Understanding Ransomware: How to Prevent and Recover From Attacks

Posted by Ryan Brooks on March 27, 2017 at 11:35 AM

As we head deeper into 2017, security experts are predicting a sharp increase in advanced cyber attacks that test network defense and threaten the integrity of personal and corporate data.

One of the most prolific of all security threats is ransomware, a cyber threat that experienced massive growth in 2016 and that looks set to dominate every IT professional's concerns this year too. It's a threat not to be ignored. According to a recent survey, almost 50 percent of organizations have been affected by ransomware in some guise or another. As more and more companies are being hit, more and more money is being allocated to prevent ransomware attacks and keep data safe.

Ransomware: How It Started and How It Works

The concept of ransomware can actually be traced back almost a decade. As with many cyber threats and attacks, this one started life in Russia and gained momentum quickly worldwide.

As its name suggests, ransomware involves the victim of a cyber attack paying a ransom (usually in the form of a money transfer) in order to protect or recover their files or systems. One of the earliest examples of ransomware would copy all files into a password-protected ZIP archive, delete the originals and then demand that the victim transfer $300 in order to recover their data.

Common Ransomware Variants and Payloads

Unfortunately, ransomware isn't suddenly going to disappear overnight. In fact, it is very profitable for the perpetrators behind the attacks. While many networks are protected against ransomware threats, there are still many organizations that are not protected and that will pay the ransom, as it is often the quickest and easiest way to seize back control of their data. And it doesn't just stop there; once you've paid once, you're likely to be targeted again and again until you have adopted robust security measures.

Some of the most recent ransomware variants and payloads include:

Erebus -- This variant specifically targets the Windows OS and makes modifications to the registry so that its server can connect to the PC or server to encrypt system files and data. Erebus then drops a ransom note entitled README.HTML, which directs the user to a payment site that demands they pay $90 to free their files.

Locky -- Many organizations got up close and personal with Locky in 2016. Typically delivered via email, this variant encrypts files and gives them a .locky extension. In most cases, Locky demands that the user pay 1 Bitcoin in order to receive a decrypter to decode their files.

KillDisk -- KillDisk was originally designed to wipe hard drive data but has since gained ransomware capabilities in the form of data encryption. The current ransom payment for Windows and Linux variants is 222 Bitcoin. At the time of writing, 222 Bitcoins is equivalent to $236,676.

How Is Ransomware Delivered?

The most common and effective delivery method for ransomware is email. The victim will receive an email containing an attachment or link that, once opened, will execute the ransomware. Another popular delivery method is through an exploit kit that releases its payload when a user loads a compromised website or clicks on a spam link.

The most common payload of ransomware is encryption. This can take place in mere seconds, renders affected files inaccessible and usually goes undetected until encryption is complete. Some ransomware variants leave a clue to their origin in the file extensions they append, while others require a little more detective work. Once the encryption process has completed, a lock screen or ransom note will often be visible to the user.

What Does the Future Hold for Ransomware?

The future is bleak for organizations that remain unprepared to prevent or tackle ransomware head on. The variation and pace of exploits is on the rise, and all organizations, regardless of size or type, are at risk.

And it's not just cloud or on-premise networks that are at risk. Mobile devices are fast becoming the next target for ransomware criminals. With many people storing their most sensitive and prized data on their mobile phones, including everything from bank details to family photos, these devices are an easy and potentially profitable target.

How Do You Prevent a Ransomware Attack?

As with most cyber threats, prevention is always better than the cure. There are a number of ways you can protect your organization from becoming a target: email filtering to block certain file types from coming through, educating users not to click on suspicious or unknown links or attachments, and running regular patch management processes to close the holes that exploits rely on are just some of the measures you can take. Incident and anomaly detection and response tools will also notify you the moment an infection is detected and can be configured to take automatic action.
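The detection tools mentioned above combine two kinds of signal the post describes: known indicators (a file extension such as .locky, or a ransom note such as README.HTML appearing on disk) and anomalous behaviour (one process rewriting or renaming a large number of files in seconds). The following script, an added example and not the author's code or any product's logic, runs both checks over a constructed file-activity log. The log format, the burst threshold and window are assumptions chosen for illustration; the extension and ransom-note name are the ones named earlier in the post.

```python
"""Toy ransomware-activity detector over file-system event log lines.

Added example for this post (not the author's code). It implements two
signals the post describes: indicator matching (a known ransomware file
extension or ransom-note file name) and anomaly detection (a burst of
file modifications from one process in a short window). The log format
and thresholds are assumptions, not a real product's configuration.
"""
from collections import defaultdict, deque
from datetime import datetime

# Indicators taken from the post: Locky appends ".locky"; Erebus drops README.HTML.
KNOWN_EXTENSIONS = {".locky"}
RANSOM_NOTE_NAMES = {"readme.html"}

# Assumed anomaly threshold: more than BURST_LIMIT modifications by one
# process within BURST_WINDOW_SECONDS is treated as a mass-encryption burst.
BURST_LIMIT = 20
BURST_WINDOW_SECONDS = 10


def parse_line(line):
    """Parse a constructed log line: '<ISO timestamp> <pid> <action> <path>'."""
    ts, pid, action, path = line.split(" ", 3)
    return datetime.fromisoformat(ts), pid, action, path


def indicator_hits(path):
    """Return the names of the indicators matched by a file path."""
    lower = path.lower()
    hits = []
    if any(lower.endswith(ext) for ext in KNOWN_EXTENSIONS):
        hits.append("known-extension")
    if lower.rsplit("/", 1)[-1] in RANSOM_NOTE_NAMES:
        hits.append("ransom-note")
    return hits


def detect(lines):
    """Return {pid: sorted list of alert names} for every process that raised an alert."""
    findings = defaultdict(set)
    windows = defaultdict(deque)  # pid -> timestamps of its recent modifications
    for line in lines:
        ts, pid, action, path = parse_line(line)
        for hit in indicator_hits(path):
            findings[pid].add(hit)
        if action in ("WRITE", "RENAME"):
            recent = windows[pid]
            recent.append(ts)
            # Drop events that fell out of the sliding window.
            while (ts - recent[0]).total_seconds() > BURST_WINDOW_SECONDS:
                recent.popleft()
            if len(recent) > BURST_LIMIT:
                findings[pid].add("write-burst")
    return {pid: sorted(alerts) for pid, alerts in findings.items()}


def sample_log():
    """Constructed sample: one benign editor write, then a process renaming
    25 documents to .locky within five seconds and dropping a ransom note."""
    lines = ["2017-03-27T11:35:00 1001 WRITE /home/alice/notes.txt"]
    for i in range(25):
        stamp = f"2017-03-27T11:35:{i // 5:02d}"  # five renames per second
        lines.append(f"{stamp} 2002 RENAME /home/alice/docs/file{i}.docx.locky")
    lines.append("2017-03-27T11:35:06 2002 WRITE /home/alice/docs/README.HTML")
    return lines


if __name__ == "__main__":
    for pid, alerts in detect(sample_log()).items():
        print(f"pid {pid}: {', '.join(alerts)}")
```

Only process 2002 is reported, with all three alerts; the single write by process 1001 never crosses the burst threshold and matches no indicator. In a real deployment the indicator lists would be fed from threat intelligence and the burst threshold tuned against normal activity on the host, since backup agents and build tools also touch many files quickly.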

Although backups are not a way to prevent ransomware, they are a best practice that every organization should have in place. That way, if you do get attacked, the damage to your files will be mitigated. If your backups are sound, your IT team can restore your data to the last backup taken before it was encrypted.

What to Do If You Have Been Affected by Ransomware

The most important end goal if you have been affected by ransomware is to recover without paying the ransom and without suffering any damage. You'll need to take action to prevent the infection from spreading to other segments of your network and to other devices by isolating affected machines. You can then start to investigate the extent and cause of the infection, and attempt to restore your data.

As ransomware and other malicious threats continue to evolve and become more sophisticated, organizations need to protect themselves and keep one step ahead. Thankfully, the security industry is sophisticated too and offers a broad range of tools and a wealth of knowledge that will help to ensure your data doesn't fall victim to the latest cyber threats.