How to Prevent or Recover From an Attack
It’s late at night. You check your email on your laptop “one last time,” but something is wrong.
The machine is slow. Files won’t open.
The phone rings. It’s your IT team. You hear the words you prayed never to hear: “We’ve been compromised.”
You look down at your laptop: the screen has gone black and red.
You’ve been hit by ransomware, and you have plenty of company.
This article was first published in April 2019 and then updated in October 2020. Ransomware has become increasingly common since then. This post has been updated to reflect current ransomware trends and help businesses and individuals protect their data.
In 2020, the FBI’s Internet Crime Complaint Center received 2,474 ransomware complaints, and those are just the ones that got reported. Cybersecurity Ventures expects that businesses will fall victim to a ransomware attack every 11 seconds in 2021, up from every 14 seconds in 2019, and every 40 seconds in 2016.
Ransomware attacks have become more common and more dangerous over the years, and an attack on a corporate network can cost a company anywhere from thousands to millions of dollars. In 2020, the total number of global ransomware reports increased by 485% year-over-year, according to Bitdefender’s Threat Landscape Report 2020.
The trend is compounded by the fact that more people work remotely because of the ongoing global pandemic, and cybercriminals have seized the opportunity to attack those working outside the corporate firewall. Scams and phishing attempts increased on every platform, indicating that attackers used COVID-19 to exploit fear and misinformation. Bitdefender observed that attacks focused on COVID-19-related messaging in the first half of 2020 before shifting to impersonation of banking, delivery, and travel services in the second half.
Ransom demands are reaching new heights: attempts have gone as high as $50 million, the largest attempted ransom ever, and many companies have refused to pay such astronomical demands. Coveware’s Q4 2020 Quarterly Ransomware Report noted that the average payment decreased 34%, to $154,108 from $233,817 in Q3 2020. The decrease is attributed to declining trust that attackers will not leak sensitive data, following multiple reports of data being released even after payment.
Ransomware can affect every industry: tech, healthcare, oil and gas, higher education, and more. Coveware found that ransomware was most prevalent in the healthcare sector, followed closely by the public and private sectors, even during a global pandemic. Any expectation that an organization’s mission or service to the public might deter malicious actors should be left in the past.
Ransomware is still a serious threat to all businesses, but it has been particularly damaging to those in education and healthcare. In 2020, 1,681 schools were affected by ransomware as well as 560 healthcare facilities according to a report from Emsisoft, a security solutions provider.
In March of 2021, attackers demanded an astronomical $40 million from Broward County Public Schools, the nation’s sixth-largest school district. In August and September of 2020, 57% of ransomware attacks reported to the federal Multi-State Information Sharing and Analysis Center involved schools, compared to 28% of all reported ransomware incidents from January through July.
Hackers have an easy target in the education sector, particularly since schools with tight budgets and old IT equipment have had to support unprecedented levels of IT-reliant remote learning. Schools store sensitive student data that they have a duty to protect, which makes them more likely than others to pay a ransom to avoid having that data made public.
In healthcare, since 2016, 270 ransomware attacks have targeted 2,100 clinics, hospitals, and other health-related businesses, with an estimated overall cost of $31 million.
Attacks on the healthcare system and the public sector can cause serious problems. Fabian Wosar, Emsisoft’s CTO, stated that “ransomware-related deaths were not reported in the United States last year.” Before that luck runs out and lives are lost, security must be strengthened across the public sector.
Understanding ransomware and how to protect your company or organization from it is the first step in increasing security. Learn how to protect yourself against ransomware.
What is Ransomware?
Ransomware is typically delivered by spam, phishing email, and social engineering, but it also reaches endpoints and networks through drive-by downloads and compromised websites. There are many ways a system can be infected, and infection methods change constantly (see “Ransomware: Best Practices” below). Once in place, ransomware locks every file it can reach with strong encryption, then demands payment, usually in Bitcoin, to unlock the files and restore normal operation of the affected IT systems.
Cryptoware, or encrypting ransomware, is the most common type. You might also encounter the following types:
- Non-encrypting ransomware (or lock screens) restricts access to the system or its files without encrypting them.
- MBR ransomware encrypts a drive’s Master Boot Record (or Microsoft’s NTFS structures) so that the victim’s computer cannot boot into its operating system.
- Extortionware, also known as leakware, steals sensitive or damaging data and threatens to release it if the ransom is not paid.
- Mobile ransomware infects cell phones through drive-by downloads or fake applications.
The Latest Trends in Malware
Social distancing has allowed people to shop online, work from home, and learn in new ways over the past year. This increase in online activity has created more security threats, with targets being government and healthcare institutions. Cybercriminals don’t seem to be deterred, even though these institutions are vital during a pandemic. They are constantly evolving their attack strategy, focusing on the areas that offer the best payback with the least effort.
Thanks to ransomware as a service (RaaS), cybercriminals no longer need to be especially skilled to launch an attack: affiliates obtain the malware through the dark web and the operators take a cut of the profits. Oleg Skulkin, Lead Digital Forensics Specialist at the cybersecurity firm Group-IB, told ZDNet: “Affiliate programs make this kind of attack more attractive for cybercriminals. These attacks have become so popular that almost all companies, no matter their size or industry, are potential victims.”
The question is no longer “When will the next ransomware strike occur?” but “Has there already been a breach today?” There is no evidence that ransomware attacks are slowing down, so companies should be prepared. Organizations large and small should understand the importance of having backups and being secure.
Steps in a Ransomware Attack
A typical ransomware attack proceeds in these stages:
- 1. Infection: Once delivered to the system via an email attachment, phishing email, infected application, or any other method, the ransomware takes over the endpoint and every network device it can access.
- 2. Secure key exchange: The ransomware contacts the attackers’ command-and-control server to generate the cryptographic keys it will use on the local system.
- 3. Encryption: The ransomware begins encrypting every file it finds on local computers and the network.
- 4. Extortion: After encryption is complete, the ransomware displays instructions for paying the ransom. If payment is not made, the data will be destroyed.
- 5. Unlocking: Organizations have two options. They can pay the ransom and hope the cybercriminals decrypt the files, or they can try to recover by removing the infected systems from the network and restoring data from clean backups. Unfortunately, negotiating with cybercriminals is often a lost cause: a recent report found that 42% of organizations who paid a ransom did not get their files decrypted.
Who gets attacked?
Ransomware attacks can affect all businesses, regardless of size: around 5% of businesses in the top 10 industry sectors have been targeted, and attacks on businesses of every size and in every sector are increasing.
The phishing attempt that targeted the World Health Organization (WHO), though unsuccessful, shows that attackers regard no target as “out of bounds” when choosing their victims. Such attacks also show that weak controls and underdeveloped IT systems can lead to data breaches.
The United States ranks highest in ransomware attacks. France and Germany are close behind. Windows computers are the most common targets. However, ransomware strains for Macintosh or Linux are also available.
Ransomware is so common that most companies will be affected by it at some point. The best they can do is to be prepared and understand the best ways to minimize the impact of ransomware.
Phishing emails, malicious email attachments, and visits to compromised websites have long been the common vehicles of infection (we wrote about phishing in “Top 10 Ways to Protect Yourself Against Phishing Attacks”), but other methods have become more common recently. Cryptoworms have spread through weaknesses in Microsoft’s Server Message Block and Remote Desktop Protocol. Infected desktop applications, including an accounting package and even Microsoft Office (via Microsoft’s Dynamic Data Exchange, DDE), have been used as infection vectors.
Ransomware strains such as WannaCry, CryptoLocker, and Petya have included worm components that spread across networks on their own, earning them the nickname “cryptoworms.”
Ransomware: How to Stop It
You’ve been hit by ransomware. What are your next steps?
- 1. Isolate the infection: Stop it from spreading by isolating infected computers, shared storage, and network segments.
- 2. Identify the infection: Use evidence from the computer and the ransom messages to determine which malware strain you are dealing with.
- 3. Report: Inform the authorities so that they can coordinate and support countermeasures.
- 4. Determine your options: There are several, and you need to decide which one is right for you.
- 5. Restore and refresh: Use safe backups and trusted sources for programs and software, and make sure you have the right tools to restore or rebuild your computer.
- 6. Plan to prevent recurrence: Assess how the infection happened and determine what you can do to stop it from happening again.
1. Isolate the Infection
It is crucial to detect ransomware quickly and accurately before it spreads across networks and encrypts vital data.
If a computer is suspected of being infected, isolate it immediately from other computers and storage devices: disconnect it from both Wi-Fi and wired networks and unplug any attached storage. Cryptoworms actively look for connections to other computers, and you want to stop that from happening. The ransomware should also be prevented from communicating with its command-and-control server across the network.
Be aware that ransomware can have more than one “victim zero.” It may have entered your home or organization through several computers, or it may still be lying dormant on some systems. Treat all connected computers and networks with suspicion.
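Detecting the encryption stage early is what makes isolation possible. As an added example (not code from the original article), the following Python script runs two heuristics over a constructed file-event log: a burst of files renamed to a new extension within a short window, and a ransom note written into several folders. It flags every host that trips a heuristic, so more than one “victim zero” is caught; the thresholds, note names, host names and log format are assumptions for the example.

```python
"""Flag hosts whose file activity looks like ransomware encryption.
Added example, not from the original article: a burst of files renamed to a
new extension, plus a ransom note dropped into many folders. Thresholds and
note names are assumptions; tune them to your environment."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from pathlib import PurePosixPath

RENAME_BURST = 20   # extension-changing renames within WINDOW trips the alarm
WINDOW = timedelta(seconds=60)
NOTE_DIRS = 3       # distinct folders that received a ransom note
NOTE_NAMES = {"readme_to_decrypt.txt", "how_to_recover_files.html"}  # hypothetical

def parse_event(line):
    """'<ISO time> <host> rename <src> -> <dst>' or '<ISO time> <host> <action> <path>'."""
    ts, host, action, rest = line.split(" ", 3)
    src, dst = rest.split(" -> ") if action == "rename" else (rest, None)
    return datetime.fromisoformat(ts), host, action, src, dst

def flag_hosts(lines):
    """Return {host: [reasons]} for every host that trips a heuristic, so all
    'victim zeros' are caught, not just the first one noticed."""
    renames = defaultdict(deque)  # host -> times of recent extension-changing renames
    note_dirs = defaultdict(set)  # host -> folders where a ransom note appeared
    reasons = defaultdict(list)
    for line in sorted(lines):    # ISO timestamps sort chronologically
        when, host, action, src, dst = parse_event(line)
        if action == "rename" and PurePosixPath(src).suffix != PurePosixPath(dst).suffix:
            q = renames[host]
            q.append(when)
            while when - q[0] > WINDOW:   # drop renames older than the window
                q.popleft()
            if len(q) >= RENAME_BURST and "mass-rename" not in reasons[host]:
                reasons[host].append("mass-rename")
        elif action == "create" and PurePosixPath(src).name.lower() in NOTE_NAMES:
            note_dirs[host].add(str(PurePosixPath(src).parent))
            if len(note_dirs[host]) >= NOTE_DIRS and "ransom-notes" not in reasons[host]:
                reasons[host].append("ransom-notes")
    return dict(reasons)

def sample_events():
    """Constructed log: ws-17 and ws-09 each rewrite a share (two 'victim zeros');
    ws-03 does ordinary edits plus one harmless rename."""
    t0 = datetime(2021, 4, 1, 22, 0, 0)
    lines = [f"{t0.isoformat()} ws-03 rename /share/hr/draft.doc -> /share/hr/draft.docx"]
    for i in range(25):
        t = (t0 + timedelta(seconds=2 * i)).isoformat()
        lines.append(f"{t} ws-17 rename /share/finance/f{i}.xlsx -> /share/finance/f{i}.xlsx.locked")
        lines.append(f"{t} ws-03 modify /share/hr/report{i % 3}.docx")
        t = (t0 + timedelta(minutes=5, seconds=i)).isoformat()
        lines.append(f"{t} ws-09 rename /share/legal/c{i}.pdf -> /share/legal/c{i}.pdf.locked")
    note_time = (t0 + timedelta(seconds=60)).isoformat()
    for folder in ("finance", "hr", "legal"):
        lines.append(f"{note_time} ws-17 create /share/{folder}/readme_to_decrypt.txt")
    return lines
```

Running `flag_hosts(sample_events())` flags ws-17 for both heuristics and ws-09 for the rename burst, while ws-03’s single extension change stays below the threshold.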
2. Identify the Infection
Ransomware usually identifies itself in its ransom demand. Several sites help you identify the strain, including ID Ransomware and the Crypto Sheriff tool from No More Ransom!
Identifying the ransomware tells you what kind it is, how it spreads, what files it encrypts, and what your options are for removal or decryption. It also lets you report the attack to the authorities accurately.
3. Report to the Authorities
Reporting ransomware attacks to the authorities does everyone a favor. The FBI urges victims to report ransomware incidents regardless of the outcome: victim reporting helps law enforcement understand the threat, justifies ransomware investigations, and contributes pertinent information to ongoing cases. The more information the FBI has about victims and their experiences, the better it can identify the perpetrators and the victims they are targeting.
You can file a report with the FBI at the Internet Crime Complaint Center.
There are other ways to report ransomware, as well.
4. Determine your options
Once infected with ransomware, your options are:
- To pay the ransom.
- To remove the malware.
- To wipe the system and reinstall it from scratch.
Paying the ransom is generally a bad idea. It encourages further ransomware, and often the encrypted files are never unlocked.
A recent survey found that more than three-quarters of respondents (77%) said their company is unlikely to pay a ransom to recover its data; only a minority said they would pay. Even so, 33% of companies have set up Bitcoin accounts in preparation.
Even if you decide to pay, it’s very possible you won’t get back your data.
That leaves two options: remove the malware and selectively restore the system, or wipe everything and start over.
5. Restore or Start Fresh
You can choose to either remove malware from your system or wipe your system and reinstall it from safe backups.
Eliminate the Infection
Various software packages and websites claim they can remove ransomware from your systems; No More Ransom! is one, and others can be found as well.
It is not always clear whether an infection can be completely and successfully removed, and there isn’t a working decryptor for every ransomware strain. Unfortunately, ransomware grows more complex over time, and decryptors take longer to create.
It is best to wipe all systems clean
A complete wipe of all devices on your system and reinstallation of everything is the best way to ensure that ransomware or malware has been removed. You can format the hard drives in your system to remove any remnants of malware.
If you’ve been following a sound backup strategy, you should have copies of all your documents, media, and important files right up to the time of the infection.
Use the dates on malware files, the ransom messages, and anything else you learn about the malware’s operation to determine the date of infection as precisely as possible. Bear in mind that the infection may have been present on your system for some time before it activated and caused significant damage. Identifying and learning about the malware that attacked you helps you understand what it did and choose the best strategy for restoring your system.
Choose a backup that was made before the ransomware attack. With Extended Version History, you can go back in time and specify the date before which you wish to restore files.
You should be able to use the backup copies you have made, provided your backup policy includes both off-site and local backups. Backup drives that were completely disconnected should be safe, as should files stored in the cloud.
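Choosing the restore point described above can be made systematic. As an added example (not code from the original article), the following Python script estimates the infection onset from the earliest encrypted file or ransom note, backs off by a dwell-time margin because the malware may have been present before it activated, and then picks the newest snapshot that both predates that cutoff and was stored immutably (WORM/Object Lock), skipping any copy the worm could have reached. The file metadata, snapshot list, “.locked” suffix, note name and margin are all constructed assumptions.

```python
"""Pick the newest backup that predates the infection and was beyond the
malware's reach. Added example, not from the original article; the file
metadata and snapshot list are constructed, and the '.locked' suffix, note
name and dwell-time margin are assumptions."""
from datetime import datetime, timedelta

ENCRYPTED_SUFFIX = ".locked"            # learned in the identification step (assumed here)
NOTE_NAMES = {"readme_to_decrypt.txt"}  # hypothetical ransom note name
DWELL_MARGIN = timedelta(days=2)        # back off this far before the first encrypted file

# Constructed: (path, modification time) for files found on the infected host.
INFECTED_FILES = [
    ("/share/finance/q1.xlsx.locked", datetime(2021, 4, 1, 22, 1, 10)),
    ("/share/finance/q2.xlsx.locked", datetime(2021, 4, 1, 22, 1, 12)),
    ("/share/finance/readme_to_decrypt.txt", datetime(2021, 4, 1, 22, 3, 0)),
    ("/share/hr/plan.docx", datetime(2021, 3, 29, 9, 0, 0)),   # untouched file
]
# Constructed: (snapshot id, time taken, stored under WORM/Object Lock?).
SNAPSHOTS = [
    ("snap-0328", datetime(2021, 3, 28, 2, 0), True),
    ("snap-0329", datetime(2021, 3, 29, 2, 0), True),
    ("snap-0330", datetime(2021, 3, 30, 2, 0), False),  # on a mapped share the worm could reach
    ("snap-0331", datetime(2021, 3, 31, 2, 0), True),
    ("snap-0401", datetime(2021, 4, 1, 2, 0), True),
    ("snap-0402", datetime(2021, 4, 2, 2, 0), True),    # taken after encryption ran
]

def infection_onset(files, suffix=ENCRYPTED_SUFFIX, notes=NOTE_NAMES):
    """Earliest mtime among encrypted files and ransom notes, or None if none found."""
    hits = [mtime for path, mtime in files
            if path.endswith(suffix) or path.rsplit("/", 1)[-1] in notes]
    return min(hits, default=None)

def choose_restore_point(snapshots, onset, margin=DWELL_MARGIN):
    """Newest immutable snapshot taken before onset minus the dwell margin."""
    cutoff = onset - margin
    safe = [(taken, sid) for sid, taken, immutable in snapshots
            if immutable and taken < cutoff]
    return max(safe)[1] if safe else None

def restore_plan(files=INFECTED_FILES, snapshots=SNAPSHOTS, margin=DWELL_MARGIN):
    """Tie the two steps together: returns (onset, cutoff, chosen snapshot id)."""
    onset = infection_onset(files)
    if onset is None:
        return None
    return onset, onset - margin, choose_restore_point(snapshots, onset, margin)
```

With the sample data the onset is 2021-04-01 22:01:10, the two-day margin moves the cutoff to 2021-03-30 22:01:10, and snap-0329 is chosen because snap-0330 sat on a reachable share and snap-0331 is after the cutoff; a zero margin would select snap-0401 instead.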
Ransomware: Best Practices
Security experts recommend several preventative measures to avoid ransomware attacks.
- 1. Use anti-virus and anti-malware software to prevent known payloads from launching.
- 2. Keep regular, complete backups of all important files. Isolate them from open and local networks.
- 3. Object Lock, an immutable backup option, lets you keep truly air-gapped backups: the data cannot be deleted or modified within the specified timeframe. You can quickly recover uninfected data from immutable backups and redeploy it, so you can return to work with minimal interruption.
Object Lock stores backup objects using a Write Once Read Many (WORM) model, meaning that once data is written it cannot be modified. Because no one can encrypt or tamper with locked data, it is a strong line of defense against ransomware attacks.
- 4. Make offline backups of your data in places that are inaccessible to any infected computer. This prevents ransomware from gaining access to them.
- 5. Keep your OS and applications current with the latest security updates from their vendors. Patch quickly and often to close known vulnerabilities in browsers, operating systems, and web plugins.
- 6. Consider installing security software to protect your network, email servers, and endpoints from infection.
- 7. Practice cyber hygiene: use caution when opening attachments or clicking links in emails.
- 8. Segment your networks to keep critical computers isolated and stop malware from spreading in the event of an attack. Disable unneeded network shares.
- 9. Remove admin rights from users who do not require them, and grant users the minimum system permissions necessary to do their work.
- 10. Limit write permissions on file servers as much as possible.
- 11. Educate your family, your employees, and your loved ones about the best ways to keep malware out of your systems, and keep everyone informed about the latest email scams and social engineering tactics that aim to turn victims into accomplices.