Ransomware: locking you out of your system!
The pandemic’s work-from-home reality has caused cyber-attacks to rise sharply over the last year. We saw more cyber-attacks of every kind, but ransomware in particular leads the charge, with a 150% increase in attacks compared to the previous year, and the ransom paid by victims also increased by 300% in 2020.
What is Ransomware?
Ransomware is a cyber-attack that uses malware to encrypt the victims’ files and information and hold them for ransom. A user’s or organization’s critical data is encrypted, denying access to files, databases, or applications, and a ransom is then demanded to restore access. Ransomware is often designed to spread across a network and target database and file servers, and can thus quickly paralyze entire organizations.
Why is Ransomware a concern?
Ransomware attacks and their variants are constantly evolving to evade preventive technologies and are spreading quickly for several reasons.
- Malware kits that can be used to create new malware samples on demand are readily available.
- The development of cross-platform languages has also led to the creation of cross-platform Ransomware.
- Encryption techniques have advanced to the point where ransomware can encrypt entire drives instead of selected files.
Today’s thieves don’t even need to be computer-savvy as malware strains are readily available on online markets for a cut in profit.
How to Defend against Ransomware Attacks?
The following steps will help you mitigate damage in case of a ransomware attack.
- Back up your data
The best way to avoid losing access to critical data or files in a ransomware attack is to keep regular backup copies (preferably in the cloud or on an external hard drive). After an attack, you wipe your computers and servers clean and restore your data from the backup.
- Secure your backups
Ensure that your backups cannot be modified or deleted from the system where the live data resides, as ransomware will look for backups to encrypt or delete.
- Use security software
Use security software such as antivirus on all your computer systems and keep it updated with the security patches and updates released.
- Practice safe surfing
Download applications only from trusted sources and do not respond to emails or messages from unknown senders, as these may be used to deliver malware to your system.
- Implement a security awareness program
Create security awareness among your employees regarding cyber threats and provide training to help prevent phishing and other social engineering attacks.
What to do in case of a ransomware attack?
It is essential to move quickly in case of a suspected ransomware attack. Follow these steps to help minimize the damage and promptly return to business as usual.
- Isolate and shut down critical systems
The first and most crucial step is to isolate and shut down all critical systems. Isolating systems helps contain the malicious code, since there is a chance that not all of your systems and data have been infected.
- Enact your business continuity plan
The business continuity plan is a step-by-step guide that helps all your departments understand how the business operates in times of disaster or other business-altering scenarios. Its disaster recovery component details how critical data and systems can be restored and brought back online.
- Assess the damage
Determine which devices have been infected by checking for recently encrypted files with strange file extensions, and look for reports of odd file names or users having trouble opening files. If you find devices that have not been wholly encrypted, isolate and turn them off to help contain the attack and prevent further damage and data loss. Create a comprehensive list of all affected systems, including network storage devices, cloud storage, external drives (including USB thumb drives), laptops, smartphones, and other possible vectors.
- Locate the source
Once the entry point is identified, it becomes easier to identify and track infected systems across the network. To do this, check the alerts coming from your antivirus or other security and monitoring software; asking people about their activities (such as opening suspicious emails) and what they have noticed can be helpful as well.
- Report the cyberattack
Like any other crime, a ransomware attack is against the law and should therefore be reported to the authorities. Furthermore, law enforcement may have legal powers and tools that are unavailable to most organizations. Partnerships with international law enforcement can be leveraged to help find the stolen or encrypted data and bring the perpetrators to justice. There is also compliance to consider: the GDPR, for example, gives businesses a 72-hour window to disclose a data breach involving customers’ personal information.
- Restore from backup
The quickest and easiest way to restore your systems and data is from your backups. First use antivirus/anti-malware software to clean the ransomware off the infected systems (otherwise it would continue to lock you out, encrypt your files, and potentially corrupt your backup). You can then restore your data from the backup, but remember that restoring large amounts of data can be time-consuming, forcing the business to stay offline for an extended period.
- Research your decryption options
If no viable backup is available, there is still a chance to get your data back. Search for decryption keys for the ransomware variant you are dealing with; if you are lucky, you may find a decryptor or decryption tool that can unlock your data.
- Patch and monitor
In the final phase of ransomware response, patch the systems that may have led to the initial compromise and monitor the environment closely for further malicious activity. It is not uncommon for malicious activity to continue even after the ransom is paid or infected systems are restored. If the vulnerability that led to the initial attack is not fixed, the environment can be compromised again.
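For the damage-assessment step above (recently modified files with strange extensions), here is an added triage script, not part of the original article, that walks a directory and flags files modified within the incident window whose extension is outside an allow-list and whose leading bytes have the near-uniform byte distribution of encrypted data. The allow-list, the entropy threshold and the sample file tree are constructed assumptions.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Assumed allow-list of extensions normally present on the file share (constructed).
KNOWN_EXTENSIONS = {".txt", ".docx", ".xlsx", ".pdf", ".jpg", ".png", ".csv"}
ENTROPY_THRESHOLD = 7.5  # bits per byte; encrypted data sits close to 8.0
DEMO_NOW = 1_700_000_000  # fixed "now" so the constructed tree is reproducible

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def find_suspect_files(root, now, max_age_seconds=3600, sample_bytes=4096):
    """Names of files under root modified within max_age_seconds of now
    that carry an unknown extension and whose first bytes look encrypted."""
    root = Path(root)
    suspects = []
    for path in root.rglob("*"):
        if not path.is_file() or now - path.stat().st_mtime > max_age_seconds:
            continue  # outside the incident window
        if path.suffix.lower() in KNOWN_EXTENSIONS:
            continue  # extension still looks normal
        with open(path, "rb") as fh:
            head = fh.read(sample_bytes)
        if shannon_entropy(head) >= ENTROPY_THRESHOLD:
            suspects.append(str(path.relative_to(root)))
    return sorted(suspects)

def build_demo_tree():
    """Constructed sample share: a plaintext document, a file that looks freshly
    encrypted and renamed, and an old high-entropy file outside the window."""
    root = tempfile.mkdtemp(prefix="ransom-triage-")
    files = {
        "budget.txt": (b"Quarterly budget: travel 1200, training 800.\n" * 40, DEMO_NOW - 600),
        "report.docx.locked": (bytes(range(256)) * 16, DEMO_NOW - 300),
        "archive.bak": (bytes(range(256)) * 16, DEMO_NOW - 3 * 86400),
    }
    for name, (content, mtime) in files.items():
        target = os.path.join(root, name)
        with open(target, "wb") as fh:
            fh.write(content)
        os.utime(target, (mtime, mtime))  # backdate so the age check is deterministic
    return root
```

Compressed formats such as JPEG, PDF and ZIP also show high entropy, which is why the entropy test is combined with the extension and modification-time checks rather than used alone.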
Why shouldn’t you pay the ransom?
While it may be tempting to give in to a ransom demand when faced with the possibility of weeks or months of recovery and downtime, there are several reasons why it is a bad idea:
- You may never get a decryption key
You depend on the criminals’ integrity to hand over the decryption key once you have paid. Some organizations have received nothing even after paying the ransom.
- You could get repeated ransom demands
Once you pay, the criminals who deployed the ransomware know you are at their mercy. They may make repeated demands before providing a working key.
- You may receive a decryption key that only partly works
The decryptor you receive may be just good enough for the criminals to claim they held up their end of the bargain. Moreover, it is not unheard of for the encryption process itself to corrupt some files beyond repair.
- You may be painting a target on your back
Organizations with a proven history of paying are more attractive targets than new targets that may or may not pay.
- You are still funding criminal activity
When you pay the ransom, you are funding criminal activity and reinforcing the idea that ransomware is a business model that works.
Conclusion
As with other forms of malware, careful action and the use of good security software are a step in the right direction when it comes to combating ransomware. Of particular importance for ransomware is the creation of backups, as this allows you to be well prepared even in a worst-case scenario.