Someone in your organization gets an email with an attached document. The sender seems legitimate, but when they click on the link, it’s not what it claims to be. Soon your organization’s data is encrypted and you receive a message: pay a ransom to the attackers if you want the decryption key. You’ve just been the victim of a ransomware attack.
Ransomware has become a major attack vector in 2021. According to Threatpost, ransomware attacks increased by more than 150% in the first half of the year, and the threats from ransomware are more diverse than ever; a recent report found that 113 different ransomware families were operating in the first quarter of 2021.
What is ransomware?
Ransomware is a type of malware, or malicious software, that holds an organization’s information, systems, data or networks for ransom. It often does this by blocking access to data, either by encrypting the data or by locking a system so the owners can’t get access to their own files. The attackers then demand a ransom for the encryption key or to unlock the system. If the ransom isn’t paid, some attackers will threaten to publish proprietary information on the public internet. Some even do; ransomware group Grief (PayorGrief, previously called DopplePaymer) operates a leak site where the data of victims is posted.
Ransomware attacks are often carried out using a Trojan horse – a file pretending to be something else — delivered through a phishing scam. The user is most often tricked into opening the email and opening the link or attachment. Sometimes ransomware is delivered through a worm, such as the WannaCry worm, which travels automatically between computers.
While spotting a phishing attack is often simple — think of all the times you’ve seen a fake email from a bad actor pretending your PayPal account has been suspended — phishing scammers chasing big game have become more sophisticated in the last year. According to the SANS 2021 Top New Attacks and Threat Report, phishers are increasingly using deeper research to customize their messages to C-level executives in a bid to fool company leadership into clicking links and opening attachments.
It’s no surprise that ransom demands attached to malware attacks more than doubled in the last year.
How can you remove ransomware after an attack?
So what happens after you’ve been attacked? How can you remove ransomware once your system has been infected?
There’s good news and bad news when it comes to getting rid of ransomware. The malware itself can be removed, but your data often cannot be decrypted — and of course, you have no idea what will happen with your data once the attackers have it. With that in mind, however, there are some steps you can take to respond to an attack.
- Move fast: The sooner you act, the more likely you are to retain more of your data. If your (or your anti-ransomware software) detects the ransomware is detected before you’re asked for a ransom, you’ll be able to simply delete the ransomware. And data that are already encrypted will remain encrypted, but you can stop the process from spreading.
- Get offline: Get your infected machine off the internet and the network as soon as you can. Disconnect virtually and physically. You don’t want the ransomware spreading to other devices or the cloud, or communicating with the cybercriminals who sent it.
- Delete the malware: It can be done. If you’re an individual reading this post, CSO Magazine’s Steve Ragan has a video showing how to remove ransomware from a Windows machine by rebooting the machine into safe mode, installing anti-malware software, and restoring the computer to a previous state. If you’re at an organization, obviously your IT team will do this for you, but be aware that this approach will not get your encrypted data back, just control of the machine.
- Use a decryption tool: While not all ransomware attacks are decryptable, there are several description tools you can use to get back your data. The No More Ransom Project offers a library of ransomware decryption tools that can help you get your data back,
- Install a backup: Hopefully, you’re backing up everything. If so, you can reinstall your backups after the machine is restored.
Should you pay the ransom?
It may seem like the easiest way to decrypt your data is to just pay up, but it’s not that simple, and in fact the authorities recommend that businesses do not pay ransoms to bad actors after attacks.
For one thing, there’s no guarantee that the criminals will give your data back after an attack, or that they won’t post it publically. For another, paying the ransom only proves to the criminals that their attack has worked, and they’re likely to do it again.
How can SecurityScorecard help?
In the case of most ransomware, an ounce of prevention is better than a pound of cure. Before you’re attacked, be sure to follow best practices when it comes to cyber hygiene and make sure to have a ransomware response plan in place.
You should also be continuously monitoring your security posture. SecurityScorecard’s Security Ratings, for example, let you see your organization’s security posture at a glance, giving you easy-to-read A-F ratings across ten groups of risk factors including DNS health, IP reputation, web application security, network security, leaked information, hacker chatter, endpoint security, and patching cadence. By understanding your security posture, and how to correct any issues that arise, you’ll be able to protect your organization against ransomware and other cyber threats.