14.07.2016

Interview with Wieland Alge: Four answers to ransomware

Cyber attacks are affecting companies more than ever before, a worrying trend that is calling international security experts into action. In this interview, IT specialist Wieland Alge from Barracuda answers all questions about ransomware.

The development of ransomware

An outlook from Wieland Alge, VP & GM EMEA at Barracuda Networks

Ransomware attacks often make headlines, and that will probably remain the case in the near future. In fact, according to Verizon’s recently released 2016 Data Breach Investigation Report, the number of attacks around the world increased by 16 percent – a worrying trend for security experts. But what is behind this explosive rise in cyber attacks? To answer this question, we first have to take a look at the development of ransomware.


What is ransomware?

Ransomware is malicious software for a particular type of cyber attack, in which victims are extorted to pay a ransom for the release of data that was encrypted during the attack. The first ransomware programs were disguised as software for removing spyware or for cleaning up a PC. These did not rely on encrypting data, but damaged the computers of their victims and then offered software to repair the damage in return for payment.

A few years later, this form of attack was replaced by fake antivirus programs. These resembled the earlier ransomware attacks, but went one step further by extorting multi-year support payments from users.

Encryption-based ransomware first appeared in 2011. This is malicious software that prevents access to infected computer systems. As protection and recovery methods improved, ransomware was developed further as well, until the now widely used crypto-ransomware was created. Among a now countless number of variants, the following three have recently been the most popular:

 

1. CryptoWall: The oldest of the three variants, which is also said to be responsible for the largest share of systems infected by ransomware around the world (83.45 percent).

 

2. Locky: The newest of the three, which spreads the fastest and is the most advanced. It was responsible for 16.47 percent of ransomware attacks between February 17th and March 2nd, 2016.

 

3. TeslaCrypt: This malware was mostly spread through hijacked WordPress and Joomla sites and is responsible for 0.08 percent of all infections. However, current reports that its developer has released a master key for decrypting TeslaCrypt mark the end of this ransomware.

Reasons for the increasing spread

There are many reasons for the spread of ransomware attacks over the last few years. One of them is technical: developing effective ransomware has become much easier, and it is now even offered as “ransomware-as-a-service”. However, other, more threatening factors also play a role. With crime going digital, “professional” cyber criminals have specialized in ransom extortion and money laundering. The advent of digital payment systems such as Bitcoin also makes it easier to transfer money anonymously and simplifies blackmail without leaving any traces.

Accordingly, on the one hand, it is easier for technically skilled persons to start a criminal career successfully. On the other hand, organized criminals are very effective in using digital methods.

Ransomware attack strategies: Focus on users

For a while, cleverly worded e-mails were the means of choice for potential attackers, but now there are other, similarly effective ways to infect the victims’ computers. In addition, ransomware is now part of most exploit kits, which attack computers via drive-by downloads without any active intervention by the user.

Nearly all strategies target users’ behavior. Either users are tricked by clever phishing e-mails into opening attached files or following links to supposedly reputable websites, or they land on infected sites while surfing the Internet. Highly developed threat detection software can protect against some of these attack methods, but does not stop infection via the Internet.

When attacking by e-mail, the perpetrators now act more skillfully than ever: instead of asking the victims to open attached files, which can easily be blocked or checked, they send the victims to a fake website that infects their computers. E-mail security programs carry out elaborate site authentication. Among other things, they check whether the URL belongs to the domain of the sender, compare the website with known fake websites, check for valid certificates and the like. However, websites can use forwarding, and in most cases the problem is not the security programs but the users. Very often they can be tricked into opening a website and clicking on the link presented there.
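The link checks described above can be sketched as follows. This is an added example, not Barracuda's code: it compares each link with the sender's domain and a list of known fake hosts, once on the link as written and once after following forwarding. The mail, all hosts, and the `REDIRECTS` table (standing in for live HTTP lookups) are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed sample data: every host is made up (.test is a reserved TLD).
SAMPLE_MAIL = """\
From: Billing <billing@shop.test>

Invoice: http://shop.test/go?id=17
Help: http://help.shop.test/faq
Track: http://parcel-info.test/t/9
"""
KNOWN_FAKE_HOSTS = {"files.badhost.test"}  # stand-in for a reputation feed
REDIRECTS = {  # stand-in for the HTTP 3xx hops a scanner would observe
    "http://shop.test/go?id=17": "http://cdn.relay.test/r/17",
    "http://cdn.relay.test/r/17": "http://files.badhost.test/invoice",
}

def host_in_domain(host, domain):
    """Naive suffix match; a real check would use the Public Suffix List."""
    return host == domain or host.endswith("." + domain)

def resolve(url, max_hops=5):
    """Return the URL plus every recorded redirect target after it."""
    chain = [url]
    while chain[-1] in REDIRECTS and len(chain) <= max_hops:
        chain.append(REDIRECTS[chain[-1]])
    return chain

def check_links(raw_mail, follow_redirects):
    """Map each link in the mail body to the reasons it looks suspicious."""
    msg = message_from_string(raw_mail)
    sender_domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    findings = {}
    for url in re.findall(r'https?://[^\s<>"]+', msg.get_payload()):
        chain = resolve(url) if follow_redirects else [url]
        hosts = [urlsplit(u).hostname for u in chain]
        reasons = []
        if not host_in_domain(hosts[0], sender_domain):
            reasons.append("link host is outside sender domain")
        if any(h in KNOWN_FAKE_HOSTS for h in hosts):
            reasons.append("known fake host in redirect chain")
        if len(hosts) > 1 and not host_in_domain(hosts[-1], sender_domain):
            reasons.append("redirects away from sender domain")
        findings[url] = reasons
    return findings

if __name__ == "__main__":
    print({f: check_links(SAMPLE_MAIL, f) for f in (False, True)})
```

Checked as written, the invoice link passes every test; only the run that follows forwarding reports the known fake host behind it.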




How users can protect themselves

Ransomware attacks are likely to spread to other platforms, such as Macs and IoT devices, and the most successful ransomware variants will continue to evolve and remain one step ahead of most means of protection – as the recently found version of Locky suggests. Users should therefore implement multi-layered measures to protect their networks as well as possible. In particular, this includes three security components: next-generation firewalls, e-mail security and backup solutions, which can cover the following:

 

  • Sophisticated technologies to detect threats that run suspicious or unknown files in a sandbox environment before they are passed on to users.

 

  • Web filtering to block drive-by downloads and phone-home attempts, using a web security gateway or another web filtering solution.

 

  • E-mail protection, local or in the cloud (e.g. Office 365), to identify and intercept e-mails infected with ransomware and other malware before they reach the users’ mailboxes.

 

  • Security guidelines to disable Office macros and other potential attack points.

 

  • Backups for all data, and a disaster recovery plan to restore data in case of a ransomware attack.

Cyber criminals do not care who their victims are; the only thing that matters to them is that they pay. Organizations of all sizes have come into focus – in the recent past, health care and the public sector have been particularly affected. But even if ransomware continues to evolve, users can protect themselves effectively. A multi-level security approach in combination with the training of users or employees is the most promising strategy for protection against ransomware.

Source of title image: Barracuda Networks
