Ransomware is on the rise, with cases increasing by a shocking 6,000% in 2016. Not only are the number of attacks increasing, but ransomware is also becoming more sophisticated, finding new ways to infect devices and entice victims to pay up. When the virus infects a computer, it encrypts all files on it and those stored at cloud storages such as Google Drive, One Drive, Dropbox are not an exclusion. Here is how it works.
How Ransomware Infects Your Computer
The most common method of spreading malware is currently through phishing emails. In this method an email is sent out to thousands of people with an attachment that claims to be an invoice, travel itinerary, delivery confirmation, or other document that will entice users to open it.
Other common methods of infection are client-side hacks, where malware is hidden in software and browser extensions downloaded by the user; malicious websites and ‘malvertising’ – malicious online advertisements that are injected into ad networks; and peer-to-peer file sharing networks and torrent sites.
Some of the most common and vicious types of malware in recent months include the following.
Cerber is a ransomware that is usually infected via phishing emails or web-sites. The most common file for infectioning is MS Word, where built-in malicious script downloads and installs ransomware virus. After installation, the virus encrypts some of the user’s files and attaches the extension .cerber to every file that has been encrypted. It creates .txt, .html, and .vbs files named “decrypt my files”, with instructions on how to pay the ransom, usually between $500 and $800. If the victim does not pay within a week, the ransom amount is doubled.
Cerber has been known to target Microsoft Office 365 users. One cloud security firm reported that over half of all their users who were also customers of Office 365 had been targeted with a phishing attack.
The Cerber malware is often hidden inside a Microsoft Word macro which makes it difficult to detect, and is more likely to be opened than other executable files by Word users.
Machine learning-based algorithms have failed to detect the latest version of Cerber, demonstrating that malware is becoming more sophisticated and its authors are specifically aiming to avoid detection.
Cerber even offers an affiliate program, providing would-be hackers with everything they need to run a ransomware campaign in exchange for a 40% cut of the profits. We can expect to see more of this “ransomware as a service” type trend in 2017.
Locky is another ransomware that spreads itself primarily through Word macros. The malware is most commonly sent as a Word attachment in an email disguised as an invoice. When the user opens the document, it is full of gibberish apart from the phrase, “Enable macro if data encoding is incorrect.” On enabling macros, the encryption trojan is run and files are encrypted and renamed with the locky extension. A message displayed on the desktop directs users to a website to pay the ransom.
Any encrypted files that are synced to the cloud will also become infected on the cloud, as this Dropbox user experienced, with over 170,000 files affected and no clear way of restoring his data.
A year ago the Hollywood Presbyterian Medical Center was infected with this malware and forced to pay $17,000 to retrieve patient data.
There are numerous variants of Locky with some of the more recent ones being Thor, ZZZZZ, and Aesir. Aesir opens a backdoor on the computer, allowing hackers to gather personal documents and spread them online if the ransom is not paid. This practice is known as doxing and is on the rise.
Jigsaw not only encrypts your files, but will also delete them if you don’t pay up. This ransomware deletes files every hour until the ransom is paid. With each hour that passes, an increasing number of files are deleted. If the ransomware is restarted by terminating the process or rebooting the computer, a thousand files are deleted.
Jigsaw infects machines after it is downloaded from a free cloud storage service.
A new threat was recently added where the program claims to collect all email, contacts, logins, passwords, and skype history, upload it to a server, and email it to your contacts if the ransom is not paid in time.
Another new addition is live support that helps victims to buy the bitcoins needed to pay the ransom.
This ransomware may be very destructive but luckily it is not as sophisticated as some of the other variants – there is a free decryption tool available online for those who stay calm enough to investigate the issue after being infected.
How Ransomware Infects Your Data in the Cloud
Once ransomware has successfully encrypted local files stored on your computer or mobile device, these files can quickly be copied to the cloud.
Most cloud services offer syncing software, which automatically updates newer versions of files to the cloud when they are changed locally.
Cloud storage may be used as a backup by many people, but it doesn’t protect your files from being infected with ransomware. If the cloud service you’re using saves previous versions of files then you may be able to revert to an earlier version, but many free providers do not offer this service.
Some services may only keep a certain number of revisions of a file. Some ransomware is actually designed to rewrite the file multiple times so that all older versions of the file will also be encrypted.
Ransomware authors and distributors are now using the cloud as a way to spread and store malicious software, as many users have become so used to downloading files from cloud storage that they do not stop to think if what they are downloading is safe.
How You Can Protect Google Drive, One Drive, Dropbox from Ransomware
One way to avoid being infected with ransomware is to educate yourself on how to avoid it in the first place. This means learning how to recognize a phishing email, not downloading files from unsafe sources, and keeping up to date with the latest malware and how it is being spread.
Backups are also essential to recover from a malware attack. Syncing files to the cloud is not sufficient backup and as previously discussed, may actually make the problem worse.
A third party cloud-to-cloud backup service is necessary if you use cloud services similar to Google Drive. In this way you can simply restore your backed up files to a previous version in the event that they are encrypted or deleted.
Here at Spinbackup, we are going to remove human factor for data protection. Our Automatic Ransomware Protection is the first service that automatically detects ransomware in Google Drive, blocks the attack source, identifies number of damaged files and automatically recovers damaged files from the last backup version.
This happens with the help of a Restore-In-Time Machine service that is invaluable for users infected by ransomware. This feature means that a whole snapshot of your account is created with every automated or manual backup. Even if you disable Spinbackup automatic recovery, you don’t need to monotonously select the required version for all your items, but simply open the latest snapshot before your account has been infected, and recover all of your G Suite with a single click.
Just give Spinbackup a try to protect your Google Drive data against ransomware today. Sign up for a free trial at any time.
3,372 total views, 20 views today