Ransomware is malicious software (malware) that takes over a computer (desktops, workstations, servers) or holds its data hostage to extort money from victims by denying access to that computer or data.
Ransomware can be introduced in a variety of ways. The two most common are:
- Email phishing attack where malware is sent as a link or an attachment to an email sent to the victim
- “Drive-by Attack” where malware is downloaded to a victim’s computer when she visits an infected website
After the initial infection, the malware will often seek to spread to shared drives and other computers on the network.
If demands are not met, the system or encrypted data remains unavailable, the data may be deleted, or the computers can be destroyed.
What to Do to Keep From Being Infected
- Provide all users cybersecurity awareness training so they can be vigilant against phishing attacks.
- Teach users the phishing danger signals.
- Teach users not to click on links or attachments in emails unless they are absolutely positively 100% sure the email is legitimate and its contents are safe.
Make Sure IT Does Their Part
- Keep operating systems and applications patched with the latest updates.
- Maintain up-to-date anti-virus software, and scan all software downloaded from the internet prior to executing.
- Set all user accounts with limited — non-administrative — privileges.
- To the extent IT can manage it, they should use application whitelisting to identify the programs that are allowed to run.
Prepare to Be Infected with Ransomware
- Backups: Ensure all critical files are backed up. Make sure backups are incremental and out-of-band (air-gapped). Test restore processes regularly.
- Incident Response Management: Develop, train, test, and practice your Incident Response Plan.
If You’ve Been Infected with Ransomware
Good backups are the only sure way to recover from ransomware. With backups, you can restore the files that have been encrypted.
Without good backups, you’re stuck without your valuable files unless (1) you pay the ransom and the cyber criminals actually give you the key to unlock your files or (2) your particular strain of ransomware is included in the repository of keys and applications on No More Ransom.
IT Departments need to recognize that ransomware has been known to silently infect a network and lie dormant for a period of time so that backups also become infected.
It is critical that IT verifies its ability to fully recover from a ransomware attack. It’s not enough for them to test their ability to recover a file or a folder. IT needs to test their ability to fully restore all working files from backup.
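One way to check a full test restore, rather than a single file or folder, is to record a SHA-256 manifest of the working files at backup time, restore everything to a scratch location, and compare the two. This is an added example, not part of the original article; the function names and the sample files are constructed for illustration.

```python
import hashlib
import os
import tempfile

def build_manifest(root):
    """Map every file under root (relative path) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    digest.update(chunk)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = digest.hexdigest()
    return manifest

def verify_restore(manifest, restored_root):
    """Check a full test restore against the manifest taken at backup time."""
    restored = build_manifest(restored_root)
    return {
        "missing": sorted(manifest.keys() - restored.keys()),
        "changed": sorted(p for p, h in manifest.items() if restored.get(p, h) != h),
        "unexpected": sorted(restored.keys() - manifest.keys()),
    }

def write_tree(root, files):
    """Create the given {relative path: bytes} files under root."""
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)

def demo():
    """Constructed data: three working files and a flawed test restore."""
    good = {"ledger.csv": b"id,amount\n1,100\n", "hr/staff.txt": b"alice\nbob\n",
            "plan.doc": b"Q3 plan"}
    bad = {"ledger.csv": good["ledger.csv"], "hr/staff.txt": b"\x8f\x02\xc4\x19",
           "plan.doc.locked": b"\x00\x11"}
    with tempfile.TemporaryDirectory() as tmp:
        write_tree(os.path.join(tmp, "working"), good)
        write_tree(os.path.join(tmp, "restored"), bad)
        manifest = build_manifest(os.path.join(tmp, "working"))
        return verify_restore(manifest, os.path.join(tmp, "restored"))

if __name__ == "__main__":
    print(demo())
```

Keep the manifest somewhere the backup system cannot overwrite, and treat any entry under "missing" or "changed" as a failed restore test.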
In addition to protecting your organization, SecureTheVillage advocates notifying the Internet Crime Complaint Center (IC3) of the ransomware attack. The FBI is publicly urging victims to report ransomware incidents to federal law enforcement to help them gain a more comprehensive view of the current threat and its impact on U.S. victims.
The No More Ransom Project
It is sometimes possible for infected users to regain access to their encrypted files or locked systems, without having to pay. No More Ransom’s website includes a repository of keys and applications that can decrypt data locked by different types of ransomware. Victims can also upload encrypted files and ransom notes for inspection and support.
No More Ransom is an initiative by the National High Tech Crime Unit of the Netherlands’ police, Europol’s European Cybercrime Centre and two cyber security companies – Kaspersky Lab and McAfee – with the goal to help victims of ransomware retrieve their encrypted data without having to pay the criminals.
Ransomware: Should You Pay?
No More Ransom’s website states: The general advice is not to pay the ransom. By sending your money to cybercriminals you’ll only confirm that ransomware works, and there’s no guarantee you’ll get the decryption key you need in return.
When considering paying the ransom, one should know that a recent study showed that less than half of paying ransomware targets get their files back.
Published: March 2018