Network World

Files for ransom

Ransomware has emerged as the latest security worry. How big is your risk?
By Susan Schaibly, Network World, 09/26/2005

As if phishing, pharming and phraud weren't frustrating enough, the latest cybersecurity threat - ransomware - is an extortion scheme.

Ransomware involves the use of malicious code to hijack user files, encrypt them and then demand payment in exchange for the decryption key. The good news is that documented attacks have been rare. The bad news is that cases are on the rise, says FBI spokesman Paul Bresson.


One of the earliest recorded cases of ransomware was documented by Web-filtering software vendor Websense in May. A call from a panicked user revealed the swiftness and thoroughness of the attack. "All of a sudden, the files on his computer were in a format that was not human readable," says Dan Hubbard, Websense's senior director of security. Only one file - named "Important" - could be read. It contained the filenapper's instructions to send an e-mail to receive the decoder key. When the victim complied, a ransom note demanding $200 arrived. What might have been a malicious prank turned into a serious crime.

Assessing the risk

Fortunately, most end users only know about ransomware through media reports, not by direct experience. Perry Jarvis, network operations manager for the city of Burbank, is almost cavalier in his assessment of the ransomware risk. "Blocking this type of attack is already being performed by most companies," he says. Before files can be encrypted and then held for ransom, the attacker would have to gain access to the system - and most security professionals already are watching for intrusions and other forms of cyberextortion, he explains. More common than ransomware is a scheme where hackers break into a system - proving they can do it - and then demand payment not to attack. Gaming sites have been hit with this sort of crime, and some accept it as a cost of doing business, paying tens of thousands of dollars a year, according to sources.

Of all the ways a hacker could choose to do damage, ransomware is a fairly high-risk operation, says Gary Morse, president of penetration test company Razorpoint Security Technologies. "There are at least four or five points of contact necessary to pull this off," he says, noting that the criminal has to break into the system, leave malicious code behind, notify the victim, wait for a response, and get paid. Certainly, he adds, if one wants to earn a living through hacking, there are safer ways.

That the scheme is high risk doesn't mean attacks won't dramatically increase or become more sophisticated. Ransomware would become a real danger, Jarvis says, when applied to mission-critical information assets stored on database servers. That, he says, would require almost combat-like planning to pull off.

Protecting your network

As with most security issues, the best defense is a good offense. Although cyberextortion attacks can be carried out through traditional channels, such as e-mail attachments or direct access to the network, most instances are browser-based.


Comments (11)

RE: Files for ransom
By dkathrens77 on July 10, 2007, 8:18 pm
I am here to tell you I am a victim of ransomware. While I was logged into Second Life last night, all my data files were RSA-4096 encrypted and a ransom note left...

Do you know how it got
By Anonymous on July 11, 2007, 8:47 pm
Do you know how it got there? I am IT support for our company and I have a user that sent me a screen shot of this exact ransom note.

Ransomware
By Anonymous on July 12, 2007, 3:29 pm
I got the same read_me.txt file in EVERY folder on an external hard drive I use for storage/backup. It destroyed 80GB of data! It not only corrupted excel, word,...

Our computer was affected by
By Anonymous on July 13, 2007, 12:18 am
Our computer was affected by clicking on a bogus link to Monster ( The job folks ie Monster.com ) All of the same things happened including a Flush of my MS express...

They only got one hard drive...So far
By Anonymous on July 13, 2007, 3:50 am
The breach seems to be localized to only one hard drive thankfully. It's funny, I just bought a backup hard drive to format my computer when this happened. ...

Same thing happened to me :-(
By Anonymous on July 13, 2007, 11:58 am
I've been researching and on Damage control for the last 12 hours. Here's what I've uncovered, it's old news from a year ago but sounds like the same thing: Info...
