The days of a single employee complaining that their computer has been locked up by ransomware might be over; in the future, it might be the boss melting down, as all the company’s devices are encrypted by bad actors. A new ransomware that targets enterprises will encrypt all linked devices on the company network, rather than targeting one or two only.
As data management becomes more effective in 2020, so has criminal innovation attempted to maintain the ability to cripple businesses, only to restore normality upon payment of a ransom, usually in the form of digital currency.
Snake (or SNAKE) ransomware is a “family” of ransomware, most often used by cybercrooks to penetrate a company’s network, glean access details, and then employ those to encrypt every file on every computer in the network. Tablets and phones - depending on their inter-connectedness - can also be affected, and the result is a wholesale stoppage of business and present-yet-useless data.
Logical rescue methodologies like bringing functionality back from the cloud often don’t work, as users don’t know whether as data lands if it will be encrypted, nor whether it’s safe to then take such data off-network and try to access it. Typically, no functional data access can happen on that network until the ransom is paid and a decryption tool sent by the hijackers.
Snake and other malicious ransomware
When Snake ransomware was first detected, it was shared with a well-known “ethical hacker,” Vitali Kremez. The idea was Kremez might be able to reverse engineer it to eliminate its potency. Apart from discovering the app is written in Golang, Kremez noted a far higher level of obscuring build in Snake, making it far harder to unpack successfully.
Ransomware families that target business networks include Locker Goga, DoppelPaymer and Maze, although several others exist, too. Still widely seen as a shame for businesses to succumb, the hush-hush surrounding ransomware attacks often makes exact figures doubtful. However, it’s fair to sayan economically significant number of companies in the US, UK and Canada (the three most prominent attack centres for ransomware) are affected every year.
Indeed, IT support firms like EC-MSP must oftenmake sense of ransom attacks, and typical recovery hinges on two skills: the ability to thwart further infection, and the ability to decrypt the ransomware’s effects and return files, PCs and the network to normality. Unfortunately, there’s no guaranteethat this can be done, as ransomware decryption tools are usually individual to specific malware, and identifying ransomware exactly - while also applying restorative tools precisely - is often as difficult as it sounds.
In the early 1980s, typical ransomware had very weak encryption and wasn’t developed further until the turn of the century. Malspam, phishing mails, as well as fake mails (appearing to be from a known or otherwise legitimate source) are the most common routes for ransomware in 2020, and cyber criminals typically ask for payment in BTC or via a credit card number.
Today, several different types of ransomware exist. The one closest to conventional business practice is known as scareware. This is where a pop-up ad will suddenly appear on a user’s PC, warning them of myriad infections, and they should download the maker’s app to remove. Part extremely pushy advertising and part obnoxious advertising, there are seldom repercussions for not downloading and merely closing the tab. Lock screen ransomware, on the other hand, does just that - it locks users out of their PCs, and then an often official-looking screen will appear (sometimes claiming to be from the FBI) warning the user that they need to pay a certain amount (a “fine”) before they can access their PC again.
The worst form of ransomware comes as encryption of all files on a PC - or an entire network, as Snake shows is possible. Neither resident security programmes nor a system restore will eliminate ransomware of this kind, and there are varying levels of success in restoration once ransomware takes hold.
What to do when infected with ransomware?
IT support companies (alongside authorities) advise against paying cyber criminals ransom in the event of a lockdown of the company network. Although demands are often reasonable, there’s no guarantee of files ever being decrypted, nor that bad actors won’t then mark the company as a soft touch, open for return attacks at some sooner rather than later stage. There are free decrypter apps available online, but not all ransomware has a matching app and, importantly, some ransomware is simply too sophisticated to remove like a common virus.
Prevention is the best cure. From the dawn of computing, “Keep a backup!” has been a standing command. Running a remediation app might eliminate ransomware, but it will also very likely remove a host of files, too. Running remediation or wiping a PC (or all machines in a network) is time consuming and frustrating, but with a cloud or (preferably) disconnected cold storage device backup, reinstating working lives becomes simply a matter of a day or two.
With high firewalls and tight, ongoing daily malware scans - as well as clear operating procedures for incoming mail and other internet access parameters for staff - virus of any type can be avoided, including ransomware.
When recovering from a ransomware attack, first prize goes to highly-secured cloud storage in conjunction with cold, offline device storage for backups. Sophisticated modern antivirus apps should always be running, too, to avoid a ransomware attack being able to access a network. Businesses running Malwarebytes for Windows Premium, for example, managed to evade the ransomware spike of 2017.
Don’t be caught unaware by a SNAKE or other ransomware – keep yourself, your staff, and your data cybersafe.