What is Ransomware?
Ransomware is a subset of malware in which the data on a victim's computer is locked — typically by encryption — and payment is demanded before the ransomed data is decrypted and access is returned to the victim. The motive for ransomware attacks is usually monetary, and unlike other types of attacks, the victim is usually notified that an exploit has occurred and is given instructions for how to recover from the attack.
Payment is often demanded in a virtual currency, such as bitcoin, so that the cybercriminal's identity is not known. Ransomware can be spread through malicious attachments found in emails, infected malicious software apps, infected external storage devices and compromised websites. Attacks have also used Remote Desktop Protocol and other approaches that do not rely on any form of user interaction.
How do Ransomware attacks work?
Ransomware kits on the deep web have enabled cybercriminals to purchase and use software tools to create ransomware with specific capabilities. They can then generate this malware for their own distribution, with ransoms paid to their bitcoin accounts. As with much of the rest of the information technology world, it is now possible for those with little or no technical background to order inexpensive ransomware as a service (RaaS) and launch attacks with minimal effort.
One of the more common methods of delivering ransomware attacks is through a phishing email. An attachment the victim thinks they can trust is added to an email as a link. Once the victim clicks on that link, the malware in the file begins to download. Other, more aggressive forms of ransomware exploit security holes to infect a system, so they do not have to rely on tricking users. The malware can also be spread through chat messages, removable Universal Serial Bus (USB) drives or browser plugins. Once the malware is in a system, it begins encrypting the victim's data. It then adds an extension to the files, making them inaccessible. Once this is done, the files cannot be decrypted without a key known only to the attacker. The ransomware then displays a message to the victim, explaining that the files are inaccessible and can only be accessed again upon paying a ransom to the attackers — commonly in the form of bitcoin.
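The behaviour just described (many files rewritten and renamed to a new extension by one process, then a note dropped) is what a defender can watch for. The following is an added example, not code from the original article: a small detector that parses a constructed file-activity log and raises an alert when one process renames more than a threshold of files to a new extension within a time window. The log format, the field names (pid, user, op, src, dst) and the threshold and window values are assumptions chosen for this example; a real deployment would map them onto whatever file-auditing source is in use.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from pathlib import PurePosixPath

# Constructed sample file-activity log (invented for this example, not from any real system).
# pid 7733 renames five files to ".locked" in a few seconds and then writes a note;
# the other processes perform ordinary renames that keep or change a single extension.
SAMPLE_LOG = """\
2024-05-01T10:00:01 pid=4120 user=alice op=WRITE path=/srv/share/notes.txt
2024-05-01T10:00:02 pid=7733 user=svc op=RENAME src=/srv/share/q1.xlsx dst=/srv/share/q1.xlsx.locked
2024-05-01T10:00:02 pid=7733 user=svc op=RENAME src=/srv/share/q2.xlsx dst=/srv/share/q2.xlsx.locked
2024-05-01T10:00:03 pid=7733 user=svc op=RENAME src=/srv/share/plan.docx dst=/srv/share/plan.docx.locked
2024-05-01T10:00:03 pid=4120 user=alice op=RENAME src=/srv/share/draft.txt dst=/srv/share/final.txt
2024-05-01T10:00:04 pid=7733 user=svc op=RENAME src=/srv/share/budget.pdf dst=/srv/share/budget.pdf.locked
2024-05-01T10:00:04 pid=7733 user=svc op=RENAME src=/srv/share/photo.jpg dst=/srv/share/photo.jpg.locked
2024-05-01T10:00:05 pid=7733 user=svc op=WRITE path=/srv/share/README_RESTORE.txt
2024-05-01T10:05:00 pid=9001 user=bob op=RENAME src=/home/bob/a.log dst=/home/bob/a.log.bak
"""

LINE_RE = re.compile(r'^(?P<ts>\S+) pid=(?P<pid>\d+) user=(?P<user>\S+) op=(?P<op>\w+) (?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=(\S+)')


def parse_line(line):
    """Parse one log line into a dict; returns None for lines that do not match the assumed format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev['ts'] = datetime.fromisoformat(ev['ts'])
    ev['pid'] = int(ev['pid'])
    ev.update(dict(KV_RE.findall(ev.pop('rest'))))  # src=/dst= or path= depending on op
    return ev


def extension_changed(src, dst):
    """True when a rename appends or swaps the final extension (q1.xlsx -> q1.xlsx.locked)."""
    return PurePosixPath(src).suffix != PurePosixPath(dst).suffix


def detect_mass_rename(log_text, threshold=4, window=timedelta(seconds=60)):
    """Alert once per process that renames >= threshold files to a new extension inside the window."""
    recent = defaultdict(deque)  # pid -> deque of (timestamp, new suffix) within the window
    alerts, alerted = [], set()
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None or ev['op'] != 'RENAME' or not extension_changed(ev['src'], ev['dst']):
            continue
        q = recent[ev['pid']]
        q.append((ev['ts'], PurePosixPath(ev['dst']).suffix))
        while q and ev['ts'] - q[0][0] > window:   # drop events older than the window
            q.popleft()
        if len(q) >= threshold and ev['pid'] not in alerted:
            alerted.add(ev['pid'])
            alerts.append({
                'pid': ev['pid'],
                'user': ev['user'],
                'count': len(q),
                'new_extensions': sorted({suffix for _, suffix in q}),
                'first_seen': q[0][0].isoformat(),
            })
    return alerts


if __name__ == '__main__':
    for alert in detect_mass_rename(SAMPLE_LOG):
        print('ALERT: possible ransomware activity', alert)
```

The rename burst is only one signal; the note dropped at 10:00:05 and the volume of writes by the same process would be corroborating evidence, and a real monitor would feed this alert into the "monitor the network for suspicious activity" and "disconnect the machine" steps the article lists below.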
Who is targeted by ransomware?
Ransomware targets can vary from a single individual, a small to medium-sized business (SMB) or an enterprise-level organization to an entire city. Public institutions are especially vulnerable to ransomware because they lack the cybersecurity to defend against it adequately. The same is true for SMBs. In addition to spotty cybersecurity, public institutions have irreplaceable data that could cripple them if made unavailable. This makes them more likely to pay.
What are the effects of ransomware on businesses?
The impact of a ransomware attack on a business can be devastating. According to safeatlast.co, ransomware cost businesses over $8 billion in the past year, and over half of all malware attacks were ransomware attacks. Some effects include the following:
loss of a business's data;
downtime as a result of compromised infrastructure;
lost productivity as a result of downtime;
loss of potential revenue;
costly recovery efforts that potentially outweigh the ransom itself;
long-term damage to both data and data infrastructure;
damage to a business's previous reputation as secure; and
loss of customers and, in worst cases, the potential for personal harm if the business deals in public services such as healthcare.
How do you prevent ransomware attacks?
To protect against ransomware threats and other types of cyberextortion, security experts urge users to do the following:
Back up computing devices regularly.
Inventory all assets.
Update software, including antivirus software.
Have end users avoid clicking on links in emails or opening email attachments from strangers.
Avoid paying ransoms.
Avoid giving out personal information.
Do not use unknown USB sticks.
Only use known download sources.
Personalize antispam settings.
Monitor the network for suspicious activity.
Use a segmented network.
Adjust security software to scan compressed and archived files.
Disconnect the computer from the network after spotting a suspicious process on it.
While ransomware attacks may be nearly impossible to stop, individuals and organizations can take important data protection measures to ensure that damage is minimal and recovery is as quick as possible. Strategies include the following:
Compartmentalize authentication systems and domains.
Keep up-to-date storage snapshots outside the primary storage pool.
Enforce hard limits on who can access data and when access is permitted.
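A snapshot kept outside the primary storage pool is only useful if you can tell, at restore time, that the snapshot itself is intact and how much of the live data was damaged. The following is an added example, not code from the original article: it records a SHA-256 manifest of a directory at backup time, stores it alongside an offline copy, and later checks both the live tree and the offline copy against that manifest. The directory layout, file contents and the simulated damage (files renamed with a ".locked" suffix, their contents replaced, a note dropped) are all constructed inside a temporary directory for this example.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def build_manifest(root):
    """Map each file (path relative to root, POSIX form) to the SHA-256 of its contents."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob('*')) if p.is_file()
    }


def save_manifest(manifest, path):
    """Persist the manifest as JSON; keep this next to the offline snapshot, not on the live system."""
    Path(path).write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(path):
    return json.loads(Path(path).read_text())


def verify_against_manifest(root, manifest):
    """Compare a tree with a stored manifest: files missing, files added, files whose hash changed."""
    current = build_manifest(root)
    common = manifest.keys() & current.keys()
    return {
        'missing': sorted(manifest.keys() - current.keys()),
        'added': sorted(current.keys() - manifest.keys()),
        'modified': sorted(k for k in common if manifest[k] != current[k]),
    }


def is_clean(report):
    """True when the tree matches the manifest exactly, i.e. the snapshot is safe to restore from."""
    return not (report['missing'] or report['added'] or report['modified'])


def demo():
    """Constructed scenario: snapshot taken, live copy damaged, both trees verified. Returns both reports."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        live = tmp / 'live'
        (live / 'finance').mkdir(parents=True)
        (live / 'finance' / 'q1.xlsx').write_bytes(b'constructed spreadsheet data')
        (live / 'plan.docx').write_bytes(b'constructed document data')
        (live / 'notes.txt').write_bytes(b'constructed notes')

        # Backup time: hash the live tree, copy it to the "offline" location, store the manifest there.
        manifest = build_manifest(live)
        offline = tmp / 'offline_snapshot'
        shutil.copytree(live, offline)
        save_manifest(manifest, tmp / 'snapshot.manifest.json')

        # Constructed damage to the live tree only: contents replaced, files renamed, a note dropped.
        for p in list(live.rglob('*')):
            if p.is_file():
                p.write_bytes(b'<unreadable placeholder>')
                p.rename(p.with_name(p.name + '.locked'))
        (live / 'README_RESTORE.txt').write_text('constructed ransom note')

        # Restore time: check the damage on the live tree and confirm the offline copy is untouched.
        saved = load_manifest(tmp / 'snapshot.manifest.json')
        return verify_against_manifest(live, saved), verify_against_manifest(offline, saved)


if __name__ == '__main__':
    live_report, offline_report = demo()
    print('live tree:', live_report)
    print('offline snapshot clean:', is_clean(offline_report))
```

The manifest has to live with the offline copy: if it sits on the primary pool it gets encrypted along with everything else, and the check above degrades to "the snapshot is whatever it is". In the constructed scenario the live report lists every original file as missing and every ".locked" file plus the note as added, while the offline snapshot verifies clean.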
How to remove ransomware
There is no guarantee that victims can stop a ransomware attack and regain their data; however, there are methods that may work in some cases. For example, victims can stop and reboot their system in safe mode, install an antimalware program, scan the computer and restore the computer to a previous, noninfected state. Victims could also restore their system from backup files stored on a separate disk. If they are in the cloud, then victims could reformat their disk and restore from a previous backup.
Windows users specifically could use System Restore, which is a function that rolls Windows devices and their system files back to a certain marked point in time — in this case, before the computer was infected. For this to work, System Restore needs to be enabled beforehand so that it can mark a place in time for the computer to return to. Windows enables System Restore by default. For a general step-by-step process in identifying and removing the ransomware, follow these recommendations:
cannot recover its files, it will be able to restore from a backup.
Ensure system optimization or cleanup software does not remove the infection or other necessary ransomware files. The files must first be isolated and identified.
Quarantine the malware using antimalware software. Also, make sure the attackers did not create a backdoor that can allow them to access the same system at a later date.
Identify the ransomware type and exactly which encryption method was used. Decryptor and ransomware recovery tools can help determine the type of ransomware.
Once identified, ransomware recovery tools can be used to decrypt files. Because of the different and evolving methods of ransomware, there is no absolute guarantee that the tool will be able to help.