What is Ransomware?
Ransomware is a piece of malicious software that infects a computer or device and encrypts the data making it inaccessible to the user. A ransom is then demanded to regain access to the victim's data. A time limit to pay the ransom is often imposed (usually 24-48 hours) or you risk losing access to the encrypted data forever. If a backup is unavailable or the backups were encrypted too, the victim is faced with paying the ransom to recover personal files. Payment must be paid in Bitcoin and the ransom cost can be anywhere from a few hundred dollars to thousands of dollars. Once the ransom is paid, the attacker will send a private key that will allow you to decrypt the data.
Tips for Avoiding Ransomware
- Back up your data - This won't prevent you from being infected with ransomware, but this is one of the most important things you can do in the fight against ransomware. Regularly backup your computer and data to an external hard drive and disconnect it from the computer. This would be considered an offline backup. Even better, backup your computer off-site with a cloud backup service so that even if you suffer a ransomware attack, you can easily restore all your data and not have to worry about paying a ransom.
- Keep your software updated - Make sure to regularly update your operating system and the software installed on it. Ransomware attacks can take advantage of known bugs and vulnerabilities to attack and infect devices.
- Watch for suspicious emails and links - Be careful clicking on any links or attachments that are emailed to you. The biggest vector for ransomware infections are emails. Even if you know the sender, be mindful the their email could be compromised and a hacker is using it to infect others. If you weren't expecting a file or link or the wording in the email seems off, it doesn't hurt to double check with the sender. Use a anti-spam or email security service that can help block emails before they reach your inbox.
- Use antivirus software - Use a reputable antivirus software and keep it updated. There are some great free antivirus softwares out there along with paid ones. If you go with a paid solution, don't let the subscription lapse so that you stop getting security updates.
- DNS filtering - Using a DNS filter like OpenDNS can help block malicious websites, content, and ransomware. By using a large database of blacklisted sites, the filter will check against the database when resolving a DNS query and then prevent the content from loading if it is blacklisted.
Dealing with a Ransomware Attack
If you are dealing with a ransomware attack now, here are some tips to handle it going forward.
- Isolate the infected machines - Try to prevent the infection from spreading any further by isolating all infected machines. Turn off the machines and disconnect them from the network by unplugging the Ethernet cable and disabling Wi-Fi, Bluetooth, and any other networking capabilities. Speed is of the essence and the longer a machine is turned on and connected to the network, the longer it has do encrypt your files and spread to other machines.
- Identify the type of infection - Try to identify the type of ransomware that is being used in the attack. It can help you understand how it spreads, the types of files it encrypts and possibly how it can be removed without paying a ransom to the attacker.
- Change login credentials - Ransomware can spread rapidly by gathering IP addresses and credentials. If the attacker manages to compromise administrative credentials they can move laterally around networks, encrypt files and wipe out backups in the process. To ensure your system is secured and to prevent attackers from thwarting your recovery efforts, you should immediately change all admin and user credentials.
- Assess the damages - To determine which devices have been infected, check for recently encrypted files with strange file extension names and look for reports of odd file names or users having trouble opening files. You should try to create a comprehensive list of all affected systems and data, including network storage devices, cloud storage, external hard drive storage (including USB thumb drives), laptops, etc.
- Notify the authorities - Once the ransomware has been contained, you will want to report the attack to the authorities. The FBI urges ransomware victims to report ransomware incidents regardless of the outcome. Victim reporting provides law enforcement with a greater understanding of the threat, provides justification for ransomware investigations, and contributes relevant information to ongoing ransomware cases.
- Evaluate recovery options - Ideally, you will have backups you can restore from. The quickest and easiest way to recover from a ransomware attack is to restore your systems from a clean backup. Alternatively, you may be able to remove the malware otherwise you will need to wipe all infected systems and reinstall. Performing a complete wipe of all storage devices and reinstalling everything from scratch will ensure that no remnants of the malware linger.