
What To Do If You Get Ransomware

Ken Kizzee


Ransomware locks a computer by encrypting its files and demands a ransom to unlock and restore them. It presents the victim with instructions on how to pay, often demanding a large sum in bitcoin. In this post, you can find out what to do if you get hit by this kind of attack.

Introduction

Ransomware attacks keep growing every year, affecting users of all types and becoming a serious cybersecurity threat. The average ransomware payment increases significantly every year. These attacks have become so common that in 2021 a new organization was expected to fall victim to ransomware every 11 seconds.

Ransomware statistics and trends

Here are some key ransomware statistics and trends:

  • During the initial six months of 2022, there were approximately 638 instances of ransomware attacks directed toward each customer.
  • In 2022, a significant majority of victimized organizations—amounting to 92%—lacked robust data loss prevention protocols, thereby resulting in substantial loss of critical data due to ransomware incursions.
  • Analysis of data breaches involving malware in 2022 reveals that ransomware constituted a noteworthy proportion of approximately 30% of all such breaches.
  • Despite the considerable reduction of 235% in the prevalence of global ransomware attacks during the year 2022, the total number of attacks remained alarmingly high, with 236.1 million attacks recorded worldwide.

There are several different ways that ransomware can get access to your computer. At present, the most common methods of infection are malicious spam email (malspam), phishing emails and messages, and downloads from malicious websites.

Targets of Ransomware

Cybercriminals target organizations that rely on critical and sensitive information. They also target organizations with out-of-date security procedures and systems that have many security vulnerabilities. One of the common threats made by ransomware gangs is to sell the stolen sensitive data on the dark web.

  • Small and Medium Businesses – Small and medium-sized businesses, which account for 43% of all cyberattacks, have become easy targets because they are unable to invest in proper security mechanisms.
  • MSPs – Managed Service Providers (MSPs), which serve many clients simultaneously, have lately become the focus of ransomware attackers. Attackers reach more victims if they gain access to the MSP's platform, and they most often gain that access through security vulnerabilities in the remote access tools MSPs use.
  • Health Care – Health care facilities have become frequent targets because they hold patient medical records that require immediate access. For example, in 2017 the UK National Health Service (NHS) had to cancel surgeries and 19,000 appointments due to the WannaCry ransomware, which cost it £92m.
  • Governments – According to Security Intelligence, ransomware attacks on governments accounted for 33% of all attacks in 2020. Some government bodies store security information, which makes them popular targets.
  • Education – Universities work with sensitive research data and intellectual property, yet they run poor cybersecurity systems due to budgetary constraints. This makes them vulnerable to various cyber-attacks. In addition, the rise in online learning due to COVID-19 has further increased this vulnerability.

Ransomware Types

Locker Ransomware

Locker ransomware locks the victim's data files or locks the device itself so that the victim cannot access them. This type of ransomware does not encrypt the files; it only allows the victim to interact with the area of the screen that contains the ransom note. Locker ransomware can partially disable the victim's mouse or keyboard and deny access to the desktop.

Locker ransomware usually gets into a system through malicious websites. Once infected, the victim receives a pop-up demanding that the machine not be shut down and providing a phone number to contact the attackers. Canceling this pop-up locks the victim's computer, making it unusable.

Crypto Ransomware

When a device is infected with crypto ransomware, it encrypts files using an encryption algorithm that is infeasible to break. However, it does not lock the device like locker ransomware does, so you can still access the other areas of the system. Crypto ransomware usually gets onto a victim's device when the user opens an attachment from a phishing email, follows a malicious link sent via a Facebook or WhatsApp message, or visits a compromised web page that uses an 'exploit kit' containing malicious code.

After entering the system, crypto ransomware identifies backup files, and some variants uninstall the security software on the system. Then it encrypts the files on the device using strong encryption. Only the attacker holds the private key needed to decrypt them.

Ransomware types examples

WannaCry – Released in 2017, WannaCry targeted Windows operating systems and was delivered through a vulnerability in Microsoft's Server Message Block (SMB) protocol.

CryptoLocker – This ransomware was created in 2013 and shut down by 2014. It was delivered through malicious email attachments. CryptoLocker victims had to obtain the decryption key through an online service.

Locky – Locky ransomware spreads through Word documents attached to spear-phishing emails. These documents contain a malicious macro that downloads the ransomware.

CryptoWall – This ransomware infects victims through malicious PDF attachments and exploit kits hosted on compromised websites. It also scrambles file names so that victims cannot easily recognize their files.

Netwalker – Created in 2019 by the cybercrime group Circus Spider, Netwalker is an example of Ransomware-as-a-Service. It allows other cybercriminals to rent the malware code in exchange for a percentage of the ransom they collect.

Conti – This ransomware first appeared in 2020 and has affected Microsoft Windows machines ever since. It is a sophisticated and fast ransomware that uses its own implementation of AES-256 encryption.

Ryuk – First detected in 2018, Ryuk is used together with other malware such as TrickBot. Variants of Ryuk can automatically spread to other devices on the local network if they run under a highly privileged account.

Petya – Appearing in 2016, Petya encrypts the computer's Master Boot Record (MBR) and Master File Table (MFT). It is bundled with the Mischa ransomware, which runs instead when Petya cannot obtain the privileges it needs to access the MBR or MFT.

Steps To Recover Your Data

1. Isolate The Infection

If you have become a victim of ransomware, the first thing you need to do is isolate the infected device from other devices as quickly as possible. This prevents the ransomware from spreading further, since most ransomware tries to reach other systems connected to the affected device and to establish a network connection with its command-and-control server. So disconnect the infected device from all other computers, network connections, and storage devices attached to it.

Remember, if your computer belongs to a corporate network, several other computers may also have been attacked. Ransomware may be present on other machines in a dormant state, not yet activated. Thus, apply the necessary security measures to protect all the other devices connected to the network. If shared folders have been encrypted, you can find out which users have accessed them and locate patient zero by the number of files each user had open.

2. Identify The Ransomware

Identifying the ransomware will help you understand its propagation methods, the kinds of files it encrypts, and any available decryption options. If the ransom note doesn't contain the ransomware name, you can look at the extension added to the encrypted files to identify which ransomware you are dealing with. Earlier ransomware variants shared a common extension; however, as new variants emerge, they are using different extensions.

You can find out more about the ransomware you are dealing with from PC troubleshooting and tech forums.

Additionally, there are several websites that provide free ransomware identification services.
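As an added example (not from the original article), the following Python script automates the identification step just described: it walks a directory, tallies the unfamiliar extensions the encrypted files carry, collects likely ransom-note files, and records the earliest modification time among encrypted files as a rough start of the encryption. The extension and note-name lists are constructed assumptions for illustration, not an authoritative catalogue, and the sample tree it builds is constructed as well.

```python
import os
import tempfile
from collections import Counter

# Words that ransom-note file names commonly contain (constructed, illustrative set).
NOTE_MARKERS = ("decrypt", "restore", "recover", "ransom", "how_to")
NOTE_EXTS = {".txt", ".html", ".hta"}

# Extensions a normal document tree is expected to carry (constructed, illustrative set);
# any other extension that appears in bulk is a candidate ransomware extension.
COMMON_EXTS = {".docx", ".xlsx", ".pptx", ".pdf", ".jpg", ".png", ".txt", ".csv"}


def triage(root):
    """Return (candidate extension, count, ransom-note paths, earliest mtime) for `root`."""
    ext_counts = Counter()
    notes = []
    earliest = None
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            if ext in NOTE_EXTS and any(m in name.lower() for m in NOTE_MARKERS):
                notes.append(path)
                continue
            if ext and ext not in COMMON_EXTS:
                # Ransomware usually appends its marker after the real extension,
                # e.g. report.docx.locked, so the last extension is the marker.
                ext_counts[ext] += 1
                mtime = os.path.getmtime(path)
                earliest = mtime if earliest is None else min(earliest, mtime)
    if not ext_counts:
        return None, 0, notes, earliest
    ext, count = ext_counts.most_common(1)[0]
    return ext, count, notes, earliest


def make_sample_tree():
    """Build a constructed sample directory that mimics a share after an incident."""
    root = tempfile.mkdtemp(prefix="triage_")
    os.makedirs(os.path.join(root, "finance"))
    for rel in ("report.docx.locked", "budget.xlsx.locked",
                os.path.join("finance", "q1.csv.locked"),
                "notes.txt", "HOW_TO_RESTORE_FILES.txt"):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("sample")
    return root


if __name__ == "__main__":
    ext, count, notes, earliest = triage(make_sample_tree())
    print(f"candidate extension {ext} on {count} files; notes: {notes}; first mtime: {earliest}")
```

Run it against the root of an affected share instead of the sample tree; the extension and note file names are what you then look up on the identification sites mentioned above.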

3. Report The Attack

Contact your local FBI field office to request assistance or submit a tip online. Reporting ransomware incidents helps law enforcement understand the threat level, the criminals behind the attack, and their delivery methods, and ultimately helps track them down. In addition, reporting helps ransomware researchers identify related information and prevention measures.

File a report with the FBI's Internet Crime Complaint Center (IC3). Before you do, prepare the following information, which they may ask for:

  • Infection date
  • Ransomware variant name
  • Victim or the Victim company details
  • Ransom amount
  • The method of delivery
  • The loss due to the attack
  • Attacker account details

4. Choose A Course Of Action

If you have become a victim of ransomware, there are a few options available for you to choose from.

Pay the ransom

You may choose to pay the ransom if the ransom amount is affordable for you or you need to recover the data as soon as possible. However, the FBI does not recommend this option.

What The FBI Says: “The FBI does not support paying a ransom in response to a ransomware attack. Paying or negotiating a ransom does not guarantee that you or your organization will get the decryption key and restore your data. It also encourages perpetrators to target more victims and offers an incentive for others to get involved in this type of illegal activity.” 

Kaspersky reported that more than 56% of victims pay the ransom, but only a quarter of them get their data back.

Attempt to Remove The Malware and decrypt the files

If you decide not to pay, the next best option is to try to remove the ransomware. Always get the help of an IT expert if you attempt to remove it yourself. There are several removal options, including the following:

  • Check whether the ransomware has already deleted itself.
  • Use more powerful antivirus software to remove it.
  • Remove it manually.

After that, you can try to find a decryption tool for that ransomware type. Various decryption tools exist on the internet, yet there is no guarantee that they can successfully decrypt your data. Some decryptors do not work for newer versions of a ransomware family. Note that there is no decryption software for every type of ransomware, largely because of the strong encryption they use.

Many websites, including the No More Ransom project and various how-to articles, provide these tools. However, be careful not to fall into another trap by downloading tools from untrusted sources, as they may contain other malicious software instead of a decryption tool.

Wipe Your System

Even though this option doesn't sound good to many, it is the best method if no other recovery options are available. By wiping everything on the machine you can be sure that the malware has been completely removed. The ransomware that infected your machine may remove itself: after causing the damage, cybercriminals don't want to leave any trace that could help others create decryption tools. Even so, wipe everything from your storage devices and format the hard disk to ensure no malware remains.

Then start reinstalling everything from scratch. If you have been following a good backup strategy, you can restore your files, folders, and software from the latest backup to the state they were in before the attack. Finally, run good antivirus or ransomware detection software to scan for any remaining sign of ransomware.

Tips to prevent ransomware  

  • Avoid clicking on links in suspicious emails – Always check the email address and sender information of any email. If it contains links or attachments, check with the sender to confirm their legitimacy.
  • Ensure that your operating system (OS) and other software are up to date, as the latest versions contain security patches for vulnerabilities in previous versions.
  • Keep regular backup copies of your files, especially outside your network and in multiple locations.
  • Educate your employees about malware and provide the necessary training – for example, security awareness training and ransomware phishing simulations.
  • Never download from untrusted websites. Always check the URL of the website you visit to see that it uses HTTPS (the padlock sign in the address bar).
  • Apply the principle of least privilege and grant users the minimum level of permissions they need. Give higher privileges only to trusted individuals who must access sensitive data in the system.
  • Refrain from overexposing your personal information, particularly on social media. Ransomware attackers may collect your personal information to work out the best attack strategy.
  • Invest in good anti-ransomware software that scans your system automatically and isolates and deletes any ransomware it finds.

Conclusion

Once it strikes, ransomware can cause serious havoc for any individual or organization. Since new variants of ransomware appear every year, you must always know what to do if you become a victim. This article has covered just that. Keep in mind that prevention is better than cure, so protect your devices with the best security measures and make yourself and others aware of the ways ransomware can infiltrate your systems.