Ransomware has been one of the scariest topics in cybersecurity for years – and for good reason. We explain how you may be able to remove the malware after an attack and how to protect yourself better against it in the future.
Ransomware lives up to its name: it is a type of malware with which a cybercriminal blocks access to data or applications until a ransom is paid. In other words – hackers hold your information hostage until you pay. The bad part: as with a kidnapping, there is no guarantee that paying the ransom will lead to a happy ending.
Ransomware: unfortunately a serious reality
What may sound a bit like paranoia has actually cost organizations around the world billions of dollars. The attacks often target organizations that hold sensitive data, such as governments, hospitals and law firms. IT security managers, especially at organizations with an online presence, should therefore understand how ransomware works.
How it all started
The first documented example of ransomware was the PC Cyborg Trojan in 1989, an elaborate scheme involving an absurd number of floppy disks, locking users out of their machines and demanding that cash be sent to a post office box in Panama. It may not have been the most efficient plan, but it shows that hackers have been engaging in extortion for decades.
How do hackers use ransomware today?
Modern ransomware uses the same infection strategies as standard malware, including phishing, social engineering and application vulnerabilities. A common delivery technique is malspam or malvertising. In malspam, the malware arrives in an email disguised as a legitimate message or attachment. In malvertising, the attacker injects malicious code into advertisements on legitimate websites.
Once the ransomware is installed, the attacker can start reaping the fruits of their labor. The exact strategy varies, but usually falls into one of these categories:
- Crypto-malware: the attacker encrypts files, folders and drives. The victim cannot access their files until they pay the ransom.
- Locker: hackers lock access to a device or application and demand a ransom to release it.
- Doxware: in this case, the cybercriminal has copied files and threatens to publish them. The victim still has access to their files, but does not want sensitive content to be revealed.
Ransomware as a Service (RaaS)
Ransomware attacks can be a collaboration between a client and a hacker who works for a share of the proceeds. This is called ransomware as a service (RaaS). In this case, the client may already have gained access to an environment but needs further expertise to execute the malware campaign. They may not know how to carry out the ransomware attack on their own, or they may need a customized attack. In any case, such “collaborations” are common among cybercriminal groups.
Here’s how to get rid of ransomware
First things first: a ransomware attack is tricky. In most cases, the victim faces the difficult decision of whether to actually pay the hacker to get their data back. However, even then there is no guarantee that the hacker will keep their promise. As with any extortion attempt, there is no easy solution. The point of the attack is to put the victim in a difficult position which, in principle, can only be resolved by paying the ransom.
If your website has been hit by a ransomware campaign, the first thing you should try is to use your backups. In the best case, you have external backups of your database and website that go back at least a week. If the backups are undamaged, make sure to change all your credentials after the recovery. Then consider working with a company that specializes in malware prevention.
Unfortunately, if backups aren’t an option, you’re in a bad position. You could pay, but as mentioned earlier, there’s no guarantee that the hackers will stick to the deal. In any case, you need to consider the type of data involved. Depending on how critical the encrypted data is, you should contact a professional or a law enforcement agency.
How to protect yourself from ransomware
Since ransomware can be difficult to remove, continuous prevention is the best protection. Following general security best practices helps prevent ransomware infections. The U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), among others, recommends these precautions:
- Keep all applications and operating systems up to date.
- Never click on links or open attachments in unsolicited or unknown emails. Even if you know the sender, always look twice to see if you are expecting this message.
- Make regular off-site backups of data, preferably weekly.
- Follow safe browsing practices on the Internet (such as using a VPN) – and use strong passwords.
- In addition, keep track of who holds administrator privileges. Follow the principle of least privilege: remove admin privileges from all users who don’t need them. This helps prevent malware attacks, including ransomware.
- Don’t rely solely on your firewall’s protection.
- Pay attention to whether your computer is behaving suspiciously. This includes, for example, a service asking for your password twice for no apparent reason – especially if you are sure you typed KatzeMaus123 correctly.
- Establish additional safeguards to prevent backup data from being encrypted.
- Most importantly, never respond to extortionists’ demands!
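The two points about protecting backup data and noticing suspicious behaviour can be put into practice with a simple integrity check. The following script is an added example, not code from the article or from any vendor it mentions: it records a SHA-256 manifest of a backup set at backup time, later verifies the set against that manifest, and additionally flags files whose byte entropy is close to 8 bits per byte, which is what encrypted or random data looks like and what plain text, SQL dumps and config files never look like. The `demo()` function builds a small constructed backup directory in a temporary folder, then simulates what a ransomware run would leave behind (one file overwritten with random bytes, one file deleted) and returns the verification report. File names, the entropy threshold and the sample contents are assumptions made for the example.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Bits per byte above which a file is treated as encrypted/random.
# Text, SQL and config files typically sit around 4-5 bits; encrypted data is ~7.9+.
ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte of the given buffer (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups don't need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(backup_root: Path) -> dict:
    """Map each file (relative, POSIX-style path) in the backup set to its SHA-256 digest.
    Keep this manifest on separate, read-only media; a manifest stored next to the
    backups can be encrypted or deleted together with them."""
    return {
        p.relative_to(backup_root).as_posix(): sha256_file(p)
        for p in sorted(backup_root.rglob("*"))
        if p.is_file()
    }


def verify_backup(backup_root: Path, manifest: dict) -> dict:
    """Compare the backup set against the manifest and report anomalies.
    'modified' = digest changed, 'missing' = file gone, 'high_entropy' = content
    looks encrypted regardless of whether the digest changed."""
    report = {"ok": [], "modified": [], "missing": [], "high_entropy": []}
    for rel, expected in manifest.items():
        p = backup_root / rel
        if not p.is_file():
            report["missing"].append(rel)
            continue
        if sha256_file(p) != expected:
            report["modified"].append(rel)
        else:
            report["ok"].append(rel)
        if shannon_entropy(p.read_bytes()) >= ENTROPY_THRESHOLD:
            report["high_entropy"].append(rel)
    return report


def demo() -> dict:
    """Constructed scenario: take a manifest, then simulate ransomware damage and verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "db").mkdir()
        (root / "db" / "site.sql").write_text(
            "INSERT INTO posts VALUES (1, 'hello world');\n" * 50
        )
        (root / "wp-config.php").write_text(
            "<?php define('DB_NAME', 'example_db'); ?>\n" * 10
        )
        (root / "notes.txt").write_text("weekly off-site backup, constructed sample\n")

        manifest = build_manifest(root)  # taken at backup time, stored elsewhere

        # Simulated damage: one file overwritten with random bytes (as an
        # encryptor would leave it), one file deleted.
        (root / "db" / "site.sql").write_bytes(os.urandom(4096))
        (root / "notes.txt").unlink()

        return verify_backup(root, manifest)


if __name__ == "__main__":
    for category, files in demo().items():
        print(f"{category:12s} {files}")
```

In the demo run, `db/site.sql` is reported both as modified and as high-entropy, `notes.txt` as missing, and only `wp-config.php` as ok. Running such a check on every backup, and alerting when the high-entropy or missing lists are non-empty, catches a backup set that was silently encrypted or wiped before you need to restore from it.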
Paying the ransom is not recommended, but in the end that is exactly what happens in most large-scale attacks. The reason: decrypting the data or finding another solution often takes so long that paying the ransom is cheaper. As ProPublica reported in 2019, insurers often prefer to pay the ransom. Cyber insurance is an estimated seven to eight billion dollars per year market in the U.S. alone. Despite claims that payouts make ransomware more enticing, the insurance business is booming.
As long as they are profitable, ransomware attacks are likely to continue. In the first quarter of 2019, the SamSam ransomware alone collected an estimated $1 million.
Strengthening security helps stop ransomware attacks from succeeding. Depending on the sensitivity of the data on your website, however, you may want to consider additional protective measures such as a web application firewall (WAF).