
Ransomware is everywhere. Every industry has been impacted by this menace of the digital twenty-first century. Cyber Warfare is happening right in front of our eyes on a monumental scale with no signs of easing up. Large profits and a lack of prosecution mean the perpetrators will be around for the foreseeable future. But how does a Ransomware attack work? The scenario below broadly describes the steps of a successful Ransomware attack that leads to a Ransom note appearing on your screen.
1 Installation
Your machine is compromised when you click a malicious link. A common example would be clicking a suspicious link or attachment in an email. The cyber-criminal’s code is then downloaded onto your machine. By incorporating advanced stealth tactics it can evade Anti-Virus detection, enabling it to hide in plain sight.
2 Call Home
The malicious code calls home over a secured covert communication channel to a server controlled by the intruders. This is bad news for you. The interlopers now have control over your environment and terrible things are just around the corner.
3 Generate Encryption Keys
Your machine and the malicious server generate an unbreakable pair of cryptographic keys that will be used to encrypt the victim’s files. One key is stored on your device and the other, unfortunately for you, is stored on the perpetrator’s server. Without the key on the malicious server, decryption of files is impossible.
4 Encryption
The Ransomware on your machine starts encrypting files across your network. Before long, your files are scrambled, inaccessible and useless. Applications and Operating Systems crash, and production grinds to a screeching halt.
5 Ransom Demand
A ransom note is displayed on your screen demanding payment in order to release the decryption key stored on the malicious server controlled by the criminals. Untraceable digital payment methods such as Bitcoin are the preferred transaction type. After a short period defined by the perpetrators, the decryption key will be deleted, making any decryption impossible.
What to do when you’ve been hit with Ransomware:
Getting hit with a Ransomware attack, which has the potential to infect devices across the entire network and compromise organisation-wide operations, is an ICT professional’s worst nightmare become reality. Once the infection has been detected, there are a number of steps which should be followed to help mitigate the damage and disruption.
- Isolate – It is vital that steps are taken early on to prevent the infection spreading from infected devices to other devices across the entire network. To that end, all devices should be disconnected from the network.
- Plan – You should engage with your ICT/Security provider to formulate a plan on how best to respond to the attack.
- Quantify – You should determine the scale of the attack by scanning all devices for Indicators of Compromise and identifying the strain of the attack.
- Recovery – You must assess what recovery options are available to you. This can involve anything from full Disaster Recovery to paying the Ransom. The option you choose to engage with depends upon a myriad of factors, including how quickly the attack was thwarted and the integrity of your backups.
It must be noted that paying the Ransom is never a good idea. Security provider ID Agent recently reported that 34% of companies that pay the Ransom never see their data again. It is very common for a company that has paid a Ransom to get hit with Ransomware again due to a backdoor being left behind as part of the original attack. There are no guarantees when dealing in any form of Ransom. Furthermore, Cyberinsurance is highly unlikely to cover any Ransom payment, so this is not a safety net.
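As an added illustration of the Quantify step above (not code from the original article or from Datapac), this Python example walks a directory tree, flags files whose names match a ransom-note pattern and files whose contents are near-random (high Shannon entropy), and tallies the extensions of the flagged files to help identify the strain. The note pattern, the skip list, the 7.5 threshold and the `.locked` sample extension are assumptions constructed for the example.

```python
import math
import os
import re
import tempfile
from collections import Counter

# Constructed placeholder indicators, not from any real strain; use your provider's IoCs.
NOTE_PATTERN = re.compile(r"(decrypt|recover|restore|ransom).*\.(txt|html?|hta)$", re.I)
COMPRESSED = {".zip", ".gz", ".7z", ".jpg", ".png", ".mp4", ".pdf", ".docx", ".xlsx"}
THRESHOLD = 7.5  # bits per byte; encrypted data sits close to the 8.0 maximum


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of data in bits per byte (0.0 to 8.0)."""
    return -sum(n / len(data) * math.log2(n / len(data)) for n in Counter(data).values()) if data else 0.0


def triage(root: str) -> dict:
    """Walk root; list likely ransom notes and likely-encrypted files."""
    notes, encrypted, extensions = [], [], Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            rel, ext = os.path.relpath(path, root), os.path.splitext(name)[1].lower()
            if NOTE_PATTERN.search(name):
                notes.append(rel)
                continue
            if ext in COMPRESSED:
                continue  # legitimately high entropy; would only add noise
            try:
                with open(path, "rb") as fh:
                    sample = fh.read(65536)
            except OSError:
                continue  # locked or unreadable: skip rather than abort the scan
            if len(sample) >= 1024 and shannon_entropy(sample) >= THRESHOLD:
                encrypted.append(rel)
                extensions[ext] += 1  # a dominant unknown extension hints at the strain
    return {"notes": notes, "encrypted": encrypted, "extensions": dict(extensions)}


def demo() -> dict:
    """Run the triage over a small constructed directory tree."""
    with tempfile.TemporaryDirectory() as root:
        samples = {"budget.csv": b"month,amount\n" * 500,
                   "report.docx.locked": os.urandom(8192),  # stands in for ciphertext
                   "HOW_TO_DECRYPT.txt": b"constructed placeholder note"}
        for name, content in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(content)
        return triage(root)
```

Entropy alone cannot tell encryption from compression, which is why known compressed formats are skipped; a file that keeps such an extension after being encrypted would need a file-signature check instead.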
What can you do to prevent Ransomware?
Having outlined the steps and options available to you once a Ransomware attack has already begun, the best advice is to take sufficient proactive steps to help ensure that your organization never becomes infected with Ransomware to begin with. Here are a few basic measures you can take to bolster your organization’s defence against Ransomware:
- Restrict the number of administrator accounts on your network.
- Use Advanced Endpoint Protection with Anti-Ransomware detection capabilities.
- Use Firewall, Email and Web Filtering to block advanced malicious content.
- Implement a user awareness campaign incorporating email phishing simulation.
- Take regular offsite backups with Ransomware detection capabilities built in.
- Deploy security solutions that share information and collate data in one place.
Damien Mallon, Senior Systems Engineer, Datapac