Ransomware: Education is Your Best Defense

You sit down at your desk, log on to your computer… and are greeted with a brazen message:

YOUR COMPUTER AND FILES ARE ENCRYPTED. YOU HAVE 96 HOURS TO SUBMIT PAYMENT OR YOUR FILES WILL BE DESTROYED.

You’ve been working on a project for two days. But when you frantically search for your files, they’re locked or have disappeared completely. Your heart sinks as pop-up windows hit your screen, denying you access to documents, spreadsheets and even personal photographs until you pay a fee in bitcoin. As you wonder what “bitcoin” is and where you get it, you hear someone from the office next to you shouting, “Hey, is anyone else having problems?”

You’re under a ransomware attack. You’ve heard about them, but how can it be happening to you? Your IT staff has assured you that you’re protected by your firewall and anti-virus. But now your project deadline is upon you, and everyone is milling in the hall because no one can work. What now?

We’ve seen numerous businesses and organizations impacted by ransomware attacks, resulting in lost work time and extra effort (and money) spent on getting their files and systems back. So it’s important to know what ransomware is, how it can affect you, and how you can protect your organization’s network.

Ransom-what?

Ransomware prevents you from using your computer by blocking access to operating systems, encrypting your files or stopping certain applications from running. It then demands that you pay a fee, often in bitcoin, to get your files and programs back. And the longer you take to pay, the higher the fee.

Ransomware can infect any device that uses the internet, including PCs, laptops, tablets and smartphones. It’s generally spread in the same manner as viruses or other malware—opening contaminated email attachments, visiting questionable websites or clicking on embedded links. There are also drive-by infections, in which a normally legitimate and safe website becomes infected (albeit usually only for a short time). When you visit the site, it infects you with ransomware.

Once on your computer, ransomware moves quickly; a file you worked on just minutes before can suddenly become inaccessible. If you have connections to other computers, or shared storage, files on those devices can also get encrypted by the ransomware on your computer.

The ransomware will often bring in other malicious software as well, kill your anti-virus and backups, erase your log files, and capture keystrokes to steal your passwords. It can also delete critical system files so key applications won’t work.

There are two main types of ransomware. Lock-screen ransomware displays a full-screen message stating that your computer is locked and requiring payment to unlock it. It completely stops your ability to use your computer in any way. Encrypting ransomware encrypts and locks files on your device and on any network share it can see, then demands payment for a key to release them. This type of ransomware is far more difficult to remove, and in some cases you don’t want to… at least not right away.

How do I know if I’ve been hit with ransomware?

The first visible sign of an infection is a message like the one above. You might see multiple pop-up windows, or one full-screen display. It can even include an official-looking seal and tell you that you’ve violated the law and will be arrested if you don’t pay their fine.

If you’re able to navigate your system, you’ll often see odd icons on files that have been encrypted, and their names or extensions will have been changed. You will not be able to open any of them (or you might not see the files at all).
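A defender’s-eye illustration of those indicators, added here as an example and not code from the original article: a small Python scan that flags files whose extension is unfamiliar and whose contents look random (the signature of an encrypted, renamed document), and separately spots ransom-note-style filenames. The extension allowlist, thresholds, note keywords and the sample file set are assumptions.

```python
import math
import os
import random
from collections import Counter

# Extensions an office workstation normally holds (assumed allowlist; tune per site).
KNOWN_EXT = {".docx", ".xlsx", ".pptx", ".pdf", ".txt", ".csv", ".jpg", ".png", ".zip"}
ENTROPY_THRESHOLD = 7.5   # bits per byte; encrypted data sits near the 8.0 maximum
MIN_SIZE = 256            # tiny files give unreliable entropy estimates
NOTE_WORDS = ("decrypt", "ransom")  # assumed markers of a ransom-note filename

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: documents score well below 8, ciphertext approaches it."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def is_suspicious(name: str, data: bytes) -> bool:
    """Unfamiliar extension AND random-looking bytes: how an encrypted, renamed file looks."""
    ext = os.path.splitext(name.lower())[1]
    return (ext not in KNOWN_EXT and len(data) >= MIN_SIZE
            and shannon_entropy(data) > ENTROPY_THRESHOLD)

def scan(files: dict, min_hits: int = 3) -> dict:
    """files maps filename -> bytes. One odd file is noise; a burst of them, or a
    ransom-note filename, is the cue to unplug the machine and call IT."""
    flagged = sorted(n for n, d in files.items() if is_suspicious(n, d))
    notes = sorted(n for n in files if any(w in n.lower() for w in NOTE_WORDS))
    return {"flagged": flagged, "ransom_notes": notes,
            "alert": len(flagged) >= min_hits or bool(notes)}

def _blob(seed: int, size: int = 2048) -> bytes:
    """Constructed stand-in for ciphertext: seeded pseudo-random bytes."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(size))

# Constructed sample share: three encrypted-and-renamed documents, two intact files, one note.
SAMPLE = {
    "budget.xlsx.locked": _blob(1),
    "report.docx.locked": _blob(2),
    "photo.jpg.locked": _blob(3),
    "notes.txt": b"quarterly figures, draft two\n" * 40,
    "memo.docx": b"PK\x03\x04" + b"word/document.xml placeholder " * 40,
    "HOW_TO_DECRYPT.txt": b"your files are encrypted; pay to get them back",
}

def demo() -> dict:
    return scan(SAMPLE)
```

Compressed archives and legitimately encrypted files score high on entropy too, which is why the allowlist and the burst threshold matter more than any single hit.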

Following the ransom instructions can be expensive. The City of Lake City, Florida, recently paid nearly $500,000 to hackers after ransomware took the city offline. Earlier in 2019, the Riviera Beach City Council agreed to pay $600,000 to decrypt their files. With critical services and data unavailable, personally identifying information compromised, and the potential for life-saving systems not to work when needed the most… paying the ransom may be your only course of action.

What can I do if I’ve been attacked?

Some older versions of ransomware can be decrypted using reverse-engineered decryptors available on the internet. But with the ever-changing ransomware landscape, these tools have a very low success rate. In most cases, removal is complex and requires the help of a knowledgeable IT professional with ransomware experience. If you are going to pay the ransom, you can’t remove the infection until your data is back. If you’re not going to pay the ransom, the malicious software may also be the tool needed to run the decryption. In any case, you’ll have to look for, and find, the landmines placed to cause you more harm.

However, it is not recommended that you pay the fee to regain control of your device and files. There is no guarantee that cybercriminals will provide the decryption key needed to access the files; and since they operate with anonymity, there is no recourse for victims.

How can I keep this from happening?

Ransomware is the most insidious threat you will ever face as an individual or organization. While it is difficult to fight, there are many things you can do to greatly reduce your chances of infection and mitigate the damage if you do get hit:

  • Only visit websites that you know are reputable. That link promoting rapid weight loss in a pill or spilling dirt on a Hollywood celebrity might intrigue you, but it could lead to a compromised website. And if you get presented with a pop-up box asking you to update a plugin or anything else, don’t click on it. Let IT handle your updates.
  • Use good, reputable anti-virus software and ensure it is updated daily with full scans every week.
  • Ensure you are behind a good firewall, preferably one that provides services such as anti-virus, web filtering, content filtering, deep packet inspection, and intrusion detection and prevention.
  • Never download or open attachments or click links in emails that have been sent to you unless you are expecting them—even if you think you know who they’re from. Get verbal confirmation from the sender if possible.
  • Ensure that you have good password policies in place. Passwords should be complex (or less complex but longer), at least 12 characters in length and changed regularly. When possible, use two-factor authentication, which requires a second method to verify a user’s identity (for example, a password and a security question).

However, the two best methods for dealing with ransomware are as follows:

  1. User education. Provide regular staff training on how to spot risks and what to do (per your policies) when a risk or attack is suspected.
  2. Ensure that you have reliable backups of your systems and data (preferably with an off-site component) that are done every day. This way you have uninfected copies of all of your work safely tucked away. If you’re hit with a ransomware attack, your IT provider or staff can follow removal procedures to get rid of the infection and then re-install the backed-up versions of your files and programs. Remember, your backup systems should be off the domain or network as much as possible to make it harder for the ransomware to kill them.

It’s also crucial to review your backup procedures and make sure you hire a provider that does the job right. Many organizations that have been affected by ransomware thought they had sufficient backup systems in place, only to realize after an attack that their files were not protected enough. (Read here about what to look for in a remote backup service provider.)

Don’t let your data and systems be taken hostage by a faceless cybercriminal. While there is no guaranteed way to prevent ransomware, you can help protect your devices and your network by following safe and smart web browsing and email practices. You should also assume that you will be infected eventually and have a good backup system for your network and data. And as always, contact James Moore’s Technology Solutions Consulting Team to see how we can help you and your network stay safe.