Did you know criminals can gain access to your computer and hold you hostage?
This has become a booming crime in Australia, and the worst part is, the Australian Federal Police (AFP) can do nothing about it.
The Australian Government’s Computer Emergency Response Team (CERT) issued a publication to warn of the ransomware campaign targeting Australian businesses: Ransomware is a type of software which restricts access to a victim computer system, and demands a ransom to be paid to the perpetrator in order for the restriction to be removed.
But what exactly does this all mean and how can it affect me? What happens?
After cracking your password or gaining unlawful remote access to your computer, the criminals run an encryption program over the files you require for normal business operation, e.g. MYOB, PDF or Microsoft Office files. When you next go to use the affected computer, a ransom message appears that prevents you from operating it any further. The message tells you that your computer, plus any external drives attached to it, has been encrypted and will only be returned if you pay (currently $500) to a specified overseas account number.
Am I an easy target?
You are at risk of being held hostage if you own a business network computer. Be aware, though, that this crime is expected to spread to home computers as well. The two main danger signs that make you stand out as an easy target are: using easy-to-crack passwords on your software, and/or reusing the same password as login details on websites. If you have remote access enabled on your computer system you are also highly sought after by these criminals.
Anything else I should know?
According to CERT, so far the criminals have returned access to the computers once the victim has paid. However, paying is not recommended, as it only encourages the criminals to continue this practice. You should also be aware that paying does not guarantee that your computer will be returned in its original condition, or that it will not remain compromised in a way that allows further ransom demands.
The scary part is that both national bodies, the CERT and the AFP, currently can't do anything to obtain details of the perpetrators. The bank accounts used by the criminals are located in foreign countries, which prevents the CERT and AFP from having any power to access the account holder details.
If your computer is encrypted, the criminals may only affect some of the data on your hard drive, but they will make sure it is data that elicits a payment from you for its recovery. It may include anything from email files, database files, document files, spreadsheet files and backup files to other business-related data stores.
In a case investigated by our own CCSiT engineers, we found the data on the hard drive could be accessed using various methods enabling the identification of encrypted files; however, none of the affected files were recoverable.
Further investigation of the affected hard drives revealed the data had been removed and the drives were subjected to an overwrite process, likened to a military-grade wipe/rewrite. The data was then replaced on the drive in different physical locations on the disc platters, further complicating any recovery attempts. Basically, it meant even specialist hardware data recovery firms couldn't find the data to recover. The drive had been completely wiped of any history.
What can I do if it does happen to me?
The two most likely options for you are either to pay the ransom and obtain access back to your data (NOT recommended), or to have your computer completely reformatted and your latest data restored from the most recent unaffected backup.
So what steps can I take to prevent this?
For access to your business network, change your password to a pass-phrase. Instead of a single block of letters and numbers, use a short phrase that you invent and cannot forget, e.g. < My Daughter Turned 1! > You should include spaces, numbers, uppercase/lowercase letters and at least one character such as an exclamation mark or asterisk. Note: only ever use this pass-phrase for access to your business network, never for any other application as well.
Backup Routine Integrity
You should be conducting frequent backups to a removable medium (Hard-drive, Tape, Disc, USB stick), physically removed from the network. There are many options, and for a corporate environment you should choose a solution designed for your particular requirements and operations. CCSiT can help you formulate the most effective solution.
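Restoring "from the most recent unaffected backup" assumes you can tell an unaffected backup from one the criminals have already encrypted. The following script, added here as an illustration and not CCSiT's own tool, records a SHA-256 manifest of a backup volume at the time it is taken and later compares the volume against that manifest, flagging files that changed, vanished or appeared, and singling out changed files whose contents look like ciphertext (near-maximum byte entropy). The manifest itself should be kept off the network with the backup medium; the file names, paths and thresholds below are assumptions for the example.

```python
import hashlib
import math
from collections import Counter
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large backup files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: documents and databases sit well below 8, encrypted data near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def build_manifest(root: Path) -> dict:
    """Map each file (relative path) under the backup root to its SHA-256 digest."""
    return {str(p.relative_to(root)): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_backup(root: Path, manifest: dict, entropy_threshold: float = 7.5) -> dict:
    """Compare the backup tree to a trusted manifest and report suspicious changes.

    Only files that changed or were added since the manifest are entropy-checked,
    so legitimately compressed files (zip, docx, jpg) that were already in the
    manifest do not produce false alarms. Threshold 7.5 bits/byte is an assumption.
    """
    current = build_manifest(root)
    report = {"changed": [], "missing": [], "added": [], "high_entropy": []}
    for rel, digest in manifest.items():
        if rel not in current:
            report["missing"].append(rel)
        elif current[rel] != digest:
            report["changed"].append(rel)
    report["added"] = sorted(set(current) - set(manifest))
    for rel in report["changed"] + report["added"]:
        sample = (root / rel).read_bytes()[:65536]   # first 64 KiB is enough to judge
        if len(sample) >= 256 and shannon_entropy(sample) > entropy_threshold:
            report["high_entropy"].append(rel)
    return report
```

Run build_manifest() when the backup is taken and store the result (e.g. as JSON) with the removable medium; run verify_backup() before trusting that medium for a restore, and treat any entry under "high_entropy" or a ransom-note-style "added" file as a sign the backup was taken after the infection.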
Shut down computers when not in use
No one can access your computer remotely if it is turned off. This is also a great idea in terms of reducing fire hazard, heat and electricity usage in the office, and it helps extend the life of the computer system.