Return to site

Ransomware attacked me!

What should I do now?

· Ransomware,Business Continuity,3-2-1 rule,Offline Backup Copy,Veeam

At first DONT PANIC, knowing its a big deal.

Here is a scenario.

You’re working on your computer and you notice that it seems slower. Or perhaps you can’t access document or media files that were previously available. You might be getting error messages from Windows telling you that a file is of an “Unknown file type” or “Windows can’t open this file.”

broken image

Not to forget, it can happen with Mac's too.

broken image

Another possibility is that you’re completely locked out of your system. If you’re in an office, you might be looking around and seeing that other people are experiencing the same problem. Some are already locked out, and others are just now wondering what’s going on, just as you are.

Then you see a message confirming your fears.

broken image
broken image

You’ve been infected with ransomware.

The number of ransomware attacks on businesses jumped from one attack every two minutes in Q1 to one every 40 seconds by Q3 of 2017. There were over four times more new ransomware variants in the first quarter of 2017 than in the first quarter of 2016. Ransomware costs businesses more than $75 billion per year and the average cost of a ransomware attack on businesses was $133,000. The scary part is that 75% of companies infected with ransomware were running up-to-date endpoint protection.

The outlook isn’t getting better. Damages from ransomware are expected to rise to $11.5 billion this year, and a new organization will fall victim to ransomware every 14 seconds in 2019, and every 11 seconds by 2021.


How Does Ransomware Work?

Ransomware typically spreads via spam or phishing emails. It also can be spread through websites or drive-by downloads to infect an endpoint and penetrate the network. Infection methods are constantly evolving and there are many other ways one can become infected, as well (see section six,How to Prevent a Ransomware Attack. Once in place, the ransomware then locks all files it can access using strong encryption. Finally, the malware demands a ransom (typically payable in bitcoins) to decrypt the files and restore full operations to the affected IT systems.

Encrypting ransomware orcryptoware is by far the most common recent variety of ransomware. Other types that might be encountered are:

  1. Non-encrypting ransomware or lock screens (restricts access to files and data, but does not encrypt them)
  2. Ransomware that encrypts the Master Boot Record (MBR) of a drive or Microsoft’s NTFS, which prevents victims’ computers from being booted up in a live OS environment
  3. Leakware or extortionware (exfiltrates data that the attackers threaten to release if ransom is not paid)
  4. Mobile Device Ransomware (infects cell-phones through drive-by downloads or fake apps)

Steps in a Typical Ransomware Attack

broken image

The typical steps in a ransomware attack are:

  1. After it has been delivered to the system via email attachment, phishing email, infected application or other method, the ransomware installs itself on the endpoint and any network devices it can access.
  2. The ransomware contacts the command and control server operated by the cybercriminals behind the attack to generate the cryptographic keys to be used on the local system.
  3. The ransomware starts encrypting any files it can find on local machines and the network.
  4. With the encryption work done, the ransomware displays instructions for extortion and ransom payment, threatening destruction of data if payment is not made.
  5. Organizations can either pay the ransom and hope for the cybercriminals to actually decrypt the affected files (which in many cases does not happen), or they can attempt recovery by removing infected files and systems from the network and restoring data from clean backups.

Who Gets Attacked?

Ransomware attacks target firms of all sizes — 5% or more of businesses in the top 10 industry sectors have been attacked — and no size business, from small-and-medium businesses to enterprises, is immune. Attacks are on the rise in every sector and in every size of business.

Recent attacks, such as WannaCry, mainly affected systems outside of the United States. Hundreds of thousands of computers were infected from Taiwan to the United Kingdom, where it crippled the UK’s National Health Service (NHS).

The US has not been so lucky in other attacks, though. The US ranks the highest in the number of ransomware attacks, followed by Germany and then France. Windows computers are the main targets, but ransomware strains exist for Macintosh and Linux, as well.

The unfortunate truth is that ransomware has become so wide-spread that for most companies it is a certainty that they will be exposed to some degree to a ransomware or malware attack. The best they can do is to be prepared and understand the best ways to minimize the impact of ransomware.

How to Defeat Ransomware

So, you’ve been attacked by ransomware. What should you do next?

broken image

1 — Isolate the Infection

The rate and speed of ransomware detection is critical in combating fast moving attacks before they succeed in spreading across networks and encrypting vital data.

The first thing to do when a computer is suspected of being infected is to isolate it from other computers and storage devices. Disconnect it from the network (both wired and Wi-Fi) and from any external storage devices. Cryptoworms actively seek out connections and other computers, so you want to prevent that happening. You also don’t want the ransomware communicating across the network with its command and control center.

Be aware that there may be more than just one patient zero, meaning that the ransomware may have entered your organization or home through multiple computers, or may be dormant and not yet shown itself on some systems. Treat all connected and networked computers with suspicion and apply measures to ensure that all systems are not infected.

2 — Identify the Infection

Most often the ransomware will identify itself when it asks for ransom. There are numerous sites that help you identify the ransomware, including ID Ransomware. The No More Ransomware! Project provides the Crypto Sheriff to help identify ransomware.

Identifying the ransomware will help you understand what type of ransomware you have, how it propagates, what types of files it encrypts, and maybe what your options are for removal and disinfection. It also will enable you to report the attack to the authorities, which is recommended.

broken image
broken image
broken image

3 — Report to the Authorities

You’ll be doing everyone a favor by reporting all ransomware attacks to the authorities. The FBI urges ransomware victims to report ransomware incidents regardless of the outcome. Victim reporting provides law enforcement with a greater understanding of the threat, provides justification for ransomware investigations, and contributes relevant information to ongoing ransomware cases. Knowing more about victims and their experiences with ransomware will help the FBI to determine who is behind the attacks and how they are identifying or targeting victims.

You can file a report with the FBI at the Internet Crime Complaint Center. There are other ways to report ransomware, as well.

4 — Determine Your Options

Your options when infected with ransomware are:

  1. Restore from offline backup copy
  2. Pay the ransom
  3. Try to remove the malware
  4. Wipe the system(s) and reinstall from scratch

It’s generally considered a bad idea to pay the ransom. Paying the ransom encourages more ransomware, and in many cases the unlocking of the encrypted files is not successful.

In a recent survey, more than three-quarters of respondents said their organization is not at all likely to pay the ransom in order to recover their data (77%). Only a small minority said they were willing to pay some ransom (3% of companies have already set up a Bitcoin account in preparation).

Even if you decide to pay, it’s very possible you won’t get back your data.

That leaves three other options: restoring your data from the offline backup copy, removing the malware and selectively restoring your system, or wiping everything and installing from scratch.

5 — Restore or Start Fresh

You have the choice of trying to remove the malware from your systems or wiping your systems and reinstalling from safe backups and clean OS and application sources.

Get Rid of the Infection

There are internet sites and software packages that claim to be able to remove ransomware from systems. The No More Ransom! Project is one. Other options can be found, as well.

Whether you can successfully and completely remove an infection is up for debate. A working decryptor doesn’t exist for every known ransomware, and unfortunately it’s true that the newer the ransomware, the more sophisticated it’s likely to be and the less time the good guys have had to develop a decryptor.

It’s Best to Wipe All Systems Completely

The surest way of being certain that malware or ransomware has been removed from a system is to do a complete wipe of all storage devices and reinstall everything from scratch. Formatting the hard disks in your system will ensure that no remnants of the malware remain.

If you’ve been following a sound backup strategy, you should have copies of all your documents, media, and important files right up to the time of the infection.

Be sure to determine the date of infection as well as you can from malware file dates, messages, and other information you have uncovered about how your particular malware operates. Consider that an infection might have been dormant in your system for a while before it activated and made significant changes to your system. Identifying and learning about the particular malware that attacked your systems will enable you to understand how that malware functions and what your best strategy should be for restoring your systems.

Select a backup or backups that was made prior to the date of the initial ransomware infection. If you’ve been following a good backup policy with both local and off-site backups, you should be able to use backup copies that you are sure were not connected to your network after the time of attack and hence protected from infection. Backup drives that were completely disconnected should be safe, as are files stored in the cloud.

6 — How to Prevent a Ransomware Attack

A ransomware attack can be devastating for a home or a business. Valuable and irreplaceable files can be lost and tens or even hundreds of hours of effort can be required to get rid of the infection and get systems working again.

Ransomware attacks continue to evolve and attack methods get more sophisticated all the time. You don’t have to be part of the statistics. With good planning and smart practices, you can prevent ransomware from affecting your systems.

Know How Viruses Enter Your Workplace and Computer

To be prepared, you need to know how ransomware can enter your system. These methods of gaining access to your systems are known as attack vectors.

Attack vectors can be divided into two types: human attack vectors and machine attack vectors.

Human Attack Vectors

Often, viruses need the help of humans to enter computers so they employ what’s known as social engineering. In the context of information security, social engineering is the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes. In other words, people can be fooled into giving up information that they otherwise would not divulge.

Common human attack vectors include:

1 — Phishing

Phishing uses fake emails to trick people into clicking on a link or opening an attachment that carries a malware payload. The email might be sent to one person or many within an organization. Sometimes the emails are targeted to make them seem more credible. The attackers take the time to research the individual targets and businesses so their email appears legitimate. The sender might be faked to be someone known to the recipient or the subject matter relevant to the recipient’s job. When personalized in this manner, the technique is known as spear phishing.

2 — SMSishing

SMSishing uses text messages to get recipients to navigate to a site or enter personal information on their device. Common approaches use authentication messages or messages that appear to be from a financial or other service provider. Some SMSishing ransomware attempt to propagate themselves by sending themselves to all contacts in the device’s contacts list.

3 — Vishing

In a similar manner to email and SMS, vishing uses voicemail to deceive the victim. The voicemail recipient is instructed to call a number that is often spoofed to appear legitimate. If the victim calls the number, he or she is taken through a series of actions to correct some made-up problem. The instructions include having the victim install malware on their computer. Cybercriminals can appear professional and employ sound effects and other means to appear legitimate. Like spear phishing, vishing can be targeted to an individual or company using information that the cybercriminals have collected.

4 — Social Media

Social media can be a powerful vehicle to convince a victim to open a downloaded image from a social media site or take some other compromising action. The carrier might be music, video, or other active content that once opened infects the user’s system.

5 — Instant Messaging

Instant messaging clients can be hacked by cybercriminals and used to distribute malware to the victim’s contact list. This technique was one of the methods used to distribute the Locky ransomware to unsuspecting recipients.

Machine Attack Vectors

The other type of attack vector is machine to machine. Humans are involved to some extent as they might facilitate the attack by visiting a website or using a computer, but the attack process is automated and doesn’t require any explicit human cooperation to invade your computer or network.

1 — Drive-By

Drive-by has this moniker because all it takes for the victim to become infected is to open a webpage with malicious code in an image or active content.

2 — System Vulnerabilities

Cybercriminals learn the vulnerabilities of specific systems and exploit those vulnerabilities to break in and install ransomware on the machine. This most often happens to systems that are not patched with the latest security releases.

3 — Malvertising

Malvertising is like drive-by, but uses ads to deliver malware. These ads might be placed on search engines or popular social media sites in order to reach a large audience. A common host for malvertising is adults-only sites.

4 — Network Propagation

However a piece of ransomware enters a system, once it has it can scan for file shares and accessible computers and spread itself across the network or shared system. Companies without adequate security might have their company file server and other network shares infected as well. From there, the malware will spread as far as it can until it runs out of accessible systems or meets security barriers.

5 — Propagation Through Shared Services

Online services such as file sharing or syncing services can be used to propagate ransomware. If the ransomware ends up in a shared folder on a home machine, the infection can be transferred to an office or to other connected machines. If the service is set to automatically sync when files are added or changed, as many file sharing services are, then a malicious virus can be widely propagated in just milliseconds. 

It’s important to be careful and consider the settings you use for systems that automatically sync, and to be cautious about sharing files with others unless you know exactly where they came from.

Best Practices to Defeat Ransomware

Security experts suggest several precautionary measures for preventing a ransomware attack.

  1. Use anti-virus and anti-malware software or other security policies to block known payloads from launching.
  2. Make frequent, comprehensive backups of all important files and isolate them from local and open networks. Cybersecurity professionals view data backup and recovery (74% in a recent survey) by far as the most effective solution to respond to a successful ransomware attack.
  3. Keep offline backups of data stored in locations inaccessible from any potentially infected computer, such as disconnected external storage drives or the cloud, which prevents them from being accessed by the ransomware.
  4. Install the latest security updates issued by software vendors of your OS and applications. Remember to Patch Early and Patch Often to close known vulnerabilities in operating systems, browsers, and web plugins.
  5. Consider deploying security software to protect endpoints, email servers, and network systems from infection.
  6. Exercise cyber hygiene, such as using caution when opening email attachments and links.
  7. Segment your networks to keep critical computers isolated and to prevent the spread of malware in case of attack. Turn off unneeded network shares.
  8. Turn off admin rights for users who don’t require them. Give users the lowest system permissions they need to do their work.
  9. Restrict write permissions on file servers as much as possible.
  10. Educate yourself, your employees, and your family in best practices to keep malware out of your systems. Update everyone on the latest email phishing scams and human engineering aimed at turning victims into abettors

It’s clear that the best way to respond to a ransomware attack is to avoid having one in the first place. Other than that, making sure your valuable data is backed up and unreachable by ransomware infection will ensure that your downtime and data loss will be minimal or none if you ever suffer an attack.

Have you endured a ransomware attack or have a strategy to avoid becoming a victim? Please let us know in the comments.