3 Proven Ways to Deal with Ransomware
by Robert Bond
Ransomware Best Practices
Ransomware attacks were one of the most profitable types of attack for criminals last year and, with WannaCry and Petya, certainly the most frustrating for InfoSec teams and users like you and me. Ransomware has increased significantly over the past decade; last year attacks increased over 250% year over year, and it is now a $1 billion a year business. Ransomware typically demands that users pay in Bitcoin or some other cryptocurrency to regain access to their locked data or computer.
One of the issues with defending against ransomware is that the strains are constantly evolving, which circumvents some of the standard defenses like anti-virus. Crypto-malware, as it’s called, typically finds its way onto your system when the attacker gets you to click on a link in an e-mail (phishing) or on a malicious link on a website. Both tactics trick you into downloading an executable file which locks your data and in many cases looks for your backups and locks those as well.
In addition, because the cost per incident has increased so significantly, from $294 in 2015 to over $1,000 last year, organizations and individuals have to pay attention. From a risk management perspective, this can become the beginning of the daunting question: “where is the risk to my information assets?” Organizations must assess their assets’ value and the expected loss within the company’s information assets if attacked. Thus, to reduce this risk and manage being attacked by ransomware, you must know yourself and know the enemy.
As the Chinese general Sun Tzu said:
Therefore I say: One who knows the enemy and knows himself will not be in danger in a hundred battles.
One who does not know the enemy but knows himself will sometimes win, sometimes lose.
One who does not know the enemy and does not know himself will be in danger in every battle.
This observation, made more than 2,400 years ago, still has relevance to the philosophy of InfoSec defense in 2018. It is currently more vital than at any other time to know the 3 simple things you can do to unlock, eliminate, and defend against ransomware.
Defining the Threat
Before you pull out your wallet to pay the attackers, as 34% have done globally and 64% of victims have done in the US (and many didn’t get their data back even with the payment), it is important to take a step back if you think you may be infected. First, determine which type of ransomware it is, or whether it’s a counterfeit like so many strains of ransomware. Is your computer screen locked? Is it crypto-malware, which locks your data, not just your screen? Could this be doxing just to gather private or personal information?
Examine every option before buying bitcoin to send to criminals, likely across the world, in the hope of getting your data back. If you notice a pop-up screen declaring a fine and your data hasn’t been extracted to be encrypted, it may simply be a malicious external threat trying to scare you into paying. You can hit the Control, Shift and Esc keys at the same time to open Task Manager, choose the Application tab, right-click the browser application and select end task. You’re done here; it’s that simple. They just sent a tiny program to pop up that message; the program had no ability to lock your data.
However, crypto-malware like WannaCry and Petya is very different and much more malicious. Once you have realized that your emails and photographs aren’t uploading, it is likely crypto-malware. This means your data is encrypted and will likely need a key or a decryption tool like WannaKey, which was released after the WannaCry attack. One more thing: if, following the attack, you receive blackmail requests from criminals saying that they have your personal information and will publish it, then it is doxing.
One critical piece of advice: the moment you realize your system may have been compromised, stop and look at the evidence. Check the spelling, logos, names, addresses, URLs and other information to understand as much as possible. So often, victims are tricked into thinking they are making a tax payment to the US government or a payment to a software vendor when in reality they are being duped and sending a payment straight to cybercriminals in Russia, Ukraine, China or some other place around the globe.
Quarantine and Terminate the Ransomware
You have multiple options once you have identified the type of ransomware. Your company may have risk management practices in place, like wiping and re-imaging your system with data from a backup. While this is time-consuming, inconvenient and expensive, it is still the standard across most organizations.
The best practice is certainly to isolate the infected laptop before the ransomware attacks network drives, as many ransomware strains are able to move from system to system. This also means disconnecting from any external drives. This prevents data corruption through infection.
That is, unless the files are encrypted. Even so, this doesn’t mean you should pay the attacker. As we suggested earlier, decryption tools are available online, as are support portals that can help you through unlocking various types of ransomware. Another example is the Bitdefender free virus removal tool, which will decrypt a variety of strains of ransomware. Another option is to try to incrementally restore the files that may have been contaminated from a backup. For individuals this is a viable option; corporate users, however, must check whether this follows the company’s guidelines concerning IT contingency plan protocols and business continuity plans.
If these steps haven’t been successful, you have the option, as mentioned earlier, of wiping and reinstalling your data and programs. For individuals this would be a simple factory reset, which would remove all data and programs including the operating system and allow you to start with a clean system. Yes, it is painful; however, at least you have successfully isolated the worm and terminated its life.
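One way to decide which files to restore incrementally, as an added example that is not part of the original article: record a SHA-256 manifest when the backup is taken, then compare the live files against it and flag changed files whose contents look encrypted. The function names, the 7.5 bits-per-byte threshold and the sample files are assumptions made for illustration.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter

ENTROPY_THRESHOLD = 7.5  # bits per byte; assumed cut-off, tune for your own data

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def build_manifest(root):
    """Run at backup time: map relative path -> SHA-256 for every file under root."""
    paths = (os.path.join(d, n) for d, _, names in os.walk(root) for n in names)
    return {os.path.relpath(p, root): sha256_file(p) for p in paths}

def shannon_entropy(data):
    """Bits per byte: near 8 for encrypted data, much lower for plain text."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def files_to_restore(live_root, manifest):
    """Return {relative path: reason} for files that differ from the manifest."""
    findings = {}
    for rel, digest in manifest.items():
        full = os.path.join(live_root, rel)
        if not os.path.isfile(full):
            findings[rel] = "missing"  # deleted, or renamed with a new extension
        elif sha256_file(full) != digest:
            with open(full, "rb") as f:
                high = shannon_entropy(f.read(65536)) >= ENTROPY_THRESHOLD
            findings[rel] = "changed-high-entropy" if high else "changed"
    return findings

def demo():
    """Constructed sample: one file edited, one overwritten with noise, one removed."""
    noise = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
    with tempfile.TemporaryDirectory() as root:
        for name in ("notes.txt", "report.txt", "photo.txt", "todo.txt"):
            with open(os.path.join(root, name), "w") as f:
                f.write("quarterly figures\n" * 50)
        manifest = build_manifest(root)
        with open(os.path.join(root, "notes.txt"), "a") as f:
            f.write("one more line\n")
        with open(os.path.join(root, "report.txt"), "wb") as f:
            f.write(noise)
        os.remove(os.path.join(root, "photo.txt"))
        return files_to_restore(root, manifest)
```

Compressed formats such as JPEG or ZIP score high on entropy even when healthy, so treat a changed-high-entropy result as a restore candidate to confirm rather than proof of encryption. Keep the manifest with the offline backup so that the malware cannot alter it.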
Stick to the Zero Tolerance
DO NOT PAY! Never pay in a ransomware attack. As so many have realized after they pay the ransom, there is no certainty that the criminals can or will unlock your data. While ransomware will continue to be used by criminals, the InfoSec community’s response with solutions has been improving. For instance, there are tools like those from nomoreransomware.org, an open initiative from McAfee, Kaspersky Labs, and Europol, that will likely provide a solution.
Routine backups are critical to preventing damage from attacks. Files and sensitive data should be fully backed up and stored properly. Physical drives should be disconnected from systems to avoid infection, and cloud-based backups should have safeguards that protect data in the case of infection; confirming this with service providers is critical.
That said, we must emphasize again, never pay the criminal that is holding your operating system hostage. It isn’t certain that they have the means to provide a solution or will provide a solution upon payment and payment will certainly encourage the attacker to continue to threaten others.
Defining, quarantining, and responding to the ransomware threat appropriately is critical to protecting your data and saving any payments that may, or in so many cases may not, unlock your data. We know that anti-virus and software vendors are updating and providing patches more quickly. In most cases keeping your system updated is the best defense against known attacks. In addition, tools to decrypt are on the rise as well, so before you pay, do a bit of research to see if a solution has become available. Finally, back up your system and data. Nothing will help you sleep at night more than knowing that if all else fails you have a copy of your critical data somewhere safe.
Ransomware attacks will continue to threaten both organizations and individuals because, very simply, they are lucrative and becoming easier to deploy as more and more malicious code becomes available. Thus, as Sun Tzu suggested, “know yourself” and the defenses and solutions you have at your disposal in case of an attack.