What is Ransomware?

Nov 27 2015

It’s 10 AM on a Monday morning. You have a presentation after lunch and there are murmurs in the break room that everyone is getting messages that files are corrupt when they try to open up Word documents. You rush to your computer and find that the PowerPoint you’ve been working on is also failing to open.

As your boss comes back from his early morning meeting, you follow him into his office and he winces as you begin to explain the problem: on his screen is a red window with a countdown timer saying your files have been locked and asking for a ransom to recover access. When you call your IT department, you find out that because your boss had access to all the files on the server, everyone is locked out. Is this a bad movie? Your worst nightmare? Sadly, it’s reality!


Ransomware first made its appearance in 2012 and quickly ramped up in 2013. It operates by encrypting every file you have access to and demanding a sum of money for the password that decrypts them. Often there is a timer; when the time runs out the password is lost and the data cannot be decrypted. IT departments have two options to deal with this: 1) pay the ransom, or 2) restore from backup. According to the FBI, victims in the US alone reported more than $18 million in losses over the last year, with experts estimating $325 million worldwide.

How can you protect yourself and your business? The best practice for this is offsite backups. With a proper backup the server can be wiped and a bare metal restore can be performed from a point before the attack, ensuring the ransomware has been eradicated. This does mean that any new files created after the last good backup but before the infection will be lost and need to be recreated. In the ideal situation backups would be done to offsite online data storage, with at least a month of history, so that a clean restore point exists even if the infection went unnoticed for a while. The ransomware would not be able to attack this storage; however, if you are backing up to a USB drive attached to the server (as many small businesses do), it’s quite likely the USB drive would simply be encrypted as well, since the malware can reach it exactly as it reaches the server’s own files.
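The restore decision described above, worked through as an added example (not code from the original post): given a month of dated offsite snapshots, pick the newest one taken before the infection, list the files that will have to be recreated, and show what happens when the retained history is too short. Snapshot contents, timestamps and the infection time are all constructed sample values.

```python
from datetime import datetime, timedelta

RETENTION = timedelta(days=30)  # the post's "at least a month of history"

# Constructed sample: nightly offsite snapshots at 02:00, each the set of paths it holds.
SNAPSHOTS = {
    datetime(2015, 11, 20, 2): {"share/q4.docx", "share/deck.pptx"},
    datetime(2015, 11, 21, 2): {"share/q4.docx", "share/deck.pptx", "share/budget.xlsx"},
    datetime(2015, 11, 22, 2): {"share/q4.docx", "share/deck.pptx", "share/budget.xlsx"},
}
# Constructed: files on the live server when the ransom note appears Monday 10:00.
INFECTION = datetime(2015, 11, 23, 10)
LIVE_FILES = {"share/q4.docx", "share/deck.pptx", "share/budget.xlsx", "share/notes.txt"}


def prune(snapshots, now, retention=RETENTION):
    """Snapshot timestamps still kept after applying the retention window.

    Snapshots older than `retention` are dropped; everything inside the
    window is kept so a pre-attack restore point stays available.
    """
    return sorted(t for t in snapshots if now - t <= retention)


def restore_point(snapshots, infection_time):
    """Newest snapshot taken strictly before the infection, or None.

    None is the failure mode the post warns about: the malware ran longer
    than the history you kept, so no clean copy exists to restore from.
    """
    candidates = [t for t in snapshots if t < infection_time]
    return max(candidates) if candidates else None


def lost_since(snapshots, restore_ts, live_files):
    """Files present on the live server that the chosen snapshot lacks.

    These are the documents created after the last good backup and before
    the infection; they must be recreated after the bare metal restore.
    """
    return sorted(set(live_files) - snapshots[restore_ts])


if __name__ == "__main__":
    rp = restore_point(SNAPSHOTS, INFECTION)
    if rp is None:
        print("no snapshot predates the infection: history too short")
    else:
        print("restore from", rp, "then recreate:", lost_since(SNAPSHOTS, rp, LIVE_FILES))
```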

The issue is once again coming to the forefront with a new report by Forrester Research. Forrester predicts that this will be the year we see real-world attacks of malware and ransomware on medical devices. Imagine, if you will, ransomware installed on someone’s pacemaker. It can happen! The security community has been focusing on this field a lot recently and has found that most medical devices have little security built in. This is due to the long-time habit of keeping radio waves to a minimum in a medical care environment (so physical access was a reasonable method of preventing attacks on the devices). But recently, doctors are finding that radio waves are unlikely to interfere with equipment, and wireless access to medical devices, and even implants, is proving both convenient and less invasive.

This change in wireless access has not been accompanied by significant efforts to reduce the attack surface of the devices. With consequences shifting from relatively minor and purely monetary to life and limb, it will be interesting to see how security in the medical arena responds. Will this be the year ransomware turns into ransomwear?
