US and Canada issue joint alert on ransomware

Organisations urged to back up data because paying ransom does not guarantee files encrypted by ransomware will be released, warns an awareness-raising alert issued by the US and Canada

Following a spate of attacks on hospitals, the US and Canada have issued a joint alert to raise awareness and understanding of malware that encrypts data and demands a ransom.

This type of malware, known as ransomware, is becoming an increasingly popular way for cyber criminals to make money and is affecting businesses, hospitals and healthcare facilities worldwide.

According to security firm Bitdefender – which has extended its tool for protecting against Cryptowall to include the CTB-Locker, Locky and TeslaCrypt families of ransomware – 50% of internet users are unaware of malware that locks up data.  

The joint alert follows attacks on at least five US and Canadian hospitals, two in Germany and at least one in New Zealand in the past two months that have underlined the potentially life-threatening effect of ransomware.

The attacks have forced some hospitals to transfer patients to other hospitals and caused delays in urgent operations because crucial medical records were inaccessible.

Unlike most modern malware that is designed to steal personal and commercial information, ransomware is designed to enable cyber extortion by making information systems unavailable.

Locky and Samas

The main strains of ransomware that have hit hospitals and healthcare facilities are Locky and Samas, also known as Samsam and MSIL.B/C.

Locky propagates through spam emails that include malicious Microsoft Office documents or compressed attachments with extensions such as .rar and .zip.

Samas, on the other hand, propagates through vulnerable web servers. After the web server was compromised, uploaded Samas files were used to infect the organisation’s networks.

The FBI issued its own alert about Samas, and appealed to businesses and software security experts for help in its investigation of the ransomware.

Paying the ransom does not guarantee the encrypted files will be released, the US/Canadian alert warned.

“It only guarantees that the malicious actors receive the victim’s money and, in some cases, their banking information. In addition, decrypting files does not mean the malware infection itself has been removed,” the alert said.

Data backup

The alert’s top recommendation for counteracting ransomware is to have a data backup and recovery plan for all critical information.

“Perform and test regular backups to limit the effect of data or system loss and to expedite the recovery process. Ideally, this data should be kept on a separate device, and backups should be stored offline,” said the alert, issued on World Backup Day.

The campaign is aimed at raising awareness of the need to have duplicate copies of data. It also hopes to encourage people to make pledges to back up important data to external drives or cloud-based storage services.

According to the World Backup Day campaign, 30% of people have never backed up their important data, while 113 mobile phones are lost or stolen every minute and 10% of computers are infected with viruses every month.

Travis Smith, senior security researcher for Tripwire, said because most ransomware gives a time limit to pay, it is important for organisations to have confidence that they can restore the majority of data on short notice.

“Organisations should focus on improving backup and restoration procedures to reduce the cost of restoring data and services after a potential breach,” he said.

Other recommendations for protecting against malware include:

  • Using application whitelisting to help prevent malicious software and unapproved software from running.
  • Keeping operating system and other software up-to-date with the latest security patches.
  • Maintaining up-to-date anti-virus software, and scanning all downloaded software before running.
  • Restricting users’ ability to install and run unwanted software applications, and applying the principle of least privilege to all systems and services.
  • Avoiding enabling macros from email attachments.
  • Not following unsolicited links in emails.
