Currently, one of the security incidents that most affects companies is ransomware infection, which hijacks our information and endangers business continuity. Do you know how to protect yourself and act against this type of incident? Do not miss any detail.
What Is Ransomware?
The ransomware is a type of malware that enters computers and mobile devices preventing access to information, usually by encrypting it and requesting a ransom ( ransom in English) to be accessible again. After the initial infection, the malware will try to spread to the rest of the systems connected to the network, including shared storage units.
How Infection Occurs?
In most cases, the infection is caused by:
- Emails that use social engineering for the victim to download infected attachments or access a malicious website through a link.
- Attacks using Remote Desktop Protocol ( RDP ), either by exploiting a vulnerability in the system or by brute force attacks.
- Vulnerabilities of services exposed to the internet (FTP, SSH, TELNET, etc.).
- Vulnerabilities in operating systems and browsers that facilitate infection when visiting fraudulent sites.
- Infected external devices that connect to corporate computers.
- Through other malware that has previously entered our device, such as in the case of Emotet.
How Does Ransomware Work?
The ransomware identifies the drives on an infected system and begins encrypting the files on each drive. Rescue software usually adds an extension to encrypted files, for example B. .aaa, .micro, .encrypted, .ttt, .xyz, .zzz, .locky, .crypt, .cryptolocker, .vault or .petya. to show that the files have been encrypted. The file extension used is specific to each type of ransomware.
The ransomware manifests when the device is infected and the information is no longer accessible. Once you have encrypted all the files, it displays a message on the screen containing instructions on how to pay the ransom.
How do I retrieve the information? It is necessary to know that it is not always possible to decrypt the files and, therefore, to recover the hijacked information. Each type of ransomware has its peculiarities and there may not yet be a solution to reverse its effects. For this reason, it is important that you always make backup copies and check that you can restore them since it is the only way to guarantee that you can always recover your information and guarantee business continuity.
Below we list a series of recommendations on how to act, depending on the circumstances, in the event of an infection of this type.
- Check if there is a solution that allows decryption: for this, we can count on the project endorsed by EUROPOL called No More Ransom. On this website, you can check if there is a decryption tool for the ransomware variant that has encrypted your files. If so, follow the instructions to use it. You must attach a couple of encrypted files, as well as the ransom note left by cybercriminals.
- Do you have a clean and recent backup ?: the backup always ensures you can recover your information. Disinfect infected computers and restore the corresponding copies. Remember the importance of making backups with the 3-2-1 strategy, whose base is the diversification of the copies to guarantee that there is always one available so that we can guarantee to have some of the copies that have not also been encrypted by the malware.
- Do you have Shadow Volume Copy ?: If you have this copy of the files that Windows makes automatically, you can easily restore the information using Shadow Explorer.
- Can affected files be recovered using forensic software? There are solutions used to recover information in the forensic field that can sometimes recover original files deleted by ransomware.
- Should you keep the files encrypted ?: If you have lost information because you did not have a backup and currently there is no software to decrypt your files, save them. There may be a solution in the future for that ransomware variant. In no case is the payment of the ransom a recommended option, since there is no guarantee of recovering the information in this way and promotes the profit of cybercriminals.
Also Read: Definition Of Ransomware