The cost of ransomware to businesses is estimated to be over $200 million in the first half of this year. According to Trend Micro this is up 172% from 2015.  Ransomware is highly lucrative for criminals who can bring a business to a standstill all in the name of a quick buck and it’s working for them.

Businesses dependent on their computers and servers should take note and ensure they are proactive in preventing these attacks but also should be sure they have a clear contingency plan to recover if it does happen.

1. What is Ransomware?

Ransomware is a form of malware that executes an attack on the victims computer and seeks to prevent access to the operating system, applications or files and folders until a sum of money is paid to the attacker.

There are two main types of ransomware; There is encrypting ransomware and locking ransomware.

Encrypting ransomware encrypts personal files and documents on the victims computer or network with a private key, which renders the files inaccessible until a ransom is paid to the attacker who will then provide the key to decrypt the files.

Locker ransomware locks the victim out of their operating system and prevents access to the desktop or any applications or files until the ransom is paid.

The most common form of ransomware is encrypting ransomware.

2. How do you get Ransomware?

Ransomware can be spread by a number of ways. The most common being through emails containing malicious links or attachments which are opened by the victim, but ransomware can also be spread through:

  • Security exploits in vulnerable or unpatched software
  • Legitimate websites which are hacked and have malicious code injected
  • Drive by downloads – automatic downloads from infected sites
  • Malvertising – fake ads on websites which execute or download malicious software
  • SMS/text message
  • Self propagation from one infected machine to others in the network
  • Infected external storage devices.
  • Social engineering

3. How do you prevent Ransomware?

There is no single way to prevent ransomware. It should be an organizational strategy that covers all aspects of the IT infrastructure, as well as staff/user education.

  • Have layered security – Firewalls, mail filtering, end-point protection- Keep up to date – Patch all operating systems, 3rd party apps, antivirus, mail scanning, firewalls, etc as soon as possible.
  • Security policies – Filter and quarantine emails for phishing links, attachments, etc. Have strong web filtering to prevent drive-by downloads and malicious sites
  • Restrict privileges – Ransomware runs in the user context, so users should not be local administrators on their machines or have unnecessary access to network files and folders or servers
  • Restrict software execution – Use whitelisting to only allow authorized applications to be executed on users computers or implement policies to block execution of programs from the %LocalAppData% folder where ransomware often runs from – Microsoft AppLocker is very good for this
  • Have a strong backup strategy including offsite backups
  • Prevent the use of external storage devices, or only use secure devices such as IronKey.
  • User/Staff education – Keep staff up to date on latest scams, emails, viruses and what to do in certain situations

4. How does Fortisandbox fit into the picture?

Fortisandbox is a layer in the proactive detection and prevention of malware. Most ransomware and malware is so successful in its attacks because it can bypass traditional antivirus and filtering solutions and enter a victims machine or network due to it being seemingly harmless until it is actually executed.

Fortisandbox works by examining suspicious code in a secure and isolated environment to analyse the behaviour, effects and potential threat level before it is executed in the customer network. It can then trigger certain actions based on the results, as well as learning and updating itself with this knowledge to mitigate further attacks.

5. Once you have it can you get your data?

There have been instances where individuals or companies have paid the ransom to their attackers and have successfully been able to recover their files, but this is not recommended or guaranteed and more often than not will not result in getting the data back.

Recently there was the case of the Hollywood Presbyterian Medical Center in LA which paid 40 bitcoins (US$17K) to their attackers and were able to successfully decrypt their files and systems. Click here for more

The best way to recover from an attack is to get data back from backups. If you have recent and secure backups then you may only lose a day or few hours work as you restore your files and systems from the last good backup and clean any infected systems.

There are also some online tools which can attempt to break the encryption on ransomware and some specific encryptions have been broken, but ransomware is evolving so fast that it’s hard for the tools to keep up.

6. What you need to tell your team to look out for?

Staff and users need to be vigilant when online! Be aware of the latest threats and scams which are circulating as they are constantly evolving
Never open links or attachments if you are not sure of the sender or file. If you suspect it, delete it or consult with IT.

Check the reply to address in suspicious emails from people you may know. Often it will be a fake email and the reply will go to a different address.

Be especially wary of emails containing attachments or links from institutions like banks, police, post office, paypal etc, or emails which ask for or offer money, especially when they come from people or institutions you may know.

Also be wary when surfing the web for malicious sites or malicious ads, especially ads which offer free prizes or money, or report that your file or computer is at risk or infected. Also be wary of sites that try to copy legitimate sites especially through Google searches.

Finally, be cautious about any unsolicited emails, phone calls or text messages you receive from people claiming to be from Microsoft, Apple, etc or institutions, especially if asking for personal details or access to your computer.

Worried about Ransomware?
Speak to the experienced team at Stanfield IT on 1300 910 333