This guide offers some tips for preventing data loss through ransomware.
Picture this: you’ve spent the last few weeks working on an important project, gathering and compiling information from a wide array of sources.
When you finally finish the project, you go to copy the file onto a DVD and, out of nowhere, a ransom message pops up similar to the one below.
“Unfortunately, the files on this computer have been encrypted. You have 96 hours to submit payment to receive the encryption key, otherwise your files will be permanently destroyed.”
You’ve been hit with ransomware.
You don’t have a backup, or even worse, you do have a backup but the media was connected during the attack and the backup is also encrypted.
What to do next?
Unfortunately, when it comes to ransomware, once your files are encrypted there’s not much you can do, as the encryption methods use strong, high-bit ciphers.
The first point most cyber security firms make is: DO NOT pay the ransom. It only encourages the attackers to keep operating and helps them build better, more sophisticated attacks.
According to the FBI, ransomware netted $209 million (R3 billion) in the first quarter of 2016 alone, although how much of this came from businesses as opposed to individuals is impossible to say.
And even if you do pay up, there’s a chance you won’t get your files back, so you’re out both the files and your cash.
According to Trend, a meager 44 percent of those who paid the ransom got their data back. If that’s correct, paying a ransom demand is more like a bet than a data recovery strategy.
Anecdotes confirm this, with the case of a US hospital in Kansas being only an extreme example of the problem. The institution paid the initial ransom, but the attackers just returned to ask for a higher figure.
The culprits also use cryptocurrencies like bitcoin, which makes them near impossible to trace. That’s why it’s so important to prevent ransomware attacks from happening in the first place.
Anyone can be hit with ransomware, although trends point to the culprits targeting organizations that, due to their size, are more likely to pay the ransom.
Types of ransomware
The first step in ransomware prevention is to recognize the different types of ransomware you can be hit with. Ransomware can range in seriousness from mildly off-putting to Cuban Missile Crisis severe.
Scareware
Okay, yes, it’s called scareware, but in comparison to other types of ransomware these are not so scary.
Scareware includes rogue security software and tech support scams. You might receive a pop-up message claiming that a bajillion pieces of malware were discovered and the only way to get rid of them is to pay up.
If you do nothing, you’ll likely continue to be bombarded with pop-ups, but your files are essentially safe.
A quick scan from your security software and anti-malware applications like Malwarebytes should be able to clear out these suckers.
Pro tip: A legitimate antivirus or anti-malware program would not solicit customers in this way.
Lock-screen ransomware
Upgrade to terror alert orange for these guys. When lock-screen ransomware gets on your computer, it means you’re frozen out of your PC entirely.
Upon starting up your computer, a full-size window will appear, often accompanied by an official-looking FBI or U.S. Department of Justice seal saying illegal activity has been detected on your computer and you must pay a fine.
In order to reclaim control of your PC, a full system restore might be in order. If that doesn’t work, you can try running a scan from a bootable CD or USB drive.
Pro tip: The FBI would not freeze you out of your computer or demand payment for illegal activity. If they suspected you of piracy, child pornography, or other cybercrimes, they would go through the appropriate legal channels.
Encrypting ransomware (Cryptoware)
This is the truly nasty stuff. These are the guys who snatch up your files and encrypt them, demanding payment in order to decrypt and redeliver.
The reason this type of ransomware is so dangerous is that once cyber-criminals get hold of your files, no security software or system restore can return them to you.
Unless you pay the ransom, they’re gone. And even if you do, there’s no guarantee you can get those files back.
Pro tip: Cyber security professionals advise not to pay the ransom. Complying with ransomware criminals just opens the door up for future more advanced attacks.
So what should you do about this kind of ransomware? Get out in front of it.
“If any attack in the history of malware proves that you need protection in place before an attack happens, encrypting ransomware is it,” says Adam Kujawa, Head of Intelligence at Malwarebytes.
“It’s too late once you get infected. Game over.”
Once your files have been encrypted there is little to no chance of recovering them without a good working backup, as most new variants of cryptoware store only the public key on the infected computer, while the private key, which is required for decryption, is held on the attackers’ botnet.
Without this private key it is near impossible to decrypt your files, as it could take many lifetimes to crack the private key by brute force.
Some good advice
The first step in ransomware prevention is to invest in decent cyber security. Start with an antivirus with active monitoring and layer on other applications, from vendors such as ESET, that are specifically designed to thwart advanced malware attacks such as ransomware. These include anti-malware and anti-ransomware programs.
Backups (Stored offline and disconnected)
Next, as much as it may pain you, you need to create secure backups of your data on a regular basis and never leave the backup media connected to your device when a backup is not running.
You can purchase an external hard drive where you can save new or updated files—just be sure to physically disconnect the devices from your computer after backing up,
otherwise they can become infected with ransomware, too. Cloud storage is another option, but we recommend using a server with high-level encryption and multiple-factor authentication.
Also bear in mind that cloud storage solutions like Dropbox that have a desktop sync client should not be allowed to run 24/7. Only open the sync client in order for a backup to run, then disconnect and close the client.
Never disable User Account Control (UAC). As annoying as it may be, UAC can prevent unwanted code from running with the elevated privileges required to encrypt your data.
And while we are at it, NEVER have an administrator account with no password or a weak password. It is also good practice to have two accounts: one configured as a standard user for day-to-day computing, and a separate administrator account for the times when changes need to be made to your computer. Using the administrative account on a daily basis, while convenient, is not really the smart thing to do.
Mapped network drives
Using mapped network drives should be considered taboo. All ransomware can encrypt data on a mapped network location. While using UNC paths to access data is not a foolproof approach, it does seem to be more effective at keeping the ransomware from jumping across networked devices. Most ransomware scans your computer for available drive letters and forces encryption on each drive letter found; accessing your data using UNC paths means your data is not accessed by a drive letter, thus reducing the risk of the ransomware jumping over to other devices on your network.
Close off any remote access services like remote desktop. While it is convenient to have direct access to your computers using remote desktop or similar, a lot of these attacks happen this way. Having a server accessible via remote desktop with a weak password is asking for trouble; it’s not a case of if it will get ransomware but when. Rather use secure VPN solutions like OpenVPN to establish a connection to the remote network, and then use the VPN tunnel to access remote desktop on your computer.
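As an added example, not from the original article, here is a read-only PowerShell check for the points above: UAC left enabled, administrator accounts requiring a password, the everyday account not being an administrator, no mapped drive letters, and Remote Desktop switched off. It assumes a Windows 10 / Server 2016 or later host with the built-in LocalAccounts and SmbShare modules, and is run as the day-to-day user (no elevation needed); nothing is modified.

```powershell
# Added posture check for the ransomware advice above (not the article's own code).
# Run as the everyday user account; reads registry and account state only.
$findings = @()

# 1. User Account Control must stay enabled (EnableLUA = 1 means on).
$uac = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -Name EnableLUA
if ($uac.EnableLUA -ne 1) { $findings += 'UAC is disabled (EnableLUA is not 1)' }

# 2. Remote Desktop should be off; fDenyTSConnections = 1 means RDP is disabled.
$rdp = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections
if ($rdp.fDenyTSConnections -ne 1) {
    $findings += 'Remote Desktop is enabled; disable it or reach it only through a VPN tunnel'
}

# 3. Mapped drive letters are what ransomware enumerates; each one is a finding.
#    (Mappings are per user session, which is why this runs as the everyday user.)
foreach ($m in (Get-SmbMapping -ErrorAction SilentlyContinue)) {
    $findings += "Mapped drive $($m.LocalPath) -> $($m.RemotePath); use the UNC path instead"
}

# 4. Every local user in the Administrators group must require a password.
$admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
          Where-Object { $_.ObjectClass -eq 'User' -and $_.PrincipalSource -eq 'Local' }
foreach ($a in $admins) {
    $name = ($a.Name -split '\\')[-1]          # strip the MACHINE\ prefix
    $user = Get-LocalUser -Name $name -ErrorAction SilentlyContinue
    if ($user -and -not $user.PasswordRequired) {
        $findings += "Administrator account '$name' does not require a password"
    }
}

# 5. The account running this check (the daily-use one) should not itself be an administrator.
$principal = New-Object Security.Principal.WindowsPrincipal(
    [Security.Principal.WindowsIdentity]::GetCurrent())
if ($principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    $findings += 'The current day-to-day account has administrator rights; use a standard user for daily work'
}

if ($findings.Count -eq 0) {
    Write-Output 'No findings: UAC on, RDP off, no mapped drives, admin accounts have passwords.'
} else {
    Write-Output "$($findings.Count) finding(s):"
    $findings | ForEach-Object { Write-Warning $_ }
}
```

Each warning maps to one recommendation in the text; re-run the script after fixing a point to confirm it no longer appears.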
Stay informed. One of the most common ways that computers are infected with ransomware is through social engineering.
Educate yourself on how to detect phishing campaigns, suspicious websites, and other scams. And above all else, exercise common sense. If it seems suspect, it probably is.
If you are still unsure, speak to us. We have a team of dedicated professionals who can advise you on the best possible solution to help you prevent an attack and, failing that, help you recover your data with near to zero loss of information.