Ransomware 101: A Complete Guide to Preventing & Removing an Infection
Ransomware has become a huge challenge for businesses—and a financial boon for the hackers who develop it. It’s a problem that isn’t going away anytime soon. But that doesn’t mean you can’t defend yourself.
With the right tools, any organization can dramatically reduce its risk of a ransomware infection and recover quickly from an attack.
What is it? Ransomware 101
Rule number one: Know your enemy. Before you can mount an effective ransomware defense, you need to know what you’re up against.
Here are the basics:
- Ransomware is a form of malware that holds your data ransom
- A typical infection locks you out of your files by encrypting them
- You can’t regain access without paying hackers for decryption keys
- Paying the ransom doesn’t guarantee you’ll get those keys
Infections are designed to spread across networks, bringing your business-critical operations to a standstill. In some cases, additional forms of malware are deployed for secondary purposes, such as data theft and cyberextortion.
How do infections happen?
The majority of ransomware attacks are delivered by email. They come in the form of spam and phishing emails, disguised as invoices, receipts and other legitimate-looking communications.
When an unsuspecting user opens the email attachment or clicks a bad link, the infection takes root.
More sophisticated ransomware strains don’t require user action at all. The 2017 WannaCry attack, for example, exploited vulnerabilities in unpatched versions of Windows. More than 200,000 computers were infected worldwide, because organizations hadn’t updated their systems. Nearly a year later, businesses were still being attacked by WannaCry. And in fact, WannaCry remains the 2nd most prevalent ransomware variant today, with more than 26% of IT providers saying their clients were infected with it in 2019.
How ransomware payments are made
In a successful attack, hackers ask their victims to make a payment via cryptocurrency, such as Bitcoin, in exchange for the decryption keys to unlock the data.
Using cryptocurrency enables the payments to remain anonymous and largely untraceable. This is partially what has allowed the ransomware market to thrive. However, governments are getting more aggressive in disrupting hackers’ access to their loot. In June 2021, the U.S. Department of Justice seized $2.3 million in cryptocurrency from the hacker group known as Darkside, which disrupted American fuel supplies with a ransomware attack on Colonial Pipeline.
Troubling ransomware statistics
Here are some of the most troubling stats we’ve seen in recent months:
- Ransomware has been exploding over the past several years. In 2020, attacks increased by 130%, according to research by The Beazley Group.
- Ransomware now represents 27% of all malware incidents.
- Every 11 seconds, on average, another company is attacked.
- The average ransom demand increased by 33% from 2019 to 2020. The average ransomware payment jumped to $111,605.
- In 2021, CNA Financial paid hackers $40 million (via their insurance company) – possibly the largest ransom payment in history.
- Recovery costs are skyrocketing. For FedEx, a victim of the 2017 NotPetya ransomware attack, the infection caused $300 million in losses.
- It’s not just shadowy cybercriminals who are behind ransomware these days, but powerful governments, like North Korea and Russia, which are suspected of launching some of the most high-profile attacks in recent years.
- Total losses from ransomware were on track to exceed $20 billion in 2021 and are estimated to exceed $265 billion by 2031, according to estimates from Cybersecurity Ventures.
Want to know the most frustrating thing about these attacks? They’re preventable! Ransomware can only infect your network if you let it in.
Here’s what we mean by that …
There’s no denying that ransomware is evolving. More sophisticated attacks like WannaCry and NotPetya took advantage of other vulnerabilities that had nothing to do with user error. These attacks demonstrate that hackers are finding new ways to get into your systems without requiring somebody to open a bad email.
But whether an infection exploits your network vulnerabilities or your employees’ lack of cybersecurity education, these attacks are still preventable. The vulnerabilities are fixable. As long as you’re patching your systems like normal, and training staff on what to look for, the attacks can be stopped.
How to prevent ransomware
Ransomware prevention needs to be a multipronged approach: training and technology. In other words, you need to focus on the human element as much as your infrastructure vulnerabilities.
Your preventative measures should include:
- Employee education: Ongoing training that informs staff of the dangers of ransomware, how to identify suspicious emails and what to do in an attack
- Spam filters & firewalls: A strong filtering system that prevents the majority of malware-laced emails from reaching inboxes in the first place
- Access controls: Tight restrictions on the folders and servers that users have access to, so that ransomware infections can’t spread as far
- System patches: Routine updates for software and operating systems, so that known vulnerabilities are resolved
- Application restrictions: Tight controls over which applications can be executed on machines, so that only whitelisted software can be launched
- Anti-malware software: Commercial-grade anti-malware programs that can detect and remove known ransomware strains
What to do in a ransomware attack
“Oops, your files have been encrypted!”
That message is usually the first sign that you’ve been infected by ransomware. By then, it’s usually too late to recover your infected files (see removal options below) – but you can take steps to prevent the infection from spreading:
- Isolate: As part of your ransomware education program, you should instruct users to shut down and/or remove their computer from the network at the first signs of an infection.
- Power down: Shut down any partially infected (or uninfected) servers and machines. This helps contain the spread and gives you more time to gauge the scope of the attack, so you can begin recovery.
- Delete new registry values and files: On the partially infected machines, scan for newly created (or modified) files and registry values that are linked to the ransomware. By deleting these, you may be able to stop the malicious program from fully executing.
- Identify the variant: The vast majority of ransomware variants are known and well documented. So their TTPs (tactics, techniques and procedures) may have already been dissected by security experts. If so, there could be tools available to break the encryption and restore some files.
- Find the entry point: Which machine was first to be infected? Identifying the initial access point can help to determine where and how far the ransomware spread across the network.
- Check for signs of stolen data: Hackers are increasingly stealing the data they encrypt as extra leverage for cyberextortion. Check network tools for signs of exfiltration, such as a large data transfer.
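The last step above, checking for an unusually large outbound transfer, is easy to turn into a repeatable check. The following is an added example, not code from the article or from Datto: it aggregates per-host outbound bytes from flow records and flags hosts whose volume on a given day is far above their own earlier baseline. The flow records, hosts, addresses and thresholds are constructed for the example.

```python
from collections import defaultdict
from statistics import mean

# Constructed sample flow records: (day, internal source host, external
# destination, bytes sent). Host 10.0.1.5 moves ~40 MB/day, then 3.1 GB.
SAMPLE_FLOWS = [
    ("2021-06-01", "10.0.1.5", "203.0.113.10", 40_000_000),
    ("2021-06-02", "10.0.1.5", "203.0.113.10", 45_000_000),
    ("2021-06-03", "10.0.1.5", "203.0.113.10", 42_000_000),
    ("2021-06-04", "10.0.1.5", "198.51.100.7", 3_100_000_000),
    ("2021-06-01", "10.0.1.9", "203.0.113.10", 500_000_000),
    ("2021-06-02", "10.0.1.9", "203.0.113.10", 520_000_000),
    ("2021-06-03", "10.0.1.9", "203.0.113.10", 480_000_000),
    ("2021-06-04", "10.0.1.9", "203.0.113.10", 510_000_000),
]


def daily_outbound(flows):
    """Sum bytes sent per host per day: {host: {day: bytes}}."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, src, _dst, nbytes in flows:
        totals[src][day] += nbytes
    return totals


def find_exfil_candidates(flows, target_day, ratio=5.0, min_bytes=1_000_000_000):
    """Return (host, bytes_today, baseline) for hosts whose outbound volume on
    target_day is at least `min_bytes` AND at least `ratio` times their mean
    daily volume on earlier days. A host with no earlier history is reported
    on the absolute threshold alone. Days are ISO strings, so `<` orders them."""
    totals = daily_outbound(flows)
    suspects = []
    for host, by_day in totals.items():
        today = by_day.get(target_day, 0)
        history = [v for d, v in by_day.items() if d < target_day]
        baseline = mean(history) if history else 0.0
        if today >= min_bytes and (not history or today >= ratio * baseline):
            suspects.append((host, today, baseline))
    return sorted(suspects)


if __name__ == "__main__":
    for host, today, base in find_exfil_candidates(SAMPLE_FLOWS, "2021-06-04"):
        print(f"{host}: {today} bytes out vs baseline {base:.0f}")
```

The per-host baseline matters: a file server that legitimately pushes hundreds of megabytes a day (10.0.1.9 above) is not flagged, while a workstation that suddenly sends gigabytes is.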
As for removing the ransomware, unfortunately you don’t have too many options. Decrypting the files is usually impossible without the keys, unless it’s a weak ransomware variant for which decryption tools exist online. And as we mentioned above, paying the ransom doesn’t guarantee you’ll get your files back.
But there’s one incredibly simple and effective method for ransomware removal: recovering a data backup.
Backing up your data is the single best way to ensure that ransomware doesn’t kill your business. In an attack, you can simply restore a clean backup from before the infection occurred. That removes the ransomware and gets you back to work. So, as long as you’re backing up frequently, and your backups are recoverable, you can greatly minimize the impact of an attack.
If restoring a backup isn’t an option, here are a few other ways to remove ransomware.
Don’t pay the ransom. Here’s why.
Paying your ransomware attackers can be tempting when other recovery challenges seem insurmountable. But if you can avoid paying the ransom, you should.
A recent survey by Datto showed that 15% of businesses never got their data back after shelling out the cash. Even more recently, a report highlighted by Forbes found that as much as 92% of businesses that pay their attackers don’t get anything in return. So there’s a strong chance you’ll simply be dumping money down the drain if you pay up.
Additionally, paying the ransom supports the ransomware industry. As long as businesses and individuals keep paying their attackers, ransomware will only get worse. Finally, by giving the cybercriminals the money they want, you may also be inadvertently funding other types of illegal activity.
But businesses are doing it anyway …
Small, medium and large businesses paid a total of $370 million in ransom in 2020, according to numbers highlighted by CNBC. That’s up from $301 million in 2017. This is why ransomware has become such a moneymaker for cybercriminals.
Here are some interesting figures on these payouts according to a 2020 Datto report:
- 15% of surveyed businesses were forced to pay the ransom
- $274,200 was the average cost of downtime caused by ransomware
- Downtime costs have increased 94% since 2019 (and 486% since 2018)
Fewer than 1 in 3 businesses reported the attack to the authorities. The FBI strongly encourages businesses to report every attack to law enforcement.
Who’s being targeted
Healthcare and finance/insurance have become two of the biggest targets. In Datto’s 2020 survey, 59% of IT providers said that healthcare organizations were the most susceptible to ransomware, followed by finance/insurance with 50%.
Within healthcare, hospital ransomware attacks have become particularly problematic. A sudden loss of data isn’t just costly for a healthcare facility – it also hurts patient care. During the height of the COVID-19 pandemic, attackers specifically targeted hospitals in an attempt to disrupt their operations even further and thus increase their odds of a payment. The situation got so bad that fall that the FBI warned of “imminent” attacks against the healthcare industry (though ultimately no such simultaneous attacks materialized).
Why are these industries being singled out? It’s not just the big payouts. Cybersecurity vulnerabilities in the healthcare sector are well documented. Reports show that computer systems are often unpatched, and staff are susceptible to social engineering, like phishing emails.
No OS is safe
Just because those industries are taking the brunt of ransomware attacks doesn’t mean attackers won’t come for you. And increasingly, it doesn’t matter what operating system you’re running.
Every major operating system can be infected with ransomware, including Windows, Apple OS X, Linux and Android. If your systems haven’t been patched, and a user inadvertently lets in an infection, that’s all it takes.
A survey of 1,000 managed-service providers (MSPs) asked the question: What systems have you seen infected by ransomware? Here were the results:
- Windows PCs: 91%
- Windows Server: 76%
- Windows Tablet: 8%
- Apple MacOS: 7%
- Android: 6%
- Apple iOS: 4%
While Windows remains the biggest target, given the high adoption rate, other operating systems are still at risk. A 2017 Linux ransomware infection surprised security researchers who at the time believed that such an attack wasn’t even possible.
Smarter ransomware defense
As a leader in data protection, Datto understands how dangerous ransomware can be to businesses. The company’s backup and disaster recovery (BDR) technologies are a smart choice for several reasons: hybrid backup storage (cloud and on-site), high backup frequency, backup integrity and instant virtualization options (each backup is a fully bootable virtual machine).
But Datto went a step further in 2016 by adding ransomware defense directly into its BDR appliances. Datto’s ransomware protection detects the earliest signs of a ransomware infection (for example, file content being rapidly overwritten by random data). The system then notifies administrators, instructing them to restore a clean backup.
Remember, in a ransomware attack, every second counts. Early detection such as this can greatly minimize a disruption by identifying the location of an infection and allowing administrators to take swift action.
Restoring data from a backup
Not all backup restore options will be successful after a ransomware attack. If data across a large network has been infected, it could take days or weeks to fully recover all lost data from a conventional backup system. In many cases, it may make sense to build a completely new environment and then migrate clean data over to the new systems.
This is another area where Datto’s solutions excel. Datto’s Rapid Rollback feature is a restore option designed specifically for incidents like ransomware. The tool identifies all unwanted changes between two recovery points, so that only the encrypted data needs to be restored, instead of the entire backup.
Additionally, Datto’s backup virtualization enables businesses to boot their backups as virtual machines. This provides near-instant access to protected machines, including files, software and operating systems.
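To make the two ideas above concrete (spotting files that were overwritten with random-looking data, and restoring only those files rather than the whole backup), here is an added example that is not Datto's code or the article's own. It compares two snapshots by the byte entropy of each file and rolls back only the flagged paths from the clean snapshot; the snapshots, file contents, paths and the 7.5-bit threshold are constructed for the example.

```python
import hashlib
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8.0 for random or encrypted data, much lower for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def find_encrypted_changes(clean: dict, current: dict, threshold: float = 7.5):
    """Return paths in `current` (path -> bytes) that differ from `clean` and
    whose new content looks random. Unchanged files are skipped; new files
    are judged on their content alone (typical of dropped encrypted copies)."""
    suspects = []
    for path, data in current.items():
        if clean.get(path) == data:
            continue  # byte-identical, nothing to do
        if shannon_entropy(data) >= threshold:
            suspects.append(path)
    return sorted(suspects)


def rapid_rollback(clean: dict, current: dict, suspects) -> dict:
    """Restore only the suspect paths from the clean snapshot, keeping every
    other current file (including legitimate edits). Flagged files that have
    no clean version are removed; a real tool would quarantine them instead."""
    restored = dict(current)
    for path in suspects:
        if path in clean:
            restored[path] = clean[path]
        else:
            del restored[path]
    return restored


# Constructed snapshots. The "encrypted" blob is deterministic pseudo-random
# bytes built from SHA-256 so the example runs the same way every time.
ENCRYPTED_BLOB = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
CLEAN = {
    "docs/report.txt": b"Quarterly report: revenue up 4 percent.\n" * 50,
    "docs/notes.txt": b"Meeting notes: patch servers on Friday.\n" * 50,
    "docs/budget.csv": b"item,cost\nlaptops,1200\nlicenses,300\n" * 50,
}
CURRENT = {
    "docs/report.txt": ENCRYPTED_BLOB,                       # overwritten in place
    "docs/notes.txt": CLEAN["docs/notes.txt"] + b"Done.\n",  # legitimate edit
    "docs/budget.csv": CLEAN["docs/budget.csv"],             # untouched
    "docs/budget.csv.locked": ENCRYPTED_BLOB[::-1],          # new encrypted copy
}
```

Entropy alone is a coarse signal: compressed archives, images and already-encrypted files are also high-entropy, so a production detector pairs it with rate of change, file-type checks and renames, which is why the threshold here is only applied to files that actually changed.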
Negotiating a ransom
While the Feds urge businesses not to pay a ransom, they are mindful that some organizations have few other options. In its documentation on Ransomware Prevention and Response for CISOs, the FBI states:
“USG does not encourage paying a ransom to criminal actors. However, after systems have been compromised, whether to pay a ransom is a serious decision, requiring the evaluation of all options to protect shareholders, employees, and customers.”
In other words, if it means the business will not survive without its data, then paying the ransom may be the last resort.
If you must pay, however, security experts recommend negotiating with the attackers. This can help to lower the ransom demand or take other threats off the table, such as the public release of stolen data. Today’s cyber-insurance firms typically partner with experienced negotiators and attorneys who can handle the negotiation on your behalf.
A few important tips:
- If the attackers claim to have stolen data, ask for proof. Ask for a sample of the data or even a directory structure.
- As with all ransomware attacks, there are no guarantees. You could spend days negotiating, then finally make the payment agreed upon but never get your data back.
- Keep in mind that paying a ransom could violate federal law if the payments go to known U.S. adversaries, such as terrorist groups or nations that are sanctioned by the U.S. So that’s an additional risk to consider.
Is your organization prepared for a ransomware attack? Use this checklist to see if you’ve eliminated the most common vulnerabilities.
- Have you trained employees how to identify spam and phishing attacks? Do they know how to handle such messages?
- Are applications, operating systems and devices patched and up to date? Have all updates been applied?
- Have you applied the rule of least privilege to your file access? Do employees only have access to the folders they need?
- Do you have backups? How often are backups performed? How quickly can they be restored?
- Are filters and firewalls working properly? Many threats can be prevented at the perimeter with strong network firewalls, as well as additional spam and IP filtering.
- Have you configured application whitelisting? This can help prevent ransomware executables from loading in the first place and ensures that only whitelisted applications can be executed.
Ransomware is a dangerous form of malware designed to encrypt your data and disrupt your operations. The threat is not expected to go away anytime soon. Businesses that do not take proactive measures to prevent an attack are at great risk of becoming a victim. In a successful attack, restoring data from a backup is typically the fastest and most dependable way to remove the infection. This is why it’s critical for businesses to have a robust data backup system in place, in addition to other preventative measures.
For more information on how your company can defend against ransomware and other data threats, contact our business continuity experts at Invenio IT. Call us at (646) 395-1170, email success@invenioIT.com or request a free Datto demo today.