top of page
  • douiriothmane

What is a Ransomware and How to protect from it

Keeping your computer safe from malware on the internet has become problematic in recent years, and one of the most egregious types of malware is ransomware. But before we can protect ourselves from it, we must understand what it is and what it does. This article will define what ransomware is, what it does, and how you can protect yourself from this scourge.


What is Ransomware?

At its core, ransomware is malware (malicious software) that encrypts a user’s files. This renders data unusable and inaccessible, which is a disaster for anyone that has essential files, documents, and data on a system. Once this is done, a message is usually displayed that demands payment for the decryption key. The most common currency that is requested is a cryptocurrency such as Bitcoin, which is instant and allows people from around the world to receive payments.


Ransomware infects computers by infiltrating the safeguards of the operating system, such as an outdated antivirus or a misconfigured spam rule. Once ransomware has been executed, it starts its attack by using very strong encryption that is very strong and almost impossible to brute force to decrypt it. This means that the only way to decrypt files is to use the decryption key, and the only way to get the key is to pay a ransom.


A pop-up window usually appears with the details of where payment can be made and how much needs to be transferred. Most ransomware has a countdown timer that states that the decryption key will be deleted if no payment is made in time. This makes users panic and usually results in a cryptocurrency payment to the cybercriminals behind the ransomware, but that does not guarantee that the code will be sent.



Common Methods of Ransomware Attacks

  • Email via Phishing: Phishing is the most commonly used method of delivering ransomware, and it still affects businesses despite phishing being a relatively well-documented security threat. Spear phishing, which is targeting specific users via social engineering, is also widely used to deliver Ransomware.

  • Malicious Websites: Malicious websites serve up malware that enables ransomware to be injected into the website visitor’s computer. Once downloaded, the ransomware is executed, and the files on the computer get encrypted.

  • Infected Software Applications: Software applications sometimes harbour ransomware infections executed when installed. Software that is illegally shared is sometimes cracked so that users can use it without paying for it. The software can have malware added to it either by the original team that cracked the application or by a third party that downloads the software and then re-uploads it with the malicious payload

  • RDP Compromise: This vector will mostly be leveraged by attackers to target small and medium enterprises who are prone to leaving RDP port (TCP 3389) exposed to Internet. The attackers will then usually brute force the credentials or use another technique (social engineering, buying credentials on the dark web, etc.) to gain access to the target server.

  • Social Engineering: Social engineering is the process that cybercriminals employ to manipulate people by presenting themselves as genuine customer or user and extracting information about an account or password. Someone posing as a trustworthy source can get an unsuspecting employee to click on a bad link or open a malicious attachment.

The Importance of Ransomware Protection

Now that we know what ransomware is, we understand why it is so essential to protect ourselves from it. Most people store vital information on their home computers and laptops. This creates willing victims that are more likely to pay ransoms when irreplaceable pictures and documents have not been backed up, so they continue to be targeted. This is not isolated to only home users, though, and businesses are usually the primary targets for ransomware campaigns.


Suppose an organization has a critical database or file server encrypted by malware. In that case, they can lose incredible money if they cannot restore data from backups and remove the ransomware infection. Additional pitfalls also exist within the business, like reputational damage when it becomes public and legal action from customers if data is inaccessible or compromised. This makes prevention very important, rather than trying to recover from the damage.


What Effect Does Ransomware Have on A Computer?

The first thing that happens to a computer is that its data gets encrypted. Different ransomware variants target different files, but the primary targets are documents, pictures, database files, and anything else that has value. The process takes mere seconds and is irreversible without the decryption key.


Ransomware doesn’t want to make the computer inoperable, as it will scan the network for additional targets, such as file servers and computers with file shares. In some cases, it replicates across the web and infects further machines.


Next, the demand for ransom starts to appear. It has all of the information about how much needs to be paid and where to send the cryptocurrency and other details such as the cut-off date for when payment must be made. Some ransom demands will increase if the deadline payment is not made in time, while others threaten to delete the encryption key or both.


Some of the more advanced ransomware variants, such as Conti, REvil/Sodinokibi, and Darkside ransomware, use something known as double extortion, which threatens to release exfiltrated data that it was able to copy during the encryption process. Data theft is a serious aspect of ransomware attacks that are sometimes overlooked and not spoken about.

Data theft is a serious issue that can affect your business if revealed to the public. This can result in reputational damage, financial loss, and legal problems and has the potential to cripple even the most prominent corporations if the damage is sufficiently widespread. The threat of data leaks looms even if the company can decrypt the data without paying a ransom.


Preventing Ransomware Attacks

Now that we know what ransomware is and what it does, we need to look at how to prevent it from infecting your network in the first place. The good news is that you might already be doing some of the things that we recommend, but if not, then it is not too late to start.


System and Software Updates

This is one of the easiest ways to stay ahead of ransomware. Keeping systems up to date with the latest patches and hotfixes will insulate your network from the most common malware, including ransomware. As vulnerabilities are discovered, patches remove these as potential weak points so malware cannot attack from that vector. This also applies to software such as email clients, internet browsers, and other applications that you use throughout the day.

Antivirus and Security Software

To add additional layers of security to your computer, you should look at installing antivirus software and endpoint software that identifies malware and viruses as they come into contact with your system. Even new malware variants are identifiable by modern operating systems, and if your system catches suspicious operations, it can stop them before they are entirely carried out and inform you.

Backups and Disaster Recovery

One of the most critical yet overlooked aspects of ransomware protection is disaster recovery, such as backups and restoring systems. If you have valuable data to you and your business, then you must have sufficient backup protocols in place. Backup and restore tests must be carried out regularly to ensure that the data you are backing up is usable once restored. Another key element here is that a lot of Ransomware have the ability to delete backups especially if the threat actor has domain admin credentials, it is thus critical to have 3 backup copies on 2 different media with 1 of them offsite (the 3-2-1 rule) and implement MFA.



User Training and Education

Prevention is better than cure, and the best way to prevent ransomware is to educate your users, especially if they have access to the internet and email. If your employees can identify phishing emails and suspicious links, you are already on your way to protecting your business from ransomware. Employees must have a standard operating procedure that tells them how to handle the situation when suspicious emails are encountered so that infections can be prevented altogether.


At Altis Technologies, we can help you evaluate the security of your assets and make sure your data is protected from Ransomware attacks. Contact us for a free consultation.


Comments


bottom of page