Ransomware is one of the most frightening types of malware. Not only does it compromise the data of the victim but it locks them out of their systems and therefore seriously threatens any organization’s bottom line and essential services like healthcare and finance. Concern about ransomware rose in 2016 as the attacks increased in both variety and frequency. Here is a step-by-step guide to what ransomware is, how to prevent it and what to do if your business machine is infected by it.
The Nature of the Beast
Ransomware is a type of malware that typically locks a user’s screen, encrypts their files with a cryptographic algorithm and holds their data hostage for ransom which it demands the user pay in exchange for a decryption key. Once it has snuck past your firewall and antivirus and executed, the ransomware will spread to infect as many networks and machines it can access. After the deadline, the files are uploaded or destroyed. Some varieties of ransomware don’t release the key after the first payment, either demanding an additional payment or deleting the data anyway. Ransomware is typically delivered through hyperlinks or attachments in phishing emails or in an “exploit kit” from a dangerous website.
Prevention: The Best Solution
Unfortunately, once a ransomware file is downloaded, antivirus software rarely prevents them from self-executing. Backups are not always reliable and they don’t protect from data theft. You should understand how much potential downtime and loss of data could impact your company. Consider doing a risk assessment to assign value to your critical data assets if you’d like to know for sure.
Prevention Strategy #1: User Education
Prevention Strategy #2: Workplace Policies
Only use safe browsers like Chrome and Firefox and monitor/control external hard drives (such as USBs) carefully. Consider disabling Macros in MS Office Documents, because they can execute ransomware infected documents. You can generally lower risks by limiting user access and privileges to the minimum necessary for your employees to do their work. Regularly update your firewall and browser extensions to prevent an exploit kit exploiting vulnerable software (e.g. outdated Flash Players). Finally, ensure that external backups are securely located and have a schedule to regularly test them.
Responding to an Infection
If you suffer an infection, your firewall has been bypassed and the ransomware is delivered to your antivirus if it gets past the antivirus (as almost all do) your runtime defense and isolation measures try to contain the damage. Special filtering options like whitelisting (AppLocker) can stop some ransomware running. If you feel out of your depth, consider consulting one of the top ransomware removal and cyber security firms.
Step 1: Isolating Infected Machines
While antiviruses work well when scanning your files, looking up and blocking known viruses, they don’t stop new malware or old malware that has been repackaged. Ransomware gets past antivirus software by changing its appearance, file name or signature, or delivering through the registry keys. The first thing to do in case of an infection is to isolate which machines are infected, immediately disconnect them from your network (e.g. Wi-Fi) and close shared network drives remotely.
Step 2: Identifying the Ransomware
It’s important to know which ransomware you are targeted with. Some are “fake”, i.e. they don’t encrypt your data properly, there are decryption tools for some and others don’t have a history of giving up the decryption key in exchange for ransom. Use the Ransomware Decryption Tool Finder and Google to find out.
Step 3: Identifying Patient Zero
Discover which employee got the infection first and get them to retrace their steps to find out where the ransomware came from (e.g. opening documents or attachments, visiting odd websites). Finally, decide whether to pay the ransom or not. Consider wiping infected machines for good measure and restoring from a backup.
Ransomware is evolving, with new varieties deleting backups (Locky), stealing credentials (CryptXXX) and spreading via ransomware-as-a-service (RaaS) operations which allow those with little technical expertise to conduct attacks (Cerber) on their own in exchange for a cut of the ransom money. Finally, many ransomware criminals are adding additional threats including targeting databases, threatening doxxing and releasing data publicly if victims don’t pay.
Scared yet? You should be! Get organized!