Canadian IT Blog

What Canadian Businesses Should Know About Ransomware

Written by Team CITI | October 23, 2018

Ransomware attacks are one of the most common reasons Canadian companies seek emergency help from an IT firm. Among all of the cyber threats faced by Canadian business, ransomware ranks as the most pervasive and widespread security threat. Together with spyware and viruses, ransomware is a category of malicious software known as malware.

 

 

Ransomware is typically spread via malicious email attachments. It's installed on your computer once you click on a malicious attachment or link in an email. Another vector for getting infected is by visiting compromised and malicious websites. This manner of infection is called a drive by, and it could happen even on highly reputable websites that sell advertising space. Online advertising permits a deep degree of access to a platform which in turn can be compromised. 

 

 

If it seems odd that UPS is sending you an attachment or that your bank is asking you to reset your password via a link encrypted in an email, it's because it is odd. Beware.

 

Below are 5 facts you should know about ransomware.

 

1. Ransomware is Becoming More Pervasive

 

Historically, malware such a viruses, were more of a nuisance than anything else. What fundamentally defines a virus is that it's self-replicating. Once it gets installed on your system, the software self-replicates, and exploits vulnerabilities in computers and networks. One of the common elements of a virus is that it tries to hide and avoid detection. The vast majority of computer viruses don't have any malicious payloads. They install themselves and try to find other computers via their level of privileged access. Typically the virus will do something in addition to replicating and hiding. In the past, the virus didn't necessarily download harmful software onto your computer but it was nevertheless an infiltration of your system and posed an integrity risk. You would close one tab and the ransomware would open a new one. It made you feel like you weren't in control of your computer's functionality. While not terribly dangerous, this type of ransomware definitely impaired your productivity.  

 

2. Ransomware Tries to Take Money From You—Don’t Pay!

 

There are many ways in which IT security vulnerabilities can be exploited for financial gain. As cybercrime has become more of a business, ransomware now tries to extort money from you. Victims will get a message saying they must pay a ransom in order to access their data. Just as governments refuse to negotiate with a kidnappers, you are advised to never pay the ransomware demands. Payment will just encourage the cybercriminals. Also, there is no guarantee that payment will result in access to your data. 

 

Statistics on the Rise of Ransomware Payments

In 2016, total ransomware demands were $1 billion. In 2017, it was $5 billion. In 2018, the demands rose to $8 billion. In 2019, it is estimated to be over $18 billion as ransomware becomes more common. Less than half the people who pay the ransom get their data back. Ransomware can also have an additional hard dollar cost because most people don't backup their data. 

 

3. Ransomware is Malicious Software Installed on Your Computer

 

Ransomware is software installed on your computer. It encrypts and scrambles your data. If you notice new and strange software installed on your computer—and you have no recollection of installing it yourself—it might be the result of malware. Behind the scenes this bad software hoovers up your data and locks it using military-grade encryption. Your data can only become unscrambled by using a password that the data kidnappers promise to provide once they are paid. hold. Most often the payments demands are in Bitcoin, which are untraceable. Not surprisingly, and as mentioned above, you rarely get your data back.

Typically, when ransomware encrypts the files, it changes the names of the files. For example, it changes from .docx to .encrypted. Clients have reached out to us for help saying that they can't find their Microsoft Word Document. After taking a look we discover that they can't find that file because it's been encrypted with ransomware.

 

One-way Encryption

Another reason that you shouldn't pay ransomware demands is that you can't tell if your data has been one-way encrypted. The cybercriminals may have applied a mathematical algorithm to your data files that allows for one-way encryption, and if this is the case, then your data isn't coming back. 

 

Ransomware can Infect an Entire Organization

The other thing about ransomware is it doesn't just go after the files on your computer. It will go after any files that your computer can see, including those on a server. If your computer can see a server share, the ransomware will jump onto a server share and encrypt all those files as well. 

If security is set up properly on a server, the ransomware shouldn't have access to all files and the extent of damage to shared data files will be limited. There are other steps at the network administration level that can be taken so ransomware doesn't encrypt everything. No matter what, ransomware will affect any and all files on a local drive.

 

4. Ransomware Uses Email to Get to its Victims

 

As mentioned above, a ransomware infection generally arrives through email attachments. Ransomware depends on another form of social engineering - exploiting the natural human tendency to look at an email and to click on what we are asked to click on. It's not necessarily aimed at specific people but rather involves self-selection. 

For example, an email from UPS could indicate that your package has been delayed in transit and asks that you see an attachment  for details. That email is sent by a bad actor to millions or billions of email inboxes. Statistically, the ransomware will reach a bunch of people who are going to wonder what's going on with their UPS delivery.

Ransomware exploits vulnerabilities in human psychology and relies on the willingness of victims to trust people and institutions of authority. People unknowingly become exposed to a ransomware infection because they are entirely unaware of any malicious intent. After opening a malicious attachment or clicking on a malicious link, often people feel foolish responsible and let the problem fester, often causing more problems.

 

5. Ransomware Scrambles the Contents of Your Computer

 

Ransomware gets in through a vector via a specially crafted email. Users are prompted to open an attachment or click on a link and those actions install the ransomware. After that, you have ransomware crawling through your entire computer without being aware of it. The ransomware goes through and scrambles the contents of whatever data file types it can get to and renders them inaccessible and unreadable. It is massively disruptive. The next thing you see is a skull and crossbones with the message: "We encrypted all your data, hahaha!" 

 

Ransomware Notification Messages

The skull and crossbones is the classic example like our feature image above. There are so many types of ransomware that the notification messages may present in different styles. Like a skull and crossbones, they all include some kind of a message indicating that your data is being held hostage. The notification message also may include instructions on how to pay the bad guy, such as submitting a certain amount of BitCoin to a certain address. The cybercriminals will also tell you how to get BitCoin. Ransomware is helpful when it comes to making sure the cybercriminals get paid.

 

Ransomware Time Limits

In addition, we have never seen ransomware that does not include a time limit. Cybercriminals want to apply pressure. They want to get in, get their money, and get out. For this reason, they ratchet up the stress on their victims by stating that the key (or password) is not developed by a person but automatically generated and will be destroyed automatically after a certain number of days. They also often indicate that they do not have possession of these keys. 

 

ABC – Always Be Cautious (Really Suspicious)

 

Emails are the most common carriers of ransomware. Inevitably, you will get a ransomware delivery payload in your email waiting to explode. People tend to open email attachments without much thought, and it is often that microsecond lapse of judgment that ends up resulting in a ransomware attack.

Here are some of the golden rules for ransomware prevention:

  1. Don't open email attachments from people you don't know.
  2. Never, ever, ever click on a link in an email. Type the URL. You're much less likely to get ransomware if you type it in yourself, as you'll notice tell tale discrepancies in the URL.
  3. Don't open attachments ever—not even from somebody you trust - without checking in with the sender. Their computer could be sending out ransomware-infected documents. If you're tempted to open that attachment and feel you must, send a separate email to the sender asking if they meant to send you the email and attachment.

 


If it seems odd that UPS is sending you an attachment or that your bank is asking you to reset your password via a link encrypted in an email, it's because it is odd. No reputable company will contact you by email to request sensitive information. Did you get an email from a Facebook acquaintance you hardly know that just contains a link and a message that reads "Look at this lol"? Don't let curiosity get the best of you. That link is nothing to laugh about. It will only bring on a lot of problems. The cybercriminals carrying out this threat are very sophisticated. They have done, in some cases, months of research in order to create authoritative-looking emails.


Always be suspicious. To avoid becoming a victim, take more time and pay more attention to what emails you open and what links you click on. Often, that small bit of consideration is all it takes to avoid the nightmare that ransomware can cause to you and your business.

 

If you think that you have been a victim of ransomware, get in touch with CITI immediately.