It’s hard to read the news nowadays without seeing some organization falling victim to a ransomware attack.
How does ransomware work? To put it simply: Ransomware is a form of cyber extortion. When a computer is infected, all of the files on the computer are encrypted. Instructions for how to pay the ransom, and the amount to pay, are displayed on the screen. When the victim pays up, they receive a decryption key that will unlock the files so they can access them once again.
These attacks are on the rise, and they are extremely costly. It is predicted that damage from these attacks will cost businesses $5 billion in 2017, up from $325 million in 2015.
How Does Ransomware Work?
Ransomware usually starts with a phishing email that contains a link to a malicious site or an attachment with the malware inside.
If a link is used, when the victim clicks it and visits the malicious website that hosts the ransomware exploit kit, this site communicates with the victim’s computer to see if it is running the software—such as Java or Flash—that the kit is able to exploit. If it does, then it goes to work installing itself on the computer.
In the case of a malicious attachment, the victim downloads the file and the exploit kit launches in the background to install itself on the victim’s computer. These links and files may be distributed in a number of ways, but phishing emails are the most common, and easiest, way.
Once the ransomware is installed on the target computer, it starts the process of deleting any existing shadow copies on the computer so the user cannot revert back to an earlier time before the computer was infected.
Next, it begins searching the computer for files with specific extensions such as images, documents, spreadsheets, etc. These are the files it will encrypt. After this is complete, the ransomware makes copies of itself, usually three of them stored in the AppData, Start, and root (C:) directories.
Once this is done, the ransomware will send the encryption key and other information over to the command and control server.
The last step of the process is to inform the victim that their files have been encrypted and they need to pay the ransom in order to have a decryption key sent to them. This is usually done through an image placed on the computer’s desktop background. Information regarding the ransom and where to send payment is included.
Once payment is made, the decryption key is usually sent over with instructions on how to recover the files. Sometimes, there is a time limit; other variants increase the ransom if the victim waits to send the money.
Beating the Criminals with Best Practices
While some anti-malware solutions have the ability to block certain ransomware from reaching their intended targets, the criminals modify these enough to bypass most security controls.
Because the files are encrypted by the ransomware, even if you are able to remove the malicious file it won’t help to access any files affected. The way to beat the bad guys is to stick with some of the basic best practices and institute a backup and recovery plan for your organization.
Though the ransomware itself will remove local shadow copies that prevent the computer itself from rolling back to an earlier time, a proper backup solution will restore your files. You simply need to wipe the infected machine, or machines, and restore them with your recovery solution to a time prior to the infection.
No need to pay a ransom and downtime is limited to the cleaning and recovery process.
High Availability with Veeam
While technical security controls do little to thwart the ransomware threat, there are solutions that make recovering from these attacks easier. Veeam provides one such solution. Its Availability Platform includes a feature set designed to address business continuity. Companies storing data in a managed cloud or a private cloud such as Microsoft Hyper V can instantly restore any data, along with any applications. Also supported are public clouds such as:
- Microsoft Azure
- IBM Cloud
So, if users in your company are affected by ransomware, you don’t have to pay the attackers and you don’t have to lose your data. Once the infected computers are cleaned, you can instantly have all apps and all data restored so people can get back to work.