How to Overcome Ransomware

Author: Craig Pollack Date: Feb 27, 2018 Topics: Cybersecurity

It’s the message that no IT professional, business owner or end user ever wants to see. Your computer screen lights up with a message warning that all of your invaluable files and data have been encrypted. And, unless you pay a ransom, the message says “your data will be destroyed” in a set amount of time.

That, in a nutshell, is an example of ransomware. This malicious form of virtual attack can prey on a computer’s weaknesses (machines that are not regularly updated or patched), or may simply involve sending an email and tricking users into opening an attachment or link. Implementing a strong computer use policy to help end users understand and practice internet usage best practices can be a handy way to prevent these attacks.

According to the April 2017 Internet Security Threat Report (ISTR) by Symantec, ransomware poses one of the most significant online threats to businesses, organizations, and individuals. In 2017, one in 131 emails sent were malicious and “Attackers are demanding more and more from victims with the average ransom demand in 2016 rising to $1,077, up from $294 a year earlier.”

But, how can you tell whether your computer or network has been hit with ransomware? Let’s take a look at some of the clues that you have been compromised and what you can do about it.

Ascertain Whether Your Computer Has Been Infected

The good news is, relatively speaking, it’s fairly straightforward to tell whether your system has been affected by ransomware.

I’ve put together a list of some of the primary symptoms:

  • You suddenly can’t open your files.
  • You receive error messages stating that a file is corrupted or has the wrong extension.
  • A message containing instructions on how to unlock your files appears on your desktop.
  • A program window pops up, warning that there’s a countdown until the ransom increases or you’ll permanently lose access to your files.
  • A window opens to a ransomware program that you can’t close.
  • You discover files with names like “HOW TO DECRYPT FILES.TXT” or “DECRYPT_INSTRUCTIONS.HTML”.

What to Do If Your System Has Been Affected by Malware

Obviously, those are all bad signs. If you have seen any (or all) of the above-mentioned signs, then you need to immediately take the following actions:

Step One: Disconnect Your Computer

  1. Unplug the network cable from your computer
  2. Turn off any wireless connections (Wi-Fi, Bluetooth, etc.)

Step Two: Determine the Scope of the Infection

Check again for the aforementioned signs of encryption on the following equipment and devices:

  • Mapped or shared drives (your network drives)
  • Network storage devices (NAS drives)
  • External hard drives
  • USB flash drives
  • Cloud-based storage (OneDrive, Dropbox, Google Drive, Anchor, etc.)
  • Other infected computers/workstations
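As an added example (not part of the original post), the following Python script automates the two checks just described: it walks a folder, whether a local drive, a mapped share, or a mounted NAS or USB volume, looking for ransom-note filenames like those listed under the symptoms, for files whose extension no longer matches their content (the “corrupted or wrong extension” error), and for files whose bytes look random (high Shannon entropy), which is what encrypted data looks like. The ransom-note pattern, the magic-byte table and the entropy threshold are this example's own assumptions, and the sample files it scans are constructed in a temporary folder rather than taken from any real infection.

```python
"""Added example: scan a folder tree for the ransomware symptoms described in
the post. Patterns, thresholds and sample data are this example's assumptions."""
from __future__ import annotations

import math
import os
import re
import tempfile
from collections import Counter
from pathlib import Path

# Ransom-note filename patterns. The two literal names in the post
# (HOW TO DECRYPT FILES.TXT, DECRYPT_INSTRUCTIONS.HTML) match; the regex
# generalises to similar "README_DECRYPT" / "RESTORE_YOUR_FILES" style names.
RANSOM_NOTE_RE = re.compile(
    r"(how[ _-]?to[ _-]?(decrypt|recover|restore)|decrypt[ _-]?instructions|"
    r"readme.*(decrypt|recover)|restore[ _-]?(my|your)[ _-]?files)",
    re.IGNORECASE,
)

# Expected leading bytes for a few common document types (assumed, extend as needed).
MAGIC = {
    ".pdf": b"%PDF",
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
    ".zip": b"PK\x03\x04",
    ".png": b"\x89PNG",
    ".jpg": b"\xff\xd8\xff",
}

# Bits of entropy per byte: 8.0 is uniformly random, plain text is roughly 4-5.
ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of *data* in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def classify_file(path: Path) -> list[str]:
    """Return the symptom tags that apply to one file (empty list if none)."""
    tags = []
    if RANSOM_NOTE_RE.search(path.name):
        tags.append("ransom-note")
    try:
        head = path.read_bytes()[:4096]  # first 4 KiB is enough for both checks
    except OSError:
        return tags
    expected = MAGIC.get(path.suffix.lower())
    if expected and not head.startswith(expected):
        tags.append("wrong-extension")
    # Skip tiny files: entropy estimates on a few bytes are meaningless.
    if len(head) >= 256 and shannon_entropy(head) >= ENTROPY_THRESHOLD:
        tags.append("high-entropy")
    return tags


def scan_tree(root) -> dict[str, list[str]]:
    """Walk *root* (local folder, mapped drive or mounted share) and return
    {relative_path: [tags]} for every file showing at least one symptom."""
    root = Path(root)
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            tags = classify_file(p)
            if tags:
                findings[str(p.relative_to(root))] = tags
    return findings


def build_sample_tree() -> str:
    """Constructed sample data: one clean PDF, one PDF whose content has been
    replaced by random bytes (as an encrypted copy would look), and one ransom
    note. None of this is output of real malware."""
    root = tempfile.mkdtemp(prefix="rw-scan-")
    (Path(root) / "clean.pdf").write_bytes(b"%PDF-1.4\n" + b"Lorem ipsum " * 100)
    (Path(root) / "invoice.pdf").write_bytes(os.urandom(4096))
    (Path(root) / "HOW TO DECRYPT FILES.TXT").write_text("constructed note\n")
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    for rel, tags in sorted(scan_tree(sample).items()):
        print(f"{rel}: {', '.join(tags)}")
```

Run it against each location in the list above from a clean machine with the share mounted read-only. Many files in one folder tagged both wrong-extension and high-entropy is the strongest signal; a single high-entropy file may simply be a compressed archive or a photo, which is why the script reports the tags separately instead of a single verdict.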

Step Three: Determine the Strain of the Ransomware

As scary a thought as it may be, ransomware isn’t something new. It has been in existence in one form or another since 1989, with the release of the AIDS Trojan, which was transmitted via floppy disks.

So, when considering your own organization’s ransomware situation: What kind of ransomware is it? If you’re able to determine which kind of ransomware has infected your systems, then you can be better prepared for how to respond to the situation.

Some of the worst types of ransomware circulating on the Internet over the past several years have included:

Step Four: Determine Your Response

How will your company or organization react? What protocols or procedures do you have in place?

How to Recover in the Aftermath

Now that you understand the scope of the damage, it’s time to make repairs and do some cleanup work. Naturally, if you’re one of our clients, your first response should be to call FPA. We’re happy to note, though, that we haven’t had to respond to one of these situations in months because our clients are so well protected. However, if you aren’t a current client and/or your sister company gets hit, here are your options:

Option One: Restore from Backups

  1. Locate your backups
  2. Remove the ransomware from your infected systems
  3. Restore files from backups
  4. Determine how the infection gained access and address the issue (think: user training)
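The scope check earlier in the post matters here: if the ransomware reached a mapped drive or NAS that also holds your backups, the backup copy may be encrypted as well, and restoring it blindly puts encrypted files straight back onto the cleaned system. As an added example (not part of the original post, and not any backup product's own tooling), the Python script below shows one way to guard against that: write a SHA-256 manifest when the backup is taken, keep a copy of that manifest off the backup volume, and before restoring compare the backup set against the trusted manifest, copying back only files whose hashes still match. The manifest filename, the function names and the sample scenario are this example's own assumptions.

```python
"""Added example: hash-manifest verification of a backup set before restore.
File names, function names and the sample scenario are this example's assumptions."""
from __future__ import annotations

import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path

MANIFEST_NAME = "manifest.sha256.json"  # assumed name, written alongside the backup


def sha256_file(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _files_in(backup_root: Path) -> set[str]:
    """Relative POSIX paths of every file in the backup set, manifest excluded."""
    return {
        p.relative_to(backup_root).as_posix()
        for p in backup_root.rglob("*")
        if p.is_file() and p.name != MANIFEST_NAME
    }


def write_manifest(backup_root: Path) -> dict[str, str]:
    """Record the SHA-256 of every file at backup time. Keep a copy of the
    returned manifest somewhere the backup volume cannot overwrite it."""
    manifest = {rel: sha256_file(backup_root / rel) for rel in sorted(_files_in(backup_root))}
    (backup_root / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_backup(backup_root: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare the backup set against a trusted manifest copy.
    Returns {'modified': [...], 'missing': [...], 'unexpected': [...]}."""
    result: dict[str, list[str]] = {"modified": [], "missing": [], "unexpected": []}
    present = _files_in(backup_root)
    for rel, digest in manifest.items():
        if rel not in present:
            result["missing"].append(rel)
        elif sha256_file(backup_root / rel) != digest:
            result["modified"].append(rel)
    # Files that were not in the manifest (e.g. a dropped ransom note) are flagged too.
    result["unexpected"] = sorted(present - set(manifest))
    return result


def restore_verified(backup_root: Path, manifest: dict[str, str], target: Path) -> list[str]:
    """Copy only files whose hash still matches the trusted manifest, so an
    encrypted copy is never written back. Returns the list of files restored."""
    report = verify_backup(backup_root, manifest)
    rejected = set(report["modified"]) | set(report["missing"])
    restored = []
    for rel in manifest:
        if rel in rejected:
            continue
        dest = target / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(backup_root / rel, dest)
        restored.append(rel)
    return restored


def demo() -> tuple[dict[str, list[str]], list[str]]:
    """Constructed scenario: a backup is taken and a manifest recorded; later
    one backed-up file is overwritten with random bytes (as an encrypted copy
    would be) and a ransom note appears on the volume. Verification catches
    both, and only the intact file is restored."""
    backup = Path(tempfile.mkdtemp(prefix="backup-"))
    target = Path(tempfile.mkdtemp(prefix="restore-"))
    (backup / "docs").mkdir()
    (backup / "docs" / "a.txt").write_text("quarterly report\n")
    (backup / "docs" / "b.txt").write_text("customer list\n")
    trusted = write_manifest(backup)  # this copy would be kept off the volume
    (backup / "docs" / "b.txt").write_bytes(os.urandom(64))  # later "encrypted"
    (backup / "HOW TO DECRYPT FILES.TXT").write_text("constructed note\n")
    report = verify_backup(backup, trusted)
    restored = restore_verified(backup, trusted, target)
    return report, restored


if __name__ == "__main__":
    report, restored = demo()
    print("verification:", report)
    print("restored:", restored)
```

The manifest stored next to the backup is only a convenience; the comparison must use the copy held off the backup volume, since anything that can encrypt the backup can rewrite a manifest sitting beside it.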

Option Two: Try to Decrypt Your Files Yourself

  1. Although becoming more common, this is still a relatively rare option
  2. Determine the strain and version of the ransomware
  3. Locate a decryptor and attempt to decrypt your files
  4. Determine how the infection got in and address the issue (think: user training)

Option Three: Negotiate and/or Pay the Ransom

  1. Convert funds into some form of cryptocurrency, such as Bitcoin
  2. Pay the ransom via cryptocurrency
  3. Acquire the unlock code
  4. Decrypt your files
  5. Determine how the infection gained access and address the issue (think: user training)

Option Four: Do Nothing

No one wants to have to resort to any of these options. Our FPA team would prefer that our clients didn’t have to deal with these kinds of issues at all. However, to ensure your business is as well-protected as possible against these scenarios, our preferred method is prevention.

I don’t want to sound like a broken record by repeating the same things (so I won’t). Instead, I’ve just put together a brief list of blog resources that can provide you with additional helpful and informative information:

If you are one of FPA’s Managed Service clients and you’re fully on our “FPA Stack,” our core foundational technology platform, then you are already protecting yourself. While there is no 100% guarantee of protection in the cybersecurity world, hackers are more likely to work on less protected networks than spend more time and energy trying to attack your highly protected assets.

Be sure to share your thoughts on this topic. Has this information been helpful? Let us know in the comments box below or send me an email if you’d like to discuss this in more detail.

Author

Craig Pollack

Craig is the Founder & CEO of FPA Technology Services, Inc. Craig provides the strategy and direction for FPA, ensuring its clients, business owners, and key decision makers leverage technology as efficiently and effectively as possible. With over 30 years of experience building the preeminent IT Service Provider in the Southern California area, Craig is one of the area’s leading authorities on how small to mid-sized businesses can best leverage and secure their technology to achieve their business objectives.