A Complete Guide to Protecting Against Ransomware


Ransomware is a form of malicious software which can infect files, hard drives and even websites. It uses encryption technology to scramble and lock the files, rendering them useless to the owner. A "ransom" is then demanded, usually payable in Bitcoins to an anonymous "wallet." If the ransom isn't paid in a certain amount of time, the encrypted files are deleted -- with no way of restoring them.

Both individuals and companies are targeted by cyber-criminals who typically attempt to extort anywhere from a few hundred to many thousands of dollars. Ransomware isn't a new phenomenon, but it appears to be on the increase. There's a whole host of ways it can infect a computer, and because it is updated constantly, ransomware can be hard to detect with a traditional anti-virus program. If you get infected with ransomware, it's also unlikely you'll ever recover the files that have been locked, even if you pay (which isn't recommended).

A recent in-depth study by Bromium found there are currently six major variants of malware, which have specific types of behaviour and various ways of spreading. However, the good news is that there are ways you can protect yourself, both as an individual and as a business owner, from the growing threat of ransomware.

How does ransomware spread?

Ransomware is associated with many other online dangers, such as Trojan viruses, phishing websites, email spammers and botnets (a network of "zombie" computers infected with viruses and controlled by criminals). It often evades traditional anti-virus software and can spread in many ways:

- Security exploits in software

- Malicious websites

- Malicious code injected into legitimate websites

- Drive-by downloads (malware within legitimate software)

- Spam emails

What happens during a ransomware infection?

Once you've been infected through one of the methods above, there are several things that happen:

- A downloader is installed to your system, which then uses a list of Command and Control (C&C) servers or domains controlled by the attackers to install the ransomware program onto your system.

- Once the ransomware has been sent back to the downloader by the C&C server, it will then begin to encrypt all the files and hard drives it can detect.

- A message will appear on your screen, informing you that your files are now locked. Instructions on how to pay to restore your files will be displayed, usually demanding that you act within a certain timeframe or everything will be lost.

How can I protect myself from the threat of ransomware?

Ransomware is constantly evolving, which means that a multi-faceted approach is required to protect yourself. These are some actions you can take to lessen the threat of ransomware.

1) Regularly back up your data

Ensuring your data is backed up regularly and keeping offline copies of all your important information should be your first priority. Having a recent back-up of all your files will mean a ransomware infection is nothing more than a minor annoyance.

2) Don't click on links or attachments from unknown senders

Ransomware is often hidden within attachments; .zip files are a common way for ransomware to spread, so treat them with caution. Malicious links can send you to websites that have multiple threats, so hover your mouse over the link to check it's genuine.

3) Exercise caution with macros

Macros within Microsoft Office documents can contain ransomware and other nasty viruses or malware. A feature has been added to the latest version of Windows with this in mind; it disables macros in any document that's been downloaded from the internet, adding extra protection.

4) Utilize multi-layered security

Ransomware can often evade basic anti-virus programs; current versions are updated and new versions are released frequently to escape detection. For maximum security, utilize desktop and network firewalls, as well as a reputable anti-virus program. To limit any potential damage, you should separate the various areas of the network with firewalls so they can only be accessed if needed. You should also ensure browser security settings are enabled, which can protect you from a wide range of threats. Before choosing an anti-virus provider, contact their customer service department and enquire whether their product protects you from ransomware. There's also specific software for protecting against ransomware threats and other advanced financial-based malware available.

5) Keep all software and security tools updated

Ransomware can spread through unpatched software vulnerabilities and outdated software. If they're kept up to date, it's less likely that ransomware will be able to slip through; essential bug fixes and security updates are often contained in patches.

6) If you have administrative access, use it only when required

While you're logged in as an administrator, you should only be performing essential duties. Never open documents, browse the web or undertake normal work duties while logged in as administrator; it's an unnecessary risk.

7) Ensure all your employees receive regular training

Your employees are a potential risk if they aren't trained properly in online security. Ensure staff receive regular training on how to spot such threats; all suspicious documents should also be forwarded to the IT department to deal with.

What is Cryptolocker?

Cryptolocker is a type of ransomware which has mostly targeted users in the USA and UK. It's particularly nasty as there have been several different versions which have proved adept at evading protection security, and it can spread in unique ways. As well as being distributed through spam email, Cryptolocker can also be spread via Remote Desktop Protocol (RDP) ports that have been left open to the internet. It also has the ability to infect mapped drives, or any drive that has been designated a letter. This can include network folders, external hard drives and even folders on the cloud, if you have them mapped locally. Due to the unique way that Cryptolocker spreads through your system, there are specific steps you can take to defend against this particular piece of ransomware.

- Filter email files by extension

Your gateway mail scanner may have the ability to block certain file types; it's a good idea to block .EXE files and files which have two extensions. If you need to exchange trusted .EXE files in a personal environment, using cloud services or password-protected ZIP files are ideal solutions.
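The extension rule above, as an added example that is not part of the original article: a small attachment filter that rejects executable extensions, flags double extensions such as "Invoice.pdf.exe", and also inspects the member names inside a ZIP attachment (names stay readable even in password-protected archives). The blocked-extension set and the compound-extension allowlist are assumed policy values, and the sample ZIP is constructed inline.

```python
import io
import zipfile
from pathlib import PureWindowsPath

# Assumed gateway policy (not from the article): executable types rejected outright.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs"}
# Legitimate compound extensions that should not trip the "two extensions" rule.
COMPOUND_OK = {".tar.gz", ".tar.bz2", ".tar.xz"}

def classify_name(name):
    """Return why an attachment name is rejected, or None if it passes the policy."""
    suffixes = [s.lower() for s in PureWindowsPath(name).suffixes]
    if not suffixes:
        return None
    if suffixes[-1] in BLOCKED_EXTENSIONS:
        return "blocked extension " + suffixes[-1]
    if len(suffixes) >= 2:
        tail = "".join(suffixes[-2:])
        if tail not in COMPOUND_OK:
            return "double extension " + tail
    return None

def scan_zip(data):
    """Apply the name policy to each ZIP member. Member names stay readable in a
    password-protected ZIP, so this check still works when contents cannot be scanned."""
    reasons = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            reason = classify_name(info.filename)
            if reason:
                reasons.append(info.filename + ": " + reason)
    return reasons

def check_attachment(name, data):
    """Check the attachment's own name, then look inside it if it is a ZIP."""
    reasons = []
    reason = classify_name(name)
    if reason:
        reasons.append(name + ": " + reason)
    if name.lower().endswith(".zip") and zipfile.is_zipfile(io.BytesIO(data)):
        reasons.extend(scan_zip(data))
    return reasons

def build_sample_zip():
    """Constructed sample: a ZIP hiding a 'PDF' whose real extension is .exe."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_2024.pdf.exe", b"MZ-not-a-real-program")  # fake bytes
        zf.writestr("cover_letter.txt", b"Please see attached.")
    return buf.getvalue()
```

Running `check_attachment("invoice.zip", build_sample_zip())` reports the hidden executable while leaving the harmless text file alone.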

- Display hidden file extensions

Cryptolocker takes advantage of a default Windows function which hides recognized file extensions. This means it can disguise itself in a double file extension.

- Create rules for files from LocalAppData and AppData folders

Cryptolocker has certain specific behaviour; you can create rules using Intrusion Prevention Software or within Windows to identify and disallow this behaviour. You may have some legitimate software that also runs from these folders; you can easily create exceptions to allow it to work properly.
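The AppData rule with exceptions, as an added example that is not part of the original article: detection logic run over constructed process-creation events that flags executables launched from the Roaming or Local AppData folders, while allowing a known-good program only when both its path and its file hash match. The log format, the "ExampleVendor" path and the hash values are assumptions made for this example.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample process-creation events (not real logs); paths are Windows-style.
SAMPLE_EVENTS = [
    r'user=alice image="C:\Users\alice\AppData\Roaming\Invoice.pdf.exe" sha256=1111',
    r'user=bob image="C:\Users\bob\AppData\Local\ExampleVendor\updater.exe" sha256=2222',
    r'user=bob image="C:\Users\bob\AppData\Local\ExampleVendor\updater.exe" sha256=3333',
    r'user=carol image="C:\Program Files\Word\word.exe" sha256=4444',
]
# Profile sub-folders the article's rule watches.
WATCHED = {("appdata", "roaming"), ("appdata", "local")}
# Assumed exception: path below AppData plus the hash of the trusted binary,
# so a dropper cannot pass simply by reusing a trusted vendor's file name.
ALLOWED = {(("appdata", "local", "examplevendor", "updater.exe"), "2222")}

_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_event(line):
    """Turn a key=value line into a dict; quoted values may contain spaces."""
    return {k: q or u for k, q, u in _KV.findall(line)}

def below_appdata(image):
    """Lower-cased path segments from 'AppData' down, or None if not under AppData."""
    parts = [p.lower() for p in PureWindowsPath(image).parts]
    return tuple(parts[parts.index("appdata"):]) if "appdata" in parts else None

def evaluate(event):
    """Return 'ignore' (outside AppData), 'allow' (known-good) or 'block'."""
    below = below_appdata(event["image"])
    if below is None or below[:2] not in WATCHED:
        return "ignore"
    if (below, event.get("sha256")) in ALLOWED:
        return "allow"
    return "block"

def triage(lines):
    """Evaluate each event; returns a list of (user, image, verdict) tuples."""
    out = []
    for line in lines:
        ev = parse_event(line)
        out.append((ev["user"], ev["image"], evaluate(ev)))
    return out
```

The third sample event shows why the exception is keyed on the hash as well as the path: a different binary at the vendor's path is still blocked.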

- Disable RDP if you don't use it

Disabling RDP can help prevent the spread of Cryptolocker through open ports. If you're not sure how to do this, there are some helpful articles on the Microsoft website.

What can I do if I've been infected with ransomware?

If you suspect your system has been infected, don't panic; there are several steps you can take.

1) Disconnect immediately from the network and Wi-Fi

If you suspect you've been affected, immediately unplug your device, and disconnect it from the Wi-Fi network. If you do this quickly enough, there may be a small chance that the ransomware didn't have time to connect with the C&C server and start encrypting your files. You have to react very quickly, and there's only a small chance you'll be able to stop it this way, but it's worth a try.

2) Ensure the infected device is kept off the network

Keep the infected drive or machine unplugged and disconnected from the network while you're attempting to find a solution. This will ensure the ransomware doesn't spread any further through your system.

3) Do NOT pay the ransom

There are several good reasons not to cave in and pay, even if you're desperate to get your files back. Firstly, there's no guarantee the cyber-criminals are going to send you the password; even if they do, your files may be damaged beyond repair. Paying the ransom will also encourage further ransomware attacks and could fund other criminal enterprises.

4) Check if you have the ability to use System Restore

Windows computers have a function called System Restore which may be able to reinstall a previous clean version of your system. However, recent versions of Cryptolocker also delete "shadow files," meaning a clean restore isn't possible.

Can I regain control of my files without paying the ransom?

Because of the way the files are encrypted, there's no possibility of using a "brute-force" program to crack the private key. Early versions of ransomware often hid the private key somewhere in memory or simply hid the affected files. Unfortunately, there aren't many newer versions of ransomware that do this, and the files are usually fully encrypted. However, it may be worth researching the type of malware you've been infected with to see if there are any similar potential solutions. If a clean restore isn't an option, or you don't have a back-up of your data, your files should be considered lost forever.

Ransomware is a serious threat to individuals and businesses alike; even multi-national companies have been targeted. Due to the way ransomware constantly evolves, basic anti-virus programs struggle to provide adequate protection. It can spread in many ways, so you should utilize a multi-faceted security system which provides protection for everything, from your network to your browser. It's vital to keep these measures fully updated and patched, as updates often contain essential security fixes which can help protect you from the threat of ransomware. If you're a business owner, ensure all staff receive regular training to keep them informed about online security matters.

If the worst happens and you find your files infected with a variant of ransomware, you'll probably not be able to retrieve them, although by taking swift action you may be able to limit some of the damage. The System Restore function isn't guaranteed to reinstall your files, so having recent offline back-ups of essential data is an absolute must. This should be your first priority when developing an action plan to deal with the growing threat of ransomware.