Ransomware: How to Stop It
You’ve been attacked with ransomware. What are your next steps?
Isolate the infection: prevent it from spreading by isolating infected computers, shared storage, and the network.
Identify the infection: use evidence from the computer and the ransom messages to determine which malware strain you are dealing with.
Report: inform the authorities so they can support and coordinate countermeasures.
Determine your options: there are several options available to you; decide which one is right for you.
Restore and refresh: use safe backups, program and software sources, and the right tools to restore or rebuild your computers. Prevent a recurrence by planning: assess the circumstances surrounding the infection and determine what you can do to stop it from happening again.
1. Isolate the Infection
It is crucial to detect ransomware quickly and accurately before it spreads across networks and encrypts vital data.
If a computer is suspected of being infected, immediately isolate it from other computers and storage devices: disconnect it from Wi-Fi and wired networks and from any attached storage. Cryptoworms actively look for connections to other computers, and you want to stop that. The ransomware should also not be able to reach its command and control server across the network.
Be aware that an outbreak can have more than one patient zero. The ransomware could have entered your home or organization through several computers, and it may still be active on systems that have not yet shown symptoms. Treat all connected computers and networks with suspicion until they have been checked.
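Spotting the burst before it spreads, as an added example that is not part of the original article: the script below runs a simple heuristic over constructed file-server audit lines (the log format, hostnames, user names and the ".locked" suffix are all made up for illustration) and reports the hosts that should be cut off the network. Real audit sources (Windows object-access events, Samba full_audit, NAS logs) need their own parser, but the two signals, many files gaining the same new suffix in a short window and a ransom-note-like file appearing, carry over.

```python
"""Flag hosts that look like they are mass-encrypting a file share.

Added example, not from the original article. The audit-log format, hostnames
and the ".locked" suffix are constructed for illustration; one event per line,
"<ISO timestamp> <host> <user> <action> <path>", where a RENAME path is
written as "<old> -> <new>".
"""
from collections import defaultdict
from datetime import datetime, timedelta

RENAME_THRESHOLD = 5             # suffix-appending renames per host per window
WINDOW = timedelta(seconds=60)
NOTE_MARKERS = ("DECRYPT", "RECOVER", "HOW_TO")   # tune to limit false positives

# Constructed sample: WS-07 renames five documents to *.locked and drops a note
# within a few seconds; WS-02 does ordinary work, including one normal rename.
SAMPLE_LOG = """\
2024-03-04T09:15:01 WS-02 alice WRITE /shares/finance/q1.xlsx
2024-03-04T09:15:40 WS-07 bob RENAME /shares/finance/budget.xlsx -> /shares/finance/budget.xlsx.locked
2024-03-04T09:15:41 WS-07 bob RENAME /shares/finance/payroll.csv -> /shares/finance/payroll.csv.locked
2024-03-04T09:15:41 WS-07 bob RENAME /shares/finance/plan.docx -> /shares/finance/plan.docx.locked
2024-03-04T09:15:42 WS-02 alice RENAME /shares/finance/draft.docx -> /shares/finance/final.docx
2024-03-04T09:15:43 WS-07 bob RENAME /shares/hr/contracts.pdf -> /shares/hr/contracts.pdf.locked
2024-03-04T09:15:44 WS-07 bob RENAME /shares/hr/onboarding.pptx -> /shares/hr/onboarding.pptx.locked
2024-03-04T09:15:45 WS-07 bob CREATE /shares/hr/HOW_TO_DECRYPT.txt
2024-03-04T09:20:10 WS-02 alice WRITE /shares/finance/q1.xlsx
"""


def parse_line(line):
    """Return (when, host, action, path, new_path_or_None) for one audit line."""
    ts, host, _user, action, rest = line.split(" ", 4)
    when = datetime.fromisoformat(ts)
    if action == "RENAME":
        old, new = rest.split(" -> ", 1)
        return when, host, action, old, new
    return when, host, action, rest, None


def find_hosts_to_isolate(log_text, threshold=RENAME_THRESHOLD, window=WINDOW):
    """Map host -> list of reasons, for hosts showing ransomware-like activity."""
    renames = defaultdict(list)      # host -> [(when, appended suffix)]
    reasons = defaultdict(list)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        when, host, action, path, new = parse_line(raw)
        if action == "RENAME" and new.startswith(path) and len(new) > len(path):
            # Encryptors typically keep the name and append their own extension.
            renames[host].append((when, new[len(path):]))
        elif action == "CREATE":
            name = path.rsplit("/", 1)[-1].upper()
            if any(marker in name for marker in NOTE_MARKERS):
                reasons[host].append(f"ransom-note-like file created: {path}")
    for host, events in renames.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Sliding window: drop events older than `window` from the front.
            while events[end][0] - events[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                reasons[host].append(
                    f"{count} files gained suffix {events[end][1]!r} "
                    f"within {int(window.total_seconds())}s")
                break
    return dict(reasons)


if __name__ == "__main__":
    for host, why in find_hosts_to_isolate(SAMPLE_LOG).items():
        print(f"ISOLATE {host}: " + "; ".join(why))
```

The ordinary rename on WS-02 (draft.docx to final.docx) is not counted because the new name is not the old name with something appended; the threshold and window should be tuned against a baseline of the share's normal rename rate before this is wired to an automatic quarantine action.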
2. Identify the Infection
Ransomware will most often identify itself when it demands the ransom. Several sites help you identify a strain from the ransom note and a sample of an encrypted file, including ID Ransomware and the Crypto Sheriff on the No More Ransom! site.
Identifying the ransomware tells you how it spreads, what files it encrypts, whether a decryptor exists, and what your options are for removal or disinfection. It also gives you what you need to report the attack to the authorities.
3. Report to the Authorities
Reporting a ransomware attack to the authorities does everyone a favor. The FBI urges ransomware victims to report incidents regardless of the outcome. Victim reporting helps law enforcement understand the threat, justifies ransomware investigations, and contributes information to ongoing cases. The more the FBI knows about victims and their experiences, the better it can identify the perpetrators and how they target victims.
You can file a report with the FBI at the Internet Crime Complaint Center (IC3).
There are other ways to report ransomware as well.
4. Determine your options
Once you are infected with ransomware, your options are:
- To pay the ransom.
- To remove the malware.
- To wipe the system and reinstall it from scratch.
Paying the ransom is generally a bad idea. Payment funds and encourages more ransomware, and it often does not result in your files being unlocked.
A recent survey found that more than three-quarters of respondents stated their company is unlikely to pay ransom to recover their data (77%). Only 3% of respondents said they would pay the ransom.
Even if you decide to pay, it’s very possible you won’t get back your data.
That leaves two options: remove the malware and selectively restore the system, or wipe it all and start over.
5. Restore and Refresh
You can choose to either remove malware from your system or wipe your system and reinstall it from safe backups.
Eliminate the Infection
Software packages and websites claim they can remove ransomware from your systems; No More Ransom! is one, and others can be found as well.
Whether an infection can be completely and reliably removed is not always clear. There is no working decryptor for every ransomware family, and no removal tool can guarantee that every trace of the malware is gone.
It is best to wipe all systems clean
A complete wipe of every affected device and a reinstallation of everything is the best way to be sure the ransomware, and any other malware that came with it, is gone. Format the drives in your systems to remove any remnants.
If you’ve been following a sound backup strategy, you should have copies of all your documents, media, and important files right up to the time of the infection.
Use the dates of the malware's files, the ransom messages, and any other evidence of its operation to determine the date of infection. Bear in mind that the infection may have been present on your system for some time before it activated and did significant damage. Learning what the malware does also helps you choose the best strategy for restoring your systems.
Choose a backup that was made before the ransomware attack. With Extended Version History, you can go back in time and specify the date before which you wish to restore files.
You should be able to use backup copies you have made, provided you have a backup policy that includes both off-site and local backups. Backup drives that were completely disconnected should be safe, as are files stored in the cloud.
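Putting the two steps above together, estimating when encryption started from file evidence and then choosing the newest backup made safely before that, as an added example that is not from the article or from any backup product. The directory tree, the ".locked" suffix, the note file name and the nightly snapshot times are all constructed so the script runs offline; substitute the extension and note name the identification step reported for your strain.

```python
"""Estimate when encryption began and pick the newest backup taken before it.

Added example, not from the article or any backup product. The directory tree,
the ".locked" suffix, the note name and the nightly snapshot times are all
constructed so the script runs offline.
"""
import os
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

ENCRYPTED_SUFFIXES = (".locked",)               # assumption: strain appends this
NOTE_MARKERS = ("DECRYPT", "HOW_TO")            # assumption: note file name


def earliest_encryption_time(root):
    """Earliest modification time among encrypted files and ransom notes under root."""
    earliest = None
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        upper = path.name.upper()
        if not (path.name.endswith(ENCRYPTED_SUFFIXES)
                or any(marker in upper for marker in NOTE_MARKERS)):
            continue
        mtime = datetime.fromtimestamp(path.stat().st_mtime, tz=timezone.utc)
        if earliest is None or mtime < earliest:
            earliest = mtime
    return earliest


def choose_clean_snapshot(snapshots, infection_time, margin=timedelta(hours=1)):
    """Newest snapshot taken at least `margin` before the infection estimate.

    The margin absorbs clock skew and a dormant period before encryption
    started; widen it if the identified strain is known to lie low first.
    """
    cutoff = infection_time - margin
    candidates = [s for s in snapshots if s <= cutoff]
    return max(candidates) if candidates else None


def build_sample_tree(root):
    """Constructed evidence: one clean file, two encrypted files and a note."""
    attack = datetime(2024, 3, 4, 9, 15, tzinfo=timezone.utc)
    files = {
        "finance/q1.xlsx": attack - timedelta(days=3),
        "finance/budget.xlsx.locked": attack + timedelta(minutes=25),
        "hr/contracts.pdf.locked": attack,                 # first file hit
        "hr/HOW_TO_DECRYPT.txt": attack + timedelta(minutes=30),
    }
    for relative, when in files.items():
        path = Path(root, relative)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(b"sample")
        os.utime(path, (when.timestamp(), when.timestamp()))


def run_demo():
    """Return (estimated infection time, snapshot to restore from)."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        infection = earliest_encryption_time(root)
    # Constructed: nightly snapshots at 02:00 UTC on 1-5 March 2024.
    snapshots = [datetime(2024, 3, day, 2, 0, tzinfo=timezone.utc) for day in range(1, 6)]
    return infection, choose_clean_snapshot(snapshots, infection)


if __name__ == "__main__":
    infection, snapshot = run_demo()
    print(f"first encrypted file written at {infection:%Y-%m-%d %H:%M} UTC")
    print(f"restore from snapshot {snapshot:%Y-%m-%d %H:%M} UTC")
```

The estimate relies on the encryptor writing files with a fresh modification time. Some strains preserve the original timestamps, in which case the change time (ctime), file-server audit logs, or the timestamps on the malware's own files are better evidence, and the margin should be widened accordingly.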
System Restore is not a strategy for ransomware or malware
It is tempting to roll a Windows machine back to a System Restore point. System Restore is not a good way to remove ransomware or other malware: malicious software can hide in many places on a system, and System Restore does not touch all of them. It also does nothing for your personal files; it neither recovers old versions of them nor deletes or replaces files you created after the restore point. Do not expect System Restore to act as a backup. For personal files, you always need a separate backup plan.
Ransomware can also encrypt local backups. If your backup solution is local and stays connected to a computer that becomes infected, the backups may be encrypted along with the rest of your data.
With a good backup solution that is isolated from your local computers, you can easily obtain the files you need to get your system working again. You have the flexibility to determine which files to restore, from which date you want to restore, and how to obtain the files you need to restore your system.
Reinstall your OS and applications from the original source media or by downloading them from the vendor. If you have kept good records of your accounts, you should be able to reactivate applications that require credentials. Usernames, passwords, and account numbers stored in your password manager remain reachable through its web interface or mobile apps; make sure you still have its master password before you wipe anything.
6. How to Prevent Ransomware Attacks
Ransomware attacks can cause serious damage to a business or home. Ransomware attacks can cause irreplaceable files to be lost. It can take hundreds of hours to remove the infection and get your systems back up and running.
Ransomware is constantly evolving and its methods grow more sophisticated, but you do not have to become a statistic. Smart planning and smart practices can keep ransomware out of your systems.
Find out how ransomware enters your home and workplace
To be prepared, you need to know the ways ransomware could enter your systems. These paths are called attack vectors.
There are two types of attack vectors: machine attack vectors or human attack vectors.
Human Attack Vectors
Social engineering is the technique attackers most often use to get malware onto computers. In information security, social engineering means manipulating people into taking actions or disclosing confidential information that can then be used against them. People are tricked into doing or revealing things they otherwise would not.
Common vectors of attack against humans include:
1. Phishing
Phishing uses fake email to trick people into opening attachments or clicking links that deliver malware. An email may go to one person or to many people in an organization. Sometimes the emails are tailored to look more credible: attackers research the targets and their businesses, so the sender appears to be a known contact or the subject relates to the recipient's work. A personalized attack of this kind is called spear phishing. Read more about this attack vector in our post, "Top 10 Ways to Protect Yourself Against Phishing Attacks."
2. SMSishing
SMSishing (smishing) uses text messages to lure recipients to a website or into entering personal information. Common lures are fake authentication codes or messages that appear to come from a financial service provider. Some ransomware delivered this way also tries to spread itself by texting everyone in the device's contact list.
3. Vishing
Vishing uses voice calls and voicemail in the same way SMS and email are used to deceive victims. The recipient is told to call a number, which is often spoofed to look legitimate, and is then walked through several steps to "fix the problem", steps that end with the victim installing malware on their own computer. Criminals use hold music, sound effects, and scripts to seem professional. Like spear phishing, vishing can target a particular individual or company using information the criminals have gathered.
4. Social Media
Social media can be used to persuade victims to download images from social media sites or to take other compromising actions. It could be music, video, or any other active content that infects the victim’s computer once it is opened.
5. Instant Messaging
Cybercriminals can hack instant messaging clients and distribute malware to victims’ contact lists. This was the method used to distribute Locky ransomware among unsuspecting victims.
Machine Attack Vectors
Machine-to-machine attacks are the other type of attack vector. Humans may help by visiting a site or opening a file, but the attack itself is automated and needs no cooperation from the victim to get into your computer or network.
1. Drive-by
Drive-by refers to infections where all it takes is opening a website with malicious code embedded in an image or other active content.
2. System Vulnerabilities
Cybercriminals find vulnerabilities in systems and use them to install ransomware. Systems that have not been updated with security updates are most vulnerable.
3. Malvertising
Malvertising works like a drive-by but delivers the malware through malicious ads. Such ads can be placed on popular social media sites or search engines to reach large audiences. Adult-only websites are a common source of malvertising.
4. Network Propagation
Ransomware can infect any system it reaches. Once inside, it scans for files to encrypt and for other accessible computers, and spreads across the network and shared systems. Through insufficiently secured network shares and exchanged files it can even spread to partner companies. The malware keeps going until it runs out of reachable systems or hits a security barrier.
5. Propagation Through Shared Services
Ransomware can also spread through online file-sharing and syncing services. If the malware itself, or the files it has encrypted, end up in a shared folder, the damage can reach other machines and offices, and it spreads especially fast when the service automatically syncs files as they are added or modified, which many file-sharing services do.
It is important to carefully consider what settings you use to automatically sync. Also, be cautious when sharing files with others without knowing exactly where they came from.
Ransomware: Best Practices
Security experts recommend several preventative measures to avoid ransomware attacks.
1. Anti-virus and antimalware software can be used to prevent known payloads from being launched.
2. Keep regular, complete backups of all important files. Isolate them from open and local networks.
3. Object Lock, an immutable backup option, gives you backups that behave as if they were air-gapped: the data cannot be deleted or modified within the retention period you set. You can quickly recover uninfected data from immutable backups and redeploy it, so you can get back to work with little interruption.
Object Lock functionality for backups allows you to store objects using a Write Once, Read Many (WORM) model, meaning after it’s written, data cannot be modified. Object Lock ensures that no one can encrypt or tamper with your data. This is a strong line of defense against ransomware attacks.
4. Make offline backups of your data in places that are inaccessible to any infected computer. This prevents ransomware from gaining access to them.
5. Software vendors will provide the most recent security updates for your OS and applications. To close known vulnerabilities in browsers, operating systems, and web plugins, it is important to patch quickly and often.
6. Consider installing security software to protect your network, email servers, and endpoints from infection.
7. Cyber hygiene includes using caution when opening attachments or links in emails.
8. Segment your networks to keep critical computers isolated and to limit the spread of malware in the event of an attack. Disable unneeded network shares.
9. Remove admin rights from users who do not need them. Grant users the minimum system permissions necessary to do their work.
10. As much as possible, limit write permissions to file servers.
11. Make sure you are educating your family, your employees, and your loved ones about the best ways to prevent malware from entering your systems. Inform everyone about the latest email scams and human engineering that aim to turn victims into accomplices.
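How an immutable, versioned store blunts the "encrypt the backups too" move, as an added, self-contained model rather than the article's or any vendor's code. It imitates the generally documented rules of S3-style Object Lock in compliance mode: every write creates a new version instead of overwriting, a locked version cannot be deleted before its retain-until date, and retention can be extended but never shortened. The key, dates, retention period and the stolen-credentials scenario are made up.

```python
"""Model of write-once-read-many (Object Lock style) retention.

Added example, not the article's or any vendor's code. It imitates the rules
of S3-style Object Lock in compliance mode: every PUT creates a new version,
a locked version cannot be deleted before its retain-until date, and
retention can be extended but not shortened. Key, dates and scenario are
constructed.
"""
from datetime import datetime, timedelta, timezone


class ImmutabilityError(Exception):
    """Raised when an operation would violate a retention lock."""


class WormBucket:
    def __init__(self, default_retention):
        self.default_retention = default_retention
        self._versions = {}   # key -> [(version_id, data, retain_until)]

    def put(self, key, data, now):
        """Write a new version; an existing version is never overwritten."""
        versions = self._versions.setdefault(key, [])
        version_id = f"v{len(versions) + 1}"
        versions.append((version_id, data, now + self.default_retention))
        return version_id

    def _find(self, key, version_id):
        for index, entry in enumerate(self._versions.get(key, [])):
            if entry[0] == version_id:
                return index, entry
        raise KeyError(f"{key}@{version_id}")

    def delete_version(self, key, version_id, now):
        index, (_, _, retain_until) = self._find(key, version_id)
        if now < retain_until:
            raise ImmutabilityError(
                f"{key}@{version_id} is locked until {retain_until:%Y-%m-%d}")
        del self._versions[key][index]

    def extend_retention(self, key, version_id, new_until):
        index, (vid, data, retain_until) = self._find(key, version_id)
        if new_until < retain_until:
            raise ImmutabilityError("retention can be extended, not shortened")
        self._versions[key][index] = (vid, data, new_until)

    def get(self, key, version_id=None):
        """Latest version by default, or a specific version for restores."""
        if version_id is None:
            return self._versions[key][-1][1]
        return self._find(key, version_id)[1][1]

    def version_ids(self, key):
        return [entry[0] for entry in self._versions.get(key, [])]


def ransomware_scenario():
    """Attacker with stolen credentials overwrites a backup and tries to delete it."""
    t0 = datetime(2024, 3, 1, tzinfo=timezone.utc)
    bucket = WormBucket(default_retention=timedelta(days=30))
    clean = bucket.put("backups/db.tar", b"clean backup", now=t0)
    day1 = t0 + timedelta(days=1)
    bucket.put("backups/db.tar", b"ENCRYPTED", now=day1)   # lands as a new version
    outcome = {"latest_is_garbage": bucket.get("backups/db.tar") == b"ENCRYPTED"}
    try:
        bucket.delete_version("backups/db.tar", clean, now=day1)
        outcome["delete_blocked"] = False
    except ImmutabilityError:
        outcome["delete_blocked"] = True
    try:
        bucket.extend_retention("backups/db.tar", clean, new_until=day1)
        outcome["shorten_blocked"] = False
    except ImmutabilityError:
        outcome["shorten_blocked"] = True
    outcome["restored"] = bucket.get("backups/db.tar", clean)
    # Once retention lapses, ordinary lifecycle cleanup is allowed again.
    bucket.delete_version("backups/db.tar", clean, now=t0 + timedelta(days=31))
    outcome["deleted_after_expiry"] = clean not in bucket.version_ids("backups/db.tar")
    return outcome


if __name__ == "__main__":
    for name, value in ransomware_scenario().items():
        print(f"{name}: {value!r}")
```

The point the scenario makes is that immutability protects the old version, not the key name: the newest version is the attacker's garbage, so a restore must select a version from before the infection date, and unexpected writes to the backup bucket deserve an alert of their own.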
Avoiding ransomware attacks in the first place is the best way to deal with them. Beyond that, making sure your valuable data is backed up where ransomware cannot reach it keeps downtime and data loss minimal, or avoids them entirely, if you are ever hit.