How to prevent ransomware: What one company learned the hard way

In the real world, kidnapping is a risky crime--getting paid usually means getting caught. In the digital world, however, demanding ransom for data, or ransomware, is an escalating epidemic, a popular crime which is leaving many businesses and consumers at risk of losing data.

One small company in New England--a retailer with some two-dozen employees--learned that the hard way. A click-happy employee ended up infecting one system with a prevalent threat known as CryptoWall, according to the company's co-owner, John, who asked that his real name and details of his business not be revealed.

Ransomware may roam undetected

Quietly, the malware reached out over the Internet to get a unique key and then, over the next three days, encrypted data on the compromised system. Much worse for the company, the malware encrypted accounting data on a mapped drive on the firm's server.

The retailer learned of the infection when its accounting software failed to open financial data on the mapped drive the following Monday. "The ransom note never popped up on the screen," John said. "The accounting program just stopped functioning one morning."

When a support tech investigated the accounting software's problems, more than 200 copies of a ransom note were found scattered around the file system, directing the firm to pay $500 in Bitcoin to the criminals.

Ransomware is on the rise. Kicking off with Cryptolocker in 2013, a steady parade of pernicious ransom-demanding software has hit unfortunate victims. Cryptolocker likely made its operators tens of millions of dollars until authorities disrupted the network in May 2014, shutting down Cryptolocker command-and-control servers and the GameOver Zeus botnet infrastructure that spread the malware. Yet, other ransomware variants have arisen. Between mid-March and August 24, 2014, for example, more than 600,000 systems were infected with the CryptoWall variant of ransomware, according to research conducted by managed-security firm SecureWorks.

Data-nappers are going mobile as well, according to recent data from mobile security firm Lookout. In 2014, four of the top five malware programs encountered by Android users in the United States were ransomware, posing as a legitimate app and then, after installation, locking the phone and demanding payment. While the threat of mobile malware continues to be low--only 7 percent of Android users even encountered malware--ransomware accounted for nearly all of the 75 percent increase in encounters from the previous year, according to the company.

Your best defense: Back up, back up, back up

The solution to ransomware is fairly simple--at least, for now. Consumers and small businesses with a good backup process will be able to recover much of the data encrypted by the attackers. Companies who are doing backups on-premise should make sure they can recover an image of the data for months in the past and keep multiple copies. Any backups made between the time of infection and when the attack is detected will be encrypted, and thus unrecoverable without paying the ransom.

For that reason, online backups with automatic incremental backups can be a great help, Brian Foster, chief technology officer of network-security firm Damballa, advised. At the very least, companies should be keeping at least one set of backups offsite.

"I'm a big fan of online backups," he said. "You should expect that, if you get hit by ransomware, you are not going to get the PC back."

Another possible defense: Ransomware typically reaches out to get an encryption key from an online server. Detecting and blocking that request can prevent the encryption of the data.

Unfortunately for the New England retailer, the infection revealed that the company's backup program had not been working correctly for more than two years. The company had no choice but to pay. Yet, even that did not go smoothly: Unable to deal with the mapped drive, the ransomware's decryption routine failed to unscramble more than 100 of the thousands of encrypted files, leaving financial and customer information encrypted. Because the ransomware scheme requires trust that the criminals will hand over the data after receiving payment, the operators offered support to the firm's owner, and even offered to try to decrypt the data, if the company sent the files. The firm declined.

The infection also leaves the owner in a quandary. While the criminals have said that the infected system should be clean, John understandably does not trust them.

"The fear, as an IT person, is you feel like you need to format every drive in the network," he said. "I don't trust the other computers, but do we shell out $10,000 to rebuild our infrastructure?"

The company is still considering its options.