Ransomware 101

What is ransomware and how to prevent it...


Like any other technology, encryption can be used for good or for harm. It is normally a defensive tool that keeps data out of an attacker's hands, but in a ransomware attack the very same primitive is turned around and used to lock owners out of their own data. That is what this article is all about, so read on for details…

Ransomware defined

As the name suggests, ransomware holds someone's files for ransom. In a ransomware attack the attacker encrypts a user's or an organization's files and demands payment in exchange for the decryption key that will unlock them.

Ransomware is especially damaging for large organizations, health systems and (local) governments, none of which can operate without full access to their documents and systems.

The sad truth is that ransomware keeps growing in popularity, helped along by ransomware-as-a-service (RaaS): the developers rent their malware and payment infrastructure to less tech-savvy criminals in return for a cut of the proceeds. Cryptocurrencies have also played their part, since they let attackers collect payment with no bank in the loop, and unsurprisingly nearly all ransomware operators demand crypto rather than fiat money, which is easy to trace. Crypto is pseudonymous rather than truly anonymous, though: the ledger is public, and a few ransom payments have been traced and partly recovered, but that remains the exception.

Arguably the most infamous ransomware attack was the one on Colonial Pipeline in 2021, which forced the shutdown of a 5,500-mile fuel pipeline supplying the US East Coast. It is also one of the rare cases where most of the (roughly 75 bitcoin) ransom was later recovered by the FBI.

How do ransomware attacks work?

The number one way ransomware gets onto a company network is still through a user: a phishing email with a malicious attachment or link, or a download that hides the ransomware code inside a seemingly legitimate program. The user is unaware of this, yet the damage is done.

Alternatively, a skilled attacker can install ransomware directly by exploiting a vulnerability in an internet-facing device or service, or by simply logging in through an exposed remote-access service (RDP, VPN) with stolen or guessed credentials.

Once it is running, the ransomware searches for valuable data such as documents, databases, photos and other files, and encrypts them. Modern ransomware uses hybrid encryption: each file is encrypted with a fast symmetric cipher under a freshly generated key, and that per-file key is then encrypted ("wrapped") with a public key that belongs to the attacker and is often generated specifically for that victim. The matching private key never touches the victim's machine; it stays with the attacker, who won't hand it over without being paid. Encrypting whole files with public-key cryptography alone would be far too slow, which is why the symmetric layer is there, and the separation is also why analysing the malware itself does not yield the key.
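To make the key-management picture concrete, here is an added example (not code from this article or from any real ransomware) of the hybrid scheme just described, written in Go with the standard library only: a fresh 256-bit AES-GCM key per file, wrapped with RSA-OAEP under an "attacker" public key. The sample documents, the key names and the runScenario helper are constructed for the illustration; the code only touches bytes in memory and never the filesystem.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Constructed sample "documents" standing in for a victim's files; not real data.
var sampleFiles = map[string][]byte{
	"report.docx": []byte("Q3 figures: revenue up 4%, headcount flat"),
	"patients.db": []byte("id,name,diagnosis\n1,Ann,flu\n2,Bob,fracture"),
	"holiday.jpg": {0xFF, 0xD8, 0xFF, 0xE0, 0x00, 0x10, 0x4A, 0x46, 0x49, 0x46},
}

// EncryptedFile is what is left on disk once the scheme has run: the ciphertext,
// the AES-GCM nonce, and the per-file key wrapped under the attacker's RSA public key.
type EncryptedFile struct {
	Ciphertext []byte
	Nonce      []byte
	WrappedKey []byte
}

// encryptFile is the hybrid scheme: a fresh 256-bit AES key per file, AES-GCM for the
// bulk data, RSA-OAEP to wrap that key. The plaintext AES key is dropped afterwards,
// so only whoever holds the matching RSA private key can unwrap it again.
func encryptFile(pub *rsa.PublicKey, plaintext []byte) (EncryptedFile, error) {
	fileKey := make([]byte, 32)
	if _, err := rand.Read(fileKey); err != nil {
		return EncryptedFile{}, err
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return EncryptedFile{}, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return EncryptedFile{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return EncryptedFile{}, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return EncryptedFile{}, err
	}
	return EncryptedFile{Ciphertext: gcm.Seal(nil, nonce, plaintext, nil), Nonce: nonce, WrappedKey: wrapped}, nil
}

// decryptFile is what the "decryptor" does once the private key has been handed over:
// unwrap the per-file key with RSA-OAEP, then open the AES-GCM ciphertext.
func decryptFile(priv *rsa.PrivateKey, ef EncryptedFile) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ef.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap file key: %w", err)
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, ef.Nonce, ef.Ciphertext, nil)
}

// runScenario encrypts the samples under the attacker's public key, then reports whether
// some other RSA key (anything the victim could generate locally) fails to recover any
// file, and whether the attacker's private key recovers every file byte for byte.
func runScenario() (wrongKeyFails bool, rightKeyRecovers bool, err error) {
	attackerKey, err := rsa.GenerateKey(rand.Reader, 2048) // stays on the attacker's side
	if err != nil {
		return false, false, err
	}
	someOtherKey, err := rsa.GenerateKey(rand.Reader, 2048) // a victim trying to decrypt without paying
	if err != nil {
		return false, false, err
	}
	encrypted := make(map[string]EncryptedFile, len(sampleFiles))
	for name, data := range sampleFiles {
		ef, err := encryptFile(&attackerKey.PublicKey, data)
		if err != nil {
			return false, false, err
		}
		encrypted[name] = ef
	}
	wrongKeyFails, rightKeyRecovers = true, true
	for name, ef := range encrypted {
		if _, err := decryptFile(someOtherKey, ef); err == nil {
			wrongKeyFails = false
		}
		pt, err := decryptFile(attackerKey, ef)
		if err != nil || !bytes.Equal(pt, sampleFiles[name]) {
			rightKeyRecovers = false
		}
	}
	return wrongKeyFails, rightKeyRecovers, nil
}

func main() {
	wrongFails, rightRecovers, err := runScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("other key recovers nothing: %v\nattacker key recovers all: %v\n", wrongFails, rightRecovers)
}
```

The point the scenario makes: wrongKeyFails is true because a key other than the attacker's cannot unwrap a single per-file key, and rightKeyRecovers is true only with the private key that was never on the victim's machine. Reverse-engineering the binary therefore gets a defender nothing; recovery without paying depends on backups, on an implementation mistake by the operator, or on keys that law enforcement has obtained.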

On their end, victims see only a lock screen or a dropped ransom note, the digital equivalent of a ransom letter, with instructions on how to pay the attacker in exchange for the decryption key.

Not all ransomware uses encryption…

We have to add that while the most sophisticated ransomware attacks use encryption, that is not the case in every instance.

There are kinds of ransomware that merely confront victims with a lock screen but don't encrypt any files. Such malware can usually be removed by rebooting the device in "Safe Mode" (or its equivalent) and uninstalling it.

Some attackers are not skilled enough to encrypt files, or don't know which files matter, so they skip encryption altogether. Instead they may put pornographic images on the lock screen and accuse the victim of illegal activity, so that the victim is too embarrassed to seek help from experts. Something like that happened in 2010 with the Russian WinLock scheme, which locked tens of thousands of victims out of their Windows desktops until they sent an expensive premium-rate SMS. Its operators reportedly earned a total of $16 million.

One related incident is worth mentioning because it is full of irony. In 2013 a man received a ransom note claiming he was under FBI investigation for child pornography. He took his computer to a police station to dispute the claim, only to have the police search it and find actual child pornography. He was arrested, and only later realized that the original accusation had come from malware rather than from the FBI.

And although such malware can usually be removed with decent antivirus software, not everyone runs it after seeing a ransom note. Which brings us to the next question…

Should you pay?

There are no black-and-white answers here. We've heard of companies paying the ransom simply to resume normal operations, and of others deciding to fight back, whether by engaging security experts or by restoring all the data from backups taken before the attack. And there are those who end up negotiating with the attacker, trying to get a lower price.

Still, the general advice is NOT to pay: payment funds the next attack, it is no guarantee of a working decryptor, and paying a sanctioned group can itself be illegal. But sometimes paying looks like the only option. In healthcare especially, attackers know that time matters and that losing access to patient data can literally cost lives, which is why quite a few healthcare organizations have ended up paying rather than see their patients endangered.

The other question you may want to ask is…

How to remove ransomware?

As noted above, not all ransomware attacks involve encryption; where it isn't used, a regular antivirus can do the trick. Other things to consider include:

1. Isolate the infected device to stop the malware spreading across the network: disconnect it from wired and wireless networks, unplug any attached drives and cut any other connection to the outside world. Prefer pulling the network cable over powering the machine off, so that whatever is in memory is preserved for the responders.

2. Contact the IT or security team. They can isolate the device more thoroughly and, more importantly, check what is going on and whether other devices on the network are infected.

3. Use anti-malware software such as an antivirus to try to remove the malware. As said before, in many cases this resolves a lock-screen infection. Against professional crews there is little it can do: removing the encryptor does not decrypt anything, and "good" ransomware deletes itself once it has finished encrypting the data anyway.

4. Recover the files. This is why it is important to have a backup ready for deployment: wipe the affected disks clean and restore them to the point where everything worked as planned. Before restoring, check that the backups themselves were not encrypted or deleted, since attackers routinely go after the backups first.

A good resource is No More Ransom (nomoreransom.org). Given the ransom note and an encrypted sample it can help identify the ransomware family, and it points to free decryption tools where one is known.
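As an added example (not code from this article or from No More Ransom), here is a small Go triage routine for the identification step: given a listing of files, it measures Shannon entropy to separate random-looking (encrypted) content from ordinary content, treats a bolted-on extension such as .locked as the stronger signal, and flags ransom-note candidates by name and wording. The directory contents, the .locked extension, the note text and the hint lists are all constructed for the illustration; the 7.0-bit threshold and the hint words are assumptions and would need tuning per incident.

```go
package main

import (
	"fmt"
	"math"
	"path/filepath"
	"sort"
	"strings"
)

// fakeCiphertext produces random-looking bytes (xorshift32) so the constructed
// samples below have the high entropy of real ciphertext without any crypto.
func fakeCiphertext(seed uint32, n int) []byte {
	out := make([]byte, n)
	x := seed
	for i := range out {
		x ^= x << 13
		x ^= x >> 17
		x ^= x << 5
		out[i] = byte(x)
	}
	return out
}

// Constructed directory listing (name -> content) standing in for a hit machine.
var sampleDir = map[string][]byte{
	"report.docx.locked":    fakeCiphertext(1, 2048), // encrypted and renamed by the malware
	"patients.db.locked":    fakeCiphertext(2, 2048), // encrypted and renamed by the malware
	"holiday.jpg":           fakeCiphertext(3, 2048), // untouched photo: compressed, so random-looking too
	"notes.txt":             []byte("Call the vendor on Monday about the renewal.\n"),
	"README_TO_DECRYPT.txt": []byte("All your files have been encrypted. Send 2 bitcoin to the address below to get the decryptor.\n"),
}

// Formats that are compressed by design and therefore high-entropy when healthy
// (Office files are ZIP containers). Assumption: illustrative, not exhaustive.
var compressedExt = map[string]bool{
	".jpg": true, ".jpeg": true, ".png": true, ".gif": true, ".mp4": true, ".zip": true,
	".gz": true, ".7z": true, ".pdf": true, ".docx": true, ".xlsx": true, ".pptx": true,
}

// Assumed ransom-note hints; names and wording vary between families.
var noteNameHints = []string{"readme", "decrypt", "restore", "recover", "how_to", "how-to"}
var noteBodyHints = []string{"your files", "decrypt", "bitcoin", "btc", "ransom"}

type TriageReport struct {
	EncryptedCandidates []string
	RansomNotes         []string
	ExtensionCounts     map[string]int
}

// shannonEntropy returns bits per byte: about 4-5 for text, close to 8 for ciphertext.
func shannonEntropy(b []byte) float64 {
	if len(b) == 0 {
		return 0
	}
	var counts [256]int
	for _, c := range b {
		counts[c]++
	}
	n, h := float64(len(b)), 0.0
	for _, c := range counts {
		if c > 0 {
			p := float64(c) / n
			h -= p * math.Log2(p)
		}
	}
	return h
}

// isRansomNote wants a text-like extension, a tell-tale name and at least two wording hits.
func isRansomNote(name string, content []byte) bool {
	lower := strings.ToLower(name)
	if ext := filepath.Ext(lower); ext != ".txt" && ext != ".html" && ext != ".hta" {
		return false
	}
	nameHit := false
	for _, h := range noteNameHints {
		nameHit = nameHit || strings.Contains(lower, h)
	}
	body, bodyHits := strings.ToLower(string(content)), 0
	for _, h := range noteBodyHints {
		if strings.Contains(body, h) {
			bodyHits++
		}
	}
	return nameHit && bodyHits >= 2
}

// looksEncrypted flags high-entropy content unless the file type is compressed by
// nature; a bolted-on extension ("report.docx.locked") overrides that exemption.
func looksEncrypted(name string, content []byte) bool {
	lower := strings.ToLower(name)
	ext := filepath.Ext(lower)
	renamed := filepath.Ext(strings.TrimSuffix(lower, ext)) != ""
	return shannonEntropy(content) >= 7.0 && (renamed || !compressedExt[ext])
}

func triage(files map[string][]byte) TriageReport {
	r := TriageReport{ExtensionCounts: map[string]int{}}
	names := make([]string, 0, len(files))
	for n := range files {
		names = append(names, n)
	}
	sort.Strings(names) // deterministic output
	for _, n := range names {
		r.ExtensionCounts[strings.ToLower(filepath.Ext(n))]++ // a repeated odd extension is the family's marker
		switch {
		case isRansomNote(n, files[n]):
			r.RansomNotes = append(r.RansomNotes, n)
		case looksEncrypted(n, files[n]):
			r.EncryptedCandidates = append(r.EncryptedCandidates, n)
		}
	}
	return r
}

func main() {
	r := triage(sampleDir)
	fmt.Printf("ransom notes: %v\nencrypted candidates: %v\nextensions: %v\n", r.RansomNotes, r.EncryptedCandidates, r.ExtensionCounts)
}
```

Two caveats are built in. Compressed formats (photos, archives, Office containers) look like ciphertext on entropy alone, so holiday.jpg is not flagged even though its bytes are random, and a file the malware encrypted in place without renaming would be missed for the same reason; the ransom note and the repeated extension are the more reliable signals, and they are also what No More Ransom's identification form asks for.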

How to prevent ransomware attacks?

As you would imagine, when it comes to ransomware it's all about prevention. There are a few things everyone should be doing:

  • Make regular backups so that if, God forbid, something goes awry (not only ransomware), you can get back on your feet by restoring the data. Keep at least one copy offline or otherwise immutable and test that it actually restores; a backup the ransomware can reach will be encrypted along with everything else.
  • Keep all your devices and all your apps up to date. Newer versions not only bring new features but also fix known bugs that attackers exploit. Aside from your computer, phone and tablet, make sure your router is also running the latest firmware, and if you expose remote access (RDP, VPN) to the internet, put multi-factor authentication in front of it.
  • Do not open email attachments from people you don't know. Even if you know the sender, think twice, because the person on the other end may not have sent that email at all: it could be malware trying to spread to as many devices as possible. Office documents with macros, scripts, executables and archives are the usual carriers, but PDFs and even images have carried exploits too, so an unexpected attachment of any type deserves suspicion.
  • The same goes for links: do not click on suspicious ones, and do not trust "too good to be true" messages.
  • Educate yourself and your peers. This is the best defense, as it helps all of you spot ransomware before it can strike and cause damage to everyone.

By following these rules you will hopefully stay clear of ransomware attacks. It can be a scary world out there, so watch out.