
What is Ransomware?

Ransomware is a class of malware that is divided into many families. As the name suggests, it works by taking away access to your computer, either by locking your workstation or by encrypting your files, and offers to return the system to your control only if you pay the ransom.

There are two main ways in which ransomware works. The most common contemporary method is to encrypt your important files (on your hard disk or a network drive) so that they are unreadable to normal programs; less commonly, the malware locks your workstation so that you cannot even log in.

How does the ransomware get onto your systems?

There are a number of ways that you can be infected. Chiefly, it is by running an authentic-looking executable attached to an email, most commonly themed as a shipping notice from a delivery company. Slightly less common (but no less of a threat) is a link to an apparently genuine website, known as a ‘drive-by download’: either a fake version of a real website, or a real website that has been compromised, where a pop-up asks you to install some software. Thirdly, a compromised website (or HTML email) may silently install the malware on your computer through a vulnerability in your operating system that remains open because the vendor’s recommended security patches have not been installed. A fourth route is bundled software: for example, downloading ‘Chrome.exe’ from somewhere other than Google might install malware.

Why is ransomware so effective?

Ransomware relies on fear: a warning message that your computer has been infected (and that you may have been indulging in illegal activities) may prompt a panicked action, such as paying the ransom or running another executable, leaving your system further infected with other viruses.

How can I protect myself?

A security appliance (such as a WatchGuard device), if configured correctly, will help prevent a malware infection by blocking the software from connecting to its control server; the software requires this connection to store the decryption key on the criminal’s server. In addition, the appliance will block connections to websites based on categorisation or reputation.

AV software will attempt to protect your system from ransomware (and other viruses) by recognising malicious files on your system before they are run.

As mentioned earlier, some malware can install itself by using known vulnerabilities in your computer’s operating system. The software providers will usually know about these vulnerabilities and will have released a security patch to prevent attempted exploitation. Ensuring that your systems are up to date with the latest vendor releases is a key method of reducing ransomware incidents.

Ensure that users do not have rights to install software. This is easily controlled within the enterprise environment, but can be done at home as well: if a user does not have rights to install software, the chances of the ransomware installing correctly diminish. Additionally, prevent macros from running within Microsoft products by default, only allowing them to run if the source is trusted.

Control Removable Media Access

Whilst this is not as common a route for infection, consider preventing removable media devices from being used where possible. Detailed information can be found on the UK Government’s National Cyber Security Centre website.

Important files should be backed up regularly, preferably following the 3-2-1 rule: 3 copies of the files, on 2 different devices, with at least 1 copy off-site. Additionally, periodically check that backups have completed and that a restore will complete successfully. Backup files should not be routinely accessible from the machines that are at risk (for example, users’ desktops). Should the systems be affected by ransomware, the unencrypted data can be restored once the operating system has been reinstalled.
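The two checks the paragraph above asks for (that the backup actually completed, and that a restore will work) are easy to neglect until the day they are needed. The script below is an added example, not code from the original article or from SysGroup: it hashes every file in a source tree and its backup copy to find files that are missing or stale, then rehearses a restore into a scratch folder and verifies the restored tree against the backup. The demo at the bottom builds its own sample data in the temp folder; the paths, file names and the "edited after backup" scenario are constructed for illustration, and a real run would point `$live` and `$copy` at the actual source and backup target.

```powershell
# Added example, not from the original article: check that a backup copy is
# complete and current, then rehearse a restore into a scratch folder so the
# restore path is known to work before it is needed. Sample data is constructed.

function Get-TreeHashes {
    # Map relative path -> SHA-256 for every file under $Root
    param([Parameter(Mandatory)][string]$Root)
    $rootFull = (Resolve-Path -Path $Root).Path
    $hashes = @{}
    Get-ChildItem -Path $rootFull -File -Recurse | ForEach-Object {
        $relative = $_.FullName.Substring($rootFull.Length).TrimStart('\', '/')
        $hashes[$relative] = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
    }
    return $hashes
}

function Compare-Trees {
    # Report files present in $Expected that are absent from, or differ in, $Actual
    param([Parameter(Mandatory)][string]$Expected, [Parameter(Mandatory)][string]$Actual)
    $want = Get-TreeHashes -Root $Expected
    $have = Get-TreeHashes -Root $Actual
    $missing    = @($want.Keys | Where-Object { -not $have.ContainsKey($_) })
    $mismatched = @($want.Keys | Where-Object { $have.ContainsKey($_) -and $have[$_] -ne $want[$_] })
    [pscustomobject]@{
        Checked    = $want.Count
        Missing    = $missing
        Mismatched = $mismatched
        Healthy    = ($missing.Count -eq 0 -and $mismatched.Count -eq 0)
    }
}

function Test-RestoreFromBackup {
    # Restore the backup into a throwaway folder (never onto live data) and
    # confirm the restored tree is byte-for-byte what the backup holds.
    param([Parameter(Mandatory)][string]$Backup)
    $scratch = Join-Path ([IO.Path]::GetTempPath()) ("restore-test-" + [guid]::NewGuid())
    New-Item -ItemType Directory -Path $scratch | Out-Null
    try {
        Copy-Item -Path (Join-Path $Backup '*') -Destination $scratch -Recurse -Force
        return Compare-Trees -Expected $Backup -Actual $scratch
    } finally {
        Remove-Item -Path $scratch -Recurse -Force -ErrorAction SilentlyContinue
    }
}

# --- Demo on constructed data (replace $live / $copy with real locations) ---
$demo = Join-Path ([IO.Path]::GetTempPath()) ("backup-demo-" + [guid]::NewGuid())
$live = Join-Path $demo 'live'
$copy = Join-Path $demo 'backup'
New-Item -ItemType Directory -Path $live, $copy | Out-Null
Set-Content -Path (Join-Path $live 'accounts.csv') -Value 'id,amount'
Set-Content -Path (Join-Path $live 'notes.txt')    -Value 'quarterly review'
Copy-Item -Path (Join-Path $live '*') -Destination $copy -Recurse

# A file edited after the last backup run: the copy is now stale
Add-Content -Path (Join-Path $live 'notes.txt') -Value 'edited after the backup ran'

$current = Compare-Trees -Expected $live -Actual $copy
$restore = Test-RestoreFromBackup -Backup $copy
"Backup current: $($current.Healthy)  (stale files: $($current.Mismatched -join ', '))"
"Restore rehearsal succeeded: $($restore.Healthy)"
Remove-Item -Path $demo -Recurse -Force
```

In the demo the first line reports `False` with `notes.txt` listed as stale, because the file changed after the copy was taken, while the restore rehearsal reports `True`: the two results are deliberately separate, since a backup can be restorable yet out of date, or current yet impossible to restore. Run from a machine that is not itself at risk, with read-only access to the backup target, so the check never becomes the path by which an infected desktop reaches the backups.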

Read our customer story on Filofax to learn how SysGroup helped them achieve a streamlined, manageable and faster backup process.


This goes hand in hand with controlling code execution and takes it further: ensure that all rights to network shares are reviewed, and maintain the principle that if access is not required, it is not allowed.
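The controls described above (macros allowed only from a trusted source, users without rights to install software, and network shares granting no more access than is required) can all be checked from a single PowerShell session. The script below is an added example and is not code from the original article or from SysGroup. It assumes Office 2016 or later (registry version key `16.0`) and Windows with the built-in SmbShare module; the `VBAWarnings` and `BlockContentExecutionFromInternet` registry values are Office's documented macro settings, and the list of "broad" accounts to flag is an assumption to adjust for your environment.

```powershell
# Added example, not from the original article: audit three ransomware controls
# on a Windows workstation or file server. Office version and the list of
# broad groups are assumptions; registry values are Office's documented settings.

$OfficeVersion = '16.0'                    # assumption; adjust for other releases
$OfficeApps    = 'Word', 'Excel', 'PowerPoint'

function Get-OfficeMacroStatus {
    # VBAWarnings: 1 = enable all, 2 = disable with notification (default),
    # 3 = disable except digitally signed, 4 = disable without notification.
    foreach ($app in $OfficeApps) {
        $policyKey = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        $userKey   = "HKCU:\Software\Microsoft\Office\$OfficeVersion\$app\Security"
        $setting = $null; $source = 'default'
        # A policy (GPO) value overrides the user's own preference when present
        foreach ($key in $policyKey, $userKey) {
            $v = Get-ItemProperty -Path $key -Name VBAWarnings -ErrorAction SilentlyContinue
            if ($null -ne $v) {
                $setting = [int]$v.VBAWarnings
                $source  = if ($key -eq $policyKey) { 'policy' } else { 'user' }
                break
            }
        }
        $block = Get-ItemProperty -Path $policyKey -Name BlockContentExecutionFromInternet -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Application           = $app
            VBAWarnings           = $setting
            Source                = $source
            InternetMacrosBlocked = ($null -ne $block -and $block.BlockContentExecutionFromInternet -eq 1)
            # "only if the source is trusted" corresponds to 3 (or the stricter 4)
            SignedOnly            = ($setting -eq 3 -or $setting -eq 4)
        }
    }
}

function Test-UserCanInstallSoftware {
    # True when the current user is a local administrator and can therefore
    # install software (and let a malicious attachment install itself).
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-OverlyOpenShares {
    # Non-administrative SMB shares where a broad group has write access, for
    # review against "if access is not required it is not allowed".
    $broad = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'   # assumption
    Get-SmbShare | Where-Object { -not $_.Special } | ForEach-Object {
        $share = $_
        Get-SmbShareAccess -Name $share.Name |
            Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                ($_.AccessRight -eq 'Full' -or $_.AccessRight -eq 'Change') -and
                $broad -contains $_.AccountName
            } |
            ForEach-Object {
                [pscustomobject]@{
                    Share = $share.Name; Path = $share.Path
                    Account = $_.AccountName; Right = $_.AccessRight
                }
            }
    }
}

# Run the three checks and print a short report
Get-OfficeMacroStatus | Format-Table -AutoSize
"Current user can install software (local admin): $(Test-UserCanInstallSoftware)"
Get-OverlyOpenShares | Format-Table -AutoSize
```

Run it as the ordinary user whose exposure you are assessing, not as an administrator, since the macro settings live under the user's hive and the install-rights check reports on whoever runs it; an empty table from `Get-OverlyOpenShares` is the desired outcome. In a domain the fix for a non-compliant macro result is the corresponding Group Policy rather than editing the registry by hand.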

How to remove it?

  1. Do not pay the ransom. Should an attack be successful, the first step is not to panic. Paying the criminal will only fund further attacks and potentially mark you as a target for future ones.
  2. Examine the malware via the text it uses to inform you of your plight (or the file extension it has given the encrypted files), and attempt to identify the family the malware belongs to – for example, Tescrypt, Crowti, Fakebsod.
  3. Once identified, ensure the original infection is removed; this is most efficiently achieved by booting into safe mode and using an on-demand virus scanner. If this isn’t possible, attempt to use Windows System Restore to roll back the operating system to a state prior to infection.
  4. If none of this is possible, run a virus scanner from a bootable CD or USB drive.
  5. Once the malware is removed, attempt to use decryption software (where one exists for the identified family); if this doesn’t work, you must rely on your file backups to return your data safely. It is worth repeating at this point: do not connect your backups to the infected machine before removing the original source of infection!