Ransomware: Malware in Its Cruelest Form
Ransomware is nothing new; it dates back to the AIDS Trojan of 1989, which was distributed on floppy disks. Because it was the 80s, the victim did not pay electronically with bitcoin but had to mail the money to a post office box.
Payment requirements aren’t the only change, of course. Ransomware attacks have become increasingly sophisticated and increasingly common.
Let’s look at how ransomware works.
Step 1: Infection
How does a device or system get infected with ransomware? All of the usual malware methods are applicable to ransomware infection:
- Emails with malicious links or attachments
- Drive-by downloads from compromised or malicious websites
- Clicking malicious links on a website
- Malvertising (malicious advertising) links that lead to exploit kits or downloads
- Exploitation of unpatched system vulnerabilities, especially in internet-facing services
- Remote access (for example, RDP or VPN) using stolen or brute-forced credentials
- Self-propagating ransomware (cryptoworms) that spreads across a network without any user action
Step 2: Execution
Once the ransomware is on your system, the real damage begins. Earlier ransomware was known for blocking system access immediately upon boot up or when your operating system loaded. Recent variants encrypt files on your local hard drive, on mapped network drives, and even on network shares that are reachable but not mapped to a drive letter, leaving your files inaccessible.
The more vicious versions of ransomware delete files one by one as the ransom deadline approaches. Advanced ransomware goes as far as locating backups and deleting or encrypting them, for example by deleting Volume Shadow Copies and disabling Windows recovery before the encryption starts. The latest variants not only take your files hostage but also exfiltrate data first and threaten to publish it if you do not pay (so-called double extortion).
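The backup destruction and mass encryption described above leave traces in ordinary endpoint telemetry (process creation and file events). What follows is an added example, not code from the original article: detection logic run over constructed sample events that flags command lines which delete Volume Shadow Copies or disable Windows recovery, and a single process renaming an unusual number of files within a short window. The event format, the process names and the thresholds are assumptions for illustration.

```python
"""Detect two ransomware execution behaviours from endpoint telemetry:
backup destruction (shadow copy / recovery tampering) and a file-rename burst.
Added example; the events below are constructed, not from a real incident."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Command lines widely documented as ransomware pre-encryption steps on Windows.
# Illustrative, not exhaustive: extend with what your own telemetry shows.
BACKUP_TAMPER_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
    re.compile(r"bcdedit(\.exe)?\s+.*recoveryenabled\s+no", re.I),
]


def build_sample_events():
    """Constructed telemetry: (timestamp, kind, process, detail).
    kind is 'process' (command line) or 'rename' (new file path)."""
    base = datetime(2023, 5, 1, 10, 0, 0)
    events = [
        (base, "process", "cmd.exe", "vssadmin.exe delete shadows /all /quiet"),
        (base + timedelta(seconds=1), "process", "explorer.exe",
         "notepad.exe C:\\Users\\a\\notes.txt"),
        (base + timedelta(seconds=2), "process", "powershell.exe",
         "bcdedit /set {default} recoveryenabled No"),
    ]
    # Benign: a user saving a handful of documents over a minute.
    for i in range(5):
        events.append((base + timedelta(seconds=10 * i), "rename", "WINWORD.EXE",
                       f"C:\\Users\\a\\doc{i}.docx"))
    # Malicious: one process (assumed lookalike name) renaming 200 files on an
    # unmapped share in about four seconds, appending a new extension to each.
    for i in range(200):
        events.append((base + timedelta(seconds=30, milliseconds=20 * i), "rename",
                       "svchost_.exe", f"\\\\fileserver\\finance\\file{i}.xlsx.locked"))
    return events


def detect(events, burst_threshold=50, window=timedelta(seconds=10)):
    """Return a list of (alert_type, process, detail) tuples."""
    alerts = []
    rename_times = defaultdict(list)
    for ts, kind, proc, detail in sorted(events, key=lambda e: e[0]):
        if kind == "process":
            if any(p.search(detail) for p in BACKUP_TAMPER_PATTERNS):
                alerts.append(("backup_tamper", proc, detail))
        elif kind == "rename":
            rename_times[proc].append(ts)
    # Sliding window over each process's rename timestamps: alert once if any
    # window of `window` seconds holds at least `burst_threshold` renames.
    for proc, times in rename_times.items():
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= burst_threshold:
                alerts.append(("rename_burst", proc,
                               f"{end - start + 1} renames within "
                               f"{window.total_seconds():.0f}s"))
                break
    return alerts


if __name__ == "__main__":
    for alert in detect(build_sample_events()):
        print(alert)
```

Tune the burst threshold against your own baseline rather than lowering it until the alert goes quiet: backup agents, build systems and bulk migrations also rename many files quickly, so allow-list those processes explicitly. The backup-tamper rule needs no tuning; there is almost never a legitimate reason for a user shell to delete every shadow copy quietly.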
The major takeaway: ransomware is evolving and cybercriminals are going to do whatever it takes to make the victim pay.
WARNING: Nothing is safe. If it’s connected, it’s at risk!
- External hard drives
- USB removable media
- Synced cloud storage
What to Do if Your Organization is Attacked
Take these actions if your organization is affected by ransomware:
- Disconnect infected devices from the network (unplug the cable, disable Wi-Fi, or quarantine the switch port) to prevent the ransomware from spreading to other devices. Isolate rather than power off where you can, so that memory and other volatile evidence remain available for investigation.
- Turn off any cloud syncing. Files encrypted on an infected system will otherwise sync to the cloud and overwrite the good copies there. If your cloud service keeps file versions, earlier versions may still be recoverable once syncing is stopped.
- Activate your Incident Response Plan, if you have one. (If you don’t, this article explains what an Incident Response Plan should include.)
- Restore from backups held on a disconnected drive or on a connected drive that you have verified was not touched by the attack. Rebuild or reimage infected systems before restoring data onto them: malware could still exist on your systems even after you contain the attack, and restoring onto a live infection only gets the restored files encrypted again.
- If you do not have backups, research whether a decryptor or the decryption keys for the strain have been released (the No More Ransom project, run by law enforcement and security vendors, catalogs them). This is not always the case, but sometimes you can recover your files without paying the ransom.
- Contact your legal counsel. They can advise you on steps such as contacting law enforcement and notifying affected parties, where contract or regulation requires it.
- Contact your insurance company. Cyber policies often contain provisions that only apply if the insurer’s protocol is followed, such as prompt notification or use of approved responders, so involve them early.
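Two of the steps above depend on knowing which files were actually encrypted (to scope the restore) and whether the backup set you intend to restore from is itself intact. The following is an added example, not CapinTech’s code: it walks a directory tree and classifies each file as intact, encrypted or a ransom note, using file headers (magic bytes), appended extensions and byte entropy. The magic-byte table, the ransom-note naming pattern and the sample tree it builds in a temporary directory are assumptions for illustration.

```python
"""Scope a ransomware incident: classify every file under a directory as
intact, encrypted or a ransom note. Added example; the sample tree is
constructed in a temporary directory so the script runs offline."""
import math
import os
import re
import tempfile
import zipfile
from pathlib import Path

# Header bytes for a few common formats (assumed table; extend for your estate).
# A file that keeps its extension but loses its header was overwritten in place.
MAGIC = {
    ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04", ".zip": b"PK\x03\x04",
    ".pdf": b"%PDF", ".png": b"\x89PNG", ".jpg": b"\xff\xd8\xff",
}
# Typical ransom-note names (assumed pattern; set it to what the strain drops).
RANSOM_NOTE_RE = re.compile(r"(readme|decrypt|restore|how_to|recover).*\.(txt|html|hta)$", re.I)
ENTROPY_FLAG = 7.5  # bits per byte; encrypted or random data approaches 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty or uniform input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify(path: Path, sample_bytes: int = 65536) -> str:
    """Return 'ransom_note', 'encrypted' or 'intact' for one file."""
    if RANSOM_NOTE_RE.search(path.name):
        return "ransom_note"
    suffixes = [s.lower() for s in path.suffixes]
    # Classic marker: a new extension appended after a known type (file.xlsx.locked).
    if len(suffixes) >= 2 and suffixes[-2] in MAGIC and suffixes[-1] not in MAGIC:
        return "encrypted"
    with path.open("rb") as f:
        head = f.read(sample_bytes)
    ext = suffixes[-1] if suffixes else ""
    if ext in MAGIC:
        return "intact" if head.startswith(MAGIC[ext]) else "encrypted"
    # Unknown extension: fall back to entropy. Plain text sits well below 7.5.
    return "encrypted" if shannon_entropy(head) >= ENTROPY_FLAG else "intact"


def triage(root) -> dict:
    """Walk `root` and group relative file paths by classification."""
    summary = {"intact": [], "encrypted": [], "ransom_note": []}
    for p in Path(root).rglob("*"):
        if p.is_file():
            summary[classify(p)].append(str(p.relative_to(root)))
    return summary


def build_sample_tree() -> str:
    """Constructed sample data: three good files, two encrypted, one note."""
    root = tempfile.mkdtemp(prefix="ransom_triage_")
    d = Path(root)
    (d / "notes.txt").write_text("quarterly planning notes\n" * 40)
    with zipfile.ZipFile(d / "budget.xlsx", "w") as z:   # real OOXML is a zip
        z.writestr("xl/workbook.xml", "<workbook/>")
    (d / "contract.pdf").write_bytes(b"%PDF-1.4\n" + b"x" * 2000)
    (d / "report.docx").write_bytes(os.urandom(4096))       # encrypted in place
    (d / "plan.xlsx.locked").write_bytes(os.urandom(4096))  # renamed on encryption
    (d / "README_DECRYPT.txt").write_text("Your files are encrypted. Pay to recover.\n")
    return root


if __name__ == "__main__":
    for label, files in triage(build_sample_tree()).items():
        print(label, sorted(files))
```

Run it against the backup volume before you trust it: the article notes that advanced ransomware goes after backups, so a set with a high encrypted count is not a restore source. The entropy fallback will also flag legitimately compressed formats that are missing from the magic table (.gz, .7z, most media), so extend MAGIC with the formats common in your environment and treat its output as a worklist for review, not a verdict.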
Interesting Facts About Ransomware
- Some variants lock your bitcoin wallet too! This is the digital equivalent of physically stealing someone’s wallet.
- Ransomware-as-a-Service (RaaS) is exactly what it sounds like: developers rent their ransomware to affiliates who carry out the attacks and share the proceeds, so anyone can extort victims of their choosing without writing a line of code.
Tips for Fighting Ransomware
Use this short checklist to help protect your organization from ransomware:
- Use effective malware protection, and keep it updated
- Implement robust patch management procedures, prioritizing internet-facing systems
- Install web content filters to block known malicious sites and malvertising
- Disable macros in Microsoft Office, or allow only digitally signed macros
- Limit use of user accounts with elevated privileges; day-to-day work should not run as an administrator, so that ransomware inherits only an ordinary user’s rights
- Require multi-factor authentication for remote access, since stolen credentials are a common way in
- Training! Training! Training!
- Back up your data to disconnected (offline or immutable) media, and test restores regularly; a backup you cannot restore from is not a backup
It’s important to layer controls so that if one control fails, others are in place to help prevent an attack.
If you have questions about this or other cybersecurity issues, please contact us at firstname.lastname@example.org.
Lisa is a partner at CapinTech. She uses her more than 30 years of experience to assist organizations in implementing measures to secure data and manage risks efficiently and effectively. She is a nationally recognized speaker and author, and serves on the AICPA Cybersecurity Task Force. Lisa founded Traina & Associates in 1999 to provide IS security services to a broad range of industries. Traina & Associates joined CapinCrouse in January 2017 and is now CapinTech.