What is ransomware?
Ransomware is a type of malware that encrypts data on a computer, and on any network shares it can reach, with a key known only to the criminals who planted it. The encrypted data is unusable until it is decrypted, and the attackers demand a ransom for the key. Payment is usually demanded in Bitcoin, which makes the criminals hard (though not impossible) to trace.
Ransomware has been around for a number of years and has gone through several mutations as the attackers find ways to avoid detection by antivirus programs and exploit different security weaknesses. Recent versions have targeted businesses, encrypting database files and any backups they can reach, and can spread across a business network extremely fast.
How is ransomware delivered?
The most common way ransomware is introduced is via email. These were previously opportunistic bulk mail-outs rather than being targeted at a specific company. They typically carry an attachment or a link and encourage the recipient to open it with a leading statement such as:
- Please find your invoice attached
- Please check details of your order
In recent months these generic emails have become more targeted and may appear to come from a person known to the recipient. Another development is malware that tries to evade detection by not activating until the computer is idle or is next switched on.
Email is not the only way attackers deliver the malware; there have been several instances of it being downloaded unknowingly from compromised websites. These may be fake websites built to look identical to well-known ones, or the genuine site after it has been hacked.
How can I prevent a ransomware infection?
It is almost impossible to prevent a ransomware attack entirely, as the criminals are constantly developing the code and looking for security weaknesses to exploit. However, there are several actions that can be taken to minimise the risk.
- Ensure all machines have good and up to date antivirus such as ESET.
- Ensure that Windows updates are installed regularly. These include patches that close security weaknesses in the software.
- Replace old PCs running end-of-life operating systems such as Windows XP, which no longer receive security patches.
- Implement a strong password policy.
- Keep open ports on internet routers to a minimum. If Remote Desktop must be reachable from outside, do not leave it open to the whole internet: limit the firewall rule to the addresses that genuinely need it, or better still put it behind a VPN. Changing the port from the default 3389 cuts down automated scanning but is no substitute for that restriction.
- Make staff aware of the risks of these emails. Encourage them to telephone the sender if it is something they were not expecting, using a number they already know rather than one given in the email.
- Turn off machines overnight and at weekends.
- Have good, secure backups with several recovery points, kept somewhere the workstations cannot write to (offline media, or a share only the backup account can reach), so that ransomware spreading across the network cannot encrypt them as well.
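The Remote Desktop advice above can be checked on each PC rather than taken on trust. The script below is an added example, not code from the original article: it reports the port RDP is listening on, whether RDP is enabled, and which remote addresses the built-in Windows firewall rules accept, then (once you have checked the report) narrows those rules to named ranges. The two address ranges are assumptions standing in for your office LAN and VPN client pool; it needs an elevated PowerShell on Windows 8 / Server 2012 or later, where the NetSecurity cmdlets exist.

```powershell
# Added example, not from the original article: audit how Remote Desktop is exposed
# on a Windows PC and, once checked, restrict it to known addresses.
# Run from an elevated PowerShell on Windows 8 / Server 2012 or later (NetSecurity module).
# The two address ranges are assumptions: replace them with your office LAN and VPN pool.

$AllowedRemote = @('192.168.1.0/24', '10.8.0.0/24')   # assumed office LAN and VPN client range

function Get-RdpExposure {
    $winStation = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    $termServer = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

    # Port RDP listens on (3389 unless it has been changed as the article suggests)
    $port = (Get-ItemProperty -Path $winStation -Name PortNumber).PortNumber
    # fDenyTSConnections = 0 means Remote Desktop is switched on
    $enabled = (Get-ItemProperty -Path $termServer -Name fDenyTSConnections).fDenyTSConnections -eq 0

    # Each enabled inbound rule in the built-in "Remote Desktop" group, with the remote
    # addresses it accepts. "Any" means the whole internet if the router forwards the port.
    $rules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -Enabled True -ErrorAction SilentlyContinue
    foreach ($rule in $rules) {
        $remote = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
        [pscustomobject]@{
            Rule          = $rule.DisplayName
            RdpEnabled    = $enabled
            Port          = $port
            RemoteAddress = ($remote -join ', ')
            OpenToAnyone  = [bool]($remote -contains 'Any')
        }
    }
}

function Limit-RdpExposure {
    param([string[]]$RemoteAddress = $AllowedRemote)
    # Narrow every Remote Desktop rule to the given ranges. This, plus removing the
    # port-forward on the router, is the control that matters; moving the port away
    # from 3389 only hides RDP from the laziest scanners.
    Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -RemoteAddress $RemoteAddress
}

Get-RdpExposure | Format-Table -AutoSize
# Limit-RdpExposure      # run once the report confirms $AllowedRemote is right
```

A row showing OpenToAnyone as True on a machine whose router forwards the RDP port is exactly the exposure the list item warns about. Note that this only covers the Windows firewall on the PC itself; the port-forward on the internet router is a separate setting and should be removed or restricted there as well.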
How can I recover from a ransomware attack?
Should an attack happen despite all precautions, it is essential to act quickly to minimise the damage. The only reliable way to recover from a ransomware attack is to restore the data from backups.
- Isolate the affected machine or machines from the network immediately. They will then need to be scanned with antivirus and malware-cleaning programs, or wiped and reinstalled, depending on how serious the damage is. Wiping is the safer option if there is any doubt.
- Pause backup jobs so that the good copies cannot be overwritten by the encrypted files.
- Try to identify the source of the infiltration (the email, attachment or website involved) so it can be blocked.
- Only once all the machines are known to be free of infection should the data be restored.
- Remember to turn the backup systems back on!
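The reason the prevention list asks for "several recovery points" and the recovery list asks you to pause backups is the same: a single mirrored copy is overwritten by the encrypted files on the next run. The script below is an added example, not code from the original article, showing one way to keep dated snapshots and retention on a small Windows network. The paths, retention period and canary file are assumptions; the destination should be a share that only a dedicated backup account can write to, otherwise ransomware on a workstation can encrypt the snapshots too.

```powershell
# Added example, not from the original article: a dated-snapshot backup that keeps
# several recovery points, so one run that copies already-encrypted files does not
# destroy the last good copy. Paths, retention and the canary file are assumptions.
# Run as a dedicated backup account that is the only user with write access to $Dest.

$Source   = 'D:\CompanyData'                # assumed: the data to protect
$Dest     = '\\backup01\snapshots'          # assumed: writable only by the backup account
$KeepDays = 14                              # assumed: daily recovery points to retain
$Canary   = 'Reference\price-list-2016.pdf' # assumed: a file that never changes in normal use

function New-BackupSnapshot {
    param([string]$Source, [string]$Dest)
    $target = Join-Path $Dest (Get-Date -Format 'yyyy-MM-dd_HHmm')
    $log    = Join-Path $Dest 'backup.log'
    # Plain copy (not /MIR), so each snapshot is a complete, independent recovery point.
    # /E subfolders incl. empty, /COPY:DAT data+attributes+timestamps, /R:1 /W:1 don't stall
    # on locked files, /XJ skip junctions, /NFL /NDL /NP keep the log readable.
    robocopy $Source $target /E /COPY:DAT /R:1 /W:1 /XJ /NFL /NDL /NP "/LOG+:$log" | Out-Null
    # robocopy exit codes 0-7 are informational; 8 and above mean something was not copied
    if ($LASTEXITCODE -ge 8) { throw "robocopy returned $LASTEXITCODE, see $log" }
    return $target
}

function Test-LatestSnapshot {
    # Compare the canary file in the two newest snapshots. Ransomware rewrites the files
    # it encrypts, so a changed or missing canary means the newest snapshot is poisoned.
    param([string]$Dest, [string]$Canary)
    $snaps = Get-ChildItem -Path $Dest -Directory |
        Where-Object Name -match '^\d{4}-\d{2}-\d{2}_\d{4}$' | Sort-Object Name
    if ($snaps.Count -lt 2) { return $true }
    $old = Join-Path $snaps[-2].FullName $Canary
    $new = Join-Path $snaps[-1].FullName $Canary
    if (-not (Test-Path $old) -or -not (Test-Path $new)) { return $false }
    return (Get-FileHash $old).Hash -eq (Get-FileHash $new).Hash
}

function Remove-OldSnapshots {
    param([string]$Dest, [int]$KeepDays)
    $cutoff = (Get-Date).AddDays(-$KeepDays)
    Get-ChildItem -Path $Dest -Directory |
        Where-Object { $_.Name -match '^\d{4}-\d{2}-\d{2}_\d{4}$' -and $_.CreationTime -lt $cutoff } |
        Remove-Item -Recurse -Force
}

$snapshot = New-BackupSnapshot -Source $Source -Dest $Dest
if (Test-LatestSnapshot -Dest $Dest -Canary $Canary) {
    Remove-OldSnapshots -Dest $Dest -KeepDays $KeepDays
} else {
    # Do not prune: the older, clean recovery points are now the ones you need.
    Write-Warning "Canary changed in $snapshot; retention paused until someone checks it."
}
```

Scheduled with Register-ScheduledTask under the backup account, this gives you $KeepDays independent copies rather than one. During an incident, Disable-ScheduledTask on that task is the "pause backups" step in the recovery list, and Enable-ScheduledTask is the "turn the backup systems back on" step. The canary check is a crude safeguard, not a detector: it only stops old snapshots being rotated away after a bad run, which is the failure the list is warning about.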
It is strongly advised that money should not be paid to recover any files encrypted in a ransomware attack. In some cases the files are not decrypted upon payment and the criminals have demanded a further ransom.
Fusion Care Solutions Ltd
Call Iain for advice & recommended solutions
01133 979 555