How To Deal With A Ransomware Attack
In this blog, we will help you gain an understanding of the strategies and characteristics of ransomware attacks. We will also share ransomware prevention best practices and guide you on what to do after a ransomware attack.
This blog post will cover the following topics:
Ransomware is a type of malware that uses cryptography to encrypt your files. A ransomware attack manifests once the malicious software installs secretly on your computer. It will then proceed to encrypt your data files or block access to your data or the entire computer. The attacker will demand a ransom to provide you with the decryption key or to restore your access. This ransom demand usually comes with a deadline. If you don’t pay the ransom in time, your data will be gone forever.
But that’s just the tip of the iceberg…
The ransom payment is a small part of the cost that you will incur. The real cost of the damage caused by a ransomware attack includes the following:
Hiring a cybersecurity lawyer
Hiring a ransomware recovery specialist
Forensics
Loss of Data
Operation Downtime
Replacing or resetting infrastructure
Loss of Productivity, and
Loss of Reputation
Ransomware is the second most common malware targeted at small and medium businesses. Considering the huge damage potential that ransomware poses for your business, it is necessary to include it in your cybersecurity plan.
First, let’s get to know the enemy.
There are 4 major types of ransomware:
1. Encrypting ransomware
This is the most well-known form of malware extortion. The attack is generally carried out using a malicious attachment in a phishing email or through a network vulnerability. The attachment then runs a program that encrypts your data files on the system with a unique encryption key. You are then shown instructions on how to pay the ransom and get the decryption key. The ransom can range from a few hundred to thousands of dollars and the payment method is generally in cryptocurrency such as Bitcoins.
2. Non-encrypting ransomware
Some forms of ransomware do not use encryption but instead prevent normal operation of the computer, either by restricting access to the system or simply by displaying images or pop-ups that can’t be closed. To regain normal access to your computer, the attacker demands a ransom, as in the previous type.
3. Leakware
Leakware is the reverse of ransomware. In a ransomware attack you are denied access to your data and have to pay to get it back, whereas in a leakware attack you retain access to your data but the malware sends your sensitive data to the attacker, who then threatens to publish it unless you pay a ransom. This kind of attack is effective if the attacker finds any information that could cause you financial or reputational damage. It is especially critical for a business, as it can expose sensitive financial details, trade secrets, or source code.
4. Mobile ransomware
Ransomware is not restricted to computers. Attackers have started targeting mobile operating systems as well. As mobile devices hold limited data, which is usually synced to the cloud, mobile ransomware is usually of the blocker variety. The malicious program displays a blocking message on top of all other applications, preventing normal use of the device. Android devices are prime targets of mobile ransomware because they allow the installation of third-party applications, but there have been variants that target iPhones as well.
But how do you get hit by ransomware in the first place?
The most common way ransomware infects your computer is through phishing emails containing malicious attachments. Such phishing or spam emails use some form of social engineering to coerce you into downloading an attachment or clicking a link. They are made to appear to come from a trusted source such as a friend or colleague; in some cases they appear to come from a service such as Google Docs or Dropbox. Once you take the bait, the malware installs itself on your system and begins encrypting your files.
Ransomware can also find its way onto your computer when you visit an infected website, download pirated media, or use an infected disk or drive. Web-based instant messaging apps, shady browser extensions, and vulnerable web servers can also be used to spread ransomware. In severe cases, hackers can enter your network via a brute force attack on a vulnerable network device. Once they get access to your computer, they will deploy a program that will encrypt a set of files or your entire hard drive, and in the worst case, it may get into the server and encrypt data across your entire organization.
To summarize, you can get ransomware infection in any of the following ways:
Phishing emails containing malicious attachments
Visiting infected websites
Downloading pirated media containing malware
Using untrustworthy browser extensions
Using infected disks or drives
Vulnerable web servers or network devices
Let’s look at some ransomware examples.
Ransomware has become a major threat to businesses. Many businesses have started stashing Bitcoins for possible ransomware attacks. Cybercriminals continue to evolve their strategy and method of attack but most of them are variants of ransomware that have been used in the past.
Here’s a look at the notable ransomware examples:
Bad Rabbit
In October of 2017, a ransomware called “Bad Rabbit” infected organizations including government agencies in Ukraine and Russia. Bad Rabbit was spread using a fake Adobe Flash update on hacked websites. Once the ransomware infected a machine, the user’s files were encrypted and payment in Bitcoins was demanded to decrypt the files.
CryptoLocker
The CryptoLocker ransomware attacks occurred from September 2013 to May 2014. It targeted computers running the Microsoft Windows operating system using a trojan. CryptoLocker was spread as an attachment to an email that appeared to come from a legitimate company. The email contained a ZIP file holding an executable (.exe) whose filename and icon were disguised as a PDF file.
Once activated, the ransomware encrypted certain types of files on your computer. You were then shown a message offering to decrypt the data if you made a payment by a given deadline. Even after you made the payment, there was no guarantee that the hacker would release your encrypted files.
CryptoWall
CryptoWall was essentially a successor to the CryptoLocker ransomware. It appeared around September 2014 in Australia. CryptoWall was spread via infected emails that appeared to be sent by government departments, for example an email purporting to come from the post office about a failed package delivery. To avoid detection by email scanners, you were directed to visit a web page and enter a CAPTCHA code before the malware was actually downloaded.
Fusob
Fusob is a major mobile ransomware that appeared in early 2015. The ransomware was disguised as a harmless video player and used scare tactics to extort a ransom. Once installed, it locked the device and displayed a message pretending to come from a government authority, asking you to pay a fine to avoid a made-up legal charge. Most of the victims of this ransomware were in Germany, the US, and the UK.
Petya
Petya is an encrypting ransomware that was first detected in 2016. It targets computers running Microsoft Windows by infecting the master boot record and encrypting your hard drive’s file system table and thus preventing Windows from booting. You would have to make a payment in Bitcoins to regain access to your computer. Petya uses the EternalBlue exploit as one of the means to propagate itself. Once it gets access to a network, it can spread by gathering IP addresses and credentials.
NotPetya
The NotPetya ransomware, believed to be a variant of Petya, appeared in June 2017. It caused widespread infections in Europe and the US. This malware used the same payload as Petya, but with a few changes. The main difference between NotPetya and Petya was that while Petya allowed your computer to be decrypted after you paid the ransom, NotPetya did not. While it was made to look like traditional ransomware, NotPetya was instead a wiper, i.e. malware intended solely to destroy data.
WannaCry
WannaCry is a ransomware attack that affected private organizations and government agencies across the globe. It was first detected in May 2017 and targeted computers running the Microsoft Windows operating system. It was similar to Petya in that it also propagated using the EternalBlue exploit.
Although numerous companies and agencies fell victim to WannaCry, it was completely preventable. Microsoft had already released patches to stop such an exploit. Still, WannaCry was able to use this exploit because organizations had not applied the patches or were using older versions of Windows that were past their end-of-life.
Let’s get down to business. Here’s what you should do when hit by ransomware.
Antivirus software can’t always detect malware in time. In most cases, ransomware is detected only once encryption is already underway or has completed. Encrypting your data takes time, so if an attack is detected in its early stage, it is possible to stop it. If you are able to remove the malware immediately, before it has finished encrypting, you can save the remaining files from encryption. But the files that were already encrypted may still be lost in such a case.
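The early-stage signals mentioned above can be watched for programmatically. The following Python script is an added example, not code from the original post: it takes a baseline snapshot of a folder and then compares a later snapshot against it, raising alerts for three things an encryptor leaves behind while it is still running: a canary file that no legitimate process should touch has changed, a file’s byte entropy has jumped to ciphertext-like levels, or a file has reappeared under a new suffix. The canary name, the `.locked`/`.encrypted` suffixes, the entropy threshold and the sample file names are all constructed placeholders, and the “encrypted” content is a fixed maximal-entropy byte pattern standing in for ciphertext, so the demo runs offline in a temporary directory.

```python
"""Added example: heuristics for catching file encryption while it is still in progress.
All file names, suffixes and thresholds below are constructed for the demo."""
import hashlib
import math
import tempfile
from collections import Counter
from pathlib import Path

CANARY_NAME = "canary_do_not_touch.txt"          # placeholder: a file no legitimate process edits
SUSPICIOUS_SUFFIXES = {".locked", ".encrypted"}  # placeholder suffixes, not tied to a real family
ENTROPY_THRESHOLD = 7.5                          # bits per byte; ciphertext sits close to 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: text is typically 4-5, compressed or encrypted data is near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def snapshot(root: Path) -> dict:
    """Record the hash and entropy of every file under root, keyed by relative POSIX path."""
    result = {}
    for p in root.rglob("*"):
        if p.is_file():
            data = p.read_bytes()
            result[p.relative_to(root).as_posix()] = {
                "sha256": hashlib.sha256(data).hexdigest(),
                "entropy": shannon_entropy(data),
            }
    return result


def detect(before: dict, after: dict) -> list:
    """Compare two snapshots and return human-readable alerts."""
    alerts = []
    for name, meta in after.items():
        prev = before.get(name)
        if Path(name).suffix in SUSPICIOUS_SUFFIXES:
            alerts.append(f"suspicious suffix: {name}")
        if Path(name).name == CANARY_NAME and prev and prev["sha256"] != meta["sha256"]:
            alerts.append(f"canary modified: {name}")
        if prev and prev["entropy"] < ENTROPY_THRESHOLD <= meta["entropy"]:
            alerts.append(f"entropy jump: {name} {prev['entropy']:.2f} -> {meta['entropy']:.2f}")
    for name in before:
        if name not in after:
            kind = "canary missing" if Path(name).name == CANARY_NAME else "file disappeared"
            alerts.append(f"{kind}: {name}")
    return alerts


def run_demo() -> list:
    """Constructed scenario in a temp dir: a baseline, then the changes an encryptor would leave."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "report.docx").write_bytes(b"Quarterly figures, plain text for the demo. " * 50)
        (root / "notes.txt").write_bytes(b"Meeting notes, nothing secret here.\n" * 50)
        (root / CANARY_NAME).write_bytes(b"canary\n")
        before = snapshot(root)

        # Stand-in for ciphertext: a fixed byte pattern with maximal (8.0 bits/byte) entropy.
        ciphertext_like = bytes(range(256)) * 8
        (root / "report.docx").write_bytes(ciphertext_like)        # overwritten in place
        (root / "notes.txt").rename(root / "notes.txt.locked")      # renamed with a new suffix
        (root / "notes.txt.locked").write_bytes(ciphertext_like)
        (root / CANARY_NAME).write_bytes(ciphertext_like)            # canary touched
        after = snapshot(root)
        return detect(before, after)


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

In practice the baseline would be refreshed on a schedule and the comparison driven by file-change notifications rather than a full re-read, and the alert would trigger the isolation step described in the next section; the entropy threshold needs tuning per environment because already-compressed files (archives, media) legitimately sit near 8.0.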
Here are the best practices for dealing with a ransomware attack:
The steps may appear simple but there are nuances and reasonings for each step that are important to understand. Let’s look at each of the steps in detail…
If you suspect a ransomware attack on your computer, immediately disconnect it from the network and get it offline. By isolating the malware you will prevent it from spreading and limit the infection.
If you disconnect your computer in the very early stage of infection and the malware is not able to connect to its command and control server, it will not be able to encrypt your data or block access.
In some cases, what appears to be a ransomware attack may turn out to be scareware. Scareware uses social engineering to cause fear, anxiety, or the perception of a threat to force you into paying a ransom. Such malware tries to trick you into believing that your computer is infected by displaying hard-to-close pop-ups, usually accompanied by a countdown timer on the screen designed to cause anxiety. In such cases, your files aren’t encrypted at all.
Many ransomware strains don’t even have decryption functionality built in, so there is no guarantee that you will get your files back. Even after paying, the criminals may simply take your money and run. So stay calm and don’t pay the ransom in a hurry.
Recovering from a ransomware attack is a difficult and complicated process. Before you even start thinking about data recovery, you first need to identify the type and mechanism of the malicious software. Doing this will let you decide on the proper process for cleaning the infected system and recovery of encrypted files.
If you start the backup process before completely cleaning the malware from your network, it may end up encrypting even the backup files.
Here’s an example of what can go wrong:
If you suspect a ransomware infection and decide to shut down your computer to stop the malware, you may in fact be doing more harm. Certain ransomware require a reboot of the system because they aren’t able to bypass permission issues or errors. Rebooting your computer will allow the malware to gain deeper access.
The Petya ransomware worked in such a way. It infected the master boot record by installing a payload, which encrypted the file tables of the NTFS file system when the infected system booted.
Whatever step you decide to take may limit your options going forward. Therefore, it is highly recommended that you contact your IT team or a security expert without delay.
Many ransomware families, such as Petya, spread by gathering IP addresses and credentials. Harvested credentials give the malware unauthorized access to your company data or even root access to your servers. Therefore, if there is a ransomware attack on your company, you should change all admin and user credentials immediately.
Ransomware infections are scary. Even if we have safeguards in place, dealing with ransomware is stressful, exhausting, and time-consuming. As with any form of virus or malware, prevention is always better than cure.
So let’s see how to prevent ransomware infection.
The most important step in ransomware prevention is to invest in cybersecurity. You need real-time protection that can identify and block threats as well as shield known vulnerabilities.
Here’s a list of steps you can take to prevent ransomware infections:
Use security policies and software to block unknown downloads from launching.
Keep backups of your computer using the 3-2-1 strategy.
Install legitimate antivirus and anti-malware software on all devices.
Create a data backup and recovery plan for your company.
Keep your browser updated and use legitimate browser extensions that protect you online.
Use only licensed software to ensure that it is supported and that updates and patches are released.
Ensure that software updates and security patches are installed as soon as they are available.
Regularly educate your employees about cybersecurity threats, especially how to identify phishing emails.
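A backup only helps if the copy you restore from was not itself touched by the malware, which is the failure mode the section above warned about. As an added example (not code from the original post), the Python script below builds a keyed manifest of a backup set, a SHA-256 per file plus an HMAC over the whole listing, and checks a copy against it before a restore: files that changed, went missing or appeared (for instance with a new suffix) are reported, and a manifest that was edited without the key fails the tag check. It assumes the HMAC key and the manifest are kept apart from the backup media, for example alongside the offline or offsite copy in a 3-2-1 scheme; the key value, file names and contents are constructed placeholders.

```python
"""Added example: keyed backup manifest, so a restore copy can be verified before it is trusted.
Assumes the HMAC key (and ideally the manifest) live apart from the backup media."""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def file_sha256(path: Path) -> str:
    """Stream the file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path, key: bytes) -> dict:
    """Hash every file under root and tag the listing with an HMAC so the manifest itself can't be silently edited."""
    files = {p.relative_to(root).as_posix(): file_sha256(p) for p in sorted(root.rglob("*")) if p.is_file()}
    body = json.dumps(files, sort_keys=True).encode()
    return {"files": files, "tag": hmac.new(key, body, hashlib.sha256).hexdigest()}


def verify_backup(root: Path, manifest: dict, key: bytes) -> dict:
    """Check a backup copy against its manifest; safe_to_restore is True only if everything matches."""
    body = json.dumps(manifest["files"], sort_keys=True).encode()
    expected_tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    report = {
        "manifest_ok": hmac.compare_digest(expected_tag, manifest["tag"]),
        "modified": [], "missing": [], "extra": [],
    }
    present = {p.relative_to(root).as_posix(): p for p in root.rglob("*") if p.is_file()}
    for name, digest in manifest["files"].items():
        if name not in present:
            report["missing"].append(name)
        elif not hmac.compare_digest(file_sha256(present[name]), digest):
            report["modified"].append(name)
    report["extra"] = sorted(set(present) - set(manifest["files"]))
    report["safe_to_restore"] = report["manifest_ok"] and not (
        report["modified"] or report["missing"] or report["extra"])
    return report


def run_demo() -> tuple:
    """Three checks on constructed data: an untouched copy, a copy with encrypted-looking files, a forged manifest."""
    key = b"demo-key-kept-off-the-backup-media"  # placeholder; a real deployment pulls this from a secret store
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "invoices.csv").write_text("id,amount\n1,100\n2,250\n")
        (root / "docs").mkdir()
        (root / "docs" / "policy.txt").write_text("Backup policy: 3 copies, 2 media, 1 offsite.\n")
        manifest = build_manifest(root, key)
        clean = verify_backup(root, manifest, key)

        # What an active infection leaves on a reachable backup share: one file rewritten, one renamed.
        junk = bytes(range(256)) * 4          # constructed stand-in for ciphertext
        (root / "invoices.csv").write_bytes(junk)
        (root / "docs" / "policy.txt").rename(root / "docs" / "policy.txt.locked")
        tampered = verify_backup(root, manifest, key)

        # A manifest edited to match the rewritten file, but without the key: the tag no longer verifies.
        forged = {"files": dict(manifest["files"]), "tag": manifest["tag"]}
        forged["files"]["invoices.csv"] = file_sha256(root / "invoices.csv")
        forged_report = verify_backup(root, forged, key)
    return clean, tampered, forged_report


if __name__ == "__main__":
    for label, report in zip(("clean", "tampered", "forged manifest"), run_demo()):
        print(label, json.dumps(report, indent=2))
```

Run the verification against the offline copy before every restore, and treat any `extra` entry with an unfamiliar suffix the same way as a `modified` one: both mean the malware reached the backup and the cleanup step has to be repeated before restoring.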
Here’s a quick summary of everything about ransomware we’ve learned.
Final thoughts on ransomware detection and prevention
Let’s recap everything covered in this blog post. You now have an understanding of what ransomware is and why it is important to safeguard against it. You also learned about the common types of ransomware and how they spread. This knowledge will help you in the detection and prevention of ransomware threats.
You also learned what to do after a ransomware attack is detected. More importantly, you now know how to prevent ransomware attacks in the first place. If you keep an eye out for the tell-tale signs of malware and maintain healthy cyber-hygiene, you will not fall prey to the common ransomware attacks.
We know that dealing with a ransomware infection is terrifying. Just the sight of a locked screen telling you that your files have been encrypted can cause severe anxiety. Don't panic, take a deep breath, and calmly follow the instructions listed above.