Being ever-evolving as an attack tool, even the simplest form of ransomware can cost significant time and money but more severe attacks can deal a crippling blow and even destroy a company completely, sparing no one — not even large, prominent organizations. What is ransomware and how do you protect your business from it? We’ll fill you in!
What Is Ransomware?
Ransomware is a form of malware that encrypts a victim’s files. The attacker then demands a ransom from the victim to restore access to the data upon payment.
Users are shown instructions for how to pay a fee to get the decryption key. The costs can range from a few hundred dollars to thousands, payable to cybercriminals in Bitcoin.
How Does Ransomware Work?
There are a number of paths ransomware can take to access a computer. One of the most common delivery systems is a phishing scam — this is when an attachment comes to the victim in an email, masquerading as a file they should trust. Once the file is downloaded and opened, the cybercriminals can take over the victim’s computer, especially if they have built-in social engineering tools that trick users into allowing administrative access. Some other more aggressive forms of ransomware, like NotPetya, exploit security holes to infect computers without needing to trick users.
There are several things the malware might do once it’s taken over the victim’s computer but by far the most common action is to encrypt some or all of the user’s files. The most important thing to know is that at the end of the process, the files cannot be decrypted without a mathematical key known only by the attacker. The user is presented with a message explaining that their files are now inaccessible and will only be decrypted if the victim sends an untraceable Bitcoin payment to the attacker.
In some forms of malware, the attacker might claim to be a law enforcement agency shutting down the victim’s computer due to the presence of pornography or pirated software on it and demanding the payment of a “fine,” perhaps to make victims less likely to report the attack to authorities. However, most attacks don’t bother with this pretense. There is also a variation, called leakware or doxware, in which the attacker threatens to publicize sensitive data on the victim’s hard drive unless a ransom is paid — but because finding and extracting such information is a very tricky proposition for attackers, encryption ransomware is by far the most common type.
Who Is a Target for Ransomware?
There are several different ways attackers choose the organizations they target with ransomware. Sometimes it’s a matter of opportunity — for instance, attackers might target universities because they tend to have smaller security teams and a different user base that does a lot of file sharing, making it easier to penetrate their defenses.
On the other hand, some organizations are tempting targets because they seem more likely to pay a ransom quickly. For instance, government agencies or medical facilities often need immediate access to their files. Law firms and other organizations with sensitive data may be willing to pay to keep news of a compromise quiet — thus, these organizations may be uniquely sensitive to leakware attacks.
of companies that fall victim to ransomware are running up-to-date endpoint protection on the infected machines
How to Prevent Ransomware
There are a number of defensive steps you can take to prevent ransomware infection. These steps are of course good security practices in general, so following them improves your defenses from all sorts of attacks.
- Keep your operating system patched and up-to-date to ensure you have fewer vulnerabilities to exploit.
- Don’t install software or give it administrative privileges unless you know exactly what it is and what it does.
- Install antivirus software, which detects malicious programs like ransomware as they arrive, and whitelisting software, which prevents unauthorized applications from executing in the first place.
- Back up your files frequently and automatically! That won’t stop a malware attack, but it can make the damage caused by one much less significant.
- Take advantage of Security Awareness Training — the most vulnerable target at many organizations isn’t a system or technology. It’s people. With cybersecurity training solutions from Verity IT, we can empower employees with the right skills and knowledge to put the bad guys out of business.
How to Remove Ransomware
There’s a lot of money in ransomware and the market expanded rapidly from the beginning of the decade. In 2017, ransomware resulted in $5 billion in losses, both in terms of ransoms paid and spending and lost time in recovering from attacks. If your computer has been infected with ransomware, you’ll need to regain control of your machine.
Always keep in mind: while walking through these steps can remove the malware from your computer and restore it to your control, it WILL NOT decrypt your files. Their transformation into un-readability has already happened and if the malware is at all sophisticated, it will be mathematically impossible for anyone to decrypt them without access to the key that the attacker holds. In fact, by removing the malware, you’ve precluded the possibility of restoring your files by paying the attackers the ransom they’ve asked for.
Should You Pay the Ransom?
If your system has been infected with malware and you’ve lost vital data that you can’t restore from backup, an important question remains: should you pay the ransom?
When speaking theoretically, most law enforcement agencies urge you not to pay ransomware attackers, on the logic that doing so only encourages hackers to create more ransomware. That said, many organizations that find themselves afflicted by malware quickly stop thinking in terms of the “greater good” and start doing a cost-benefit analysis, weighing the price of the ransom against the value of the encrypted data. While 66 % of companies say they would never pay a ransom as a point of principle, in practice 65% actually do pay the ransom when they get hit.
Ransomware attackers keep prices relatively low — usually between $700 and $1,300, an amount companies can usually afford to pay on short notice. Some particularly sophisticated malware will detect the country where the infected computer is running and adjust the ransom to match that nation’s economy, demanding more from companies in rich countries and less from those in poor regions.
There are often discounts offered for acting fast, so as to encourage victims to pay quickly before thinking too much about it. In general, the price point is set so that it’s high enough to be worth the criminal’s while but low enough that it’s often cheaper than what the victim would have to pay to restore their computer or reconstruct the lost data. With that in mind, some companies are beginning to build the potential need to pay ransom into their security plans.
There are a couple of tricky things to remember here, keeping in mind that the people you’re dealing with are, of course, criminals.
First, what looks like ransomware may not have actually encrypted your data at all; make sure you aren’t dealing with so-called “scareware” before you send any money to anybody.
Second, paying the attackers doesn’t guarantee that you’ll get your files back. Sometimes the criminals just take the money and run, and may not have even built decryption functionality into the malware. But any such malware will quickly get a reputation and won’t generate revenue, so in most cases it’s estimated that around 65 – 70% of the time — the crooks come through and your data is restored.