What is ransomware?

Malicious software that uses encryption to hold data for ransom has become wildly successful over the last few years. Its purpose is to extort money from victims with the promise of restoring the encrypted data. Like other malware, it usually finds its way onto a device by exploiting a security hole in vulnerable software or by tricking somebody into installing it. Ransomware, as it is known, has hit high-profile victims such as hospitals, public schools and police departments, and it has now found its way onto home computers.

How does ransomware work?

Ransomware identifies the drives on an infected system and begins to encrypt the files on each drive. It generally adds an extension to the encrypted files, such as .aaa, .micro, .encrypted, .ttt, .xyz, .zzz, .locky, .crypt, .cryptolocker, .vault, or .petya, to mark them as encrypted; the extension used is specific to the ransomware family.

Once the ransomware has finished encrypting files, it creates and displays one or more files containing instructions on how the victim can pay the ransom. If the victim pays, the threat actor may provide a cryptographic key that the victim can use to unlock the files and make them accessible again.
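The two artifacts described above, the appended extension and the dropped instruction file, are what a defender can look for. The following added example (not code from the original article) scans a file listing for directories where most files carry one of the extensions named in the article and for files whose names suggest a ransom note; the note-name keywords and the file listing are constructed assumptions.

```python
from collections import defaultdict
from pathlib import PurePosixPath

# Extensions the article lists as appended by ransomware to encrypted files.
RANSOM_EXTENSIONS = {".aaa", ".micro", ".encrypted", ".ttt", ".xyz", ".zzz",
                     ".locky", ".crypt", ".cryptolocker", ".vault", ".petya"}

# Words that commonly appear in ransom-note file names (assumption, not from
# the article); a real deployment would tune this list to observed families.
NOTE_HINTS = ("decrypt", "restore", "recover", "help", "readme")

def is_encrypted_name(path: str) -> bool:
    """True when the file's final extension is a known ransomware suffix."""
    return PurePosixPath(path).suffix.lower() in RANSOM_EXTENSIONS

def looks_like_ransom_note(path: str) -> bool:
    """True for a text/HTML file whose name hints at decryption instructions."""
    p = PurePosixPath(path)
    return (p.suffix.lower() in {".txt", ".html", ".hta"}
            and any(h in p.stem.lower() for h in NOTE_HINTS))

def flag_directories(paths, threshold=0.5, min_files=3):
    """Return {directory: ratio} for directories with at least min_files files
    where at least `threshold` of them carry a ransomware suffix."""
    totals, hits = defaultdict(int), defaultdict(int)
    for p in paths:
        d = str(PurePosixPath(p).parent)
        totals[d] += 1
        hits[d] += is_encrypted_name(p)  # min_files guard: one odd file won't alert
    return {d: hits[d] / n for d, n in totals.items()
            if n >= min_files and hits[d] / n >= threshold}

def find_ransom_notes(paths):
    """Return the paths that look like dropped ransom notes."""
    return [p for p in paths if looks_like_ransom_note(p)]

# Constructed file listing (not real data) standing in for a directory walk.
SAMPLE_LISTING = [
    "/home/alice/docs/report.docx.locky",
    "/home/alice/docs/budget.xlsx.locky",
    "/home/alice/docs/notes.txt.locky",
    "/home/alice/docs/_HELP_instructions.txt",
    "/home/alice/photos/cat.jpg",
    "/home/alice/photos/dog.jpg",
    "/home/alice/photos/zebra.xyz",
]

if __name__ == "__main__":
    print(flag_directories(SAMPLE_LISTING), find_ransom_notes(SAMPLE_LISTING))
```

On the sample listing only the docs directory is flagged (three of four files renamed); the single .xyz file in photos stays below both thresholds, which is the kind of false positive the guards are there to suppress.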

Steps you should take to protect against disaster

  • Make sure your antivirus software is up to date
  • Understand what is happening across the network
  • Scan and filter emails before they reach your users
  • Have a plan for how to respond to a ransomware attack, and test it
  • Understand what your most important data is and create an effective backup strategy
  • Make it harder to move laterally across your networks
  • Train your employees to recognize suspicious emails
  • Change the default passwords on all access points
  • Apply software patches to keep systems up to date
  • Don’t plug a random USB stick into your PC

What to do in the case of a ransomware attack

There are several steps to take:

  • Disconnect the machine from the network to limit the spread of the intrusion.
  • Keep the computer on and do not try to restart it; otherwise, you could lose information that may be useful in analyzing the attack.
  • Inform the company’s security/network manager.
  • Find out the name of the ransomware (an older variant may have an “antidote” that restores the files). To do that, visit nomoreransom.org and download the decryption tools that are available for some ransomware families.
  • Attempt to restore your data using the operating system’s built-in backup features or your own backup system.
  • Recover your files from a cloud storage service if your computer was synchronized with one.

Sources:

https://www.zdnet.com/article/ransomware-11-steps-you-should-take-to-protect-against-disaster/
https://us.norton.com/internetsecurity-malware-7-tips-to-prevent-ransomware.html
https://security.berkeley.edu/faq/ransomware/what-do-i-do-protect-against-ransomware
https://www.us-cert.gov/ncas/tips/ST19-001