Ransomware: How to Prevent or Recover From an Attack
This is how it looks.
It’s already late at night. Perhaps you checked your email on your laptop “one last time.” But something is wrong.
It is slow. Files won’t open.
The phone rings. It’s your IT team. You hear the words you prayed to the IT gods never to hear: “We’ve been compromised.”
You look down at your laptop, and there it is, in black and red.
Ransomware has infected you. You have lots of company.
This article was first published in April 2019 and then updated in October 2020. Ransomware has become increasingly common since then. This post has been updated to reflect current ransomware trends and help businesses and individuals protect their data.
In 2020, the FBI’s Internet Crime Complaint Center received 2,474 ransomware complaints, and those are just the ones that got reported. Cybersecurity Ventures expects that businesses will fall victim to a ransomware attack every 11 seconds in 2021, up from every 14 seconds in 2019, and every 40 seconds in 2016.
Ransomware attacks have become more common and more dangerous over the years. A successful attack on a corporate network can cost a company anywhere from thousands to millions of dollars. In 2020, the total number of global ransomware reports increased 485% year-over-year, according to Bitdefender’s Threat Landscape Report 2020.
The trend is compounded by the fact that more people work remotely due to the ongoing global pandemic. Cybercriminals take advantage of this to attack people working outside the corporate firewall. Scams and phishing attempts increased on all platforms, indicating that attackers used COVID-19 to exploit fear and misinformation. Bitdefender observed that attacks centered on COVID-19-related lures in the first half of 2020, then shifted to impersonating banking, delivery, and travel services in the second half.
Ransom demands are reaching new heights. One attempt reached $50 million, the largest demand on record at the time. Many companies refused to pay such astronomical demands. Coveware’s Q4 2020 Quarterly Ransomware Report noted that the average payment decreased 34%, to $154,108 from $233,817 in Q3 2020. The decrease reflects eroding trust that attackers will actually delete stolen data once paid: there have been many reports of data being leaked even after a ransom was paid.
Ransomware affects all industries: tech, healthcare, oil and gas, higher education, and more. Bitdefender found ransomware most prevalent in the healthcare sector, followed closely by the public and private sectors, even during a global pandemic. If anyone still expected a business’s mission or service to the public to deter malicious actors, that assumption belongs in the past.
Ransomware is still a serious threat to all businesses, but it has been particularly damaging to those in education and healthcare. In 2020, 1,681 schools were affected by ransomware as well as 560 healthcare facilities according to a report from Emsisoft, a security solutions provider.
In March of 2021, attackers demanded an astronomical $40 million from Broward County Public Schools, the nation’s sixth-largest school district. In August and September of 2020, 57% of ransomware attacks reported to the federal Multi-State Information Sharing and Analysis Center involved schools, compared to 28% of all reported ransomware incidents from January through July.
Hackers have an easy target in the education sector, particularly since schools with tight budgets and aging IT equipment experienced unprecedented levels of IT-reliant remote learning. Schools also store sensitive student data that they are obligated to protect, which makes them more likely than others to pay a ransom rather than have that data made public.
In healthcare, since 2016, 270 ransomware attacks have targeted 2,100 clinics, hospitals, and other health-related businesses, with an estimated overall cost of $31 million.
Attacks on the healthcare system and the public sector can cause serious problems. Fabian Wosar, Emsisoft’s CTO, stated that “ransomware-related deaths were not reported in the United States last year.” Before that luck runs out and lives are lost, security must be strengthened across the public sector.
Understanding ransomware and how to protect your company or organization from it is the first step in increasing security. Learn how to protect yourself against ransomware.
What is Ransomware?
Ransomware is typically spread via spam, phishing email, and social engineering. It can also be delivered through drive-by downloads and compromised websites to infect an endpoint or penetrate a network. There are many ways a system can be infected, and infection methods change constantly (see section 6, “How to Prevent Ransomware Attacks”). Once in place, ransomware encrypts every file it can reach with strong encryption. The malware then demands payment, usually in Bitcoin or another cryptocurrency, in exchange for the key needed to unlock the files and restore normal operations to the affected IT systems.
Cryptoware, or encryption ransomware, is the most popular type of ransomware. You might also encounter the following types:
- Non-encrypting ransomware (or lock screens) restricts access to files but does not encrypt them.
- Ransomware that encrypts the Master Boot Record (MBR) of a drive, or the NTFS file system structures on Windows, prevents the victim’s computer from booting into its operating system at all.
- Extortionware, also known as leakware, is a program that steals sensitive or harmful data and threatens to release it if the ransom is not paid.
- Mobile ransomware infects phones through drive-by downloads or fake applications.
The Latest Trends in Ransomware
Social distancing has pushed people to shop online, work from home, and learn in new ways over the past year. This increase in online activity has created more security threats, with government and healthcare institutions among the targets. Cybercriminals are not deterred by how vital these institutions are during a pandemic. They constantly evolve their attack strategy, focusing on the areas that offer the best payback for the least effort.
Cybercriminals no longer need to be especially skilled to launch an attack, thanks to ransomware as a service (RaaS). Affiliates obtain the ransomware through the dark web and split the profits with its operators. Oleg Skulkin, Lead Digital Forensics Specialist at the cybersecurity firm Group-IB, told ZDNet: “Affiliate programs make this kind of attack more attractive for cybercriminals. These attacks have become so popular that almost all companies, no matter their size or industry, are potential victims.”
The question is no longer “When will the next ransomware strike occur?” but “Has there already been a breach today?” There is no evidence that ransomware attacks are slowing down, so companies should be prepared. Organizations large and small need to understand the importance of backups and security.
Steps in a Ransomware Attack
A ransomware attack typically unfolds in these stages:
- 1. Infection: Once delivered to a system via an email attachment, phishing link, infected application, or another method, the ransomware installs itself on the endpoint and on any network devices it can reach.
- 2. Secure key exchange: The ransomware contacts the attackers’ command-and-control server to obtain or register the cryptographic keys it will use locally. In the usual design, files are encrypted with keys that only the attackers’ private key can recover, so the victim cannot decrypt them without the attackers’ cooperation.
- 3. Encryption: The ransomware begins encrypting every file it can find on the local computer and on the network.
- 4. Extortion: After encryption completes, the ransomware displays a ransom note with payment instructions. The note typically threatens that the data will be destroyed, or increasingly published, if payment is not made.
- 5. Unlocking: Organizations have two options. They can pay the ransom and hope the criminals decrypt the files, or they can remove the infected systems from the network and restore data from clean backups. Unfortunately, negotiating with cybercriminals is often a lost cause: a recent report found that 42% of organizations who paid a ransom did not get their files decrypted.
Who gets attacked?
Ransomware attacks affect businesses of all sizes and in every industry, and attacks on every size of business and every sector are increasing.
The phishing attempt that targeted the World Health Organization (WHO), though unsuccessful, proves that attackers recognize no “out of bounds” targets when choosing their victims. Such attacks show how weaker controls and immature IT systems can lead to data breaches.
The United States ranks highest in ransomware attacks, with France and Germany close behind. Windows computers are the most common targets, but ransomware strains for macOS and Linux exist as well.
Ransomware is so common that most companies will be affected by it at some point. The best they can do is to be prepared and understand the best ways to minimize the impact of ransomware.
Phishing emails, malicious email attachments, and visits to compromised websites have been the common vehicles of infection (we wrote about phishing in “Top 10 Ways to Protect Yourself Against Phishing Attacks”), but other methods have become more common recently. Cryptoworms have spread through weaknesses in Microsoft’s Server Message Block (SMB) and Remote Desktop Protocol (RDP). Infected desktop applications, including an accounting package, and even Microsoft Office, via its Dynamic Data Exchange (DDE) feature, have been used as delivery agents.
Ransomware strains like WannaCry, CryptoLocker, and Petya have included worm components that spread on their own across networks, earning them the nickname “cryptoworms.”
Ransomware: How to Stop It
You’ve been infected by ransomware. What are your next steps?
- 1. Isolate the infection: Prevent the infection from spreading by separating infected computers, shared storage, and the network.
- 2. Identify the infection: Use evidence from the computer and the ransom messages to determine which malware strain you are dealing with.
- 3. Report: Inform the authorities so they can support and coordinate measures against the attackers.
- 4. Determine your options: There are several ways to respond; decide which one is right for you.
- 5. Restore and refresh: Use safe backups, original program and software sources, and the right tools to restore or rebuild your systems.
- 6. Plan to prevent recurrence: Assess how the infection occurred and what you can do to prevent it from happening again.
1. Isolate the Infection
It is crucial to detect ransomware quickly and accurately before it spreads across networks and encrypts vital data.
If a computer is suspected of being infected, immediately isolate it from other computers and storage devices: disconnect it from Wi-Fi and wired networks and from any attached storage. Cryptoworms actively look for connections to other computers, and you want to stop that. You also want to stop the ransomware from communicating with its command-and-control server across the network.
Be aware that there may be more than one “patient zero.” The ransomware could have entered your home or organization through multiple computers, or it may be present but not yet active on some systems. Treat all connected computers and networks with suspicion.
2. Identify the Infection
Ransomware will most often identify itself in its ransom note. Several sites can help you identify a strain, including ID Ransomware and the No More Ransom! project’s Crypto Sheriff.
Identifying the ransomware tells you what kind of ransomware it is, how it spreads, what files it encrypts, and what your options are for removal or disinfection. It also lets you report the attack to the authorities accurately.
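Identification starts from the artifacts the ransomware leaves behind: a ransom note, a new extension appended to every file, and file contents that no longer look like documents. The following is an added example, not code from the original article and not part of ID Ransomware or Crypto Sheriff; it scans a directory tree for those three signs and applies a simple decision rule. The note filenames, the list of “expected” extensions, the entropy threshold, and the sample files it builds are all constructed assumptions, and a real identification should still submit the actual note and a sample file to one of the services above.

```python
"""Scan a directory tree for the artifacts ransomware leaves behind.

Added example, not code from the article. The note names, extension list
and thresholds are illustrative assumptions, not an authoritative list.
"""
import math
import os
import shutil
import tempfile
from collections import Counter
from pathlib import Path

# Assumption: a small sample of filenames that ransom notes commonly use.
NOTE_NAMES = {"readme.txt", "how_to_decrypt.txt", "decrypt_instructions.html", "!readme!.txt"}
# Assumption: extensions a typical office/home file set is expected to contain.
KNOWN_EXTENSIONS = {".txt", ".docx", ".xlsx", ".pdf", ".jpg", ".png", ".csv"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte. Ciphertext approaches 8.0; English text sits near 4-5."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan_tree(root, entropy_threshold=7.0):
    """Collect ransom notes, unexpected extensions and encrypted-looking files under root."""
    notes, odd_ext, high_entropy = [], Counter(), []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if name.lower() in NOTE_NAMES:
                notes.append(str(path))
                continue
            ext = path.suffix.lower()
            if ext and ext not in KNOWN_EXTENSIONS:
                odd_ext[ext] += 1
            try:
                head = path.read_bytes()[:4096]  # the first 4 KiB is enough to judge
            except OSError:
                continue
            if len(head) >= 256 and shannon_entropy(head) >= entropy_threshold:
                high_entropy.append(str(path))
    return {"notes": notes, "extensions": dict(odd_ext), "high_entropy": high_entropy}


def likely_ransomware(report, min_files=5):
    """Decision rule: a ransom note, or many encrypted-looking files sharing one new extension.

    Entropy alone is not enough: JPEGs, ZIPs and other compressed formats are
    also high-entropy, so the rule additionally requires a repeated unknown
    extension, which is how most encrypting strains mark their output.
    """
    if report["notes"]:
        return True
    if len(report["high_entropy"]) >= min_files and report["extensions"]:
        top_count = max(report["extensions"].values())
        return top_count >= min_files
    return False


def build_demo_tree(with_note: bool) -> str:
    """Constructed sample: six 'encrypted' files, one plaintext file, optionally a note."""
    root = tempfile.mkdtemp(prefix="rw_demo_")
    for i in range(6):
        # os.urandom stands in for ciphertext, which is indistinguishable from random bytes.
        Path(root, f"report{i}.docx.locked").write_bytes(os.urandom(2048))
    Path(root, "notes.txt").write_text("quarterly figures, unchanged plaintext\n" * 20)
    if with_note:
        Path(root, "HOW_TO_DECRYPT.txt").write_text("Your files are encrypted. Pay to recover them.\n")
    return root


def demo(with_note: bool):
    """Build the sample tree, scan it, clean up, and return (report, verdict)."""
    root = build_demo_tree(with_note)
    try:
        report = scan_tree(root)
        return report, likely_ransomware(report)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    report, verdict = demo(with_note=False)
    print("unexpected extensions:", report["extensions"])
    print("encrypted-looking files:", len(report["high_entropy"]))
    print("likely ransomware:", verdict)
```

The report’s extension counts and any note it finds are exactly what the identification services ask for; the appended extension and the note’s wording are usually enough to name the family and look up whether a decryptor exists.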
3. Report to the Authorities
Reporting ransomware attacks to the authorities does everyone a favor. The FBI urges victims to report ransomware incidents regardless of the outcome. Victim reporting helps law enforcement gain a better understanding of the threat, justifies ransomware investigations, and contributes pertinent information to ongoing cases. The more the FBI knows about victims and their experiences, the better it can identify the perpetrators and the targets they go after.
You can file a report with the FBI at the Internet Crime Complaint Center.
There are other ways to report ransomware, as well.
4. Determine Your Options
When you are infected with ransomware, your options are:
- To pay the ransom.
- To remove the malware.
- To wipe the system and reinstall it from scratch.
Paying the ransom is generally a bad idea. Payment encourages more ransomware, and it often does not result in the encrypted files being unlocked.
A recent survey found that more than three-quarters of respondents stated their company is unlikely to pay ransom to recover their data (77%). Only 3% of respondents said they would pay a ransom.
Even if you decide to pay, it’s very possible you won’t get back your data.
That leaves two options: remove the malware and selectively restore the system, or wipe everything and start over.
5. Restore or Start Fresh
You can choose to either remove malware from your system or wipe your system and reinstall it from safe backups.
Eliminate the Infection
Various software packages and websites claim to remove ransomware from your systems. No More Ransom! is one; others are available as well.
It is not always possible to completely and reliably remove an infection, and there is no working decryptor for every ransomware strain. Ransomware grows more sophisticated over time, and decryptors take longer to develop as a result.
It is best to wipe all systems clean
A complete wipe of every device and a reinstallation of everything is the best way to ensure that the ransomware has been removed. Formatting the hard drives removes any remnants of malware.
If you’ve been following a sound backup strategy, you should have copies of all your documents, media, and important files right up to the time of the infection.
Use the dates on the malware’s files, its messages, and anything else you learn about its operation to determine the date of infection. Bear in mind that an infection can sit in a system for some time before activating and doing significant damage. Identifying and learning about the malware that attacked your system helps you understand how it works and choose the best strategy for restoring.
Choose a backup made before the ransomware attack. With Extended Version History, you can go back in time and specify the date before which you wish to restore files.
Provided your backup policy includes both off-site and local backups, you should be able to use those copies. Backup drives that were completely disconnected should be safe, as are files stored in the cloud, provided the service keeps earlier versions that the infected machine could not overwrite.
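Choosing the restore point is a two-part decision: bound the infection time from the artifacts you found during identification, then take the newest version of each file from before that bound, but only if its contents still look like the file they claim to be. The following added example (not code from the original article and not any backup vendor’s API) implements that selection over an in-memory version history; the history records, the file contents, the one-hour safety margin, and the small table of file signatures are all constructed assumptions, and a real restore would list versions through the backup service.

```python
"""Pick a clean restore point from a backup's version history.

Added example, not code from the article or from any backup product.
The version records and file contents below are constructed.
"""
from datetime import datetime, timedelta, timezone

# Assumption: leading bytes for a few file types. A correctly restored file
# of one of these types must start with them; ciphertext will not.
MAGIC = {
    ".pdf": b"%PDF-",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".docx": b"PK\x03\x04",
    ".zip": b"PK\x03\x04",
}
SAFETY_MARGIN = timedelta(hours=1)  # assumption: payload may be staged before encrypting


def infer_infection_time(indicators):
    """Earliest modification time among ransomware artifacts, minus a safety margin.

    `indicators` is a list of (path, mtime) pairs gathered during identification:
    ransom notes and files carrying the attacker's extension.
    """
    if not indicators:
        raise ValueError("no indicators; cannot bound the infection time")
    return min(mtime for _, mtime in indicators) - SAFETY_MARGIN


def looks_intact(name, content):
    """True unless the file type has a known signature and the content lacks it."""
    ext = name[name.rfind("."):].lower() if "." in name else ""
    expected = MAGIC.get(ext)
    return expected is None or content.startswith(expected)


def choose_restore_version(versions, cutoff):
    """Newest version older than `cutoff` whose content passes the signature check.

    Each version is a dict with keys name, timestamp (tz-aware) and content.
    Returns None when no version qualifies, meaning an older or off-site copy is needed.
    """
    candidates = sorted((v for v in versions if v["timestamp"] < cutoff),
                        key=lambda v: v["timestamp"], reverse=True)
    for v in candidates:
        if looks_intact(v["name"], v["content"]):
            return v
    return None


def plan_restore(history, indicators):
    """Map each file to the timestamp of the version to restore (None if none is safe)."""
    cutoff = infer_infection_time(indicators)
    plan = {}
    for name, versions in history.items():
        chosen = choose_restore_version(versions, cutoff)
        plan[name] = chosen["timestamp"] if chosen else None
    return cutoff, plan


# Constructed sample data. T0 is the first backup; the ransom note appears at T0 + 3 days.
T0 = datetime(2021, 3, 1, 9, 0, tzinfo=timezone.utc)
SAMPLE_HISTORY = {
    "budget.pdf": [
        {"name": "budget.pdf", "timestamp": T0, "content": b"%PDF-1.7 original"},
        {"name": "budget.pdf", "timestamp": T0 + timedelta(days=1), "content": b"%PDF-1.7 revised"},
        # encrypted copy that was backed up after the note appeared
        {"name": "budget.pdf", "timestamp": T0 + timedelta(days=3, hours=2), "content": b"\x8f\x1a\x42\xd3"},
    ],
    "logo.png": [
        {"name": "logo.png", "timestamp": T0, "content": b"\x89PNG\r\n\x1a\n\x00\x00"},
        # encrypted copy backed up BEFORE the cutoff: the timestamp rule alone would pick it
        {"name": "logo.png", "timestamp": T0 + timedelta(days=2, hours=22), "content": b"\x17\x9c\x00\x41"},
    ],
    "memo.txt": [
        {"name": "memo.txt", "timestamp": T0 + timedelta(days=3, hours=1), "content": b"plain text memo"},
    ],
}
SAMPLE_INDICATORS = [
    ("HOW_TO_DECRYPT.txt", T0 + timedelta(days=3)),
    ("budget.pdf.locked", T0 + timedelta(days=3, minutes=5)),
]

if __name__ == "__main__":
    cutoff, plan = plan_restore(SAMPLE_HISTORY, SAMPLE_INDICATORS)
    print("restore versions older than", cutoff.isoformat())
    for name, when in plan.items():
        print(f"  {name}: {when.isoformat() if when else 'NO SAFE VERSION, use off-site copy'}")
```

The `logo.png` case is the one worth noticing: an encrypted copy was synced before the note was written, so it slips under the time cutoff, and only the content check keeps it out of the restore. The `memo.txt` case shows the other failure mode, a file whose only version post-dates the infection, which is exactly what the off-site or disconnected copies from the previous paragraph are for.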
System Restore is not the best strategy against ransomware and malware
It is tempting to roll your system back to a System Restore point, but System Restore is not a good way to remove viruses and other malware. Malicious software can hide in many places on a computer system, and System Restore cannot remove all of it. System Restore also does not bring back your personal files: it neither replaces nor deletes the personal files created after the restore point, so it cannot recover documents the ransomware encrypted. Don’t expect System Restore to act as a backup. You should always have a separate backup plan for all personal files.
Ransomware can also encrypt local backups. If your backup target is local and connected to a computer that gets infected, your backups may be encrypted along with the rest of your data.
With a good backup solution that is isolated from your local computers, you can easily obtain the files you need to get your system working again. You have the flexibility to decide which files to restore, from which date, and how to retrieve them.
You will need to reinstall your OS and software applications from the original media or the internet. If you have kept good records of your accounts, you should be able to reactivate applications that require credentials. Your password manager gives you account numbers, usernames, and passwords through its web interface or mobile apps; just make sure you still have access to its master username and password.
6. How to Prevent Ransomware Attacks
Ransomware attacks can cause serious damage to a home or business. Irreplaceable and valuable files can be lost, and it can take hundreds of hours to remove the infection and get systems back up and running.
Ransomware attacks are constantly evolving and the attack methods are becoming more sophisticated. That doesn’t mean you have to become a statistic. With smart planning and smart practices, you can keep ransomware from affecting your systems.
Find out how ransomware enters your computer and workplace
To be prepared, you need to understand how ransomware could enter your system. An attack vector is a path into your system.
There are two broad kinds of attack vectors: human attack vectors and machine attack vectors.
Human Attack Vectors
Social engineering is the technique attackers use to get people to let malware onto their computers. In information security, social engineering refers to manipulating individuals into divulging confidential or personal information, or taking actions, that can be used for fraud. People are tricked into doing things they otherwise would not.
Common vectors of attack against humans include:
1. Phishing
Phishing uses fake email to trick people into opening attachments or clicking on links that deliver malware. An email may be sent to one individual or to several people within an organization. Sometimes the emails are targeted to appear more credible: the attackers spend time researching the targets and their businesses so that the sender appears to be a known person or the subject matter is relevant to the recipient’s job. When personalized this way, the attack is called spear phishing. Read more about this attack vector in our post, “Top 10 Ways to Protect Yourself Against Phishing Attacks.”
2. SMSishing
SMSishing uses text messages to get recipients to visit a website or enter personal information on their device. Common lures are fake authentication messages or messages that appear to come from a financial service provider. Some mobile ransomware attempts to spread itself by sending texts to everyone in the device’s contact list.
3. Vishing
Vishing uses voice calls and voicemail in the same way as SMS and email to deceive victims. The recipient is instructed to call a number that has been spoofed to look legitimate. The victim calls and is walked through several steps to “fix” a problem, which include installing malware on their computer. Cybercriminals use sound effects and other techniques to seem professional and legitimate. Like spear phishing, vishing can target a specific individual or company using information the criminals have gathered.
4. Social Media
Social media posts can be used to persuade victims to download images or other files, or to take other compromising actions. The download might be music, video, or other active content that infects the victim’s computer once opened.
5. Instant Messaging
Cybercriminals can hack instant messaging clients and distribute malware to victims’ contact lists. This was the method used to distribute Locky ransomware among unsuspecting victims.
Machine Attack Vectors
Machine-to-machine attack vectors are the other type. Humans may still play a part, for example by visiting a site, but the attack itself is automated and needs no human cooperation to get into your computer or network.
1. Drive-by
Drive-by attacks get their name because all it takes to infect a victim is opening a website with malicious code embedded in an image or other active content.
2. System Vulnerabilities
Cybercriminals find vulnerabilities in systems and exploit them to install ransomware. Systems that have not received security updates are the most vulnerable.
3. Malvertising
Malvertising works like a drive-by attack but uses malicious ads to deliver the malware. The ads can be placed on popular social media sites or search engines to reach large audiences. Adult-only websites are a common source of malvertising.
4. Network Propagation
Once ransomware is inside a system, it scans for files and for other accessible computers and spreads through the network and shared systems. With insufficient security, infected files and network shares can even carry it to other companies. The malware spreads until it runs out of reachable systems or hits a security barrier.
5. Propagation through Shared Services
Ransomware can spread through online file-sharing and syncing services. If it ends up in a shared folder, it can spread to other machines and offices. It moves quickly if the service is configured to sync files automatically whenever they are added or modified, which many file-sharing services do by default.
Consider carefully which automatic-sync settings you use, and be cautious about sharing files when you don’t know exactly where they came from.
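One practical control for the sync problem described above is to watch the sync service’s own event stream for the signature of mass encryption: a burst of renames that all append the same new extension within a short window, which is something no normal user workflow produces. The following added example (not code from the original article or from any sync vendor) runs that check over a constructed event log. The log format, the field names, the 60-second window, and the five-rename threshold are assumptions for the example; real services expose different audit formats, so `parse_event()` is the piece to adapt.

```python
"""Detect a mass-rename burst in a file-sync service's event log.

Added example, not code from the article or from any sync product. The log
format is invented for the example: one event per line, in time order,
'<ISO-8601 UTC> <RENAME|MODIFY|CREATE> <path>[ -> <new path>]'.
"""
from collections import deque
from datetime import datetime, timedelta


def parse_event(line):
    """Split one log line into a dict; RENAME events carry both old and new paths."""
    ts, action, rest = line.strip().split(" ", 2)
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    if action == "RENAME":
        old, new = (p.strip() for p in rest.split("->", 1))
        return {"when": when, "action": action, "path": old, "new_path": new}
    return {"when": when, "action": action, "path": rest, "new_path": None}


def added_suffix(old, new):
    """Extension appended by a rename that keeps the old name, e.g. 'a.xlsx' -> 'a.xlsx.locked'."""
    if new.startswith(old + "."):
        return new[len(old):]
    return None


def detect_rename_burst(lines, window=timedelta(seconds=60), threshold=5):
    """Return (suffix, first_time) for the first burst of `threshold` or more renames
    that append the same suffix within `window`; None if the log looks benign.

    Ordinary renames (draft.docx -> final.docx) never add a suffix and are ignored,
    so a user tidying a folder does not trip the detector.
    """
    recent = deque()  # (when, suffix) for suffix-adding renames inside the window
    for line in lines:
        ev = parse_event(line)
        if ev["action"] != "RENAME":
            continue
        suffix = added_suffix(ev["path"], ev["new_path"])
        if suffix is None:
            continue
        recent.append((ev["when"], suffix))
        while recent and ev["when"] - recent[0][0] > window:
            recent.popleft()
        same = [t for t, s in recent if s == suffix]
        if len(same) >= threshold:
            return suffix, same[0]
    return None


# Constructed sample: two benign events, then an encryption run in a finance share.
SAMPLE_LOG = """\
2021-03-04T09:00:01Z MODIFY /shared/finance/q1.xlsx
2021-03-04T09:00:05Z RENAME /shared/finance/draft.docx -> /shared/finance/final.docx
2021-03-04T09:12:10Z RENAME /shared/finance/q1.xlsx -> /shared/finance/q1.xlsx.locked
2021-03-04T09:12:11Z RENAME /shared/finance/q2.xlsx -> /shared/finance/q2.xlsx.locked
2021-03-04T09:12:11Z MODIFY /shared/finance/q2.xlsx.locked
2021-03-04T09:12:13Z RENAME /shared/finance/notes.txt -> /shared/finance/notes.txt.locked
2021-03-04T09:12:14Z RENAME /shared/hr/handbook.pdf -> /shared/hr/handbook.pdf.locked
2021-03-04T09:12:16Z RENAME /shared/hr/payroll.csv -> /shared/hr/payroll.csv.locked
2021-03-04T09:12:17Z CREATE /shared/hr/HOW_TO_DECRYPT.txt
""".splitlines()

# Constructed sample: the same five renames spread two minutes apart, outside the window.
SLOW_LOG = [
    f"2021-03-04T09:{m:02d}:00Z RENAME /shared/finance/f{m}.xlsx -> /shared/finance/f{m}.xlsx.locked"
    for m in (0, 2, 4, 6, 8)
]

if __name__ == "__main__":
    hit = detect_rename_burst(SAMPLE_LOG)
    if hit:
        suffix, first = hit
        print(f"pause sync: {suffix!r} appended to files in bulk starting {first.isoformat()}")
    else:
        print("no burst detected")
```

The action on a hit is the one the paragraph above implies: pause automatic syncing for that share, so the encrypted copies stop propagating to other machines and the service’s earlier versions stay available for restore. The `SLOW_LOG` case shows the trade-off of a sliding window: a strain that deliberately throttles itself below the threshold is not caught by rate alone and needs the content-based checks from the identification step as well.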
Ransomware: Best Practices
Security experts recommend several preventative measures to avoid ransomware attacks.
- 1. Use antivirus and antimalware software to prevent known payloads from launching.
- 2. Keep regular, complete backups of all important files. Isolate them from open and local networks.
- 3. Object Lock, an immutable backup option, lets you keep backups that are effectively air-gapped: the data cannot be deleted or modified for the specified retention period. You can quickly recover uninfected data from immutable backups and get back to work without interruption.
Object Lock stores objects using a Write Once, Read Many (WORM) model: once written, data cannot be modified or deleted until the lock expires. That means no one, not even an attacker holding your credentials, can encrypt or tamper with the locked copy, which makes it a strong line of defense against ransomware.
- 4. Keep offline backups of your data in places no infected computer can reach, so ransomware cannot get at them.
- 5. Apply the latest security updates from your OS and application vendors. Patch quickly and often to close known vulnerabilities in browsers, operating systems, and web plugins.
- 6. Consider installing security software that protects your network, email servers, and endpoints from infection.
- 7. Practice good cyber hygiene: use caution when opening attachments or links in emails.
- 8. Segment your networks to keep critical computers isolated and prevent malware from spreading in the event of an attack. Disable unneeded network shares.
- 9. Remove admin rights from users who do not need them. Grant users the minimum system permissions necessary to do their work.
- 10. As much as possible, limit write permissions on file servers.
- 11. Educate your family, employees, and loved ones about the best ways to keep malware out of your systems. Keep everyone informed about the latest email scams and social engineering that aim to turn victims into accomplices.
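Items 3 and 4 above only hold if the lock on every backup object actually covers the period you would need to recover from. The following added example (not code from the original article and not Backblaze’s own code) shows the two halves of that: the arguments an S3-compatible `put_object` call needs to write an object under retention, and an audit over `head_object` responses that flags objects whose lock is missing, expires too early, or is in the overridable GOVERNANCE mode. The field names (`ObjectLockMode`, `ObjectLockRetainUntilDate`) are the ones boto3 returns for the S3 Object Lock API; the bucket name, key names, retention policy, and the sample responses are constructed so the audit runs offline.

```python
"""Write backups under S3 Object Lock retention and audit that the lock is sufficient.

Added example, not code from the article or from any backup vendor. The
sample head_object responses are constructed to match boto3's shape.
"""
from datetime import datetime, timedelta, timezone


def lock_put_args(bucket, key, body, retain_days, now=None, mode="COMPLIANCE"):
    """Keyword arguments for boto3 s3.put_object() that store `key` under retention.

    COMPLIANCE retention cannot be shortened or removed by anyone, including the
    account owner, until the date passes. GOVERNANCE can be overridden by a
    principal granted s3:BypassGovernanceRetention, which is why the audit below
    treats it as weaker. The bucket must have been created with Object Lock
    enabled; otherwise the service rejects these parameters.
    """
    now = now or datetime.now(timezone.utc)
    return {
        "Bucket": bucket,
        "Key": key,
        "Body": body,
        "ObjectLockMode": mode,
        "ObjectLockRetainUntilDate": now + timedelta(days=retain_days),
    }


def audit_retention(head_responses, min_days, now):
    """Classify each backup object by whether its lock covers the recovery window.

    `head_responses` maps key -> the dict returned by s3.head_object(). Returns
    key -> 'ok' | 'unlocked' | 'expires_early' | 'governance'. Legal holds are a
    separate, revocable mechanism and are deliberately not counted as protection.
    """
    required_until = now + timedelta(days=min_days)
    results = {}
    for key, head in head_responses.items():
        mode = head.get("ObjectLockMode")
        until = head.get("ObjectLockRetainUntilDate")
        if mode is None or until is None:
            results[key] = "unlocked"  # an attacker with the keys can delete this one
        elif until < required_until:
            results[key] = "expires_early"
        elif mode == "GOVERNANCE":
            results[key] = "governance"
        else:
            results[key] = "ok"
    return results


def unprotected_keys(results):
    """Keys that would not survive an attacker holding the storage credentials."""
    return sorted(k for k, v in results.items() if v != "ok")


# Constructed sample: four backup objects as head_object() would describe them.
NOW = datetime(2021, 3, 4, 12, 0, tzinfo=timezone.utc)
SAMPLE_HEADS = {
    "backups/2021-03-01/full.tar.zst": {
        "ContentLength": 5_368_709_120,
        "ObjectLockMode": "COMPLIANCE",
        "ObjectLockRetainUntilDate": NOW + timedelta(days=60),
    },
    "backups/2021-03-02/incr.tar.zst": {
        "ContentLength": 104_857_600,
        "ObjectLockMode": "COMPLIANCE",
        "ObjectLockRetainUntilDate": NOW + timedelta(days=5),  # lapses before the window ends
    },
    "backups/2021-03-03/incr.tar.zst": {
        "ContentLength": 94_371_840,
        "ObjectLockMode": "GOVERNANCE",
        "ObjectLockRetainUntilDate": NOW + timedelta(days=60),
    },
    "backups/2021-03-04/incr.tar.zst": {
        "ContentLength": 88_080_384,  # uploaded without any lock parameters
    },
}

if __name__ == "__main__":
    # Live use would be (assumption: an S3-compatible endpoint with Object Lock on the bucket):
    #   import boto3
    #   s3 = boto3.client("s3", endpoint_url="https://<endpoint>")
    #   s3.put_object(**lock_put_args("my-backups", "backups/x.tar.zst", data, 30))
    #   heads = {k: s3.head_object(Bucket="my-backups", Key=k) for k in keys}
    results = audit_retention(SAMPLE_HEADS, min_days=30, now=NOW)
    for key, status in results.items():
        print(f"{status:14s} {key}")
    print("needs attention:", unprotected_keys(results))
```

Run the audit on a schedule against the real bucket listing rather than once at setup: the `expires_early` case is the common drift, a retention period chosen when the backup was written that quietly runs out before the next full backup replaces it.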
The best way to deal with a ransomware attack is to avoid it in the first place. Beyond that, keeping your valuable data backed up where ransomware cannot reach it will keep your downtime and data loss minimal, or nil, if you ever suffer an attack.
Are you a victim of ransomware attacks? Do you have any tips or strategies to prevent becoming one? We would love to hear from you in the comments.