Ransomware locks a computer by encrypting its files and demands a ransom to unlock and restore them. It presents the victim with instructions on how to pay, often demanding a large sum of money, typically paid in Bitcoin. In this post, you can find out what to do if you get hit by this kind of attack.
Ransomware attacks keep growing every year, affecting users of all types and becoming a serious cybersecurity threat. The average ransomware payment increases significantly every year. These attacks have become so common that in 2021 a new organization will fall victim to ransomware every 11 seconds.
Here are some key ransomware statistics and trends:
There are several different ways that ransomware can get onto your computer. At present, the most common infection methods are malicious spam email (malspam), phishing emails and messages, and downloads from malicious websites.
Cybercriminals target organizations that rely on critical and sensitive information. They also target organizations with out-of-date security procedures and systems that carry many security vulnerabilities. A common threat made by ransomware gangs is to sell the stolen sensitive data on the dark web.
Locker ransomware locks the victim out of their data files or the device itself. This type of ransomware does not encrypt the files; it only allows the victim to interact with the screen area that contains the ransom note. Locker ransomware can partially disable the victim’s mouse or keyboard and deny access to the desktop.
Locker ransomware usually gets into a system through malicious websites. Once infected, the victim receives a pop-up telling them not to shut the machine down and providing a phone number to contact the attackers. Cancelling this pop-up locks the victim’s computer, making it unusable.
When a device is infected with crypto ransomware, it encrypts files using an encryption algorithm that is difficult to crack. However, it does not lock the device the way locker ransomware does, so you can still access other areas of the system. Crypto ransomware usually gets onto a victim’s device when the user opens an attachment from a phishing email, clicks a malicious link sent via a Facebook or WhatsApp message, or visits a compromised web page serving an ‘exploit kit’ that contains malicious code.
After entering the system, crypto ransomware identifies backup files, and some variants uninstall security software. It then encrypts the files on the device using strong encryption. The attacker is the only one who holds the private key needed to decrypt them.
WannaCry – Released in 2017, WannaCry targeted Windows operating systems and spread by exploiting a vulnerability in Microsoft’s Server Message Block (SMB) protocol.
CryptoLocker – This ransomware was created in 2013 and shut down by 2014. It was delivered through malicious email attachments. CryptoLocker victims were directed to an online service to obtain decryption.
Locky – Locky ransomware spreads through Word documents attached to spear-phishing emails. These documents contain a malicious macro that downloads the ransomware.
CryptoWall – This ransomware is delivered through malicious PDF attachments and exploit kits hosted on compromised websites. It also scrambles file names so that victims cannot easily recognize them.
Netwalker – Created in 2019 by the cybercrime group Circus Spider, Netwalker is an example of Ransomware-as-a-Service (RaaS). It allows other cybercriminals to rent the malware code in exchange for a percentage of the ransom they collect.
Conti – This ransomware first appeared in 2020 and has affected Microsoft Windows machines ever since. It is a sophisticated and fast ransomware that uses its own implementation of AES-256 encryption.
Ryuk – First detected in 2018, Ryuk is typically deployed alongside other malware such as TrickBot. Variants of Ryuk can automatically spread to other devices on the local network if they run under a highly privileged account.
Petya – Appeared in 2016; Petya encrypts your computer’s Master Boot Record (MBR) and Master File Table (MFT). It is paired with the Mischa ransomware as a fallback for when it cannot gain access to the MBR or MFT.
If you have become a victim of ransomware, the first thing you need to do is isolate the infected device from other devices as quickly as possible. This prevents the ransomware from spreading further, as most ransomware tries to reach other systems connected to the affected device and to establish a network connection with its command-and-control server. So disconnect the infected device from all other computers, network connections, and storage devices attached to it.
Remember, if your computer belongs to a corporate network, several other computers may also be affected. Ransomware may be present on other machines while still dormant and not yet activated. Thus, apply the necessary security measures to protect all the other devices connected to the network. If shared folders have been encrypted, you can find out which users have accessed them and locate patient zero by the number of files each user has open.
Identifying the ransomware will help you understand its propagation methods, the kinds of files it encrypts, and any available decryption options. If the ransom note doesn’t contain the ransomware name, you can look at the file extension applied to encrypted files to identify which ransomware you are dealing with. Earlier variants used a single well-known extension; newer variants use many different ones.
You can find more information about the ransomware that infected you on PC troubleshooting and tech forums.
Additionally, there are several websites that provide free ransomware identification services.
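The two triage steps above (counting encrypted-file extensions to identify the variant, and ranking users by the number of encrypted files they hold open on a share to locate patient zero) can be scripted. The following is an added example, not code from the original article: it builds a constructed directory tree imitating a partly encrypted file share, counts extensions against an assumed baseline of normal document types, flags ransom-note-like files with a heuristic name pattern (an assumption of this example), and ranks constructed open-file records of the kind a file server can export. The `.locked` extension, user names, host names, and paths are all constructed sample values.

```python
import os
import re
import tempfile
from collections import Counter

# Extensions we expect on a normal document share (assumed baseline for this example).
BASELINE_EXTENSIONS = {".docx", ".xlsx", ".pptx", ".pdf", ".jpg", ".png", ".txt", ".csv"}

# Ransom notes are usually small text/HTML files whose names urge the victim to
# read, decrypt or restore. Heuristic pattern; an assumption of this example.
RANSOM_NOTE_RE = re.compile(r"(readme|decrypt|restore|recover|how.?to)", re.IGNORECASE)
NOTE_EXTENSIONS = {".txt", ".html", ".hta"}


def scan_tree(root):
    """Walk `root`; return (Counter of file extensions, list of ransom-note-like paths)."""
    ext_counts = Counter()
    notes = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            ext = os.path.splitext(name)[1].lower()
            ext_counts[ext] += 1
            if ext in NOTE_EXTENSIONS and RANSOM_NOTE_RE.search(name):
                notes.append(os.path.join(dirpath, name))
    return ext_counts, notes


def suspicious_extensions(ext_counts, baseline=BASELINE_EXTENSIONS, min_files=3):
    """Extensions outside the baseline that appear on at least `min_files` files,
    most frequent first. One unknown extension stamped on many files is the mark
    of a mass-encryption event; that extension is what you look up on an
    identification service or forum."""
    return [ext for ext, n in ext_counts.most_common()
            if ext not in baseline and n >= min_files]


def rank_users_by_open_files(open_files, ext):
    """`open_files` is a list of (user, client_host, path) tuples as exported from a
    file server's open-file table. Return (user, host) pairs ordered by how many
    files with the suspicious extension they hold open; the top entry is the
    likely patient zero."""
    counts = Counter((u, h) for u, h, p in open_files if p.lower().endswith(ext))
    return counts.most_common()


def build_sample_share():
    """Create a constructed directory tree that imitates a partly encrypted share."""
    root = tempfile.mkdtemp(prefix="share_")
    layout = {
        "finance": ["budget.xlsx.locked", "q1.pdf.locked", "README_TO_RESTORE.txt"],
        "hr": ["handbook.docx.locked", "photo.jpg", "README_TO_RESTORE.txt"],
        "it": ["inventory.csv", "notes.txt"],
    }
    for sub, names in layout.items():
        d = os.path.join(root, sub)
        os.makedirs(d)
        for n in names:
            with open(os.path.join(d, n), "w") as fh:
                fh.write("sample\n")
    return root


# Constructed open-file records (user, client host, path) for the same share.
SAMPLE_OPEN_FILES = [
    ("alice", "WS-07", r"\\fs01\share\finance\budget.xlsx.locked"),
    ("alice", "WS-07", r"\\fs01\share\finance\q1.pdf.locked"),
    ("alice", "WS-07", r"\\fs01\share\hr\handbook.docx.locked"),
    ("bob", "WS-12", r"\\fs01\share\it\inventory.csv"),
    ("carol", "WS-03", r"\\fs01\share\hr\photo.jpg"),
]


def triage(root, open_files):
    """Run both checks and return the findings a responder would act on."""
    ext_counts, notes = scan_tree(root)
    sus = suspicious_extensions(ext_counts)
    top = rank_users_by_open_files(open_files, sus[0]) if sus else []
    return {"suspicious": sus, "notes": sorted(notes), "top_users": top}


if __name__ == "__main__":
    print(triage(build_sample_share(), SAMPLE_OPEN_FILES))
```

On a real share, point `scan_tree` at the mounted root and feed `rank_users_by_open_files` the open-file export from your file server; the baseline set and the `min_files` threshold should be tuned to what your share normally holds so that a handful of legitimately unusual files does not trigger a false alarm.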
Contact your local FBI field office to request assistance, or submit a tip online. Reporting ransomware incidents helps law enforcement understand the threat level, the criminals behind the attack, and their ransomware delivery methods, and ultimately to track them down. In addition, reporting helps ransomware researchers identify related information and prevention measures.
File a report with the FBI’s Internet Crime Complaint Center (IC3). Before doing so, prepare the following information, which they may require from you.
If you have become a victim of ransomware, there are a few options available for you to choose from.
You may choose to pay the ransom if the amount is affordable for you or you need to recover the data as soon as possible. However, the FBI does not recommend this option.
What The FBI Says: “The FBI does not support paying a ransom in response to a ransomware attack. Paying or negotiating a ransom does not guarantee that you or your organization will get the decryption key and restore your data. It also encourages perpetrators to target more victims and offers an incentive for others to get involved in this type of illegal activity.”
Kaspersky revealed that more than 56% of victims pay the ransom, but only a quarter of them get their data back.
If you decide not to pay, the next best option is trying to remove the ransomware. Always seek the help of an IT expert rather than attempting the removal entirely on your own. Several removal options are described below.
After that, you can try to find a decryption tool available for that ransomware type. Various decryption tools exist on the internet, yet there is no guarantee that they can successfully decrypt your data. Some decryptors may not work for newer versions of a ransomware family. Note that decryption tools do not exist for every type of ransomware, largely because of the strong encryption they use.
Many websites, including the No More Ransom project and various how-to articles, provide these tools. However, be careful not to fall into another trap by downloading tools from untrusted sources, as they may deliver other malicious software instead of a decryptor.
Even though this option doesn’t sound appealing to many, it is the best method when no other recovery options are available. You can be sure the malware has been completely removed only by wiping everything from your machine. The ransomware that infected your machine may have removed itself; after causing the damage, cybercriminals don’t want to leave any trace that could help others create decryption tools. Thus, wipe everything from your storage devices and format the hard disk to ensure no malware remains.
Then start reinstalling everything from scratch. If you have been following a good backup strategy, you can use the latest backup to restore your files, folders, and software to the state they were in before the attack. Finally, run reputable antivirus or ransomware detection software to scan for any remaining sign of ransomware.
Once it strikes, ransomware can wreak serious havoc on any individual or organization. Since new variants of ransomware emerge each year, you must always be aware of what to do if you become a victim. This article provides exactly that information. Keep in mind that prevention is better than cure: protect your devices with the best available security measures, and make yourself and others aware of the ways ransomware can infiltrate your system.