Anatomy of a Ransomware Attack

Jolera

July 22, 2019

Ransomware is on the rise. Recent research from Malwarebytes found that ransomware targeting businesses has increased by 195% compared to the last few months of 2018.

For hackers, ransomware remains a lucrative business. The average cost of a ransomware demand has now doubled to $36,295 according to new research from Coveware. As long as ransomware remains profitable, hackers will continue to target organizations with these attacks.

Source: ZDNet

How a Ransomware Attack Works

Ransomware is constantly evolving to outmanoeuvre advances in cybersecurity technologies. It helps to understand how a ransomware attack works in order to take precautions to help protect against these attacks. While each ransomware strain is different, they typically follow a general set of steps to infect computers.

1. Find an entry point: To start the infection process, the ransomware has to find a way into the target’s system. There are a variety of ways a hacker can spread ransomware, such as exploiting a vulnerability or sending a phishing email.  

2. Install the malware: Once the malicious file is opened, the system begins to install the ransomware. The ransomware then connects to the attacker’s Command and Control (C&C) server to receive the cryptographic keys.

3. Encryption: After receiving the encryption key from the C&C server, the ransomware starts to encrypt any files it can find. Each original file is deleted from the machine and an encrypted copy is written in its place. The files can only be decrypted with the matching decryption key, which the attacker holds.

4. Ransom demand: Unlike most other malware, which tries to hide or evade detection, ransomware wants targets to know that their systems have been compromised. Attackers notify victims of the attack once the encryption process is complete. A ransom demand appears in every folder of encrypted files, with directions on how to contact the hackers and how much payment (usually in bitcoin) they request. These ransom messages usually set a deadline for payment and often threaten to delete the files if it is not met. Unfortunately, paying the ransom doesn’t guarantee that the hackers will hand over the decryption keys, which is why there is no consensus on whether organizations should pay the ransom or not.
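Steps 3 and 4 leave two observable traces on disk: originals replaced by high-entropy files under a new extension, and the same note file dropped into every folder. The Python script below, an added example and not code from the original post, turns both traces into a simple defensive scan over a directory tree; the entropy threshold, note file names, folder count and the sample data it builds in a temporary directory are all constructed assumptions.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

ENTROPY_THRESHOLD = 7.5   # assumed threshold (bits/byte); ciphertext approaches 8.0
NOTE_NAMES = {"readme.txt", "how_to_decrypt.txt"}   # assumed example note names
MIN_NOTE_FOLDERS = 3      # a note replicated into this many folders is the step-4 pattern

def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: plain documents score low, ciphertext near 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def scan_tree(root: Path) -> dict:
    """Count high-entropy files and folders holding a note-like file under root."""
    high_entropy, note_folders = 0, set()
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        if path.name.lower() in NOTE_NAMES:
            note_folders.add(path.parent)
        elif shannon_entropy(path.read_bytes()) >= ENTROPY_THRESHOLD:
            high_entropy += 1
    # Both signals together match steps 3 and 4: mass ciphertext plus a note in every folder.
    return {"high_entropy_files": high_entropy, "note_folders": len(note_folders),
            "suspicious": high_entropy > 0 and len(note_folders) >= MIN_NOTE_FOLDERS}

def build_sample_tree(root: Path, simulate_incident: bool) -> None:
    """Constructed sample data: three folders of four text documents; with simulate_incident
    each document is a random-byte file under a new extension and every folder gets a note."""
    for i in range(3):
        folder = root / f"dept{i}"
        folder.mkdir()
        for j in range(4):
            doc = folder / f"report{j}.docx"
            if simulate_incident:
                doc.with_suffix(".locked").write_bytes(os.urandom(4096))  # stand-in for ciphertext
            else:
                doc.write_text("Quarterly report text. " * 100)
        if simulate_incident:
            (folder / "README.txt").write_text("constructed note placeholder")

def demo(simulate_incident: bool) -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(Path(tmp), simulate_incident)
        return scan_tree(Path(tmp))
```

Run `demo(False)` and `demo(True)` to compare a clean tree against one showing the post-encryption pattern; on real file servers the thresholds need tuning, since legitimate archives and media files are also high-entropy.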

What to Do If You’re Infected by Ransomware

Prevention and awareness are key to protecting against ransomware. However, mistakes can happen, and anyone can accidentally click on a malicious link. Here are some things to keep in mind if you find yourself facing a ransomware attack.

1. Isolate the infection: In order to stop the ransomware attack from spreading to other parts of your network you need to isolate the infected machine. Disconnect the computer from the network to help prevent it from communicating with the C&C.

2. Identify the ransomware: Identifying the type of ransomware infection can help with the removal process. The ransom demand will typically identify what kind of ransomware has been installed but you can also do some research online to determine what type of ransomware strain you’re facing. It’s important to note that even if you can remove the ransomware, lingering malware might still be present on the system. For your own safety, ensure your systems are wiped clean so that no remnants remain.

3. Hire a cybersecurity consultant: When you’re in a crisis it can help to have an expert on your side. A cybersecurity consultant can help guide you through the process of dealing with a ransomware attack. They can help you negotiate the ransom and give advice on what to do.

4. Try to recover files: If you have a good backup system that’s isolated from the main network, you might be able to restore your encrypted files from it. If you are unable to do so, ensure that you protect your systems with security solutions and back up all your files so that you are prepared for any future disasters.
