Ransomware - Information and Protection

A relatively new phenomenon involving malware and viruses is ransomware, where malicious outsiders implant a program in your computer that can prevent you from accessing your operating system or using your files. The hackers then demand a ransom in the form of payment to an account they designate to restore access to your system and files. First seen in Russia, the practice has since spread worldwide, with ransomware costing organisations millions of dollars per year in payments. This executive summary describes the different types of ransomware and outlines steps you can take to protect your valuable IT assets from the practice.

Types of ransomware

The various types of ransomware typically perform the following functions:

  • Keep you from being able to access your operating system (such as Microsoft Windows or Apple OS X)
  • Prevent certain apps from running, for instance your web browser
  • Encrypt files, making them inaccessible
  • Continuously block your screen with unwanted advertising messages to try to get you to buy “anti-virus” or “security” software in order to stop the spam

The two main types of the malicious software are called “crypto” and “locker” ransomware. The crypto version encrypts files, while the locker version prevents you from accessing the user interface. Ransomware is essentially a form of denial-of-access (DOA), preventing users from gaining access to their computers and the files on them. It is typically implanted on a computer by a Trojan, which is a form of virus that appears to be an ordinary file but is in fact malware that injects its payload into the host computer.

Protecting yourself from ransomware

Whilst using a firewall and anti-virus software is recommended, relying on these measures alone to protect against ransomware can be dangerous as new ransomware software is being developed all the time.

To protect against ransomware, the following steps are recommended:

Update your operating system and all software regularly: Most anti-virus (AV) software programs can recognize and block most types of ransomware. To ensure that your AV solution is equipped to deal with the most recent ransomware developments, check your settings to make sure that it is set to auto-update. You should also make a point of regularly updating your operating system to help avoid being infected with ransomware due to security flaws in older operating system versions.

Back up all computers and mobile devices on a regular basis: To provide the most comprehensive protection against ransomware, make sure you back up all vital files to a backup system that is not directly linked to your system on a continuous basis. Backing up to a cloud solution offers the dual advantage of providing physical security for your data, as you don’t have to worry about protecting your data by locating your backup disk drive at a location separate from your main computer system.

In the event of a ransomware attack that encrypts your files, you can then restore your files from the backup location.

Utilise Restore points: If you are using a Windows system, it should be set up to maintain “restore points” which the system can be rolled back to if necessary (this setting is on by default in Windows 7 and later). However, you should be aware that some ransomware can delete restore points in Windows.

Virtual snapshot and virtual desktop infrastructure: Another option for protecting your system from ransomware is to use either virtual system snapshots or virtual desktop infrastructure (VDI). These options are more expensive than those previously mentioned, but have the advantage of providing robust business continuity protection from a variety of risks for your company in addition to ransomware, including system outages, equipment theft, data corruption and other major system incidents.

Dealing with a ransomware attack

If you experience an attack by ransomware, check to see if you are able to access your computer’s files and folders, such as those in the Documents and Pictures directories. If you are unable to bypass the ransom note, you are facing a locker ransomware attack. If you are able to navigate on the screen, but files are encrypted, you are dealing with a crypto ransomware attack.

In case of a locker ransomware attack: First reboot the computer in Safe Mode by pressing both the power button and S key on the keyboard simultaneously. Once the computer has restarted, run your AV software to see if it will remove the ransomware. If the AV solution is unable to remove the ransomware, perform a System Restore if you are using Windows to restore the system to the most recent “safe” point.

In case of a crypto ransomware attack: Download and run Kaspersky Ransomware Decryptor, which is able to decrypt locked files in certain cases if the type of ransomware used is covered by the solution. You can also try another tool from FireEye and Fox-IT which may be able to help recover files encrypted by the Crilock ransomware program.

If this does not solve the problem, check your backup data to make sure that it is sufficient to allow full recovery, and then overwrite the files which have been encrypted with the unencrypted backup files. In cases where you don’t possess acceptable backup files, you may be faced with deciding whether to pay the ransom to regain access to your files.
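The backup check described above can be scripted. The following is an added example, not part of the original article: it assumes a SHA-256 manifest was recorded at backup time and stored away from the affected computer, and the function names and manifest format are hypothetical.

```python
import hashlib
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large files do not fill memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Run at backup time: map each relative path under root to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def check_tree(root: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare a directory tree with the manifest.

    missing: listed in the manifest but absent (deleted or renamed)
    changed: present but with a different hash (corrupted or encrypted)
    """
    report = {"missing": [], "changed": []}
    for rel, expected in manifest.items():
        path = root / rel
        if not path.is_file():
            report["missing"].append(rel)
        elif sha256_file(path) != expected:
            report["changed"].append(rel)
    return report


def restore_plan(live: Path, backup: Path, manifest: dict[str, str]) -> list[str]:
    """List files to copy back; refuse if the backup itself fails the check."""
    backup_report = check_tree(backup, manifest)
    if backup_report["missing"] or backup_report["changed"]:
        raise ValueError(f"backup incomplete or altered: {backup_report}")
    live_report = check_tree(live, manifest)
    return sorted(live_report["missing"] + live_report["changed"])
```

Files that ransomware has renamed with a new extension show up as missing on the live system, so they are included in the restore list alongside files whose contents changed.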

Conclusion

The chance that your company’s computers will be infected by ransomware can be significantly reduced by taking the steps listed above. Given the prevalence of this malware in recent years, and the damage such programs can inflict, making sure that you have thoroughly reviewed your IT system settings and operational procedures to repel such programs is highly recommended.