All you need to know to protect yourself from this digital threat

What is ransomware?

Ransomware is type of malicious software (malware) that impedes users from accessing their infected devices or files, unless they pay a ransom.

It affects personal computers (desktops, laptops), servers, and other devices, such as tablets, and smartphones. Although most infections occur on Windows system, there are versions that affect MacOS, iOS, Linux, and Android systems.

How does ransomware work?

A ransomware attack has three phases: infection, sequester, and extortion. Once successful, it is very quick, taking less than a few minutes from the start of infection to loss of access to system/files and consequent ransom.

WannaCry, CryptoLocker, TorrentLocker, CryptoWall, Fusob, UltraCrypter, and Locky, are a few of the more well-known ransomware.

Ransomware infection

Infection by ransomware depends of the execution of malicious code. For that to happen, attackers resort to several strategies. The most common are by sending e-mails with malicious attachments, fake software updates, exploiting security flaws in older versions of software and outdated operating systems.

Digital Sequester

More recent versions of ransomware, called cripto-ransomware, function in two ways: they block the infected system (blockers), making them useless, or they encrypt files (cryptors), denying access or execution.

Ransomware resorts to efficient cryptographic methods to block the system or access to documents, presentations, images, music, videos, and other types of common files. In most cases of ransomware, it is impossible to restore access to infected files without a key that only the attackers possess.

When infected by ransomware, the system displays a message (appearing in a popup window or changing the desktop’s background) with the ransom’s payment procedure, necessary to restore access.

Digital Extortion

When a computer, server or another device is infected, a ransom is demanded, usually in Bitcoins, in order to be provided with a password that will restore access to the system and its affected files. Despite what the attackers may say, paying the ransom offers no guarantee that access to the system and its files will be restored.

How to protect against ransomware?

Making backups regularly. In addition to ransomware, systems are exposed to other types of malware (virus, Trojans, spyware, etc.). It is important to make backups to be able to restore files easily and quickly. It equally important to test backups to verify if they are been correctly made and that they can be restored correctly.

Storing a recent backup copy in a unit where files cannot be changed. Ransomware affects files that have write permissions, including those that are stored in cloud folders (Dropbox, Google Drive, One Drive, for example) and external USB units, among other formats.

Use software that enables you to neutralize threats in real time, such as blocking access to websites that contain malicious code, and analyzing downloads.

Don’t enable macros in documents received by email. Malicious attachments are one of the main sources of ransomware infection. Attackers try to persuade users to enable macros, only to infect them later on with ransomware.

Don’t click on links or visit websites from suspicious email messages. Usually, attackers entice users to make an impulsive action, such as opening a document or clicking on a link that may result in infection. To this effect, they send electronic mail messages, as if they were from governmental authorities (Tax authority, or Ministry of Finance, for example), authorities (PJ, PSP, FBI, or the CIA), or well-known companies, such as Paypal, Fedex, or DHL. The message’s content is generally of urgent nature and/or intimidating, demanding the user makes an immediate action, such as opening a document or visiting a website to resolve the fake situation. Generally, to conduct these actions, the user will have to install or execute some type of software (that is later revealed to be malicious).

Show file name extension. Some files that contain malicious code add file name extensions, making them seem like inoffensive extensions. By having this option enabled, you can easily view the type of file that you are trying to open (for example: “invoice.pdf” becomes “invoice.pdf.exe”, in case.

Don’t use administrator/root permissions unless necessary. A user account without administrator privileges is sufficient to execute most of a device’s usual tasks. As such, even if the malicious code is executed, there is a chance of not having the necessary permission to make harmful changes to the system.

Restricting write permissions in file servers as often as possible.

Install the latest security updates for the operating system and other installed software.

Educate users to the threat and define a procedure for when they suspect of any email, pop-up, file or program.

The best solution is to be prepared for a ransomware attack.

How remove ransomware

The recovery of infected systems or files from ransomware is very unlikely in case you have not made backup copies. Many people, in despair, end up paying the ransom to recover their files. However, there is no guarantee that the decryption key will be sent, or if the attackers will not demand more payments, or if the system has not yet been affected, for more than one version of ransomware.

The quickest and most economical way of recovering infected files with ransomware is by restoring a backup..

There are free tools to help you recovery encrypted files without having to pay the ransom. These tools work only with well-known versions, for whom it is possible to create a decryption tool. There aren’t any tools that work for all types of ransomware.

It is essential that malware be removed from the system before restoring files. Otherwise, the system/files will be re-infected. For this purpose, you can use an antivirus or another protection program. (Note: this step does not restore access to the files, but rather guarantees the system is free of malicious code that encrypts its files).

"The general advice is not to pay the ransom. By sending your money to cybercriminals you’ll only confirm that ransomware works,
and there’s no guarantee you’ll get the decryption key you need in return."
-- No More Ransom

Free tools to remove ransomware

At the "No More Ransom" website, you can find decryption tools for some versions of ransomware, such as Coinvault, WildFare, Chimera, Teslacrypt, Jigsaw, among others). This website is an initiative of the Dutch Police’s High-Tech Crime Unit, from the European Cybercrime Centre (EC3) of Europol and of two cybersecurity companies, with the goal of helping victims of ransomware recovering their encrypted files, and recover your encrypted files without having to pay criminals.

Decryption tools No More Ransom

Keep your files protected from ransomware

Learn how Terabunker can protect your files. Ransomware is the largest virtual threat of 2017, affecting companies as well as individuals on a large scale. Don’t become a victim of digital extortion. Protect your files, protect your business.