Kroll Ontrack, the data recovery and ediscovery services provider, reports that it is receiving a growing number of enquiries from corporates about how to recover from ransomware attacks.
While ransomware is not new, attacks have tended to focus in the past on home and small business computers and, increasingly, on mobile devices. According to Kroll Ontrack, these attacks tend to happen in different clusters or strands that die out after about a month as anti-virus programmes are updated to deal with them.
Methods adopted by ransomware hackers have evolved over time, from encrypting user files in a simple zip file to crypto-locker and Curve-Tor-Bitcoin (CTB) Locker technologies, of which the latter is used by criminals to encrypt and hide user data through the Tor network. Attacks tend to originate in regions where cyberattack legislation is absent or immature such as Africa, rather than the Europe and North America.
The new attacks on corporate systems involve hackers deleting virtual drives completely and replicating the files on their own servers. The first time the companies know about the attack is when they find a note from the hacker where the virtual drives used to be, criticising their security arrangements and requesting payment for return of the data or threatening to sell it on the open market. In a recent case dealt with by Kroll Ontrack, payment was demanded in the virtual currency Bitcoins in exchange for stolen data within two weeks or the user’s information would be auctioned off. Kroll Ontrack was successfully able to recover the customer’s data saving them from having to surrender to the demands of the criminals.
Shane Denyer, Data Recovery Engineer at Kroll Ontrack said: “The methods used in ransomware attacks are constantly evolving, but our engineering team have developed their own methods to retrieve and restore data which mean that companies avoid having to make payments to criminal gangs just to get their information back. We are seeing a definite move away from attacks that target large numbers of small business or home users towards more of a spearfishing approach where individual, larger corporations come under fire.”
Kroll Ontrack advises corporates to avoid ransomware attacks by:
- Always keeping anti-virus software up-to-date;
- Creating regular back-ups of corporate data on devices outside the network; and
- Storing additional back-ups of virtual drives on devices at a different location
Denyer concludes: “Earlier versions of ransomware have been broken down and antidotes are readily available. However, we are seeing more and more attacks on corporate systems and predict that there will be even more incidents as ransomware technologies continue to develop. The key is to ensure that data is always backed up on a regular basis and that reputable partners are involved in restoring data that is hacked.”
