In ransomware fight, updated system, offline backups critical: Here are 10 things to do in an attack
Thursday, December 1, 2016
Posted by: Brian Monroe
Ransomware, previously a relatively minor threat in the cybercrime landscape, has become a high-profile problem in recent years.
Opportunistic organized crime groups, and even lower-level foreign players, have been able to lock up the systems of large companies, healthcare firms, hospitals, law firms and even the very law enforcement officials charged with investigating these types of crimes.
At its heart, ransomware is a type of malicious software that encrypts users' files or blocks access to their computer systems until the victim pays the criminal a fee to release them, typically in a difficult-to-trace virtual currency such as Bitcoin.
This type of exploitation scheme takes advantage of both inherent human weaknesses and more arcane technical vulnerabilities, such as an unpatched operating system, an out-of-date antivirus program or a misconfigured firewall.
In May 2016, the FBI reported that ransomware infections caused more than $1.6 million in losses in 2015 for individuals and businesses of all sizes, according to the American Bankers Association.
That’s why the Association of Certified Financial Crime Specialists (ACFCS) has put together this quick rundown of things you can do before, during and after a ransomware attack to help survive and get your data back, without paying a bogus fee and supporting a criminal network.
1. Use firewalls and antivirus programs – and please keep them up to date: In some instances, hackers exploit unpatched security vulnerabilities or configuration weaknesses to get inside a system and hold it for ransom, particularly if they can't find financial or bank account details to steal. Some people even forget to turn on the built-in Windows firewall or put off updating antivirus software, which is inviting disaster.
2. Don’t click on what you don’t know – the email fail whale: Most people know they have to be wary of a strange email telling them to update their bank password. But criminals are increasingly creative. That email can look like it came from your IT person, from Microsoft or from some other official-sounding source. Look at the actual sender address behind the display name (right-click or hover on the sender, or view the message headers) and make sure the domain is exactly your company’s or Microsoft’s, not a look-alike such as a misspelling or the real name with an extra word tacked on. If you are unsure, contact your IT specialist separately and ask whether it came from him or her. Most likely, it didn’t. Avoid enabling macros in email attachments. If a user opens the attachment and enables macros, the embedded code runs and installs the malware on the machine.
3. Don’t click on what you don’t know, part 2 – browsing for a bruising: If you are doing normal things on the Internet, you shouldn’t get something that urges you to “immediately” update your Chrome browser or, just as urgently, update Adobe Reader or some other program. Just close the window. Get updates only from the program itself or the vendor’s own site, and scan every executable file downloaded from the Internet before installing it on your computer. If a pop-up box asks whether you want to install software you weren’t trying to install, click no. You also shouldn’t get a page telling you that your bank account, Facebook and Instagram accounts have been compromised and that you need to call a “Microsoft” engineer, conveniently at a number printed right on the page that won’t go away. That is a tech-support scam, not Microsoft.
4. Make sure you can move forward – by backing up: Use a third-party service or, better yet, back up your system and important files and programs to an external hard drive that is not connected to any of your networks. Disconnect the drive once the backup finishes: ransomware encrypts any drive or network share it can reach, and a backup drive left plugged in gets locked up along with everything else. Test your backups regularly, not just by checking that they are current but by actually restoring files from them. Do it monthly, or at least every few months.
5. During an attack fight back – by unplugging: If you do get attacked, disconnect the machine from the Internet and your network first (pull the network cable or turn off Wi-Fi), then unplug it from power. If the group is able to reach your computer, cutting its connection makes it harder for them to pull more data from your system or spread to other machines and shared drives. If you see a ransom note that you can’t click away and your system is totally unresponsive, unplug as quickly as possible, then wipe the machine and restore it from a backup. Before wiping, write down the text of the ransom note and the extension added to the encrypted files: that is what identifies the variant (see points 6 and 10).
6. Know thine enemy – but do it from a clean system: If you want to find out what type of ransomware is attacking you, don’t use the infected computer or others on the same network, since you risk spreading the infection to other systems. Use a clean computer on another network and look up what others have done to break the encryption or clean their systems, and what solutions are available.
7. Don’t pay – or you will end up paying more: In ransomware attacks, even when the victim pays, the attackers may not hand over a working key, may keep some or all of the systems hostage, or may attack again later and start the cycle again. Try to remember, as official and polished as these criminals may make their “tech support” site look, they are still criminals and just want your money.
8. Don’t give attackers permission, by restricting permissions: Configure your systems so that only specific individuals, with the rights, privileges and passwords their jobs require, can access or change the more critical parts of a computer or network. That limits ordinary users’ ability to install and run unwanted software, which can stop malware from running at all, or from spreading from one computer to others. The mantra is least privilege: every user and program gets the minimum access it needs to do its job, and nothing more.
9. They found flaws in your system – now look for flaws in theirs: If you didn’t back up your system, there may still be options to unlock and recover your data. Some variants of ransomware, though seemingly ironclad and airtight, have flaws in the way they implement their encryption: a key or keystream reused across files, a key left behind on the disk, or a weak random number generator, any of which can let researchers build a decryption tool.
10. As a last resort, bring in the big guns – and say no to paying that ransom: No More Ransom!, a collaboration between Intel Security, Kaspersky Lab, Europol and the Dutch National Police, maintains a collection of free decryption tools for ransomware families whose encryption researchers have broken. The site is www.nomoreransom.org. Identify your variant first (the site can do this from a sample encrypted file and the ransom note) and check back over time, since tools for newer families are added as they are cracked.
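Item 2 above tells you to check where an email really came from rather than trusting the name it shows. As an added illustration that is not part of the original article, the Python below parses the From: header of a few constructed messages, ignores the display name, and flags sender domains that merely resemble a trusted one (a typo-squat such as rnicrosoft.com, or a domain that contains the real name such as microsoft-support.com). The trusted domains, the threshold of two edits, and the sample messages are all assumptions made for the example.

```python
import email
from email.utils import parseaddr

# Assumption for this example: the organisation's own domain and one vendor
# that legitimately emails its users. Subdomains of these count as trusted.
TRUSTED_DOMAINS = {"example.com", "microsoft.com"}
MAX_EDITS = 2  # assumed threshold: domains this close to a trusted one are look-alikes

# Constructed sample messages (headers only; not real mail).
SAMPLES = [
    "From: IT Helpdesk <helpdesk@example.com>\nSubject: Password reset\n\nbody",
    "From: Microsoft Support <support@rnicrosoft.com>\nSubject: Update now\n\nbody",
    "From: alerts@microsoft-support.com\nSubject: Account locked\n\nbody",
    "From: Brian Monroe <brian@evil-mail.test>\nSubject: Invoice attached\n\nbody",
]


def sender_domain(from_header):
    """Domain of the real address in a From: header; the display name is ignored.
    'Microsoft Support <x@evil.test>' yields 'evil.test', not 'microsoft'."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower()


def edit_distance(a, b):
    """Levenshtein distance. rnicrosoft.com is 2 edits from microsoft.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def classify_sender(raw_message):
    """Return (verdict, domain) for one RFC 822 message.

    'trusted'   exact trusted domain or a subdomain of one
    'lookalike' not trusted, but contains a trusted name or is within
                MAX_EDITS of a trusted domain (typo-squat)
    'unknown'   anything else; treat like any stranger's mail
    """
    msg = email.message_from_string(raw_message)
    domain = sender_domain(msg.get("From", ""))
    if not domain:
        return "unknown", domain
    for trusted in TRUSTED_DOMAINS:
        if domain == trusted or domain.endswith("." + trusted):
            return "trusted", domain
    for trusted in TRUSTED_DOMAINS:
        name = trusted.split(".")[0]
        if name in domain or edit_distance(domain, trusted) <= MAX_EDITS:
            return "lookalike", domain
    return "unknown", domain


def triage(messages=SAMPLES):
    """Classify every message; anything not 'trusted' goes to IT for a second look."""
    return [classify_sender(m) for m in messages]


if __name__ == "__main__":
    for verdict, domain in triage():
        print(f"{verdict:9s} {domain}")
```

This catches look-alike domains only. An attacker who forges the exact trusted domain in the From: header is caught only by the mail server's SPF, DKIM and DMARC checks, so the rule in item 2 still stands: when unsure, ask IT through a channel other than the suspicious email.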
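Item 9 above says some ransomware is undone by flaws in how it implements its encryption. The Python below is an added, constructed illustration of one such class of flaw and is not the scheme of any real ransomware family: a toy "ransomware" that encrypts every file with the same keystream because it reuses one fixed nonce for every file. If the victim still holds a clean copy of any one encrypted file, XORing that copy with its ciphertext yields the keystream, which then unlocks every other file up to that length. The file names, their contents and the hash-based keystream are all made up for the example; the last function shows why a fresh nonce per file closes the hole.

```python
import hashlib
import os


def keystream(key, nonce, length):
    """Toy CTR-style keystream: SHA-256(key || nonce || counter) blocks.
    Stands in for a stream cipher; not a real cipher, and not any real
    ransomware's construction."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


FIXED_NONCE = bytes(8)  # the flaw: one nonce reused for every file => one keystream


def flawed_encrypt(key, plaintext):
    """How the toy ransomware locks a file. Every file gets the same keystream."""
    return xor(plaintext, keystream(key, FIXED_NONCE, len(plaintext)))


def recover_keystream(known_plaintext, its_ciphertext):
    """ciphertext = plaintext XOR keystream, so plaintext XOR ciphertext = keystream."""
    return xor(known_plaintext, its_ciphertext)


def decrypt_with_keystream(ks, ciphertext):
    """Returns (recovered bytes, True if the whole file was recovered).
    Only as many bytes as the known file was long can be unlocked."""
    n = min(len(ks), len(ciphertext))
    return xor(ciphertext[:n], ks[:n]), n == len(ciphertext)


# Constructed victim files; contents are made up for the example.
FILES = {
    "report.pdf": b"%PDF-1.4 constructed sample document body " * 3,   # 126 bytes
    "ledger.csv": b"date,account,amount\n2016-11-30,1234,99.50\n",
    "notes.txt": b"call the bank about the wire\n",
    "archive.zip": b"PK\x03\x04" + b"x" * 200,                         # longer than report.pdf
}


def simulate_recovery():
    """Encrypt FILES with the flawed scheme, then recover using one clean copy.
    The attacker's key is random and never seen by the victim."""
    key = os.urandom(32)
    encrypted = {name: flawed_encrypt(key, data) for name, data in FILES.items()}
    # The victim still has report.pdf as it was emailed out last week.
    ks = recover_keystream(FILES["report.pdf"], encrypted["report.pdf"])
    return {name: decrypt_with_keystream(ks, ct) for name, ct in encrypted.items()}


def per_file_nonce_defeats_reuse():
    """Same attack against a version that draws a fresh nonce per file: it fails."""
    key = os.urandom(32)

    def fixed_encrypt(plaintext):
        nonce = os.urandom(8)
        return nonce, xor(plaintext, keystream(key, nonce, len(plaintext)))

    _, ct_known = fixed_encrypt(FILES["report.pdf"])
    _, ct_other = fixed_encrypt(FILES["notes.txt"])
    ks = recover_keystream(FILES["report.pdf"], ct_known)
    recovered, _ = decrypt_with_keystream(ks, ct_other)
    return recovered != FILES["notes.txt"]


if __name__ == "__main__":
    for name, (data, complete) in simulate_recovery().items():
        status = "fully recovered" if complete else f"only first {len(data)} bytes"
        print(f"{name:12s} {status}")
    print("per-file nonce blocks the attack:", per_file_nonce_defeats_reuse())
```

The recovery never touches the attacker's key; it only needs ciphertext and one matching plaintext, which is why an old email attachment, a cached download or a file on a USB stick can be worth more than it looks. The archive.zip case shows the limit: files longer than the known one are only partly recovered, so the longest clean file you can find is the most useful one.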
Acknowledgements and further resources: