Ransomware Attack! Do’s and Don’ts

Introduction

“Ransomware”. Such a funny little compound word isn’t it? It almost sounds like it could be descriptive of a new type of gaming genre, with games focused on liberating kidnap victims! Sadly, it’s not that, not by a long shot. Its real meaning is far more sinister and the fact that such a word exists is actually a sad commentary on the state of humanity in general. In tech terms, then, it’s known as “A Very Bad Thing”.

You say it’s bad, but what actually is it?

Given that you now know that it’s bad, you might be able to work it out from the name but essentially, it’s a type of software (computer code) that is designed to block access to a computer system until a sum of money is paid. This simple description belies the highly sophisticated nature of this software, and the level of deviousness involved in both its creation and execution.

At its heart, Ransomware is generally file encryption software. File encryption is the scrambling of its contents using a specific key, called an encryption key. By using this, decryption is also possible. It works in much the same way as Microsoft’s excellent “Bitlocker” but clearly, is not a power for good in the same way.

The worst bit is yet to come though; The user of a newly infected machine may not even know they’re infected, for hours or even days! Ransomware is generally very cleverly written and doesn’t show itself (in the form of alarming screens declaring the loss of files and in closing, a demand for money to secure their release) until ALL the target files are encrypted. This is not confined to just a user’s files, either. If that machine is connected to a server and has access to shared drives then they, too, can become encrypted. After all, no one is going to pay big money to retrieve a couple of files, but a couple of thousand may force users to pay up. Short tip – DO NOT PAY.

Ransomware was brought to the public consciousness via the now infamous “CryptoLocker” which actually dates back to 2013. It was powered by a botnet (a network of dumb computers running malicious code) called “Gameover Zeus” and was ultimately defeated by Operation Tovar in June 2014. This defeat allowed the discovery of many decryption keys that allowed at least some victims to recover data that they wouldn’t otherwise be able to access.

How does it get in?

There are many ways that a business can be infected, but it’s usually one of the below:-

1) When a user opens an infected link or email attachment (this is the most common)
2) Through susceptible ports on the company Firewall
3) Infected USB sticks / media being introduced to the Network
4) Inherent unpatched vulnerabilities in Windows
5) Via doors opened by other malware, known as “gateway viruses”

Damn! I’ve been attacked. What now?

First of all, no judgement! There are bigger firms than yours that have fallen foul of this. Secondly, and sadly, you need to note is that there is NO guarantee of getting your files back unless you have an uninfected backup. Moving on, then, the recovery process is three-phase;

1) Prevent further spreading of the ransomware
2) Killing the infections
3) Data / Application recovery

With that out of the way, following the below Do’s and Don’ts are a good start;

DON’T Pay the ransom! Quite aside from rewarding the deplorable behaviour of cyber criminals, it should be borne in mind that that funds acquired through these means are very often channelled toward other illegal activities concerning drugs, firearms, child exploitation etc. No one wants to feel like they’re promoting that.

The other good reason not to pay is that, as we mentioned above, there is NO guarantee that the decryption keys the scammers might send you, will work! It’s not like they’ve earned any trust here, after all.

DO Disconnect any backup drives and cease any pending backup jobs. Failing to do this may compound the problem by actually overwriting good files with their encrypted counterparts.

DON’T Restart your computer / server. There might be chance, later, to recover files through Windows’ “Previous Versions” feature. While this is often targeted for disablement by ransomware, such disablement effort sometimes fails until the machine is rebooted.

DO Physically disconnect any obviously infected PC’s / Laptops / Servers from the network by unplugging the network cable / disabling the WiFi. It might be too late but if it’s not, there is no point in leaving the means of virus transmission open

DO Try to identify the actual infection. This might be obvious from the money-demand screen but failing that, looking at your file folders often reveals small encryption files that when Googled, will identify the precise nature of the infection

DO See if there is a removal tool for that specific infection and if so, run it on ALL machines in your network

DO Run full malware scan on all machines, even if you’ve run the removal tool above. The reason for this is that whilst the removal tool may tackle the infection itself, the means by which the infection got in may still be present. We would recommend a quality, recognised tool such as Malwarebytes for this. Please remember though to;

a) Update the malware definitions prior to scanning
b) Use a custom scan, selecting all files, deep scanning
c) Ensure you also scan for “rootkits” – these, too, can be virus gateways

DON’T Be afraid to kill anything you find in the scans. Kill every infection or PUP (potentially unwanted program). If this breaks something that was working, it usually means that there was a deeper infection lurking within that needed to be attended to. Software and data can be reinstalled / reinstalled later as you are able.

DO Try to restore your data, only when you’re sure the attack is over. The easiest way would be to try Previous Versions. If that fails or is not present, reconnect one backup drive / volume at a time and see how you go.

DO Run a scan right after file restoration

Post-Attack: Prevention Is Better Than Cure

We would be remiss if we did not say it, but it’s easier to stay on your feet than to get back up off the floor. How do you better arm yourself in future? The below is not an exhaustive list, but it’s a heck of a start;

1) Create a “Culture of Caution”. Get users to second-guess themselves and their peers, and to be ultra-cautious when opening mail, links, attachments and when browsing the internet.
2) Invest in quality backups, ideally to Cloud
3) Invest in great cyber protection software, ideally with specific anti-ransomware features
4) Retain the services of a really good IT Support firm to guide you through all these preventative steps and to help you get up and running again as quickly as possible if the worst does happen

We suppose (4) is where we come in! We have helped dozens of firms in pursuit of their data and we’re happy to report that most them became valued clients shortly thereafter. It’s not a nice way of “winning business” as it were, but getting back their valuable data for them definitely has the feel-good factor! Why not Contact Us to find out more about how we can help you out of a spot or, better yet, stop you getting into that spot in the first place?