When Good Encryption Goes Bad: Ransomware #FBF

Originally published May 19, 2021

When Colonial Pipeline suffered the ransomware attack from Darkside, they paid nearly $5 Million to recover their data.[1] In all of 2020, the FBI's Internet Crime Complaint Center (IC3) received 2,474 ransomware complaints. The total for the entire year? $29.1 million. This total yearly amount was just under $9 million in 2019. And only $3.6 million two years ago in 2018!

But what exactly is ransomware?

Figure 1. When infected with ransomware, our computer is locked up and feels nearly useless.

Encryption for Good

As we discussed in "You've Got Mail! But Is It HIPAA Compliant," nothing was encrypted in the beginning (of computers). At that time, users even sent passwords in the clear for anyone to see. Early cybercriminals started taking advantage of this, so we needed to protect our data. We began encrypting it.

Writing for Norton, Alison Johansen offers, "Encryption is the process that scrambles readable text so it can only be read by the person who has the secret code, or decryption key." Now that it's encrypted, we can safely transmit our data to others, and they can send their data to us. Encryption is magic! We can shop securely at Amazon or eBay through HTTPS. We can access private work data and email at a public coffee shop through our VPN. There's even software, like BitLocker, that encrypts our entire hard drives so data can't be physically stolen.

To learn more about encryption take a look at our What is Encryption, Types of Encryption, and Why You Need It article.

Encryption for Evil

So, here's the thing: While encryption is fantastic, it's just a tool. The same encryption that we use to keep cybercriminals out can be turned against us. They get on to our system and start encrypting anything. Whatever we can encrypt against them, they can encrypt against us.

And first and foremost, that's what ransomware is: encrypting data on a computer to make it unusable. Once encrypted, the cybercriminals want to receive payment for the decryption key. To up the stakes, these cybercriminals might threaten to destroy our data or, even worse, release it to the public. But at its core, ransomware is someone getting into our computer and encrypting parts of it from us.

Ransomware has become so successful that it has created a business model. According to Malwarebytes' State of Malware Report 2021, in Ransomware-as-a-Service (RaaS), the "malware's developers focus on creating the best ransomware application possible and then selling it to affiliates or other criminals who distribute the ransomware in a variety of ways."

Figure 2. Ransomware has become such an issue that Trevor Noah explored it on a recent episode of The Daily Show.

Got Ransomware! Now What?

It used to be that the recommendation from police and government agencies was to pay the ransom. The philosophy is that these are business people who want to do business. If word got out that a ransomware gang took the money and ran, no one would pay them the ransom. Malwarebytes explains, "[Unless] the victim had confidence they would have their files returned, they were unlikely to hand over payment."

Not so today. "The FBI does not support paying a ransom in response to a ransomware attack." Their logic is twofold. First, paying the ransom does not guarantee that you will get your data back. Second, paying the ransom encourages this group—and others—to infect more computers. Furthermore, paying the ransom may be illegal and could result in civil penalties, according to the U.S. Treasury.

When we get infected with ransomware, the official word is that we are supposed to report this to the proper authorities. IC3 explains, "Doing so provides investigators with the critical information they need to track ransomware attackers, hold them accountable under U.S. law, and prevent future attacks."

The Best Defense

One of the best ways to secure our computers is to keep them patched with the latest updates. Our software has millions of lines of code. For example, I'm using Windows 10, which has approximately 50 million lines of code. If a particular vulnerability has a one-in-a-million chance, statistically, my operating system has 50 of those vulnerabilities. By updating this software, we are patching these vulnerabilities as they are discovered. By the way, protecting computers this way is one of the many offerings of a Managed Service Provider (MSP).

Another is having a good antimalware program with the latest definitions. Having a program like Webroot or Malwarebytes is invaluable against the malware often used to deploy ransomware. These programs are always watching for threats and neutralizing them in real time, stopping ransomware before it can even start.

No matter how well we patch our computers or how good our antimalware is, the largest security vulnerability is us. As such, in many ways, the best defense against ransomware is user training. Simply educating ourselves about social engineering, phishing, and other techniques cybercriminals use can save our companies from attack.

But What Happens If …

No matter how good our computers and staff are, malware can still get through. The philosophy of cybersecurity has changed over the years. It used to be the belief that we could keep all the cybercriminals and malware out. Nowadays, the presumption is that they are already inside. They are here in our network right now. So, what are we going to do about it?

In this case, the best thing we can do is to have backups. The more backups, and the more varied they are, the better. Ransomware is very good at encrypting everything on our computers—and everything connected to our computers. Yes, even the networked backups, if possible. One solution is to incorporate physical backups that we attach to our computers only long enough to back them up. This inconvenience can add significant security.

Perhaps a more reasonable option is a cloud backup. These are always online and available. And because of the network security of the cloud, it is quite difficult for malware to encrypt these against us. In his book, The Art of Invisibility, security consultant and hacker Kevin Mitnick recommends SpiderOak. PC Mag, TechRadar, and Lifewire also recommend IDrive, partially because of its free option. However, many MSPs like NexgenTec offer cloud backup like Datto, which features dedicated Ransomware Protection.

By the way, cloud backup providers are very different from file hosting services such as Dropbox, OneDrive, etc. These are not cloud backups. These cloud storage options don't protect from ransomware per se. When a file is encrypted, these hosting services see that the file has changed and upload the latest version. Perhaps you can find the encrypted file and recover it through version history. But what if this encryption renames files, hiding them amongst the names of other corrupt files in your hosting service?
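As an added illustration (not part of the original post) of why a synced folder should be judged by file contents rather than file names after an incident: the script below compares a known-good snapshot with the current state, reports originals whose content has vanished and new files that look encrypted (high byte entropy), and treats a renamed-but-intact file as fine. All file names, contents, and thresholds are constructed samples, not real data.

```python
# Added example: detect a likely ransomware run in a synced folder by content, not name.
import hashlib
import math

HIGH_ENTROPY = 7.0   # bits per byte; documents and text sit well below, ciphertext near 8
LOST_RATIO = 0.5     # fraction of originals that must vanish before we raise the alarm

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def assess(baseline: dict, current: dict) -> dict:
    """baseline and current map filename -> bytes. Match by content hash so a renamed
    intact file is not counted as lost, while a renamed encrypted blob is still new."""
    known = {sha256(b) for b in baseline.values()}
    present = {sha256(b) for b in current.values()}
    lost = sorted(name for name, data in baseline.items() if sha256(data) not in present)
    suspicious = sorted(name for name, data in current.items()
                        if sha256(data) not in known and shannon_entropy(data) >= HIGH_ENTROPY)
    ratio = len(lost) / len(baseline) if baseline else 0.0
    return {"lost": lost, "suspicious": suspicious, "lost_ratio": ratio,
            "likely_ransomware": ratio >= LOST_RATIO and len(suspicious) > 0}

def ciphertext_like(seed: int, blocks: int = 64) -> bytes:
    """Constructed stand-in for an encrypted file: deterministic hash output, ~2 KB."""
    return b"".join(hashlib.sha256(bytes([seed, i])).digest() for i in range(blocks))

# Constructed sample snapshots (hypothetical files, not real data).
BASELINE = {
    "q1_report.docx": b"Quarterly report: revenue up 4%, costs flat.\n" * 20,
    "budget.xlsx": b"item,amount\nlaptops,1200\nlicenses,800\n" * 20,
    "notes.txt": b"Call the auditor on Monday.\n",
    "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 200,
}
AFTER_ATTACK = {
    "a8f3.locked": ciphertext_like(1),     # q1_report.docx, encrypted and renamed
    "b77e.locked": ciphertext_like(2),     # budget.xlsx, encrypted and renamed
    "notes.txt": BASELINE["notes.txt"],    # untouched
    "logo_old.png": BASELINE["logo.png"],  # renamed by a user, content intact
}

if __name__ == "__main__":
    print(assess(BASELINE, AFTER_ATTACK))
```

Because matching is by hash, the intact `logo_old.png` is not reported as lost, while the two `.locked` blobs are flagged even though nothing in their names ties them to the originals.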

Take Away (before Ransomware Takes It Away)

Encryption is an amazing tool. It protects our passwords, our data, and our digital lives. We need encryption to safely function in our modern world. The problem is that this encryption that keeps bad actors out can be turned against us, locking us out as well.

The best way to deal with cybercriminals and malware is to do everything we can to keep them out. This means patching our software all the time with the latest updates. But if someone does get into our systems, antimalware programs with the latest signatures can mitigate the damage. More important than both of these, though, is good user training. No matter how strong our guards or (fire)walls, enemies get in when employees hold the door open for them. We have to train our staff how to recognize and address social engineering, especially phishing. And when all this fails, we need backups that we can access but which cybercriminals and malware cannot. One of the best feelings is knowing that even if everything goes to hell, we can restore it all.


[1] As we discussed in "Buying Bitcoin," ransomware often demands payment in Bitcoin or another cryptocurrency. Instead of paying Darkside $5 million, Colonial Pipeline handed over only 75 Bitcoin!