Why are ransom attacks successful?
Most people don't have backups. Most people who do have backups, haven't tested them to make sure they work.
The real difference between disk failure and ransomware is that paying the ransom is cheaper than paying a data-recovery company, and is more likely to get your data back.
A few people are mentioning back-ups as a fix for ransomware. Ransomware works because the target is not prepared for the outcome. While a failed hard drive and a ransomware encryption can both be "recovered" via restoring a backup to a new drive, the ransomware is sometimes a malware that runs on the machine itself. In any event, restoring from an external backup will not remove the issue that allowed the attackers access to the system in the first place. This requires countermeasures such as:
- elevated security permissions on a system to prevent trojans
- remote backup strategies to prevent connected backups from being encrypted
- infiltration detection in the event of something like a worm
- hardened passwords to prevent intrusion
Unfortunately most computer users do not have these countermeasures in place.
To recover from a failed drive, simply make backups to an external disk. Upon drive failure replace the disk and restore the volumes. Simple.
To recover from a ransomware requires time, downtime, and investigation to determine if the machine was compromised due to:
- a user account running with permissions that were too high for the user's needs (desktop user as administrator)
- an infection on another machine or device that allowed a user to pivot to the system allowing the infection (infected domain controller)
- a lack of awareness in regard to something like a phishing attempt in an e-mail where the user clicked on something they did not intend to (along with #1)
- very simple passwords (if the attack was on-site)
- remote access permissions into a machine with remote access software like LogMeIn or Windows Remote Desktop
- a non-firewalled network
- other compromised systems like IoT devices
If the cost of an investigation is expensive, it may be cheaper to pay the ransom.
Note: the system/network still needs to be secured prior to and after an investigation, otherwise the same attack can recur.
In some cases, by enabling encryption on a volume with BitLocker where the volume was not already encrypted, the attacker can prevent access to the entire volume locking the user out of their own system. In this case it's a Windows feature. There would be no evidence of anything "installed" on the system, but rather there would be evidence of an intrusion if the system was configured in such a way that the user's account could be compromised either remotely or in-person with the insertion of an infected device.
On Disk Failure
When a disk fails you simply replace the device because it was a physical failure. If several disks are failing, then there is an issue with the controller. You can only tell if a disk has failed by testing it in a different machine if a new disk exhibits the same symptoms, or if you test a new disk in the failed machine and it works, then you know the controller is okay. In situations like a RAID where multiple disks work together, a failed disk can take out other disks, so there is a chance for systemic failure across multiple devices. Think about bad sectors and file corruption on a single drive being mirrored to multiple copies on a RAID. Disk failure is typically only limited to one machine, with the exception of networks where terminals (thin clients) all connect to a central system. Replacing a failed disk usually remedies the issue. Statistically you're not likely to experience the same issue unless the replacement disk was purchased at the same time and was part of the same vendor run in which case it might be a manufacturer defect of a component line.
It's not always only one machine with Ransomware though
Some ransomware can actually encrypt more than one machine on a network. I have a client whose server was infected, and allowed the virus to spread to multiple machines on the network and then the server and workstations were all locked. In cases where the server might not be infected, but is acting as a host, this can cause recurring infections to workstations that connect to the infected files. Regardless, the issue needs to be fixed systemically to stop the infection.
If a hard drive in a workstation dies it doesn't replicate the failure across a network. Comparing ransomware and hard drive failures is like comparing cancer to a broken limb; they are both debilitating.
- There's the potential of backing up encrypted data with the ransomware
- Most people aren't backing up to the cloud in the first place
- If you're regularly backing up your hard drive you don't need to worry about automatically backing up your dead hard drive
- With the encryption there wouldn't be any way to recover my data without paying the ransom (which isn't guaranteed to work).
- If the drive dies, there's still the potential that some of it can be recovered.
Overall, hard drive failure has potential to not be as damaging with precautions and recovery services, whereas ransomware is designed to be intentionally much more damaging.