
Ransomware Threats and Countermeasures

Michael has a Newcastle University Certificate in Cybersecurity and experience in combatting cybercrime.

The objective is to first block access to records and then demand a ransom


What is Ransomware?

Ransomware can be defined as a malicious software program that cybercriminals use to access the assets of an individual or a business by infecting a susceptible computer system.

The objective of the attack is first to block access to records that belong to the individual or business, including file volumes and databases, and then to demand a ransom from the victim in exchange for a decryption key. The user is locked out of their own system.

Not only does the ransomware program restrict access, it also disables the antivirus programs that are meant to protect the computer. A deadline is set for payment of the ransom; if it passes, the ransom amount is either increased or the stolen data is rendered permanently irretrievable.

CyberEdge Group documented the responses of 1,200 IT security professionals from 19 industries in 17 countries in their seventh-annual Cyberthreat Defense Report. What they found was that 81% of the participants had their networks breached in 2019. 62% of these breaches were due to ransomware attacks.

Ransomware has come a long way since the first malware extortion, the AIDS Trojan (also known as PC Cyborg), which was circulated on more than 20,000 floppy disks among AIDS researchers.

There has been a rapid increase in ransomware attacks, especially due to the economic stalemate brought about by the global pandemic. Cyber experts reported a total of almost 200 million ransomware attacks worldwide in the third quarter of 2020 alone.

How Ransomware Attacks are Executed

Some ransomware infiltrations occur through the Remote Desktop Protocol (RDP): the attacker, having seized an employee's login credentials, is able to access computers connected to the network. The attacker is then able to download and execute the malware on all the computers under their control.

The ransomware program will typically take over the graphical user interface of the system and provide means by which the victim can communicate back to the attacker so the payment of the ransom can be organized.

There are different ways in which ransomware attacks are perpetrated. Some block access to computer systems or networks, while others either encrypt or erase the victim's data records. They can be spread through various means, including phishing emails, spam, website links, or even social media.

As technologies continue to advance, methods through which computer systems can be infiltrated and infected continue to increase. There are cases where the attacker will demand a ransom, not in exchange for a decryption key, but in order to keep sensitive information from being divulged to the public.

This involves a different line of attack, such as the use of leakware or doxware. However, since the process of locating and extracting such sensitive data can be challenging, these cyber criminals mostly stick to encryption ransomware.

The following are measures you can take if your system is ever infiltrated by a ransomware program.


1. Data Subject Request (DSR)

Despite the fact that many businesses cover their networks with layers of security, they still end up being susceptible to ransomware attacks. Fortunately today, there are tools and resources available which cybersecurity service providers can use to break through file encryptions and remove traces of malware.

A Data Subject Request (or DSR) can help you identify the weak points or loopholes in your company's network and isolate the functions that have been infected with ransomware and Cryptolocker malware.

DSR works by transmitting a formatted message from the data subject to the data controller, instructing the latter to carry out certain tasks with regard to security. These can include correcting, transferring, or deleting specific data points.

2. Security Services

There are several reputable tech solution companies that provide all-round surveillance and protection. This includes installing programs and updates, supporting your hardware and software, securing all your networks, and monitoring your systems. They additionally provide device firewalls and Endpoint Detection and Response capabilities, which help teams detect and block attacks occurring on endpoints in real time.

Despite the challenges that ransomware presents, software security companies have developed technologies to combat the problem. Service providers like XFER, which have years of experience in the field, can assist even days after the onset and spread of the infection.

You need the services of a specialist because attackers can sometimes unwittingly reveal, or fail to completely protect, parts of the encryption code they are using. Such gaps, when identified, can be used to undo the attack and eliminate the threat.


3. Decryption and Malware Removal

Computer programmers develop decryption tools geared toward recovering information that has been held for ransom. The effectiveness of the decryption depends on the type of ransomware. McAfee Ransomware Recover is an example of a framework that supports such decryptions.

Other services like Avast Premium Tech Support (APTS) focus solely on eliminating the malware itself, though this may mean that you will not be able to retrieve the encrypted data.

In certain cases, the ransomware may not respond to the decryption program or may have an added level that is too advanced for the latter. Ransomware programs may also be set to remove themselves after the encryption is complete in order to prevent any scrutiny or decryption.

When trying to address the situation, avoid any countermeasures offered by dubious or unverifiable sources and only work with reputable security service providers. There are fake solutions out there in the form of tools that promise to resolve the problem by quickly decrypting the infected files. Sometimes the same attackers or other cybercriminals are behind them.

If your system has already been attacked or compromised, try to log into your computer in safe mode and then run your antivirus software to identify and remove the malware. This may not decrypt your data, but it will prevent any further damage.

4. No More Ransom

Europol’s European Cybercrime Centre, McAfee, and the Dutch Police National High Tech Crime Unit developed an initiative called No More Ransom (NMR). The goal of the initiative was to help ransomware victims retrieve their information without making any payments to the cybercriminals.

It was launched in July 2016 and since then it has helped nearly 200,000 people, with resources available in 36 different languages, and over 90 tools capable of decrypting more than 100 different types of ransomware. Through NMR, victims can now have their information restored free of charge.

The process is simple. The victim visits the online portal, selects the language, uploads the ransomware note and encrypted files to NMR's Crypto Sheriff. The latter is a tool that analyzes the information that has been encrypted by the hacker. If it is encryption that it recognizes, Crypto Sheriff provides the victim with a hyperlink where the latter can download the decryption program.

Ransomware or Scareware?

Things may not always be as they seem. Before you react, bear in mind that the threat may not be actually real at all. Your files may not be encrypted and you may be dealing with what is known as scareware.

If you respond and pay, you will have lost your money. Sometimes scareware is made to look like antivirus or security software on your system. It sends a fake pop-up message claiming that malware has been found on your PC, accompanied by a message stating the amount you need to pay in order to eliminate the threat. This is also a type of attack on your system, but it does not prevent you from accessing your information.

Ransomware as a Service (RaaS)

Some cybercriminals use ransomware-as-a-service (RaaS) to perform their attacks and then divide the plunder with the developer. An example of this is Cerber, which works in the background to encrypt files and also blocks antivirus programs and other security measures in order to prevent system restoration.

After quietly encrypting the data, it uses the desktop wallpaper to display the ransom notice. This is a business arrangement for mutual profit where the developer is the supplier who recruits cybercriminals as his distributors.

Another example is Maze, which when unleashed, infiltrates every PC it comes across, encrypts and exports the data onto the servers of the attackers where they are held for ransom. The attackers can then disseminate the information publicly if the ransom is not paid.

Only 19% of those who pay the ransom actually receive the key to recover their files


Should You Pay the Ransom?

Unfortunately, several kinds of businesses and organizations are quite attractive to attackers because they are more likely to pay a ransom, owing to the sensitive nature of their operations. These include medical institutions and certain government agencies.

According to CyberEdge Group's 2019 Cyberthreat Defense Report, only 19% of those who pay the ransom actually receive the key to recover their files. The added problem to this is that the money obtained from ransomware victims is used to fund further illegal activities. This is why a majority of security experts discourage ransom payments.

First, there is no guarantee that the files will be restored. Second, such payments only serve to perpetuate the crime and make it more difficult to combat. Further, some criminals will instruct the victim to only pay them in Bitcoins or some other form of cryptocurrency. This makes it much more difficult for the funds to be tracked later. It is now illegal in certain jurisdictions to actually pay such ransoms.

Protecting Yourself from Ransomware Attacks

The most effective method of keeping your data safe from ransomware attacks is to block malware from reaching your computer devices in the first place. Because many enterprises do not have sufficient ransomware prevention processes in place, these attacks lead to massive financial and operational losses annually.

In addition, researchers keep discovering new strains of known ransomware programs, such as MedusaLocker. This makes it difficult to decrypt ransomware-encrypted data using available tools. It also compromises attempts to block the activation of secondary malware and the deletion of stolen files.

Prevention is always better than cure, so keep the following in mind.

  • First, be educated on the threat, how it works, and what means are available to deal with it.
  • When installing or updating software programs, ensure that you always go for official versions from reputable companies.
  • Avoid accessing dubious websites or clicking on suspicious dialog boxes, pop-up windows, or links, including those forwarded via email.
  • Secure your system with powerful anti-malware software and ensure that your operating system and all security programs are up to date.
  • When conducting your daily business, avoid using accounts with admin or superuser rights.

Additional Tips

Security Software

In addition to the measures mentioned so far, there are competent services available that provide protection against ransomware. These include Malwarebytes, which is a cost-effective resource.

They claim to have stopped over 8 million threats to date. For a price as low as €3.33, you can have your PC protected. Their premium and privacy price for 5 devices will set you back only €7.08 a month.

Law Enforcement

It is essential to seek the assistance or cooperation of law-enforcement agencies if you have become a victim of a ransomware attack. They have more advanced resources and experience in dealing with ransom criminals than you would have trying to cope with the menace on your own.

The rise of such threats has led to the formation of specialized units within law-enforcement departments. Their intervention can fast-track the remedial process.

Routine Backups

One effective way of combatting ransomware is through backups. As noted before, the purpose of the attack is for the criminal to obtain compensation in exchange for restoring access to stolen digital resources.

By habitually backing up your data, you essentially thwart the purpose of the attacker because you will not require the attacker's decryption key to restore your files. Bear in mind, however, that the ransomware program scans and either encrypts or deletes all records it can reach, including data in backed-up files or folders on the same network. Therefore, it is necessary to keep your backup outside the local network.
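As an added illustration of the point above (this is example code, not part of the original article), the following Python script records a SHA-256 manifest of a backup set and later checks each file against it, flagging files that are missing, legitimately edited, or replaced by near-random bytes as ransomware encryption would leave them. The 7.5 bits/byte entropy cutoff and the sample files are assumptions; the manifest itself would be stored off the local network alongside the offline backup.

```python
import hashlib, math, os, tempfile
from collections import Counter

ENTROPY_THRESHOLD = 7.5  # assumed cutoff: ciphertext is near 8 bits/byte, documents well below

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty data, 8.0 for perfectly uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def build_manifest(root: str) -> dict:
    """SHA-256 of every file under root; keep this manifest off the local network."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                manifest[os.path.relpath(path, root)] = hashlib.sha256(f.read()).hexdigest()
    return manifest

def verify_backup(root: str, manifest: dict) -> dict:
    """Map each manifest entry to 'ok', 'modified', 'encrypted?' or 'missing'."""
    report = {}
    for rel, expected in manifest.items():
        path = os.path.join(root, rel)
        if not os.path.exists(path):
            report[rel] = "missing"
            continue
        with open(path, "rb") as f:
            data = f.read()
        if hashlib.sha256(data).hexdigest() == expected:
            report[rel] = "ok"
        elif shannon_entropy(data) >= ENTROPY_THRESHOLD:
            report[rel] = "encrypted?"  # content replaced by near-random bytes
        else:
            report[rel] = "modified"    # changed, but still looks like plaintext
    return report

def demo() -> dict:
    # Constructed scenario: snapshot a backup, then simulate what ransomware does to it.
    with tempfile.TemporaryDirectory() as root:
        files = {"ledger.csv": "date,amount\n" * 200, "notes.txt": "notes\n" * 50,
                 "readme.txt": "restore steps\n" * 20, "config.ini": "debug=0\n" * 30}
        for name, text in files.items():
            with open(os.path.join(root, name), "w") as f:
                f.write(text)
        manifest = build_manifest(root)
        with open(os.path.join(root, "ledger.csv"), "wb") as f:
            f.write(os.urandom(4096))                 # stand-in for encrypted output
        os.remove(os.path.join(root, "notes.txt"))    # deleted outright
        with open(os.path.join(root, "config.ini"), "a") as f:
            f.write("debug=1\n")                      # an ordinary, legitimate edit
        return verify_backup(root, manifest)
```

Run `demo()` to see the report for the constructed scenario; on a real backup, call `build_manifest` at backup time and `verify_backup` before trusting a restore.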
