Protect your business from ransomware

Guide

Ransomware is a type of malicious software that allows cyber criminals to take control of your business data or computer systems. It locks or encrypts your files, making them inaccessible, and typically requires you to pay a ransom to regain access to your system.

Ransomware is potentially a serious threat to business. Attacks are largely indiscriminate, usually very disruptive and recovery can be slow and costly. As well as financial losses, your business may suffer:

loss of data
loss of productivity
reputational damage
potential legal penalties for breach of data security or data theft

Read more about the impact of cyber attack on your business.

How does ransomware get on your computer

Most commonly, ransomware enters machines or networks through:

Spam email (phishing) - where the email is designed to look 'legitimate' but typically contains a malicious link or an attachment. Once you access this link or download the file, the ransomware installs on your device.
Drive-by download - where the malware is installed onto your device without your knowledge and permission. You don't have to click anything to initiate the download. It automatically activates when you visit an infected website or a malicious advertisement.

Drive-by downloads rely on using exploit kits, ie pieces of malicious code embedded in a website. This can be a legitimate website that has been compromised or a malicious site designed to look authentic and genuine.

When you visit a website that hosts an exploit kit, it looks for software vulnerabilities in your device or web browser. If it finds a weak spot, it injects malware into it.

Types of ransomware and examples

Two main forms of ransomware are:

Screen lockers - these freeze you out of your device by locking your screen and denying you access until you pay a fee. They don't typically interfere with the underlying system and files. Often, they come disguised as an official-looking warning message from law enforcement imposing a fine for supposed online indiscretions or activities.
Crypto ransomware - these infect your devices and, when installed, begin hijacking your files, turning your data unreadable. When this process concludes, the malware brings up a message demanding payment, often in BitCoin, for a private decryption key that would allow you to regain access to your data. If you refuse to pay the ransom, the criminals threaten to destroy the key and keep your data encrypted.

Cryptolocker and WannaCry are two notorious examples of crypto malware. Hybrids like Petya combine features of both screen lockers and encryptors.

In recent times, ransomware-as-a-service tools such as Shark have become prevalent. The code of such tools is distributed free of charge, but its creators get a percentage of every successful ransom collected.

How to respond to a ransomware infection

If ransomware infects your device, you should follow these steps:

Turn off your computer as soon as possible and disconnect it from the network. This can help prevent the infection from spreading to other devices on the network.
If you can, reboot your device to safe mode and try to identify the specific strain or type of ransomware. This information may help you find the right decryptor or find out what damage the malware has done to your systems.
Use anti-malware software to try to remove the ransomware from your device. This may not always be possible. Even if you can remove the malware, you may not be able to recover your data without the key to decrypt it.
If necessary, decide if you wish to pay the ransom. Security and law enforcement agencies recommend that you do not pay the ransomware demand. There is no guarantee that the criminals will give you a key upon payment, or that the key will even unlock your files. Instead, criminals may release files that contain further malware, simply prolonging or diversifying the attack.
If you decide not to pay the ransom, restoring your backed up data (provided that you have it) will allow you to make a fresh start. Make sure that you recover your device back to a previous clean state, and that you have made changes to prevent re-infection, before reconnecting to your network.
It is not always obvious how your business was infected with ransomware so it is very important to check any compromised accounts have been secured or any weak or compromised password are changed to be more complex. In addition, all software/devices in the business should be updated with any missing security updates. Key user accounts such as admin or finance roles should use two factor authentication to provide additional security.

You should also consider reporting your cyber incident to the relevant authorities.

How to prevent ransomware attacks

Criminals often use email, social posts and even texts to infiltrate computer networks. To protect your business from ransomware, you should:

use integral email security, such as spam filters, that catch phishing emails and malicious attachments
advise staff not to open suspicious links or attachments, even if emails appear legitimate
regularly change passwords to strong, unique combinations
apply updates and security patches regularly to keep the software, browsers and operating systems current on all your devices

Most importantly, you should back up your key business data. The backup will allow you to:

recover your key data if your system is compromised
rollback or rebuild your system to a previous, safe version
resume business operations with minimal disruption and costs

It's important to realise that ransomware can affect connected USB and network storage devices holding data backups, as well as the original data on-disk. It can also compromise connected cloud storage locations containing backups. With that in mind, offline backups or online backups with secure version control protection are probably the best safety net against ransomware.