The Definitive Guide to Ransomware
April 14, 2020
Ransomware - a growing concern for many businesses and individuals--is a form of malware that infects your network or devices and holds your information for ransom.
If you’re just learning about ransomware and you don’t know where to start, we’ve compiled this guide with the aim to get you quickly up-to-speed.
This article is part of our Definitive Guide to Ransomware series:
- The Definitive Guide to Ransomware
- What is Ransomware?
- How Does Ransomware Spread?
- How to Report Ransomware
- Recent Ransomware Attacks and Examples
- How to Prevent and Prepare for Ransomware Attacks
- Should You Pay the Ransomware Demand
- What You Need to Know About Ransomware Insurance
- Ransomware Removal
- Common Ransomware Attacks
What is ransomware?
In order to understand ransomware, it’s helpful to first understand the definition of malware. Malware is software designed specifically to infiltrate your system and cause harm to your files, hardware, network, clients, or servers. You might be familiar with computer viruses, spyware, worms, or even Trojan horses--malware that can disguise itself as something else in order to get into your system. One of the largest growing versions of malware is called ransomware.
Ransomware is a form of malware that gains access to your system, encrypts your data, and demands payment, or a ransom, in order to release your files back to you. These malware attacks become ransomware when a ransom is demanded--this is the true classification of ransomware.
How does ransomware spread?
There are common attack methods for ransomware, which are typically the same as malware (again, the classification of ransomware being the actual demand for ransom). Malware can come into your system in a few ways.
Phishing emails are a common attack method for malware. An email is sent to one or many of your employees with malicious attachments or a link to a fake website. Once the email recipient opens and downloads the attachment or clicks on the link, the malware is on your system. Once it finds your files or your information and executes the demand for ransom, it’s considered ransomware.
Vulnerable web servers also present a common malware attack point. Attackers can gain access to your files and information through a weak network entrypoint. Security holes are easy for attackers to find and bypass.
Common ransomware attacks
There are three types of ransomware attacks: scareware, screen lockers, and encrypting ransomware. Scareware and screen lockers pose no real danger, and you can just delete the emails. Ransomware, on the other hand, locks you out of your system and cripples your business. All three attacks, when first discovered, elicit the same fight or flight response. However, once you have calmed down, how you respond to each is very different.
Scareware Scareware is deployed using pop-up messages claiming that your system is infected with ransomware and you need to pay the ransom in order to release your data. The claim is false and your information is safe--even though you may continue to see pop-up messages. The crime actors will often prove they have access by showing you an older password that corresponds to the email address. Then they will limit the time available to respond--hoping you will panic and pay.
Screen lockers Screen lockers claim that illegal activity has been detected on your device and you must pay a fine. The message typically imitates an FBI or US Department of Justice seal and demands payment quickly in order to restore your system. The claim is false, however, and if illegal activity is detected on your device, the authorities will take appropriate action (which doesn’t look like locking you out of your system and demanding an immediate fine).
Encrypting ransomware Encrypting ransomware does exactly what it says it does--encrypts your files and demands payment in order to release your data. The other types of ransomware disguise themselves, but encrypting ransomware is easier to identify--when a ransom is demanded, you know you’re dealing with ransomware. Files may be returned if you pay the ransom, but there’s no guarantee.
How can you prevent ransomware attacks?
There are many ways to protect your organization and employees from the dangers of ransomware. It’s increasingly important to be proactive in your cyber security plan as more and more companies allow remote work. Here are seven ways to get started:
Require antivirus software. Up-to-date antivirus software can provide the right defense against malicious programs. It’s important to use antivirus software that updates automatically, maintains an up-to-date database of known malware (comparing incoming files to the database), blocks malicious script files, prevents malicious script files from running, and offers virus scanning in the background. A good antivirus software will also include malware removal.
Require a malware blocker. Most people think that malware and a virus are the same, but the reality is--they are connected, but different. Think about a virus as something that can spread through your system (perhaps getting on your system from a malicious download or attachment). And think about malware as more of an umbrella term. It’s malicious software. Malware can be ransomware, a virus, a worm, adware, etc. If you’re blocking for viruses, you need to make sure you’re also including a malware blocker. It’s the proper defense against ransomware.
Keep operating systems up-to-date. Require everyone within your organization to keep their operating systems up-to-date. Those updates reduce vulnerabilities and improve security. IT teams can force critical device updates.
Install an email gateway. Block malicious email before it even has a chance to be delivered with the right email gateway. It can protect your organization from malware, a ransomware attack, viruses, and spam. Gateways scan all emails, even attachments, and give them the green light before they are delivered or sent from your organization.
Automate file backups. If your organization is hit with ransomware and your data is held hostage. In most situations the perpetrators do not actually have your data, but rather they have encrypted the data that resides on your servers. You may be able to avoid a ransom in the first place if your data is properly duplicated within a backup. Automate that backup and you’ll have real-time insurance against the need to pay for your files in the case of an attack. Make sure to test your backup regularly.
Update security training. Your security team should be updating your cyber security training at least once per year. Include updated information about common ransomware attacks, what to look for in phishing emails, how to identify a malicious website, and how to properly create secure passwords. Security companies such as KnowBe4 and Proofpoint offer excellent training.
Restrict user permissions. If possible, restricting user permissions on company devices can be a great strategy to prevent ransomware. Restricting users ability to download and install software can prevent malware and ransomware attacks.
Implement two-factor authentication. Vulnerabilities in your network and “easy to remember” user-generated passwords create easy ways for attackers to get into your system. This problem is exacerbated in our new work-from-home world. Implement two-factor authentication to reduce risk.
Define your network defense strategy. A good network strategy will include asset classification, both physical and digital. You must know what you need to protect in order to make the right plan. It’s also key to define specific threats and model what those threats look like to your organization. Configuration management, access control, and auditing should also be part of your network defense strategy.
What should you do if your systems have been infected with ransomware?
If your business is unfortunate enough to encounter ransomware, it’s critical that you have a response plan already in place. Here are steps to get you through a ransomware attack:
Isolate any infected systems from your network. This includes disconnecting the network cable and shutting the system down. Don’t allow the infected systems to get on any WiFi network. Make sure the compromised systems are separate from the rest of your assets.
Identify the type of ransomware. If you have an internal response team or an IT team prepared for this type of attack, prioritize the identification of the ransomware. This will help you determine your next steps in how you deal with the malware on your system. If you don’t have an internal IT team or incident response team, involving an outside consultant could be very valuable.
Report the ransomware. Time is not your friend in a ransomware event. Employees should immediately report an attack to your IT security team. The amount of damage control you may be faced with will likely increase the longer it takes to report the incident.
Make your plan--offense or defense. Whether you plan to go on the offense and disregard the demand for ransom--moving forward without paying--or you intend to go on the defense and pay the crime actors without a guarantee that they will release your data, you need to make a plan. Your plan may include consulting the authorities, an experienced consultant, and your IT team.
Remove the malware. Your IT team or outside consultants will need to remove the malware from your system before it can be connected to the rest of the network--this is especially important if it’s still active and can spread to other systems once reconnected to your network.
Restore your system. If you have a backup of the data or files that have been encrypted, now is the time to restore the system back to full health (after the malware is removed). If you’ve paid the ransom and the data is restored (which isn’t a guarantee), it’s time to make sure everything is as it should be (and isn’t infected with new malware).
Should you pay the ransom if your system is infected with ransomware?
There are mixed opinions on whether or not you should pay the ransom if your system is infected with ransomware. While paying the ransom doesn’t come with any guarantee, there are several examples where data has been restored after the ransom was paid. If you consider paying, it’s important to know that the act of paying the ransom could make you a higher target for ransomware in the future.
The most important rule to remember is this--plan ahead for this type of attack and always keep a backup. If you can prevent the attack in the first place, or at least reduce your risk, you’ll hurt less if it happens.
While the specifics of ransomware removal are best left to your IT team or outside consultants, it’s possible that a decryption tool may already be available online. For example, if you are hit with a known version of CryptoLocker or CoinVault, the decryption keys are readily available online--ready to use.
Ransomware examples and recent attacks
Here is a list of recent ransomware attacks, the financial damage (if available), and the typical attack methods of each:
|Ransomware||Year||Cost (if known)||Description|
|Ryuk||2018||$640,000||Targeted organizations by disabling the Windows System Restore option and network drives.|
|WannaCry||2017||$4 Billion||Spread to 150 countries and infected 230,000 computers. Targeted Windows operating systems.|
|Bad Rabbit||2017||unknown||Delivered through drive-by downloading, using vulnerable websites to deliver the malware to unsuspecting website traffic. Targeted website visitors with a fake Adobe Flash install prompt.|
|Jigsaw||2016||unknown||For every hour that the ransom was unpaid, files were deleted and imagery from the Jigsaw horror movie was played.|
|Petya||Spread in 2016 and resurfaced in 2017 under a new name, GoldenEye||unknown||Targeted the victim’s hard drive instead of specific files, specifically focused on HR departments using fake job application emails with infected Dropbox links.|
|Locky||2016||unknown||Delivered via phishing emails and malicious attachments. Targeted files typically used by developers, engineers, testers, etc.|
|Troldesh||2015||unknown||Delivered via phishing emails with malicious links or attachments.|
In the event of a ransomware attack, are you covered with your current cybersecurity policy? Many policies skim past or barely mention ransomware, so it’s important that you understand if you are properly covered.
Important questions to ask when researching ransomware insurance:
- Will it cover the cost of notifying my customers or partners of the data breach?
- How will my policy help me restore my infected systems?
- Will my policy help me pay the ransom, if I choose to pay it?
- How much downtime will my policy cover in the event the ransomware shuts down product production or critical supply chain operations?
- If I need to compensate affected parties or pay a fine, will my policy cover it?
For more information about ransomware insurance, take our 3-question quiz to assess your organization’s ransomware exposure.