Buying Your Own Stolen Data

May 10, 2016, 10:00:00 AM |

Wesley McGrew

Social Share:

Ransomware-2.jpgI’m becoming very used to reading about the latest “ransomware” attacks each morning when I catch up on information security news over my first cup of coffee. Malicious software (malware) authors seem to have found a successful way of making money, and unsafe, yet common, practices are enabling it. Office-wide sharing of data with security as an afterthought, and the absence of strong backup and recovery processes fuel the continued rise of ransomware. Trends point to an increase in healthcare data being held for ransom, though no one is completely safe from being targeted by ransomware.

How did the development of malware evolve to give rise to so many ransomware attacks?

It’s the result of malware authors and other cybercriminals honing their craft—getting the biggest return for their investment. Cybercriminals often found themselves with stolen data that was either hard to price or difficult to raise interest in among black market buyers. Ransomware came into prominence when cyber criminals began to realize: The perfect customer for stolen data is the organization it was stolen from.

How does it work?

Through an email attachment, malicious document, or compromised website, the malware installs and begins searching for documents. For each document it finds, it encrypts it in a way that can only be decrypted by the attacker. Ransomware is often brutally efficient in its ability to impact an entire organization by encrypting network-connected drives. Out of all of the computers and accounts within your organization that can write to shared storage, an infection of any single one is enough to encrypt all of the connected data.

After the data has been encrypted, a message will be displayed that will give instructions on how to pay the criminals to regain access to your data. This will frequently involve exchanging funds into Bitcoin, and communicating with the attackers and their systems via the Tor anonymity network. These measures are used by the criminals to protect themselves from investigation or compromise.

How should you react when you find your network drive encrypted, and your systems displaying dire warnings?

For organizations that have good backup and disaster recovery procedures, it’s time to activate them. All impacted systems and drives should be restored from backups. If the infection comes back quickly, an older backup may be restored in order to find one that pre-dates the attackers’ compromise. If backups do not exist, cannot be restored, or are infected as well, then it’s time to seek help. Do not attempt to decrypt the files yourself or comply with the criminals’ instructions without consulting with information security professionals and law enforcement first.

How can you protect your organization?

Antivirus software alone can help, but will not protect you from the newest attacks. Having a strong backup policy and procedure is critical. The ability to restore your data to a clean state that minimizing the loss of work is important. Having multiple backups of varying ages can help mitigate the loss if recent backups are also infected with ransomware. An advanced internal penetration test can give you the opportunity to see how a team of attackers could locate and impact data within your organization, ahead of time and without the associated loss.

Ransomware will continue to become more popular, and impact more organizations. It is important for all levels of an organization to be aware of the threat and make preparations, as the impact can stun an organization’s ability to respond.


For weekly insights into cybersecurity, please sign up here:

Subscribe to HORNE Cyber Blog



Wesley serves as the director of cyber operations for HORNE Cyber. Known for his work in offensive information security and cyber operations, Wesley specializes in penetration testing, network vulnerability analysis, exploit development, reverse engineering of malicious software and network traffic analysis.

Find me on: