
After a ransomware attack, the hacker will demand payment (ransom), but often times will not unlock the systems or files even if ransom is paid.
Ransomware is a type of malware, but with an extra sting. If infected with this malware, access to your operating system or files will be prevented or limited. The hacker will demand payment (ransom), but often times will not unlock the systems or files even if ransom is paid.
A ransomware attack is nothing new, dating back to the AIDS Trojan in the late 1980s. Because it was the 80s, instead of paying electronically with bitcoin, the victim had to mail money to a post office box.
Payment requirements aren’t the only change, of course. Ransomware attacks have become increasingly sophisticated and common.
Let’s look at how ransomware works.
Step 1: Infection
How does a device or system get infected with ransomware? All of the usual malware methods are applicable to ransomware infection:
- Emails with malicious links or attachments
- Visiting websites that install malware on your computer
- Clicking malicious links on a website
- Malvertising (malicious advertising) links
- System vulnerabilities
- Access via stolen credentials
- Self-propagating ransomware (cryptoworms)
Step 2: Execution
Once the ransomware is on your system, the real damage begins. Earlier ransomware was known for blocking system access immediately upon boot up or when your operating system loaded. Recent variants encrypt files on your hard drive, mapped network drives, or unmapped drives, leaving your files inaccessible.
The more vicious versions of a ransomware attack would slowly delete files as the ransom clock ticks.
Advanced ransomware goes as far as detecting backup files and deleting or encrypting them. The latest variants not only take your files hostage but threaten a data dump if you do not pay.
The major takeaway: ransomware is evolving and cybercriminals are going to do whatever it takes to make the victim pay.
WARNING: Nothing is safe. If it’s connected, it’s at risk!
This includes:
- Workstations
- Servers
- Laptops
- Smartphones/tablets
- External hard drives
- USB removable media
- SAN/NAS
- Synced cloud storage
What to Do If Your Institution Is Attacked
Take these actions if your institution is affected by ransomware:
- Disconnect infected devices from the network to prevent the ransomware from spreading to other devices.
- Turn off any cloud syncing. If your system is hit with ransomware, files that sync with the cloud will be encrypted and those encrypted files will sync with the cloud.
- Implement your Incident Response Plan, if you have one. (If you don’t, this article explains what an Incident Response Plan should include.)
- Restore from backups on either a disconnected drive or a connected drive that has not been compromised. Be aware that malware could still exist on your systems even after you contain the ransomware attack and restore your data.
- If you do not have backups, you could research whether the algorithms or decryption key tables have been released. While this is not always the case, sometimes you can obtain the decryption key without paying the ransom.
- Contact your legal counsel. They will be able to advise you on steps to take, such as contacting law enforcement and notifying affected parties, if necessary.
- Contact your insurance company. There may be a provision in your policy that could be impacted or mitigated if protocol is followed.
Interesting Facts About Ransomware
- Some variants lock your bitcoin wallet! This is the digital equivalent of physically stealing a wallet.
- Ransomware-as-a-Service (RaaS) is exactly what it sounds like. Anyone can purchase ransomware and use it to extort money from victims of their choosing.
Tips for Fighting Ransomware
Use this short checklist to help protect your institution from ransomware:
- Use effective malware protection
- Implement robust patch management procedures
- Install web content filters
- Disable macros in Microsoft Office
- Limit use of user accounts with elevated privileges
- Training! Training! Training!
- Back up your data to disconnected media
Understanding a ransomware attack and following these best practices will help your institution reduce the risk of getting attacked. And remember that it’s vital to layer controls so that if one control fails, others are in place to help prevent such an attack.