Ransomware 101: A Complete Guide to Preventing & Removing an Infection
Ransomware has become a huge challenge for businesses—and a financial boon for the hackers who develop it. It’s a problem that isn’t going away anytime soon. But that doesn’t mean you can’t defend yourself.
With the right tools, any organization can dramatically reduce its risk of a ransomware infection and recover quickly from an attack.
What is it? Ransomware 101
Rule number one: Know your enemy. Before you can mount an effective ransomware defense, you need to know what you’re up against.
Here are the basics:
- Ransomware is a form of malware that holds your data ransom
- A typical infection locks you out of your files by encrypting them
- You can’t regain access without paying hackers for decryption keys
- Paying the ransom doesn’t guarantee you’ll get those keys
Infections are designed to spread across networks, bringing your business-critical operations to a standstill.
How do infections happen?
The majority of ransomware attacks are delivered by email. They come in the form of spam and phishing emails, disguised as invoices, receipts and other legitimate-looking communications.
When an unsuspecting user opens the email attachment or clicks a bad link, the infection takes root.
More sophisticated ransomware strains don’t require user action at all. The 2017 WannaCry attack, for example, exploited vulnerabilities in unpatched versions of Windows. More than 200,000 computers were infected worldwide, because organizations hadn’t updated their systems. Nearly a year later, businesses were still being attacked by WannaCry.
Troubling ransomware statistics
Here are some of the most troubling stats we’ve seen in recent months:
- Ransomware exploded in 2017. There were 4x as many ransomware variants as there were in 2016.
- 15% of businesses in the top 10 industries were hit by ransomware.
- Every 40 seconds, another company is attacked.
- The average ransom demand tripled over just two years. In 2017, a Web hosting company in South Korea paid their attackers roughly $1 million!
- Recovery costs are skyrocketing. After a recent attack on the city of Atlanta, the city spent more than $2.6 million on recovery costs alone. (The ransom demand was $52,000.)
- It’s not just shadowy cybercriminals who are behind ransomware these days, but powerful governments, like North Korea, which was suspected of launching the WannaCry attack.
Want to know the most frustrating thing about these attacks? They’re preventable! Ransomware can only infect your network if you let it in.
Here’s what we mean by that …
There’s no denying that ransomware is evolving. More sophisticated attacks like WannaCry and NotPetya took advantage of other vulnerabilities that had nothing to do with user error. These attacks demonstrate that hackers are finding new ways to get into your systems without requiring somebody to open a bad email.
But whether an infection exploits your network vulnerabilities or your employees’ lack of cybersecurity education, these attacks are still preventable. The vulnerabilities are fixable. As long as you’re patching your systems like normal, and training staff on what to look for, the attacks can be stopped.
How to prevent ransomware
Ransomware prevention needs to be a multipronged approach: training and technology. In other words, you need to focus on the human element as much as your infrastructure vulnerabilities.
Your preventative measures should include:
- Employee education: Ongoing training that informs staff of the dangers of ransomware, how to identify suspicious emails and what to do in an attack
- Spam filters & firewalls: A strong filtering system that prevents the majority of malware-laced emails from reaching inboxes in the first place
- Access controls: Tight restrictions on the folders and servers that users have access to, so that ransomware infections can’t spread as far
- System patches: Routine updates for software and operating systems, so that known vulnerabilities are resolved
- Application restrictions: Tight controls over which applications can be executed on machines, so that only whitelisted software can be launched
- Anti-malware software: Commercial-grade anti-malware programs that can detect and remove known ransomware strains
What to do immediately
“Oops, your files have been encrypted!”
That message is usually the first sign that you’ve been infected by ransomware. By then, it’s usually too late to recover your infected files (see removal options below) – but you can take steps to prevent the infection from spreading:
- Isolate: As part of your ransomware education program, you should instruct users to shut down and/or remove their computer from the network at the first signs of an infection.
- Power down: Shut down any partially infected (or uninfected) servers and machines. This helps contain the spread and gives you more time to gauge the scope of the attack, so you can begin recovery.
- Delete new registry values and files: On the partially infected machines, scan for newly created (or modified) registry values that are linked to the ransomware. By deleting these, you may be able to stop the malicious program from fully executing.
As for removing the ransomware, unfortunately you don’t have too many options. Decrypting the files is virtually impossible without the keys. And as we mentioned above, paying the ransom doesn’t guarantee you’ll get your files back.
But there’s one incredibly simple and effective method for ransomware removal: restoring from a data backup.
Backing up your data is the single best way to ensure that ransomware doesn’t kill your business. In an attack, you can simply restore a clean backup from before the infection occurred. That removes the ransomware and gets you back to work. So, as long as you’re backing up frequently, and your backups are recoverable, you can greatly minimize the impact of an attack.
If restoring a backup isn’t an option, here are a few other ways to remove ransomware.
Don’t pay the ransom. Here’s why.
Paying your ransomware attackers can be tempting when other recovery challenges seem insurmountable. But if you can avoid paying the ransom, you should.
A recent survey by Datto showed that 15% of businesses never got their data back after shelling out the cash. So there’s a strong chance you’ll simply be dumping money down the drain.
Additionally, paying the ransom supports the ransomware industry. As long as businesses and individuals keep paying their attackers, ransomware will only get worse. Finally, by giving the cybercriminals the money they want, you may also be inadvertently funding other types of illegal activity.
But businesses are doing it anyway …
Small to medium-sized businesses paid $301 million in ransom between Q2 2016 and Q2 2017, according to a report by Datto. This is why ransomware has become such a moneymaker for cybercriminals.
Here are some interesting figures on these payouts:
- 35% of surveyed businesses paid the ransom
- $500-$2,000 was the most common ransom demand
- 1% of businesses were asked to pay $20,000+
Fewer than 1 in 3 businesses reported the attack to the authorities. The FBI strongly encourages businesses to report every attack to law enforcement.
Who’s being targeted
Healthcare and manufacturing have become two of the biggest targets. Together, they represented 76% of commercial attacks in 2016-2017, according to Datto’s research. Within healthcare, hospital ransomware attacks have become particularly problematic. A sudden loss of data isn’t just costly for a healthcare facility – it also hurts patient care.
Why are these industries being singled out? It’s not just the big payouts. Cybersecurity vulnerabilities in the healthcare sector are well documented. Reports show that computer systems are often unpatched, and staff are susceptible to social engineering, like phishing emails.
No OS is safe
Just because those industries are taking the brunt of ransomware attacks doesn’t mean attackers won’t come for you. And increasingly, it doesn’t matter what operating systems you’re running.
Every major operating system can be infected with ransomware, including Windows, Apple OS X, Linux and Android. If your systems haven’t been patched, and a user inadvertently lets in an infection, that’s all it takes.
A survey of 1,700 managed-service providers (MSPs) asked the question: What systems have you seen infected by ransomware? Here were the results:
- Windows: 100%
- OS X: 3%
- Linux: 3%
- Android: 3%
Remember the $1 million ransom payout we mentioned above? That was the result of a Linux ransomware infection, which many believed wasn’t even possible until that attack.
Smarter ransomware defense
As a leader in data protection, Datto understands how dangerous ransomware can be to businesses. The company’s backup and disaster recovery (BDR) technologies are a smart choice for several reasons: hybrid backup storage (cloud and on-site), high backup frequency, backup integrity and instant virtualization options (each backup is a fully bootable virtual machine).
But Datto went a step further in 2016 by adding ransomware defense directly into its BDR appliances. Datto’s ransomware protection detects the earliest signs of a ransomware infection (for example, file content being rapidly overwritten by random data). The system then notifies administrators, instructing them to restore a clean backup.
Remember, in a ransomware attack, every second counts. Early detection such as this can greatly minimize a disruption by identifying the location of an infection and allowing administrators to take swift action.
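The early-warning signal described above (existing, low-entropy files being rapidly replaced by random-looking data) can be illustrated with a small detector. The following is an added example written for this guide; it is not Datto’s product code, and the window size, entropy thresholds, file names and write events are all constructed for the demonstration. It measures the Shannon entropy of each file’s content before and after a write, and alerts only when several low-to-high entropy overwrites land inside a short sliding window, so a lone compressed or image file being saved does not trip it.

```python
"""Rapid-overwrite detector: added example, not Datto's own code.

Ransomware replaces readable documents with ciphertext, which looks like random
bytes (entropy near 8 bits/byte). Ordinary edits keep entropy low; a single
high-entropy save (a .zip, a .jpg) is normal; many such overwrites of existing
files within seconds are the signature this example looks for.
"""
import hashlib
import math
from collections import Counter, deque
from dataclasses import dataclass
from typing import Deque, List, Optional


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: ~4.3 for English text, ~8.0 for ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


@dataclass
class WriteEvent:
    ts: float      # seconds since monitoring started (constructed timeline)
    path: str      # hypothetical file path
    before: bytes  # file content before the write
    after: bytes   # file content after the write


class OverwriteDetector:
    """Alert when >= alert_after low->high entropy overwrites occur within window_s."""

    def __init__(self, window_s: float = 10.0, high_entropy: float = 7.0,
                 min_jump: float = 2.5, alert_after: int = 5) -> None:
        self.window_s = window_s          # sliding window length (assumed value)
        self.high_entropy = high_entropy  # "looks encrypted" threshold (assumed)
        self.min_jump = min_jump          # required rise over the previous content
        self.alert_after = alert_after    # overwrites needed inside one window
        self.suspicious: Deque[WriteEvent] = deque()

    def is_suspicious(self, ev: WriteEvent) -> bool:
        """True when readable content was replaced by near-random bytes."""
        before_h = shannon_entropy(ev.before)
        after_h = shannon_entropy(ev.after)
        return after_h >= self.high_entropy and (after_h - before_h) >= self.min_jump

    def observe(self, ev: WriteEvent) -> Optional[str]:
        """Feed one write event; return an alert string once the threshold is crossed."""
        # Drop suspicious events that have aged out of the sliding window.
        while self.suspicious and ev.ts - self.suspicious[0].ts > self.window_s:
            self.suspicious.popleft()
        if not self.is_suspicious(ev):
            return None
        self.suspicious.append(ev)
        if len(self.suspicious) >= self.alert_after:
            paths = sorted({e.path for e in self.suspicious})
            return (f"ALERT t={ev.ts:.1f}s: {len(self.suspicious)} low->high entropy "
                    f"overwrites within {self.window_s:.0f}s, e.g. {paths[:3]}")
        return None


def pseudo_random(size: int, seed: str) -> bytes:
    """Deterministic stand-in for ciphertext (constructed so the demo is reproducible)."""
    out = bytearray()
    counter = 0
    while len(out) < size:
        out += hashlib.sha256(f"{seed}:{counter}".encode()).digest()
        counter += 1
    return bytes(out[:size])


# Constructed "document" content: plain English text, so its entropy is low.
DOC_TEXT = b"Quarterly invoice for services rendered. Payment due within 30 days. " * 60


def run_demo() -> List[str]:
    """Replay three constructed scenarios and return every alert raised."""
    det = OverwriteDetector()
    alerts: List[str] = []

    def feed(ev: WriteEvent) -> None:
        alert = det.observe(ev)
        if alert:
            alerts.append(alert)

    # Scenario 1: a user edits and saves a document; entropy stays low -> ignored.
    feed(WriteEvent(0.0, "docs/invoice.txt", DOC_TEXT, DOC_TEXT.replace(b"30 days", b"45 days")))
    # Scenario 2: one archive saved over an old text export; high entropy but alone -> no alert.
    feed(WriteEvent(5.0, "exports/report.zip", DOC_TEXT, pseudo_random(4096, "zip")))
    # Scenario 3: eight documents replaced by ciphertext-like bytes within 4 seconds -> alerts.
    for i in range(8):
        feed(WriteEvent(20.0 + 0.5 * i, f"docs/file{i}.docx", DOC_TEXT, pseudo_random(4096, f"enc{i}")))
    return alerts


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

In the replayed timeline the first alert fires at the fifth overwrite (t=22.0s) and repeats for each further overwrite inside the window, while the single archive save at t=5.0s has aged out of the window by then. A production monitor would feed real file-system events into `observe()` and hand the alert to the backup/restore workflow the section above describes; the thresholds here are starting points to tune against your own workload, not measured values.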
For more information on how your company can defend against ransomware and other data threats, contact our business continuity experts at Invenio IT. Call us at (646) 395-1170, email success@invenioIT.com or request a free Datto demo today.