Don’t Get Held Hostage - Defending Against Ransomware

If you follow Nodal’s official Twitter account (and you should!), we regularly report on current malware and hacking trends and other security issues that can impact our clients’ systems.  One increasingly common form of attack is an extortion scheme known as ‘ransomware’.  This article will discuss just what ransomware is, how it may affect you, and what can be done to combat it.

What is ransomware?

As its name suggests, ransomware is malicious software that holds your data hostage until a ransom is paid to the attackers, usually in a cryptocurrency such as Bitcoin that is hard to trace back to a person.  It does this by encrypting the files it can reach from the target system (documents, photos, databases, and often any attached drives or network shares as well), leaving them unreadable to the user.  Because modern encryption cannot realistically be broken by brute force, the only practical way to recover the locked files is with the decryption key generated during the attack.  That key is held by the attackers (typically it is itself encrypted with a key that only they possess, so nothing useful is left behind on the victim’s machine), and they will (hopefully) hand it over in exchange for the ransom fee.

As discussed in our article covering phishing scams, scammers will often use social pressure and fear to try to coerce a payment; for example, they may threaten to delete the decryption key, or raise the price, if the ransom is not paid within a certain timeframe.

A variation on the ransomware scam is one where the attackers also copy your data and threaten to publish it unless a ransom is paid.  This can be especially damaging if the information is sensitive or potentially embarrassing: payroll and banking information, creative work that has not been approved for public release, medical records, and other personal data.  This variety of attack is also referred to as ‘leakware’ or ‘doxware’, and it is now commonly combined with encryption so that even a victim with good backups can still be pressured to pay.

How ransomware attacks happen

Ransomware gets onto systems much like any other malware.  In most cases it is disguised as a legitimate file (an invoice, a delivery notice, a software installer) sent as an email attachment or via some other messaging application, with the goal of tricking the user into opening it on their system.

Sometimes the malware instead exploits known vulnerabilities in common software and operating systems.  For example, the infamous ‘WannaCry’ worm from 2017, which affected over 300,000 systems worldwide, spread on its own by exploiting a flaw in the SMB file-sharing service of Windows systems that had not installed the fix Microsoft published as MS17-010 in March 2017, two months before the outbreak.  Systems that were up to date with their patches were not affected.

How to prevent ransomware attacks

Most common anti-malware practices will provide at least some defense against ransomware attacks:

  • Employ software or security policies which prevent unapproved programs from launching (for example, application allow-listing, or blocking executables that run from the folders where email attachments and downloads are saved).

  • Use a dedicated antivirus or anti-malware program and keep it up-to-date.

  • Apply operating system and security updates promptly.  WannaCry only reached systems that were missing a patch which had been available for two months.

  • Perform due diligence when opening emails and attachments, and be especially wary of documents that ask you to ‘enable content’ or ‘enable macros’ before they will display.

Additional steps should include creating regular offline backups of important data.  Ransomware will encrypt any volume it can reach from the infected system, including mapped network shares and attached external drives, so do not assume data is safe simply because it lives on a second disk.  A backup that is disconnected after it is taken and stored in a secure location is out of the ransomware’s reach.  Make sure it was taken before the infection (a backup of already-encrypted files is worthless), keep more than one generation so that an infected backup does not overwrite your only clean one, and test that you can actually restore from it.
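One check worth building into a backup routine is an integrity manifest: hash every file when the offline copy is taken, store the manifest with the copy, and re-check before trusting a restore.  The following is an added example, not Nodal’s code; it models the backup set as an in-memory dictionary of path to bytes so that it runs without touching a disk, and the HMAC over the manifest (keyed with a secret kept with the offline copy) is this example’s own design choice, so that an attacker who rewrites the backup cannot also quietly regenerate a matching manifest.

```python
"""Integrity manifest for an offline backup set (added example, not Nodal's code).

The backup set is modelled as a dict of path -> bytes so the code runs
with no real files.  The same logic applies to a directory tree: hash each
file when the backup is taken, keep the manifest and its MAC key with the
offline copy, and verify before restoring.
"""
import hashlib
import hmac
import json
import os


def build_manifest(files: dict) -> dict:
    """Map each path to the SHA-256 of its contents at backup time."""
    return {path: hashlib.sha256(data).hexdigest()
            for path, data in sorted(files.items())}


def sign_manifest(manifest: dict, key: bytes) -> str:
    """HMAC-SHA256 over the canonical JSON form of the manifest.

    Without this, malware that encrypts the backup volume could simply
    rebuild the manifest to match the encrypted files.  The key must not
    live on the machine being backed up (assumed: stored with the copy).
    """
    body = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def verify_backup(files: dict, manifest: dict, tag: str, key: bytes) -> list:
    """Return a list of problems; an empty list means the backup is intact."""
    problems = []
    if not hmac.compare_digest(sign_manifest(manifest, key), tag):
        problems.append("manifest MAC mismatch: manifest itself was altered")
        return problems
    for path, expected in manifest.items():
        if path not in files:
            problems.append(f"missing: {path}")
        elif hashlib.sha256(files[path]).hexdigest() != expected:
            problems.append(f"modified: {path}")
    for path in files:
        if path not in manifest:
            problems.append(f"unexpected: {path}")
    return problems


# Constructed sample data, not real files.
ORIGINAL = {
    "docs/payroll.xlsx": b"employee,salary\nalice,50000\nbob,52000\n",
    "docs/contract.docx": b"Draft agreement v3 - not yet approved\n",
}
KEY = os.urandom(32)  # in practice generated once and kept with the offline copy


def demo() -> tuple:
    """Verify a clean copy, then a copy that was still attached during an attack."""
    manifest = build_manifest(ORIGINAL)
    tag = sign_manifest(manifest, KEY)
    clean = verify_backup(ORIGINAL, manifest, tag, KEY)

    # Simulated damage: every file replaced by ciphertext-like bytes of the
    # same length, plus a ransom note dropped into the folder.
    hit = {path: os.urandom(len(data)) for path, data in ORIGINAL.items()}
    hit["docs/README_DECRYPT.txt"] = b"Your files are encrypted. Pay to recover.\n"
    damaged = verify_backup(hit, manifest, tag, KEY)

    # An attacker without KEY cannot forge a manifest that matches the damage.
    forged = verify_backup(hit, build_manifest(hit), tag, KEY)
    return clean, damaged, forged


if __name__ == "__main__":
    for label, result in zip(("clean", "damaged", "forged"), demo()):
        print(label, result or "OK")
```

A real routine would walk the backup directory instead of a dictionary and would run the verification step on the restore side as well, so that a backup generation that was already encrypted when it was taken is rejected rather than restored.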

What to do if you’re affected

Despite all due diligence, malware attacks can still happen.  Antivirus and security tools are constantly updated, but they cannot predict every new strain of ransomware before it is deployed.  Depending on the nature of the attack and the data affected, your options may be limited.

First, it may be possible to detect and stop a ransomware attack as it is happening.  Encrypting a large amount of data takes time, so if you notice strange behaviour on your computer (especially soon after launching a software installer or opening an attachment), such as heavy disk activity, files changing to an unfamiliar extension, or ‘ransom note’ files appearing in your folders, disconnect the machine from the network immediately and stop the malicious program.  This will not restore data that has already been encrypted, but it may save the bulk of your files if you act quickly, and disconnecting prevents the malware from reaching network shares and other machines.
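The behaviour described above can be recognised automatically: many files rewritten in a short burst, new contents that look random (close to 8 bits of entropy per byte, as encrypted data does), and files picking up a new extension.  The following is an added example of that detection logic, not Nodal’s code or any particular product’s; the events it runs over are constructed stand-ins for a file-system audit log, and the entropy threshold, burst window, suspicious-extension list and per-window file count are assumptions chosen for the example.

```python
"""Behavioural detector for in-progress file encryption (added example, not Nodal's code).

Runs over a stream of file-write events of the form
{"t": seconds, "path": str, "data": bytes}.  Real deployments would feed
it from a file-system audit log; here the events are constructed.
"""
import hashlib
import math
import os
from collections import Counter, deque

ENTROPY_THRESHOLD = 7.5          # bits per byte; assumed cut-off for "looks encrypted"
SUSPECT_EXTENSIONS = {".locked", ".encrypted", ".crypt", ".enc"}  # assumed list


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: plain text sits around 4-5, ciphertext or random data near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def is_suspicious_write(event: dict) -> bool:
    """A single write looks like encryption output if the new contents are
    near-random or the file has gained a typical ransomware extension."""
    ext = os.path.splitext(event["path"])[1].lower()
    return (shannon_entropy(event["data"]) > ENTROPY_THRESHOLD
            or ext in SUSPECT_EXTENSIONS)


def detect(events, window_s: float = 10.0, threshold: int = 5):
    """Return (alert_time, sorted paths) for the first window containing
    `threshold` suspicious writes to distinct files, or None if the stream
    looks normal.

    Legitimate archives, images and videos are also high-entropy, so the
    burst requirement matters: one zip file being saved must not alert.
    """
    recent = deque()  # (t, path) of suspicious writes inside the window
    for ev in sorted(events, key=lambda e: e["t"]):
        if not is_suspicious_write(ev):
            continue
        recent.append((ev["t"], ev["path"]))
        while recent and ev["t"] - recent[0][0] > window_s:
            recent.popleft()
        paths = {p for _, p in recent}
        if len(paths) >= threshold:
            return ev["t"], sorted(paths)
    return None


def _random_looking(seed: int, size: int = 2048) -> bytes:
    """Deterministic stand-in for ciphertext (chained SHA-256 output)."""
    out, block = b"", seed.to_bytes(4, "big")
    while len(out) < size:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:size]


# Constructed events, not a real audit log: ordinary edits, one legitimate
# archive, then a burst of eight files rewritten as ciphertext with a new
# extension within a few seconds.
SAMPLE_EVENTS = [
    {"t": 0.0, "path": "docs/notes.txt",
     "data": b"Meeting notes: discuss Q3 budget and hiring plan.\n" * 20},
    {"t": 4.0, "path": "photos/holiday.zip", "data": _random_looking(1)},
    {"t": 60.0, "path": "docs/notes.txt",
     "data": b"Meeting notes: revised after the call.\n" * 20},
] + [
    {"t": 120.0 + 0.3 * i, "path": f"docs/file{i}.docx.locked",
     "data": _random_looking(100 + i)}
    for i in range(8)
]


if __name__ == "__main__":
    print("benign prefix:", detect(SAMPLE_EVENTS[:3]))
    print("with burst:   ", detect(SAMPLE_EVENTS))
```

In a real tool the alert would trigger a response (kill the writing process, block its network access, quarantine the host) rather than just return a value, and the thresholds would be tuned against the normal activity of the machine so that backup jobs and archive tools do not trip it.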

Unfortunately, if the attack completes there are really only three options: recover from a backup, pay the ransom, or write the data off as lost.  (Occasionally security researchers publish a free decryption tool for a strain whose encryption was implemented badly, so it is worth checking for one before deciding.)

  • If you have an up-to-date offline backup, you’re set.  The targeted system can be wiped and reinstalled (which completely removes the ransomware), patched, and the backup data restored to its original location.  Before restoring, make sure the way the malware got in has been closed, or the restored data may simply be encrypted again.  This procedure will take time, but your backed-up data will continue to be available and the ransomware will be eliminated.

  • If you do not have an offline backup, you may be tempted to pay the ransom in order to recover your data.  This is, obviously, what the scammers want, and paying the ransom only convinces them that there is money to be made attacking other targets.  Bear in mind that these are criminals, so there is no guarantee that a ransom paid will result in the decryption of your data.  The attackers may also see a payment as a sign of desperation and compliance, and use that to demand more and more money.

  • The final option is to write your data off as lost.  This can be a difficult step to take, especially if important personal data was affected.  However, refusing to give in to the attackers’ demands leaves them empty-handed and may discourage future attacks.  You may also end up in this situation even after paying the ransom, if the scammers never provide a working decryption key.

Ransomware is one of the most common forms of malicious cyber attack today, making it increasingly important to properly manage your system security and data backups.  There is never any guarantee that a criminal will act in good faith, so it is a far better plan to be prepared in any event.  Nodal suggests maintaining dedicated backups for a number of reasons, and protecting against ransomware is no exception.

There’s a lot more ground to cover here - Wikipedia has several articles on the subject, or if you have more questions, feel free to drop us a line.