Skip to Content
September 26, 2016 Article 3 min read
Cybercriminals are using new technologies and strategies to make their ransomware ambushes more powerful. Organizations of all sizes should take these steps to prevent, or recover from, an attack.

Keyboard with lockDid you know that cyber criminals can now hold your technology for ransom? It’s true.

Through the use of malware called “ransomware,” users are blocked from their devices unless a ransom is paid. Ransomware can be downloaded from malicious websites, spam emails, or even dropped by exploit kits onto vulnerable systems. Once executed, it can encrypt files, stop applications from running, and prevent users from accessing Windows. Attackers will then make the user pay money in order to regain access to their files/device; however, there’s no guarantee that paying the ransom will grant that access.

There are two main types of ransomware in circulation today: locker ransomware (computer locker) and crypto ransomware (data locker). Locker ransomware denies access to the device that’s attacked; crypto ransomware prevents access to files and data, mostly through encryption. A 2015 study by Symantec found that about 64 percent of the binary-based ransomware families were crypto ransomware, and the remaining 36 percent were locker ransomware. Over the past few years, attackers using ransomware have adapted new technologies and strategies to make their attacks more powerful:

  • Free software for enabling anonymous connections (Tor network) allows attackers to easily hide the location of the control servers that store the victims’ private keys. This helps attackers maintain their criminal structure and campaigns for a longer period and also enables them to rent their infrastructure to other attackers so they can run similar campaigns.
  • Pletor, a type of encryption ransomware, has helped attackers encrypt data on Android mobile devices by using AES encryption, which locks the data on the phone’s memory card and uses short message service (SMS), or HTTP to connect to the attackers.
  • Synolocker is being used to attack mass-storage devices like Network-attached storage (NAS) disks and rack stations. This malware exploits vulnerabilities in unpatched versions of servers that are attached to the organizations’ network and, in turn, remotely encrypts all data on enterprise servers.
  • Virtual currency is being used a method of payment to pay the requested ransom. This way attackers don’t have to expose their personal information and can avoid the possibility of being traced.

Ransomware can affect anybody with a personal device; however, enterprises are becoming the most popular target for attackers. According to a study published by ESET, “84 percent of businesses would be crushed if infected by ransomware, and 31 percent would have no choice but to pay the attackers.” Attackers use tactics like phishing to gain access to enterprise networks. Once the access is gained, the attackers can use a list of file extensions or folder locations that the ransomware will target to encrypt sensitive files. Once the files are encrypted, it’s practically impossible to decrypt the files without the encryption key. This gives the attackers an upper hand to demand large amounts of money.

According to a study published by ESET, “84 percent of businesses would be crushed if infected by ransomware, and 31 percent would have no choice but to pay the attackers.” 

Experts suggest always keeping a backup of important files on an external drive or an online cloud to lower the risk of losing data to an attack. Using a firewall and an updated security software could also minimize the risk of being compromised by an attack. There are several security steps that everyday consumers, small businesses, and larger enterprises can take to prevent a ransomware attack from happening:

  • Consumers can block ransomware in one step with security software that prevents access to malicious links, stops spam, and terminates infections.
  • Small businesses should go a through a two-layer ransomware protection. They should protect emails to ensure that ransomware can’t make its way to inboxes. They should also provide endpoint protection by blocking malicious sites to prevent malware from running.
  • Larger enterprises must go through a multilayered defense approach when dealing with ransomware. Like a small business, they must provide email and web protection along with endpoint protection. Additionally, they must have server protection to protect servers from exploitable vulnerabilities and network protection to shield networks by preventing ransomware from spreading from server or endpoint to endpoint. Lastly, having a company-wide backup in a remote storage facility can save the business time and effort in case of an attack.

There are various ways to recover from a successful ransomware attack. The easiest way to remove ransomware is by restoring data from a backup or reimaging the device. There are also a wide variety of tools like DecryptoLocker, EasySync CryptoMonitor, BitDefender, Sophos, and McAfee to help remove malware from an affected device. Finally, although unlocking data can be a challenge, it can be done by re-booting the device to run a Linux environment to identify and delete the affected files.