Ransomware Virus FAQ: Everything You Wanted to Know, but Were Too Afraid to Ask
What should you do after being infected with a ransomware virus? Is there a way to remove it without paying the ransom? Should you call the police? How do you prevent an attack in the first place?
These are just a few of the many common questions about ransomware, which cost businesses an estimated $1 billion in ransom payments in 2016, on top of an estimated $75 billion in operational downtime.
But despite the fast-growing number of attacks, many organizations are still unfamiliar with the unique threat of ransomware. In many cases, stakeholders weren’t aware of the threat until after an attack occurred. And by then, it’s too late. Once your data has been locked, you only have a few options.
In this comprehensive guide, we go over those options in detail, as well as answers to other frequently asked questions about ransomware.
14 Questions about Ransomware Virus Prevention & Removal
1) What is ransomware?
Ransomware is a form of malware that encrypts data on your machine and then demands a ransom payment, usually in the form of bitcoin, in exchange for the decryption keys to unlock the data.
2) How does a ransomware virus get onto a computer?
Email is the most common delivery method for ransomware. Often, the malware is included within an email attachment that has been disguised as an invoice, electronic fax, statement, spreadsheet, Word document or other files.
Some emails will also include a link, which directs the user to a malicious website that infects the user’s computer with the ransomware virus.
3) Can you get ransomware from a legitimate website?
Yes. Cyber attackers are increasingly using exploit kits and other forms of malware to deliver their malicious code through otherwise legitimate websites.
This was the case in 2016 when some of the Internet’s biggest websites inadvertently displayed banner ads that infected users’ computers with ransomware. The New York Times, BBC, AOL, MSN, NFL and Newsweek were just a few of the sites affected by this unique attack.
4) Can anti-virus software prevent ransomware?
Yes and no. While it is important to use reliable anti-malware and virus protection, these solutions do not guarantee that your system won’t become infected. As with all forms of malware, your security software must recognize a given strain before it can stop it from executing. So if your software hasn’t been updated recently, a newer strain may slip through. Also, it’s important to note that new variants of ransomware are popping up all the time, and those too can infect your machine if they are unrecognized by your anti-malware system.
5) How do you know you’ve been attacked?
Typically, users don’t realize the infection is present until it’s too late. Once the system is infected, the malware will quickly and quietly work to encrypt every file and folder it can access.
Users generally become aware they’ve been attacked when they can no longer access their data, and a message appears on screen letting them know they’ve been infected, along with instructions for sending the ransom payment.
6) Can it spread to other computers?
Yes. In addition to the first machine it infects, ransomware can also infect any attached devices, shared drives and other computers on the same network.
7) Do attackers target individuals or businesses?
Both. However, attackers are increasingly targeting businesses, as such attacks often result in greater ransom payments.
8) How common is ransomware?
A study by IBM estimated that 40 percent of all spam email in 2016 contained some form of ransomware virus. Thousands of computers are infected every month. Between 2015 and 2016, the rate of infections ranged between 23,000 and 56,000 per month.
9) How much are the ransom demands?
The average ransomware demand typically ranges from $500 to $2,000. However, some businesses are asked to pay much more. IBM found that half of surveyed victims who paid the ransom in 2016 shelled out more than $10,000, and 20 percent paid more than $40,000.
10) Should you pay the ransom after a ransomware attack?
No. The FBI strongly discourages businesses from paying the ransom, unless all other viable options have been exhausted.
Some businesses decide to pay the ransom because they are unable to restore their data manually. In other cases, it’s because the expense and time to achieve a technical solution far outweigh the cost of paying the ransom.
In 2016, a Los Angeles hospital made national headlines after officials admitted to paying a $17,000 ransom. The attack had effectively halted operations at the hospital, forcing it to declare an internal emergency and to divert some emergency patients to other facilities. The attack had such far-ranging effects on operations that officials decided the fastest resolution was to pay up.
This is a common scenario for many businesses that are ill-prepared for a ransomware virus attack, but organizations are still advised to avoid paying the ransom if possible. Paying the ransom only emboldens the attackers to target more businesses. Additionally, the FBI states, “By paying a ransom, an organization might inadvertently be funding other illicit activity associated with criminals.”
11) Does paying the ransom guarantee you’ll get your data back?
No. After paying the ransom, some victims have reported never receiving the decryption keys they were promised. In other cases, upon paying the amount requested, businesses were asked to pay even more. What’s more, victims who pay the ransom set themselves up to be targeted again. Some businesses that paid the ransom were attacked again at a later time.
12) What should you do in a ransomware attack?
When a ransomware attack has been identified, the best course of action is to shut everything down and notify authorities.
Here’s a step-by-step breakdown of what to do, as advised by the FBI:
- Immediately isolate the infected machine. Remove any attached drives and devices, and remove it from the network to prevent the ransomware virus from spreading to other computers.
- Shut down, or isolate, any other networked devices that have not yet been infected.
- Check the integrity of your backups to ensure they have not been infected. Take them offline or ensure they are not connected to the infected network.
- Contact your local FBI field office. Reporting the incident is important, but also, law enforcement may be able to provide assistance in retrieving your data. According to the FBI, “Law enforcement may be able to use legal authorities and tools that are unavailable to most organizations. Law enforcement can enlist the assistance of international law enforcement partners to locate the stolen or encrypted data or identify the perpetrator.”
- After removing the system from the network, change all account and network passwords.
- Delete registry values and files to stop the program from loading.
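Step three above, checking the integrity of your backups, as an added example that is not from the original article: a hash manifest recorded when the backup is taken is compared against the backup set later, so any file the ransomware reached (changed contents, missing, or renamed) is flagged before anyone restores from it. File names, contents and the `.locked` extension are constructed for the demo.

```python
# Added example (not from the original article): verify a backup set against a
# SHA-256 manifest recorded at backup time, so a backup that ransomware has
# reached is caught before it is restored. Sample files below are constructed.
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's relative path to its SHA-256; run this when the backup is taken."""
    return {str(p.relative_to(root)): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_backup(root: Path, manifest: dict) -> dict:
    """Compare the backup set as it is now against the manifest recorded earlier."""
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "unexpected": sorted(k for k in current if k not in manifest),
    }


def backup_is_clean(report: dict) -> bool:
    """A clean backup matches its manifest exactly; any drift means do not restore from it."""
    return not (report["modified"] or report["missing"] or report["unexpected"])


def demo() -> tuple:
    """Constructed scenario: back up three files, then two are overwritten and one renamed."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name in ("invoice.xlsx", "report.docx", "notes.txt"):
            (root / name).write_bytes(b"original contents of " + name.encode())
        manifest = build_manifest(root)
        before = verify_backup(root, manifest)
        # Simulate what ransomware leaves behind: contents replaced, one file renamed
        (root / "invoice.xlsx").write_bytes(b"\x00ciphertext")
        (root / "report.docx").write_bytes(b"\x00ciphertext")
        (root / "notes.txt").rename(root / "notes.txt.locked")
        after = verify_backup(root, manifest)
        return backup_is_clean(before), after
```

In practice the manifest must be stored somewhere the infected network cannot write to (offline media or a write-once location), otherwise it can be encrypted along with the backup it describes.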
13) What’s the best way to resolve an attack without paying a ransom?
Restoring a clean backup is the best—and often the only—way to recover your critical data after a ransomware attack. By having a reliable backup system in place, you can restore data without having to pay a ransom.
New backup solutions from Datto are designed to combat ransomware head-on. Datto’s products now have built-in ransomware detection that automatically identifies an infection and notifies administrators to roll back to a healthy backup right away.
14) How can you prevent a ransomware attack?
There are many sides to ransomware prevention, each of which should be thoroughly addressed within your business continuity planning. With proper planning, an organization can significantly minimize the risks of an infection and also ensure a rapid resolution if an attack does occur.
Here are some critical preventative steps and protocols to consider:
- Employee training: Remember that most ransomware attacks are typically the result of an innocent user inadvertently opening an infected file. By training all personnel on proper security cautions and protocols, you can significantly reduce the chances of an infection.
- Access controls: In the event that someone does open a malicious file, the attack can be contained to fewer files and folders if that user’s account has limited write access. Configure strict access controls and permissions across the organization so that write access is limited to only those who need it.
- Anti-virus & anti-malware: Be sure you’re using dependable software solutions to detect and eliminate malicious files. These solutions should be set to automatically scan and update regularly. You should also use firewalls to block access to known malicious IP addresses.
- Application whitelisting: Eliminate the ability for unknown applications to execute on system devices.
- Risk assessments and penetration tests: This should already be part of your cybersecurity business continuity planning. Assess the risks of ransomware to better understand how well your organization is protected. Use penetration tests to test that preparedness and determine if your safeguards are strong enough to stop an attack.
Protect Your Data
To learn more about data-backup solutions that can ensure business continuity in a ransomware attack and other disaster scenarios, contact the experts at Invenio IT. Learn more at www.invenioIT.com, call (646) 395-1170 or email us at [email protected].