1. What is Ransomware?
The authors of ransomware instill fear and panic into their victims, causing them to click on a link or pay a ransom. Ransomware displays intimidating messages similar to those below:
- “Your computer has been infected with a virus. Click here to resolve the issue.”
- “Your computer was used to visit websites with illegal content. To unlock your computer, you must pay a $100 fine.”
- “All files on your computer have been encrypted. You must pay this ransom within 72 hours to regain access to your data.”
Typically, these alerts state that the user’s system has been locked or that the user’s files have been encrypted (converted into a format that is not readable or usable).
2. How does a computer become infected with Ransomware?
Crypto ransomware, a malware variant that encrypts files, is spread through similar methods and has also been spread through social media, such as Web-based instant messaging applications.
Additionally, newer methods of ransomware infection have been observed. For example, vulnerable public web servers have been exploited as an entry point to gain access to an organization’s network.
3. How serious is a Ransomware attack?
A ransomware infection can have serious consequences for home users and organizations alike, including:
- temporary or permanent loss of sensitive or proprietary information,
- disruption to regular operations,
- financial losses incurred to restore systems and files, and
- potential harm to an organization’s reputation.
Paying the ransom does not guarantee the encrypted files will be released; it only guarantees that the malicious actors receive the victim’s money, and in some cases, their banking information. In addition, decrypting files does not mean the malware infection itself has been removed.
4. How can I protect against Ransomware?
TT-CSIRT recommends that users and system administrators take the following preventive measures to protect their computers and computer networks from ransomware infection:
- Keep your operating system and software updated (especially firewall appliances and anti-virus software). Vulnerable applications and operating systems are the targets of most attacks. Ensuring these are patched with the latest updates greatly reduces the number of exploitable entry points available to an attacker.
- Perform regular backups. Store these backups offline (i.e. on a device that cannot be accessed from the network).
- Enable strong spam filtering and scan all incoming and outgoing emails to detect threats and prevent executable files from reaching end users.
- Authenticate inbound emails (with SPF, DMARC and DKIM) to prevent email spoofing.
- Conduct (or attend) security awareness training with employees.
- Implement network segmentation and data categorization to minimize exposure of mission-critical and sensitive data.
- Restrict users’ permissions to install and run software applications, and apply the principle of “least privilege” to all systems and services. Restricting these privileges may prevent malware from running or limit its capability to spread through a network.
- Secure system administration tools that attackers could abuse.
- Disable third-party or outdated components that could be used as entry points.
- Disable the loading of macros in your Office programs.
- Disable Remote Desktop whenever possible and never expose it directly to the internet.
- Implement multi-factor authentication wherever possible.
- Block websites that are known for being malware breeding grounds (illegal download sites, pornographic sites, etc.).
- Develop an incident response plan and a business continuity plan in the event that a ransomware attack takes place.
- Employ a data backup and recovery plan for all critical information. Perform and test regular backups to limit the impact of data or system loss and to expedite the recovery process. Note that network-connected backups can also be affected by ransomware; critical backups should be isolated from the network for optimum protection.
- Maintain up-to-date anti-virus software, and scan all software downloaded from the internet prior to executing.
- Avoid enabling macros from email attachments. If a user opens the attachment and enables macros, embedded code will execute the malware on the machine.
- Do not follow unsolicited Web links in emails. Check out our Phishing page for more information.
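As an added example (not part of TT-CSIRT's guidance), the following Python script checks whether a domain's SPF, DKIM and DMARC records are configured to reject spoofed mail rather than merely monitor it, as the "authenticate inbound emails" measure above requires. The DNS records are constructed in-memory stand-ins for real lookups, and the DKIM selector names it tries are assumptions.

```python
"""Check whether a domain's SPF, DKIM and DMARC records reject spoofed mail.

DNS lookups are replaced by a constructed in-memory zone so the example
runs offline; swap lookup_txt() for a real resolver to check live domains.
"""
import re

# Constructed example records: one weakly configured domain, one hardened.
CONSTRUCTED_ZONE = {
    "weak.example": ["v=spf1 include:_spf.mail.example ~all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none; rua=mailto:dmarc@weak.example"],
    "strong.example": ["v=spf1 mx include:_spf.mail.example -all"],
    "_dmarc.strong.example": ["v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@strong.example"],
    "s1._domainkey.strong.example": ["v=DKIM1; k=rsa; p=MIIBIjANBgkq...constructed..."],
}

def lookup_txt(zone, name):
    """Return the TXT records for `name` from the constructed zone (stand-in for DNS)."""
    return zone.get(name.lower(), [])

def evaluate_email_auth(domain, dkim_selectors=("s1", "selector1", "default"), zone=CONSTRUCTED_ZONE):
    """Return findings for `domain`; `weak` lists settings that let spoofed mail through."""
    weak = []
    spf = next((r for r in lookup_txt(zone, domain) if r.lower().startswith("v=spf1")), None)
    spf_all = None
    if spf is None:
        weak.append("no SPF record")
    else:
        # The 'all' mechanism decides the fate of unlisted senders; no qualifier means '+'.
        m = re.search(r"(?:^|\s)([+\-~?]?)all(?=\s|$)", spf)
        spf_all = (m.group(1) or "+") + "all" if m else None
        if spf_all != "-all":
            weak.append(f"SPF does not hard-fail unauthorised senders ({spf_all})")
    dmarc = next((r for r in lookup_txt(zone, f"_dmarc.{domain}") if r.upper().startswith("V=DMARC1")), None)
    policy = None
    if dmarc is None:
        weak.append("no DMARC record")
    else:
        tags = dict(kv.strip().split("=", 1) for kv in dmarc.split(";") if "=" in kv)
        policy = tags.get("p")
        if policy not in ("quarantine", "reject"):
            weak.append(f"DMARC policy '{policy}' only monitors, it does not block spoofed mail")
    # DKIM keys live under <selector>._domainkey.<domain>; selectors are assumed names.
    dkim_found = [s for s in dkim_selectors
                  if any(r.upper().startswith("V=DKIM1") for r in lookup_txt(zone, f"{s}._domainkey.{domain}"))]
    if not dkim_found:
        weak.append("no DKIM public key found for the checked selectors")
    return {"spf_all": spf_all, "dmarc_policy": policy, "dkim_selectors": dkim_found, "weak": weak}

if __name__ == "__main__":
    for d in ("weak.example", "strong.example"):
        print(d, evaluate_email_auth(d))
```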
5. What to do if your system has been infected with ransomware
5.1. Disconnect From Networks
- Unplug network / Ethernet cables and disable Wi-Fi or any other network adapters.
- Put your mobile device in Airplane Mode.
- Turn off Wi-Fi and Bluetooth.
This can aid in preventing the spread of the ransomware to shared network resources such as file shares.
5.2. Disconnect External Devices
- USB drives or memory sticks
- Attached phones or cameras
- External hard drives
- Any other devices (including printers) that could also become compromised
5.3. Contact IT Support & Report Incident
It is important that incidents are reported as early as possible so that you can help limit the damage and cost of recovery. Ransomware can quickly spread across a computer network, be it at home or in the office. This is why unplugging your computer if you believe you’ve been infected is a recommended action.
Any user, whether a home user or part of a company, can also contact TT-CSIRT to report a ransomware attack.
5.4. Get advice before taking action!
Users are often discouraged from paying a ransom demanded by ransomware attackers, as this does not guarantee files will be released. There may be instances where your data can be restored from a backup, and a data recovery specialist can assist with this activity.
While paying the ransom can help reduce disruption and may be cheaper than the overall cost of downtime, you should only consider paying the ransom if all other options have been exhausted. In cases where Cryptolocker, Cryptowall or other sophisticated forms of ransomware were involved, you may not be able to get your data back without paying a ransom.
If you do consider paying the ransom, you should note that:
- There is a 1 in 20 chance that the ransomware authors will take the money but not provide a decryptor. Generally speaking, larger, more “professional” ransomware groups are more likely to provide a working decryptor than the operators of variants that are typically sold to and run by individuals, such as Dharma and Phobos. Regardless of who is behind the attack, victims have to rely on criminals to provide a decryptor with no guarantee that they’ll hold up their end of the bargain.
- The decryptor may not work properly on your particular system.
- Ransom payments may be used to fund serious criminal activity, including human trafficking and terrorism.
- Ransoms are often paid in Bitcoin, which is untraceable. It also means you will have to set up a cryptocurrency account and purchase Bitcoin.
- Paying the ransom substantiates the ransomware business model and perpetuates further attacks.
If you do end up paying and are fortunate enough to get your files decrypted, it is recommended that you seek the services of an IT professional with ransomware recovery experience to review your computer and network to ensure you have indeed gotten rid of the ransomware.