Combating ransomware: Strategies for defense

In today's interconnected world, the threat of ransomware looms larger than ever before across industries. Malicious actors continue to exploit vulnerabilities, and the dark cloud of ransomware shows no signs of dissipating. Recent data from the Verizon Data Breach Investigations Report (DBIR) shows that cost per ransomware incident doubled over the past two years and remains one of the top action types present in breaches.

In this article, we will explore how ransomware works and what steps organizations can take to protect employees and data from these attacks.

What is Ransomware?

Ransomware is a type of malware that is designed to encrypt the files on a victim's computer and demand payment in exchange for the decryption key. Ransomware attacks have become increasingly common in recent years, and they can cause significant damage to individuals, businesses, and even entire cities. Although not all attacks are publicized, examples within the last year include the government of Costa Rica, the San Francisco 49ers and ION Cleared Derivatives.

How Ransomware Works

Ransomware typically enters a victim's computer through a phishing email, malicious website, or infected software. Once it has infiltrated a system, the malware can spread throughout the local network, infecting other systems. Once triggered, the malware begins to encrypt the files on the infected victims’ computers, making them inaccessible without the encryption key.

There are two main types of ransomware: encrypting ransomware and locker ransomware. Encrypting ransomware is the most common type, and it works by encrypting the victim's files using a strong algorithm. Locker ransomware, on the other hand, works by locking the victim out of their computer entirely, making it impossible to access any files or programs.

Once the ransomware has encrypted the victim's files, it will display a ransom note on the screen. This note typically contains instructions on how to pay the ransom, along with a deadline by which the payment must be made. The ransom note may also contain threats to delete or expose the victim's files if the ransom is not paid.

The demanded ransom can vary greatly, ranging from a few hundred dollars to hundreds of thousands of dollars. The payment is usually demanded in a form of cryptocurrency such as Bitcoin, which makes it difficult to trace the attackers.  According to a published report ransomware attacks on healthcare organizations since 2018 have cost the world economy $92 Billion dollars.  And those are just the attacks that are reported. 

Once the victim has paid the ransom, the attackers promise to provide them with the decryption key needed to unlock their files. However, there is no guarantee that the attackers will actually provide the decryption key, even after the ransom has been paid. In fact over 90 percent of victims that pay the ransom never receive access to their data again.

Protecting Yourself from Ransomware

With 74 percent of all breaches including a human element, protecting yourself against ransomware is critical in today's digital world. The best way to safeguard against ransomware is to take a multi-layered approach that includes both preventative measures and a plan for responding to an attack.  Here are some steps businesses and employees can take to protect data from ransomware attacks:

1. Install antivirus software: Antivirus software can help detect and block ransomware before it has a chance to infect your computer. Make sure to keep your antivirus software up to date to ensure that it is able to detect the latest threats.
2. Keep your software up to date: Make sure to keep your operating systems and all software programs up to date with the latest security patches. This can help protect your organization's computers from known vulnerabilities that could be exploited by ransomware.
3. Be wary of suspicious emails: Many ransomware attacks are carried out through phishing emails. Be cautious of any emails that ask you to download an attachment or click on a link, especially if the email is from an unknown sender.
4. Back up your files regularly: Regularly backing up your files can help protect them from being lost or encrypted by ransomware. Make sure to store your backups on an external hard drive or in the cloud, and disconnect the device after the backup is complete.
5. Use strong passwords: Use strong, unique passwords for all of your online accounts, and consider using a password manager to help you keep track of them.
6. Educate yourself: Stay up to date on the latest ransomware threats and educate yourself on how to avoid them. Set up trainings for employees around ransomware and best practices for mitigating and dealing with attacks. The more you know about ransomware, the better prepared you will be to protect yourself from these attacks.

If your organization is infected with ransomware, it is important to act quickly and follow these steps:

1. Isolate the infected device: Disconnect the infected device from any network or external storage devices to prevent the ransomware from spreading to other devices.
2. Identify the ransomware: Identify the type of ransomware that has infected the device. This information can be useful for determining the best course of action and potential solutions.
3. Do not pay the ransom: Paying the ransom does not guarantee that you will regain access to your files and can encourage cybercriminals to continue their illegal activities. Instead, report the attack to law enforcement.
4. Remove the ransomware: Use antivirus software or a malware removal tool to scan and remove the ransomware from the device. However, note that removing the ransomware does not automatically restore access to encrypted files.
5. Restore files from backup: If you have backups of the files, restore them to a point before the ransomware attack. This can help you regain access to the files without paying the ransom.
6. Consider professional help: If you are unable to remove the ransomware or recover the files, consider seeking professional help from a reputable cybersecurity company or IT professional.
7. Take preventive measures: To prevent future attacks, keep your organization’s software and security systems up to date, regularly backup files, and educate yourself and your employees on cybersecurity best practices, such as not clicking on suspicious links or opening attachments from unknown sources.

In the event of a ransomware infection, it is essential to take prompt action, avoid paying the ransom, eliminate the ransomware, restore files from backup, consider professional assistance if necessary, and implement preventative measures to minimize the risk of future attacks.

Image credit: Authorzephyr18/depositphotos.com

John Benkert is CEO at Cigent. John spent 20 years in USAF Intelligence and seven in the NSA where he received the National Scientific Achievement Award for technological innovations in data security. He is the owner of CPR Tools, leading experts in data recovery, forensics, and destruction since 1987.