This is a question that Rockford IT, security experts based in Telford, are regularly asked, usually followed by "how do I avoid it, and how do I remove it?". With people becoming more aware of these attacks, our resident IT security expert, Penetration Tester Ian Simons, gives the low-down on ransomware, how you can protect yourself, and what to do if your computer or devices are affected.
Ransomware is a class of malware that is divided into many families. It operates, as the name suggests, by removing your access to your computer, either by locking your workstation or by encrypting your files, and then demanding a ransom in exchange for returning the system to your control.
There are two main ways in which ransomware works. The most frequent method is to encrypt your important files (on your hard disk or on network drives) so that they are unreadable by normal programs; less commonly, the malware locks your workstation so that you cannot even log in.
There are a number of ways that you can be infected. Chiefly, it is by running an authentic-looking executable attached to an email, most commonly disguised as a shipping notice, order confirmation or similar. Slightly less common (but no less dangerous) is a link to an apparently genuine website, either a fake version of a real site or a real site that has been compromised, where a pop-up asks you to install some software. Thirdly, a compromised website (or an HTML email) may silently install the malware, a so-called "drive-by download", by exploiting a vulnerability in your operating system or browser that would have been closed had the vendor's recommended security patches been installed. A fourth route is bundled software: for example, downloading "Chrome.exe" from somewhere other than Google might install malware alongside, or instead of, the browser.
Ransomware relies heavily on fear. A warning message that your computer has been infected (and, often, that you have been indulging in illegal activities) may prompt a panicked action: paying the ransom, or running another executable that infects your system further. Paying the ransom does not guarantee that your files will be decrypted, and it does not remove the malware.
A security appliance (such as a WatchGuard device), if configured correctly, will help prevent a ransomware infection by blocking the malware's connection to its command-and-control server. Many families contact that server before encrypting, to obtain the encryption key or to register the key that unlocks your files, so blocking the connection can stop them in their tracks. Be aware that some families carry an embedded key and encrypt offline, so this is not a complete defence. In addition, the appliance will block connections to websites based on categorisation or reputation.
Endpoint security will attempt to protect your system from ransomware (and other viruses) by scanning files for known signatures and suspicious behaviour before they are run. Kaspersky Internet Security will also help to block the software at the point of execution.
As mentioned earlier, some malware can install itself by using known vulnerabilities in your computer operating system. The software providers will likely know about these vulnerabilities and have released a security patch to prevent attempted exploitation. Ensuring that your systems are up-to-date with the latest vendor releases is a key method to reduce ransomware incidents.
Ensure that users do not have rights to install software. This is easily controlled in an enterprise environment, but can be done at home as well: if a user does not have rights to install software, the chances of the ransomware installing itself correctly diminish. Additionally, prevent macros from running in Microsoft Office products by default, allowing them only when they come from a trusted, verified source.
Control removable media access. Whilst this is not as common a route for infection, consider preventing removable media devices from being used where possible. Detailed guidance can be found on the website of the UK Government's National Cyber Security Centre.
Important files should be backed up regularly, preferably following the 3-2-1 rule: three copies of the files, on two different types of media, with at least one copy off-site. Additionally, periodically check that backups have completed and that a restore will actually succeed; a backup that has never been test-restored is only a hope. Backup files should not be routinely accessible (and certainly not writable) from the machines at risk, such as users' desktops, or the ransomware will simply encrypt them too. Should your systems be hit by ransomware, the operating system can be reinstalled and the unencrypted data restored from the backup.
This goes hand in hand with controlling code execution and takes it further: review all rights to network shares and maintain the principle that if access is not required, it is not granted. A user who can only read a share cannot encrypt it, and a user with no access at all cannot even find it.
Do not pay the ransom. Should an attack succeed, the first step is not to panic. Paying the criminals only funds further attacks, and it may mark you as a target who pays.
Examine the malware via the text it uses to inform you of your plight (or the file extension it has appended to the encrypted files), and attempt to identify the family the malware belongs to, for example Tescrypt, Crowti or Fakebsod. Kaspersky have made several free decryption tools available for particular families, and the experts at Rockford IT can also assist with this.
Once identified, ensure the original infection is removed – most efficiently achieved by booting into safe mode and using an on-demand virus scanner. If this isn’t possible, attempt to use Windows System Restore to roll back the operating system to a state prior to infection.
If none of this is possible, run a virus scanner from a bootable CD or USB drive.
Once the malware is removed, attempt to use the Kaspersky decryption software mentioned above; if that does not work, you must rely on your file backups to get your data back safely. It is worth repeating at this point: do not connect your backups to the infected machine before removing the original source of infection, and check the integrity of the backup before you restore from it.
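The backup advice above (take copies, test that a restore actually works, keep the backup out of reach of the at-risk machine) and the recovery advice (verify the backup, then restore over the damaged files) can be illustrated with a small worked example. The script below is an added example written for this article and is not Rockford IT's or Kaspersky's code. It keeps a SHA-256 manifest alongside a backup, compares the live files against that manifest to find what a ransomware run has removed, altered or replaced with high-entropy ciphertext, refuses to restore if the backup itself no longer matches its manifest, and then restores the manifest entries. The sample documents, the simulated "encryption" (random bytes under a `.locked` extension) and the entropy threshold are constructed assumptions for the demonstration.

```python
# Added example (not from the original article): backup manifest, damage
# detection against the manifest, integrity check of the backup, and restore.
# All sample files are constructed in a temporary directory; the entropy
# threshold and the ".locked" extension are illustrative assumptions.
import hashlib
import json
import math
import random
import shutil
import tempfile
from collections import Counter
from pathlib import Path

MANIFEST = "manifest.json"
ENTROPY_THRESHOLD = 7.5  # assumption: bits per byte; plain documents sit well below this


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext or compressed data, around 4-5 for English text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def build_manifest(root: Path) -> dict:
    """Map every file under root (as a relative POSIX path) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def backup(source: Path, dest: Path) -> dict:
    """Copy the source tree into dest and record the manifest alongside the copies."""
    manifest = build_manifest(source)
    for rel in manifest:
        target = dest / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(source / rel, target)
    (dest / MANIFEST).write_text(json.dumps(manifest, indent=1))
    return manifest


def verify_backup(dest: Path) -> list:
    """Return the backup entries that are missing or whose content no longer matches the manifest."""
    manifest = json.loads((dest / MANIFEST).read_text())
    return [rel for rel, digest in manifest.items()
            if not (dest / rel).is_file() or sha256_file(dest / rel) != digest]


def find_damage(source: Path, manifest: dict) -> dict:
    """Compare the live tree with the manifest: files gone, files changed, and new
    high-entropy files (a crude signal of ransomware output, not an identification)."""
    live = build_manifest(source)
    return {
        "missing": [rel for rel in manifest if rel not in live],
        "altered": [rel for rel in manifest if rel in live and live[rel] != manifest[rel]],
        "suspicious_new": [rel for rel in live if rel not in manifest
                           and shannon_entropy((source / rel).read_bytes()) > ENTROPY_THRESHOLD],
    }


def restore(dest: Path, source: Path) -> int:
    """Restore every manifest entry from the backup; refuse if the backup fails its own check."""
    bad = verify_backup(dest)
    if bad:
        raise RuntimeError(f"backup integrity failure, refusing to restore: {bad}")
    manifest = json.loads((dest / MANIFEST).read_text())
    for rel in manifest:
        target = source / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(dest / rel, target)
    return len(manifest)


def demo() -> dict:
    """Constructed scenario: back up two documents, simulate an encrypting ransomware
    run on the live copy, detect the damage, and restore from the untouched backup."""
    with tempfile.TemporaryDirectory() as tmp:
        source, dest = Path(tmp, "live"), Path(tmp, "backup")
        (source / "docs").mkdir(parents=True)
        (source / "docs" / "report.txt").write_text("Quarterly report: revenue up 4%.\n" * 40)
        (source / "docs" / "sheet.csv").write_text("date,amount\n2016-01-01,100\n" * 40)
        manifest = backup(source, dest)

        # Simulated ransomware: one document replaced by random bytes under a new extension.
        rng = random.Random(1)
        (source / "docs" / "report.txt").unlink()
        (source / "docs" / "report.txt.locked").write_bytes(
            bytes(rng.getrandbits(8) for _ in range(4096)))

        damage = find_damage(source, manifest)
        restored = restore(dest, source)  # the backup was never reachable from the "infected" host
        after = find_damage(source, manifest)
        return {"damage": damage, "restored": restored,
                "clean_after_restore": not after["missing"] and not after["altered"]}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Running `demo()` reports `docs/report.txt` as missing and `docs/report.txt.locked` as a suspicious new file, then restores both manifest entries. The entropy check is deliberately only a hint: it will also fire on legitimate compressed or encrypted files, so identifying the family from the ransom note, as described above, remains the proper next step.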
Rockford IT, part of SysGroup PLC are IT security experts based in Telford, West Midlands. Call us on 0333 101 6000 if you would like any security advice or solutions.