Ransomware – How to stay one step ahead of the cybercriminals

This article will go over some good measures to reduce the risk of getting ransomware on your computer, as well as some advice what to do if you do get infected. Ransomware was covered in our previous post, so check it out for more details about what ransomware is, how it works, and the most common ways your computer gets infected.

The main way ransomware gets installed on your computer is through phishing, a form of social engineering where an individual is tricked into installing the malware. There are several things to look out for:

1. Do not click on any links that are not verified. These can come through a seemingly legit email or website. Downloads will usually start as soon as you click on a link, so use extra caution, and if in doubt do not click on it.
2. Do not open email attachments from untrusted sources. Also, be aware that some phishing attacks are highly specialized and could be adapted for you specifically or the company you work in (so-called spear phishing). One tip is to use the show file extensions feature to see if any attachments are executable, e.g. ending in .bat, .sh, .dmg, or .exe. If so, do not open it.
3. If an colleague sends a genuine email that looks like phishing, let them know so that the culture for writing good a proper emails will improve in your company.
4. Use caution when downloading from websites. Browsers will give an indication if the site is verified, usually in the form of a lock symbol or a shield. However, even verified websites may have security vulnerabilities or may even be phishing sites, so it is still necessary to exercise caution. Also, make sure the site uses HTTPS instead of HTTP to ensure secure encryption of requests and responses.
5. Be careful not to share personal information. Criminals may use this information to send personalized emails specifically to you, increasing the likelihood of doing what they ask of you.
6. For companies, provide training for employees so that they can recognize malicious emails and phishing attempts more easily.

Ransomware can also exploit technological vulnerabilities. There are a few dos and don’ts to make sure your technological routines are up to scratch.

1. Make sure you scan all your emails and attachments using content scanning and filtering on your mail servers. This will reduce the chance of a malicious email ending up in your inbox.
2. Outdated versions on browsers, software, and operating systems may have vulnerabilities that can be exploited, so make sure to always update to the latest versions when possible.
3. Use good antivirus software that also include ransomware, and a firewall. There are several good ones that will block infected files and prevent your computer from being encrypted, but only use from reputable sources as there are also a lot of fake antivirus software out there.
4. When connecting to the Internet from a public WIFI, make sure you use a VPN.
5. Only give admin privileges when necessary. Restricted access for normal users may reduce the spread of the malware if one employee’s computer is attacked by ransomware.

This cannot be stressed enough and may be the most important measure you do. Having a good backup system is key to protect yourself from losing your data. Instead of paying the ransom, it is better to reinstall everything from good and recent backups, so make sure you have a backup on an external hard drive or in the cloud so that the backup data doesn’t get infected along with your computer.

First off, make sure it is actual ransomware and not just an imitation (such as screen-locking ransomware). The latter may be more easily removed, and is often characterized by trying to shame the victim (eg having been caught looking at adult websites) and pretending to from a source such as the FBI or the police. If you can read most of your files and navigate through your computers system, it is most likely a fake.

However, if the ransomware is authentic there are three main paths you could chose:

First off, it is not recommended to pay the ransom. This will only encourage this type of attack, and there is no guarantee that you will receive the decryption key. Some may even ask for the ransom one more time before they give what you payed for.

That being said, some have chosen to recover the data by paying the fee, especially in the case of medical records or where there is no good backup to reinstall your files from. This is not an easy issue, and the pros and cons can be discussed at length. Again, take good backups of your data, and you will not have to be faced with this dilemma should you be so unfortunate to have all your files encrypted.

Disconnect your infected computer or system from the Internet and other devices, and use an antivirus to remove the ransomware. Note, this will not recover your files, but should remove the virus from your system. Check if there are any deleted files you might recover. Also, finding the exact type of ransomware strain might help you decrypt the files (though not in most cases). There are some online tools like ID Ransomware and Crypto Sheriff that will help you with this. There are also some decryption tools available for some strains, so checkout No More Ransom if a decryption key exist for a specific strain.

If decryption is not possible, then restore the files from your backups. The best is to wipe your computer or system completely, reinstall the operating system, and then restore the files to make sure all traces of the virus is removed. Make sure your backup is not infected before you start. This is the fastest and cheapest way of getting your systems up and running again.

This may not be optimal, but if your data is not very important or something you can’t replace, then simply choosing to reinstall you affected system may be a good solution.