What does ransomware mean?
In simple terms, “ransomware” means trouble. More specifically, it is a form of malware that tricks or forces its victims into paying a fee (the ransom) to regain access either to their computers or to their data. It is possibly the most hated form of malware in existence, and if you fail to pay sufficient attention to prevention and protection, it can do serious damage to your business. Here is what you need to know about it.
There are numerous different forms of ransomware in the wild
Although ransomware only became widespread relatively recently, its rapid growth means that there are a lot of different strains of it, and the established strains are continually updated to make them harder to combat.
At present, there are three main forms of ransomware: scareware, lockware (screen lockers), and encryption ransomware. The first two are most prevalent in the consumer world; the last is most prevalent in the business world.
Scareware, as its name suggests, is pure trickery: it claims your machine is infected or locked but does nothing to your files, and it can usually be removed with minimal hassle. Lockware can be a bit more of a challenge, but it can generally be sent on its way by anyone who knows how to boot Windows into Safe Mode with Command Prompt and run System Restore to a restore point from before the infection, followed by a full anti-malware scan to confirm the locker is really gone.
Encryption ransomware, however, is a different matter entirely. Not only do you need to find and remove the malware itself, you also need to deal with the fact that you have lost access to what might be extremely valuable data. If that data includes personal data, you could be in even more trouble, since it is covered by data-protection laws. Malware that could read and encrypt your files could also have copied them first, so unless the data was stored in a form the malware could not read, you must add the possibility of data theft to your list of concerns.
Decryption tools exist but are not guaranteed to work
Victims of encryption ransomware generally receive a ransom note containing payment instructions; the attacker will usually also offer to decrypt one or two sample files for free to prove that they hold the key. More sophisticated strains also rename the encrypted files or scramble their names and extensions, which makes it harder to tell which files were hit and which strain is responsible.
There are ransomware identification services, such as ID Ransomware and the No More Ransom project, which analyze the ransom note and a sample encrypted file (its name, extension and the markers the malware writes into it) to determine which strain could have been used. The victim can then check whether a decryption tool exists for that specific strain. Free decryptors exist only where researchers or law enforcement have obtained the keys, or where the malware's cryptography was implemented badly, so a match does not guarantee recovery.
The problem is that ransomware is so lucrative that its authors have the means, motive, and opportunity to keep developing it so that it stays at least one step ahead of the tools intended to fight it. In other words, as soon as word gets out that someone has released an effective decryptor for one strain, its creators will fix the flaw that made decryption possible or release an entirely new strain.
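How an identification service weighs the evidence it is given, as an added example (not Xcitium code, and not the engine of any real service). It scores each known strain against three signals: the ransom note's filename, the extension appended to the encrypted files, and wording in the note. The SIGNATURES table is a deliberately tiny illustrative subset built from widely published indicators for two families; the sample note text and filenames in the demo are constructed.

```python
"""Match a ransom note and sample encrypted filenames against strain indicators.

Added example, not Xcitium code and not the engine of any real identification
service. SIGNATURES is a deliberately tiny illustrative table built from widely
published indicators for two families; real tools keep hundreds of entries,
hash the note and inspect encrypted-file headers as well.
"""
from pathlib import PurePath

SIGNATURES = {
    "WannaCry": {
        "note_names": {"@please_read_me@.txt"},
        "extensions": {".wncry", ".wncryt", ".wcry"},
        "keywords": {"wannacry", "wanacrypt0r", "wana decrypt0r"},
    },
    "Locky": {
        "note_names": {"_locky_recover_instructions.txt", "_help_instructions.html"},
        "extensions": {".locky", ".zepto", ".odin"},
        "keywords": {"locky"},
    },
}

# Evidence weights: the note filename is the strongest single signal, a
# recognised extension is strong, note wording is weak because families
# routinely copy each other's text.
NOTE_NAME, EXTENSION, KEYWORD = 3, 2, 1


def appended_extension(filename: str) -> str:
    """Return the last suffix, lowercased ("budget.xlsx.WNCRY" -> ".wncry")."""
    return PurePath(filename).suffix.lower()


def score_strains(note_name: str, note_text: str, sample_files) -> dict:
    """Score every known strain against the three evidence sources."""
    note_name = note_name.lower()
    text = note_text.lower()
    seen_exts = {appended_extension(f) for f in sample_files}
    scores = {}
    for strain, sig in SIGNATURES.items():
        s = 0
        if note_name in sig["note_names"]:
            s += NOTE_NAME
        s += EXTENSION * len(seen_exts & sig["extensions"])
        s += KEYWORD * sum(1 for k in sig["keywords"] if k in text)
        if s:
            scores[strain] = s
    return scores


def identify(note_name: str, note_text: str, sample_files) -> dict:
    """Rank candidates and say how much confidence the evidence supports."""
    scores = score_strains(note_name, note_text, sample_files)
    ranked = sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))
    if not ranked:
        return {"status": "unknown", "candidates": []}
    top = ranked[0][1]
    runner_up = ranked[1][1] if len(ranked) > 1 else 0
    # Require a strong signal AND a clear margin; otherwise report that the
    # evidence conflicts instead of guessing, so the analyst does not run the
    # wrong decryptor against the files.
    status = "identified" if top >= NOTE_NAME and top - runner_up >= 2 else "ambiguous"
    return {"status": status, "candidates": ranked}


if __name__ == "__main__":
    # Constructed inputs: note filename, note wording and two sample filenames.
    print(identify("@Please_Read_Me@.txt",
                   "Ooops, your important files are encrypted.",
                   ["budget.xlsx.WNCRY", "photo.jpg.WNCRY"]))
    print(identify("_Locky_recover_instructions.txt", "pay in bitcoin",
                   ["budget.xlsx.WNCRY"]))
    print(identify("README.txt", "send bitcoin", ["a.doc.xyz"]))
```

The margin rule is the part worth copying: a note filename from one family next to an extension from another (the second call above) is reported as ambiguous rather than resolved by the higher score, because running the wrong decryptor against encrypted files can corrupt them further.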
Prevention and protection are your only sure defenses
You need to be realistic: you are at risk of a ransomware attack no matter how good your security processes are, because humans make mistakes and signature-based security products only reliably catch known threats. They may not recognize a brand-new strain of malware until its signature has been published.
That said, you certainly want to do everything you can to minimize the likelihood of a successful attack, so combine robust security software (an anti-malware product, email scanner, and firewall) with proper security hygiene: promptly updating operating systems and applications, not doing routine work from accounts with administrator rights, sensible processes, and effective user education. In short, make yourself as hard a target as possible.
Notwithstanding this, you also need an effective approach to data backup, as this is your last line of defense against having to write off your files (or ignoring all advice and paying the ransom, which encourages further attacks and does not even guarantee a working decryptor).
There are two key points to note here. First, it is dangerous to rely purely on local backups. These are fine for recovering from mishaps such as changes that have unforeseen consequences, but if your production system is attacked, your local backup may be compromised too: ransomware routinely encrypts anything the infected machine can write to, including mapped network drives and attached backup disks, and many strains delete Volume Shadow Copies before they start. You therefore need an offsite backup, ideally one the infected machine cannot reach or overwrite.
Secondly, part of the reason why local backups are vulnerable is that an automated backup job will happily copy freshly encrypted files into the backup set, overwriting the good versions if the backup keeps no version history, and thus defeating the point of having it. This is often called the “ricochet” effect. Keep multiple versions with a retention period, and treat a sudden wave of changed files as a reason to pause the backup and investigate rather than to run it.
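A backup job that defends against the ricochet effect described above, as an added example (not Xcitium code). It keeps every earlier version instead of overwriting it, and before copying it checks how many of the changed files have flipped from ordinary content to near-random bytes, which is what in-place encryption looks like; if most of a run's changes look like that, the run is blocked for human review. Because this is behaviour-based it does not depend on knowing the strain, which also addresses the "brand-new strain" problem above. The directory layout, thresholds and the clean-then-encrypted scenario in demo() are assumptions made for this example; the sample files are constructed.

```python
"""Versioned backup ingestion with a 'ricochet' guard.

Added example, not Xcitium code. Assumes a flat source directory and a backup
layout of <backup>/<original filename>/<version number>; older versions are
never overwritten, and a run that would ingest mostly freshly-encrypted files
is blocked for human review instead of copied.
"""
import math
import shutil
import tempfile
from collections import Counter
from pathlib import Path


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext, much lower for documents."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes, threshold: float = 7.5) -> bool:
    """Near-maximal entropy marks a candidate ciphertext. Compressed formats
    (zip, jpeg) also score high, so the decision below uses the share of
    changed files that flipped to high entropy, not any single file."""
    return len(data) >= 256 and shannon_entropy(data) >= threshold


def latest_version(versions_dir: Path):
    """(number, path) of the newest stored version, or (0, None)."""
    if not versions_dir.is_dir():
        return 0, None
    nums = [int(p.name) for p in versions_dir.iterdir() if p.name.isdigit()]
    if not nums:
        return 0, None
    return max(nums), versions_dir / str(max(nums))


def plan_snapshot(src: Path, backup: Path, max_suspicious_ratio: float = 0.2,
                  min_changed: int = 5) -> dict:
    """Classify changed files and decide whether this run is safe to ingest."""
    backed_up = {p.name for p in backup.iterdir() if p.is_dir()} if backup.is_dir() else set()
    changed, suspicious = [], []
    for f in sorted(p for p in src.iterdir() if p.is_file()):
        data = f.read_bytes()
        _, prev = latest_version(backup / f.name)
        if prev is not None and prev.read_bytes() == data:
            continue                                   # unchanged since last run
        changed.append(f.name)
        if not looks_encrypted(data):
            continue
        rewritten = prev is not None and not looks_encrypted(prev.read_bytes())
        # e.g. "budget.xlsx.WNCRY" appearing next to a backed-up "budget.xlsx"
        renamed = prev is None and any(f.name.startswith(k + ".") for k in backed_up)
        if rewritten or renamed:
            suspicious.append(f.name)
    ratio = len(suspicious) / len(changed) if changed else 0.0
    blocked = len(changed) >= min_changed and ratio > max_suspicious_ratio
    return {"changed": changed, "suspicious": suspicious, "blocked": blocked}


def run_snapshot(src: Path, backup: Path, **kw) -> dict:
    """Copy changed files as new versions, unless the plan says to block."""
    plan = plan_snapshot(src, backup, **kw)
    plan["copied"] = 0
    if plan["blocked"]:
        return plan                                    # existing versions stay untouched
    for name in plan["changed"]:
        n, _ = latest_version(backup / name)
        dest = backup / name / str(n + 1)
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.copyfile(src / name, dest)              # never overwrites an older version
        plan["copied"] += 1
    return plan


def demo() -> tuple:
    """Constructed scenario: a clean run, then an encryption event."""
    with tempfile.TemporaryDirectory() as tmp:
        src, backup = Path(tmp, "src"), Path(tmp, "backup")
        src.mkdir()
        doc = b"Quarterly report, revision 1. Figures attached.\n" * 20
        for i in range(6):
            (src / f"file{i}.txt").write_bytes(doc)
        first = run_snapshot(src, backup)
        ciphertext = bytes(range(256)) * 4             # uniform bytes: entropy 8.0
        for i in range(4):
            (src / f"file{i}.txt").write_bytes(ciphertext)    # encrypted in place
        (src / "file4.txt").rename(src / "file4.txt.WNCRY")
        (src / "file4.txt.WNCRY").write_bytes(ciphertext)     # encrypted and renamed
        second = run_snapshot(src, backup)
        intact = (backup / "file0.txt" / "1").read_bytes() == doc
        return first, second, intact


if __name__ == "__main__":
    first, second, intact = demo()
    print("first run:", first)
    print("second run:", second)
    print("original version preserved:", intact)
```

The ratio threshold, not the per-file entropy test, is what keeps false positives down: a user saving one new zip file is one high-entropy change among many ordinary ones, whereas ransomware rewrites nearly everything it touches in one pass. The rename check covers strains that append an extension instead of encrypting in place, since from the backup's point of view those look like brand-new files rather than changed ones.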