About 3 months ago, Techzim attended an IT security workshop in Harare where a local IT networking and cyber-security company called Procomm spoke about the rise in ransomware attacks targeting companies in Zimbabwe.
Ransomware, like other types of cyber-attacks, is something that’s not discussed much in the public in Zimbabwe. Companies and individuals get attacked, they resolve the situation somehow, and move on quietly.
This worrying issue was brought to the fore by the WannaCry attacks because hospitals and medical practices in the UK were attacked. It turns out Zimbabwe is one of the 104 countries that hit by this attack.
Since Procomm alerted us to the ransomware trend months ago, we decided to contact them and get more information so Zimbabweans are clearer about these issues, and can be safer. Here’s the QnA we had with Procomm Managing Executive, Tawengwa Toronga:
There’s an increase in cases of ransomware globally, but now also in Zimbabwe. Why is this the case and how much more of this do you think will happen?
In the past 18 months we have seen ransomware reach a new level of maturity and menace. The perfection of the ransomware business model has created a ‘gold-rush’ mentality among attackers, as growing numbers seek to cash in. Ransom fees range from $300 to $1000 per PC and a couple of thousand of dollars for targeted organization attacks. It is estimated that ransomware cybercriminals took in about $1 billion in 2016.
A growing number of cybercrime groups appear to be attempting to capitalize on ransomware. It is now also easier than ever to create your own ransomware with ransomware creation kits, or ransomware-as-a-service (RaaS), which is now emerging on the cybercrime underground.
RaaS is designed to make ransomware accessible to anyone. One does not need to be tech-savvy or have expensive equipment to turn to this type of misconduct. It is also easy to spread. Advanced cybercriminals usually author the malicious code, then make it available for others to download and use. The authors may provide the ransomware for free or charge a small fee up front, often opting to take a cut of each ransom. This incentivizes a higher volume of attacks and higher ransom requests. The payouts are also quicker compared to selling stolen credit card data or personal information. Perhaps most importantly, there is a lower risk of being caught due to the anonymity of Bitcoin.
On the other hand, attacks against organizations are also rapidly increasing. While indiscriminate ransomware campaigns remain the most prevalent form of threat, new and more advanced attacks are emerging. A growing number of cyber-gangs are beginning to focus on targeted attacks against large organizations. These attacks involve a high level of technical expertise, using techniques more commonly seen in cyberespionage campaigns to break into and traverse the target’s network.
Although more complex and time-consuming to perform, a successful targeted attack on an organization can potentially infect thousands of computers, causing massive operational disruption and serious damage to revenues and reputation. Once cybercrime gangs notice some businesses succumb to these attacks and pay the ransom, more attackers will follow suit in a bid to grab their share of the potential profits.
See this article for the predictions in Ransomware in 2017.
Has your company worked on any such cases locally? What would be your estimates of the frequency of ransomware in Zimbabwe and Africa?
There has been isolated cases where we have been called to assist with incident response, both from consumers and organisations.
Unfortunately, there is no public available report with the actual statistics available specifically for Zimbabwe or Africa for the current prevalence and ramifications of actual ransomware incidents. Although prevalence to the attacks differ worldwide, the one common thread is that ransomware is growing as a threat everywhere.
What/who are the typical targets of ransomware locally and how does such an attack typically occur?
While ransomware attacks to date have been largely indiscriminate, there is evidence that attackers have a growing interest in hitting businesses with targeted attacks.
Consumers/Individuals are the most likely victims of ransomware, accounting for about 57 percent of all infections between January 2015 and April 2016, according to the Symantec Special Report: Ransomware and Businesses 2016. While most major ransomware groups tend to be indiscriminate in their attacks, consumers are often less likely to have robust security in place, increasing the possibility they could fall victim to ransomware.
There are many different variants of ransomware; some are designed to attack windows PCs while other strains infect Macs and even mobile devices. This type of malware is highly effective because the methods of encryption or locking of the files are practically impossible to decrypt without paying ransom.
Victims typically download ransomware by opening an infected email attachment or clicking a compromised pop-up or link, triggering malicious code. From there, a sequence of events unfolds that encrypts the user’s files, locks down the victim’s device and displays a message listing demands that must be met in order to regain access.
Once these files are encrypted, the only way to get them back is to restore a recent backup or pay the ransom. Problem is, backups often fail. Storage Magazine reports that over 34% of companies do not test their backups and of those tested, 77% found that tape backups failed to restore. According to Microsoft, 42% of attempted recoveries from tape backups in the past year have failed.
Below are some of the common ransomware delivery vectors
- Email– Phishing and spam email is by far the most common delivery method of ransomware. The scenario involves sending an email with an attachment disguised as an innocuous file or tricking the user to click on a URL on the email that opens a compromised website.
- Free Software – Another common way to infect a user’s machine is to offer a free version of a piece of software. This can come in many flavors such as “cracked” versions of expensive games or software to entice the user.
- Exploit Kits – Exploit kits are sophisticated toolkits that exploit vulnerabilities. Most often, exploit kits are executed when a victim visits a compromised website. Malicious code hidden on the site, often in an advertisement (malvertisement), redirects you to the exploit kit landing page unnoticed. If vulnerable, a drive-by download of a malicious payload will be executed, the system will become infected, and the files will be held for ransom.
In terms of the involvement of Bitcoin in such cases: why do the hackers ask for Bitcoin?
For those considering cyber extortion, the anonymity commonly associated with Bitcoin is very enticing. Earlier schemes relied on bank accounts or money orders, so criminals felt they were at greater risk of being tracked down by law enforcement authorities.
The ease of acquisition of Bitcoin on the Internet and the lack of personally identifiable information tied to bitcoin wallets make it really appealing to hackers.
Although there are cases where law enforcement authorities have on some occasions been able to trace bitcoin extortion transactions to criminals, this has not deterred cyber criminals from using the crypto currencies.
Once hit and Bitcoin payment is asked for, what do you recommend for those that have come under such a predicament?
I personally advise against paying the ransom where possible, simply because this removes the incentive for cybercriminals to continue engaging in these kind of scams. As long as victims continue to pay the ransom and fund the growth and development of these ransomware families there will be more creative and effective ransomware attacks in the future.
However, if you can’t restore the important data from the backup copies, the decision to pay basically comes down to whether the data that was encrypted is worth more than the ransom demanded.
Many of the cybercriminals behind ransomware have focused on creating a trustworthy reputation on the Internet, honoring all ransom agreements, but still there are no guarantees of getting your data back as victims are quickly left alone with the decryption keys once the exchange has been made.
What do you recommend companies and individuals do to better protect themselves?
Organizations need to be fully aware of the threat posed by ransomware and make building their defenses an ongoing priority. While a multilayered approach to security minimizes the chance of infection, it’s also vital to educate end users about ransomware and encourage them to adopt best practices. As ransomware gangs continue to refine their tactics, organisations and individuals cannot become complacent. Businesses should continue to review and improve their security in the face of this rapidly evolving threat.
Here are a few best practices to minimize the risk and loss from ransomware:
- Backups, backups, backups — and test those backups regularly.
- Install antivirus and make sure it’s up to date with the latest definition files.
- Regularly patch your operating systems, especially Windows.
- Keep web browsers and plug-ins such as Adobe Flash and Microsoft Silverlight updated, and prioritize patching new releases.
- Uninstall any browser plug-ins that are not required for business purposes, and prevent users from re-installing them.
- Disable Microsoft Office macros by default, and selectively enable them for those who need macros.
- Scan incoming emails for suspicious attachments, including examining all compressed attachments.
- Automatically quarantine any email that has an attachment containing a script or a .scr file.
- Disable or remove the PowerShell, wscript, and cscript executables on all non-administrative workstations.
- Do not give all users in the organization local administrative access to their workstations.
- Use threat intelligence to gain visibility into your organization’s external threat environment and monitor for any emerging ransomware threats to your organization.