 |
| Protecting Your Laptop or PC from Ransomware |
In this article, we analyze a ransomware attack on TaskRabbit that occurred in 2017, as well as the accessibility of victims’ data following the attack. By studying the attack and the possible outcomes, we hope to help protect businesses and organizations from these types of attacks.
Ransomware History
“All of our customers were subjected to a ransom attack at around 11AM Pacific Time on Wednesday, September 10th, 2017. Around 4PM Pacific Time on Thursday, September 11th we updated the notice on the managing and promoting page of our website to just: ‘It’s happening again! All of our customers have been hit by a new attack. We are working to resolve the issue now.'”
As of writing this Cyber Security Risk Brief (CSB), no one has claimed responsibility for the attack. However, the ransom note would indicate that the attack was targeted.
Unexpected Recovery
In early September, TaskRabbit discovered that a large quantity of data had been encrypted and that approximately 80% of the network’s users had never received their data back. Using its virus-scanning technology, TaskRabbit discovered this was caused by a specific type of malware known as ransomware.
The good news is that by restoring all of the TaskRabbit users’ systems to normal, their data was successfully restored and they were back to work as usual. TaskRabbit continued to monitor and respond to their customers’ health and safety concerns and made security and hygiene improvements to better protect the network.
Ransomware Recovery Timeline
As of writing this CSB, the TaskRabbit server, connected to our newly-updated DNS records that resolved to the new TaskRabbit Hosting DNS servers, is starting to return data. Occasionally, our DNS server will be temporarily locked down by a website attack when new ransom notes are released. This common response is when our executive team connects via teleconference to plan how to fix these issues.
On September 15, 2017, we updated and restarted our DNS records so our TaskRabbit website would be using the newer DNS servers that had not been breached. We determined the simple DNS lookup process at TaskRabbit’s server was at fault, not malware.
By September 16, our TaskRabbit website was back to normal, and the ransomware attack was stopped. We have no other instances of ransom happening at this time.
Due to the nature of malware and the speed at which it spreads, there is no way to predict where or when malware like this may occur.
What is ransomware?
Ransomware like the not-so-similar NotPetya malware that affected systems in several countries in May of 2017 is first and foremost a form of malware known as ransomware. Ransomware encrypts multiple aspects of a system (like files, databases, or user credentials) and holds them hostage until a specific payment is paid. The encrypted files can then only be opened with the specific payment keys, and once the payment is made, the files are deleted.
Although not very scientific, these behaviors in malware have some similarities that are not entirely dissimilar to the human debt model. When someone is penniless, they usually have to prioritize immediate bills. However, in the case of ransomware, once the payment is made, the real priority for the victim becomes paying off the creditor.
The victim will then try to work out a payment plan with the creditor and efforts will continue until either the creditor destroys the debtor’s data or the relationship between the debtor and creditor is broken. This type of behavior creates a vulnerability for businesses because it creates the impression that the precarious nature of the situation is the creditor’s problem, which they may view unfavorably.
Effects of ransomware
“Ransomware is intended to make people uncomfortable, and that is its intended goal.”
Challenges that businesses may face due to spam and cybercrime are countless and unique, but even something as seemingly technical as this type of malware can have serious impacts on a company. The medical device industry was seriously impacted following a Florida dentist’s attack that infected computers of patients and physicians and demanded $300 ransom to restore service.
It is important for a company to have security systems and networks, to begin with ideally using the lowest common denominator security solutions to protect sensitive assets including financial data, customer’s payment details, or other critical systems. Ransomware such as NotPetya and NotPayza are designed to make people uncomfortable, and that is its intended goal. While any business with online assets is susceptible to cybercriminals, not having the technology to secure and protect data is the primary reason why not only are such attacks growing exponentially, but Bitcoin, LiteCoin, and other emerging cryptocurrencies have gained significant adoption as well.
Challenges for digital businesses
Companies are also prone to attack due to a basic lack of due diligence on information security. Luckily, there are many things you can do to add layers of protection that will help generate the response you’d prefer once a ransomware infection has been neutralized.
What Are Ransomware Attacks?
Ransomware, also known as a cyberattack, encrypts data on your computer so you’re dependent on the cybercrime to unlock it. Once the cyber crime has gained access, the malware locks the program and prevents you from accessing your files ever again.
The goal of ransomware attacks versus other types of malware is usually the same – get access to your files before you’re forced to pay money to regain access! So, in a sense, cyberattacks are a form of extortion.
Unfortunately, while the motivation behind the attack could be the same, the method of attack and the ensuing response depends on many things. Ransomware attacks share quite a few fundamental characteristics:
The malware launches as soon as possible after you’ve connected to your internet service provider (ISP) The malware hides in long-executed processes to make it hard to detect
As a result, the response to ransomware usually varies from user to user. Some people will neither see nor hear anything, while others could see some affected files disinfected, but not see others.
Since the infection occurs deep within your system, it is difficult to get a restore from a ransomware attack. In fact, if your system was infected, restoring your files can be extremely difficult or impossible depending on the severity of the infection.
In extreme cases, people may not ever regain access to their data. In these cases, experts recommend paying the ransom or providing the cybercrime with all information they have on you.
How Can You Protect Yourself?
While you may never completely recover from a ransomware attack, there are a variety of steps you can take to minimize the potential risk of a cyber attack occurring in the first place.
The most important way to stave off ransomware attacks is to avoid connecting websites to your computer. While it’s true that only paying for decryption can stop attacks, it’s not always possible to get access to your files if the cybercrime hasn’t already acquired them.
Additionally, you can try talking to the person who owns the malware as well as any spam messages they send you. Also, add TLS encryption to your web server and make sure you both have and can recover your private keys. If your website uses HTTP when communicating with a server outside your country, the server will typically also have to get switched over to encrypted TLS.