backup files (expected to restore data and business operations after a ransomware attack) are kept separate and apart from the minute-by-minute operations of the computer or workstation, the files are vulnerable. "Apart" in this context means that the backup files cannot be reached in any way by the ransomware encryption process, and so would be immediately available for use once the ransomware is removed from the computer or workstation in question, or when the backup is connected to another computer or workstation that is known to be free of ransomware. The backup files must also be kept current; data files that are not current have limited value, especially in financial operations.
The impact of ransomware is growing. An analysis by Kaspersky Lab, one of the world's leading security software organizations, estimates that more than 2.3 million users were victims of ransomware attacks between April 2015 and March 2016, a jump of roughly 18% over the prior year. This includes the malware that holds the user's data itself hostage by encrypting it, the so-called "cryptors." Cryptors accounted for about 32% of all ransomware attacks in that period, and that share continues to grow. Corporate users represented about 13% of the victim population, nearly double the share of the year before. This is significant on several fronts: not only is the problem of ransomware increasing, but the attacks also continue to become more sophisticated. Corporate IT staff have been unable to mitigate this threat effectively, as the frequency of attacks in this market segment continues to increase, indicating that an effective solution to the problem is not yet generally available.
Various suppliers and consultants promote the use of cloud-based storage as a means to defeat ransomware attacks, the idea being that backing up critical data to public, private or hybrid cloud storage will keep the data safe. However, even in cloud-based storage, data files are vulnerable if the ransomware can reach and encrypt them: a synchronized folder or a mapped cloud drive is as reachable as a local disk, and a sync client will faithfully upload the encrypted versions over the good copies unless the service retains prior versions that the infected host cannot delete.
This is especially problematic for individuals and small to medium sized businesses (SMBs), who account for most ransomware victims and who lack the IT staff, budgets and skills to set up an effective cloud-based Storage-as-a-Service (STaaS) operation. Even where such an operation is in place, data remains vulnerable unless the stored copies are kept beyond the reach of the infected host.
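The three requirements stated above, that a backup be unreachable from the infected host, that it be current, and that its pristine state be verified rather than assumed, can be made concrete with a small simulation. The following Python script is an added example, not code from the original document or from any product it describes. It constructs a working folder, a cloud-sync mirror, a "backup" drive that stays mounted and an "offline" drive that is disconnected between backup runs, takes two numbered backup generations with a SHA-256 manifest, then runs a toy encryptor that, like real ransomware, walks every directory it can reach and overwrites files with target extensions. The encryptor uses XOR scrambling purely so the example is self-contained; real cryptors use strong ciphers. All paths, file contents and the extension list are constructed for the demo.

```python
"""Toy model: a backup is only useful if the encryptor cannot reach it
and a restore can prove the generation it picks is untouched."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

# Constructed target list; real ransomware carries a similar extension table.
TARGET_SUFFIXES = {".txt", ".csv", ".doc", ".xls"}


def sha256_file(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def snapshot(src: Path, store: Path) -> Path:
    """Copy src into a new numbered generation under store and write a hash manifest."""
    store.mkdir(parents=True, exist_ok=True)
    n = 1 + sum(1 for g in store.iterdir() if g.name.startswith("gen_"))
    gen = store / f"gen_{n:03d}"
    manifest = {}
    for f in sorted(p for p in src.rglob("*") if p.is_file()):
        rel = f.relative_to(src)
        dst = gen / "data" / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        dst.write_bytes(f.read_bytes())
        manifest[str(rel)] = sha256_file(f)
    (gen / "manifest.json").write_text(json.dumps(manifest, sort_keys=True))
    return gen


def verify(gen: Path) -> list:
    """Return relative paths whose content no longer matches the manifest (empty means pristine)."""
    manifest = json.loads((gen / "manifest.json").read_text())
    return [rel for rel, digest in manifest.items()
            if sha256_file(gen / "data" / rel) != digest]


def latest_clean_generation(store: Path):
    """Newest generation whose every file still matches its manifest, or None."""
    gens = sorted(g for g in store.iterdir() if g.name.startswith("gen_"))
    for gen in reversed(gens):
        if not verify(gen):
            return gen
    return None


def simulated_encryptor(roots, key=b"\x5a\xa5\x3c") -> int:
    """Stand-in cryptor: scramble every target file under every reachable root.
    XOR is a toy; it only models 'overwritten with unreadable bytes'."""
    hit = 0
    for root in roots:
        for f in root.rglob("*"):
            if f.is_file() and f.suffix in TARGET_SUFFIXES:
                data = f.read_bytes()
                f.write_bytes(bytes(b ^ key[i % len(key)] for i, b in enumerate(data)))
                hit += 1
    return hit


def demo() -> dict:
    base = Path(tempfile.mkdtemp())
    work = base / "work"               # live client data on the workstation
    synced = base / "cloud_sync"       # folder mirrored to cloud storage, writable locally
    mapped = base / "mapped_backup"    # backup drive that stays mounted all day
    offline = base / "offline_backup"  # drive disconnected except during backup runs
    work.mkdir()
    (work / "clients.csv").write_text("acme,1000\nglobex,2500\n")
    (work / "notes.txt").write_text("call acme on monday\n")
    synced.mkdir()
    for f in work.iterdir():
        (synced / f.name).write_bytes(f.read_bytes())

    snapshot(work, mapped)
    snapshot(work, offline)
    # the day's work: the backups must be kept current to have value
    (work / "clients.csv").write_text("acme,1000\nglobex,2500\ninitech,400\n")
    snapshot(work, mapped)
    snapshot(work, offline)

    # infection: only the roots the process can reach are affected; the
    # offline drive is not mounted, so it is not in the list
    simulated_encryptor([work, synced, mapped])

    clean_mapped = latest_clean_generation(mapped)
    clean_offline = latest_clean_generation(offline)
    restored = None
    if clean_offline is not None:
        restored = (clean_offline / "data" / "clients.csv").read_text()
    result = {
        "live_data_readable": (work / "clients.csv").read_bytes().startswith(b"acme"),
        "synced_copy_readable": (synced / "clients.csv").read_bytes().startswith(b"acme"),
        "mapped_backup_clean_generation": None if clean_mapped is None else clean_mapped.name,
        "offline_backup_clean_generation": None if clean_offline is None else clean_offline.name,
        "restored_clients_csv": restored,
    }
    shutil.rmtree(base, ignore_errors=True)
    return result


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the demo shows the live files, the cloud-sync mirror and both generations on the still-mounted drive scrambled, so that drive has no clean generation to restore from, while the offline drive's newest generation verifies against its manifest and yields the current day's data. The manifest check is what turns "we have a backup" into "we have a backup we can trust"; in a real deployment the manifest itself should be stored somewhere the host cannot modify.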
Thus, there is an ongoing need for simple, low-cost counter-ransomware solutions that can be used by any computer or workstation user to defeat current and future versions and variants of ransomware threats.