Ransomware has become a hot topic in the news recently, until you would almost imagine that the Russians have declared a cyberwar on the West. No such thing has happened. What has happened is that black hat hackers have discovered that medical records in the US, Canada and the UK are insufficiently protected and are taking advantage of this fact. In any and all other industries which deal in PCI or PII proper security is also a concern. This includes banking, brokerages, in fact any company which handles credit card or other financial data, or any other data of a sensitive or private nature.
The ransomware which is currently in the spotlight is of the family which encrypts the files on a desktop, or yes, even on a network, and demands a ransom for decryption of the encrypted files. Ransomware, encryption and the like are actually highly technical topics, but that is the concept in summary. With that basic definition, let’s look at how safe you are from ransomware and what you can do if you should become infected.
First, let’s look at Alice. Alice is careful, she follows best security practices, and never opens suspicious email attachments or clicks on links in emails. Bob is not so careful. Bob receives and opens an email attachment he should not have opened and infects his machine. Since Bob is a colleague of Alice, when Alice receives an email attachment or link from Bob’s infected email, no matter how careful Alice is, she gets infected as well. Not opening a suspicious attachment or clicking suspicious links is a good beginning, but it is not enough.
Since it is not sufficient to avoid suspicious email attachments or links, what responses can you take to respond to ransomware once it has infected your computer? There are a lot of news items on the topic, but they boil down to three responses: pay the ransom, restore your backed up files, have IT look for a workaround. Since the last option is the easiest and the cheapest, it is the option most users will choose first. Let’s look at the possibility of success by IT for recovering from ransomware without paying a ransom.
IT has no chance at all of recovering your encrypted files if the ransomware used encryption properly. Encryption is what keeps your online purchases secure and banking information private. There have been a relatively few stories of ransomware being reversed by security researchers, but let’s be clear: they did not ‘crack’ the encryption. These security researchers discovered that a small portion of the ransomware out there ‘in the wild’ was poorly written, which allowed researchers to discover the decryption process without paying the ransom. In effect, these researchers hacked the hackers. However, this is not usually the case. It is very rare that this free option is available for most ransomware infections.
Backing up your files on a regular basis is always a best practice. Anyone who has ever lost files on a computer which crashed can attest to the need for backing up critical files, but as with a system crash, backups must happen before you are infected with ransomware, not after. With a proper backup process in place, ransomware will be inconvenient but relatively inexpensive to recover from.
Paying the ransom is morally uncomfortable, and will most likely still require the expertise of experienced IT people to navigate the world of bitcoin or other obscure payment methods which criminals use. Strangely enough, criminals who send ransomware appear to keep their word and quickly send the promised decryption key which will restore your files. These criminals know that if they do not, soon no victim will ever pay a ransom again.
In the end, backing up your files before the fact will give you the most options. Once your files are encrypted by ransomware, your options are limited, which is, of course, exactly what the criminals want.
Virtualization can reduce the severity of a ransomware attack, but is no substitute for best practices. A virtual machine can be restored in the event that one copy is compromised, but this approach is a second best solution. The best solution is to avoid ransomware in the first place.
For more information on ransomware, avoiding it, and recovering from it, please contact us.