You must have heard of ransomware time and again. Maybe you have ignored it, or maybe you thought that you have an antivirus program and it will take care of the threat. It is about time you shed this casual approach and start taking ransomware seriously.
So, what really is ransomware, and what makes it such a big threat? What different types of ransomware exist? What kind of damage does ransomware cause? What is the history of ransomware?
In this detailed article, we are going to discuss everything that is worth knowing about ransomware.
So, let us not waste any more time and begin.
What is a Ransomware?
Ransomware is a type of malicious software (popularly known as malware). It has its roots in cryptovirology.
Cryptovirology is the study of how cryptography can be used to design powerful malicious software. What is unsettling is that the field of cryptovirology was born with the sole purpose of creating malware.
While it is easy to go astray when talking about cryptovirology, we will keep ourselves composed and simply note that the first cryptovirology attack was devised by two people, Moti Yung and Adam L. Young. They called the attack “cryptoviral extortion.”
It was first presented at the IEEE Security & Privacy conference in 1996. Many years later, the media gave it the name “ransomware.” In 2016, cryptovirology attacks became rampant and, especially among healthcare providers, reached epidemic levels.
Now that you know where the term “ransomware” comes from, it is important to know what ransomware really is and what it can do to you.
Ransomware takes control of a person’s data (stored on a digital device such as a computer) and then demands a ransom to unblock it. If the ransom is not paid, the attacker threatens to keep access to the data blocked permanently.
Ransomware can be as simple as a program that locks a person out of their device and demands a ransom. If the victim is knowledgeable enough, they may manage to bypass the lock and access all the data.
Unfortunately, some ransomware is not that simple. It is highly advanced and uses the method called cryptoviral extortion, in which the ransomware encrypts the victim’s data. Decryption is not possible unless the victim pays the demanded ransom.
The problem is that even after the ransom is paid, the attacker may not decrypt the files. Instead, the attacker may choose to destroy the files or even ask for more ransom. There are also cases where the encryption method used by the ransomware damages the files, so even if they are decrypted, the data is lost.
What makes advanced ransomware attacks, or cryptoviral attacks, such a big threat is that the attacker demands the ransom in hard-to-trace forms of payment such as the cryptocurrency Bitcoin or prepaid paysafecard vouchers. When the ransom is paid this way, it becomes enormously difficult for the authorities to pin down the perpetrator, because tracing such payments is exceedingly difficult.
How does a ransomware attack work?
Okay, now you know what ransomware does. But how does it do that? It is a bit more technical than you might think. If you are up for it, here is a quick explanation of how a ransomware attack works.
First things first: the attackers use a trojan to carry out ransomware attacks. The trojan is disguised as a legitimate file. The attackers attach the trojan to an email and trick the victim into downloading and then opening it. Once opened, it starts its job.
The cryptoviral extortion in which the ransomware encrypts the victim’s files follows a three-round protocol between the attacker and the victim.
Here are the steps that take place:
Step 1: From the attacker to the victim.
In this step, the attacker generates a key pair: a private key and a public key. The public key is embedded inside the malware, which is then released into the wild.
Step 2: The victim, left with no other option, responds.
Once the malware reaches the victim’s computer or device, it immediately generates a random symmetric key and uses it to encrypt the data on the device. Once the data is encrypted, the malware uses the embedded public key to encrypt the symmetric key it just generated.
So now the data is encrypted with the symmetric key, and the symmetric key is in turn encrypted with the public key. This method is called hybrid encryption.
Once the hybrid encryption is complete, two ciphertexts exist. One is a small asymmetric ciphertext (which contains the symmetric key), and the other is the symmetric ciphertext (the encrypted user data).
The malware then zeroizes the symmetric key and, of course, the plaintext data, so that neither can be recovered from the device.
Once this is done, the victim receives a message containing the asymmetric ciphertext along with instructions on how to pay the ransom to get the data back.
The victim is left with no option but to pay using the method given (unless, of course, they have a complete backup). The victim must also send the asymmetric ciphertext to the attacker.
Step 3: The attacker gives back the data (in theory).
Once the attacker receives the payment and the asymmetric ciphertext, the attacker uses the private key to decrypt the asymmetric ciphertext and recover the symmetric key, then sends that symmetric key to the victim. The victim uses it to decrypt the data and regain access.
A few things to note
- The symmetric key that the malware generates is completely random. So, if one victim pays the ransom and receives the symmetric key to decrypt their data, they cannot share it with another victim; the key will not work. Simply put, the symmetric key is unique to every victim.
- The trojan used to carry out a ransomware attack can be delivered as an email attachment, as a link embedded in a phishing email, or even through a vulnerability in a network service.
Ransomware can be unsophisticated, or it can be as sophisticated as cryptoviral extortion. Whatever the case, the trojan that enters a system runs a payload.
In the case of a highly sophisticated ransomware attack, the payload encrypts user data in the fashion described above. For less sophisticated ransomware, the payload can do any of the following:
- It somehow locks the victim’s device and demands a ransom.
- It may claim to have locked the system, and make it look as though it has, without actually doing so (scareware).
- It can take control of the Windows shell, or modify the computer’s partition table and/or master boot record, thereby preventing the operating system from booting until it is repaired.
- It can display a fake warning from a (disguised) entity such as a law enforcement body, stating that the system was used for piracy (pirated movies, music, etc.), for storing pornography (where pornography is prohibited in the jurisdiction), or for some other illegal activity.
Whatever the case may be, an inexperienced user will usually take such messages very seriously and may even pay the ransom without investigating any further.
The attackers usually release the system
Of course, there are concerns about whether a victim will get the data back after paying the ransom. In several cases, the attackers simply wiped the data even after receiving the ransom. In other cases, the data was encrypted in such a way that it was unusable even after decryption.
Those are unfortunate events, and often the result of a personal grudge. In general, however, the attackers do give the victims their data access back. The reason is quite simple: these ransomware attacks are usually motivated by money, and the money comes from coercing victims with threats of data destruction or of making private data public.
If the attackers did not give the data back, word would get out that paying does not get you your data back, and people would simply refuse to pay. That is not in the attackers’ interest, and the whole scheme would become useless.
Interesting trends found in a study
If you are to believe the 2020 Sophos study, 95% of the organizations that became victims of ransomware attacks had their data restored after they paid the ransom.
The same study also finds that if an organization decides not to pay the ransom and remediates the attack by itself, the total cost comes to USD 732,520 (accounting for things like downtime, device cost, lost opportunities, network costs, people’s time, and so on). For those companies that pay the ransom to get their data restored, the cost rises to USD 1,448,458.
The study found that almost three quarters of ransomware attacks succeeded in encrypting the victims’ data: 73% of the organizations hit by ransomware had their data encrypted by the criminals.
What is interesting is that many companies have insurance against ransomware attacks, and in 94% of cases it is the insurance company that pays the ransom.
History of Ransomware
Ransomware is quite an old thing. If you thought it was a new variant of malware, you could not be more wrong!
The Evolution of Encrypting Ransomware
The AIDS Trojan
The first known encrypting malware extortion, or ransomware attack, happened in 1989. It was known as the “AIDS Trojan,” and its author was Joseph Popp.
AIDS is an acronym for AIDS Info Disk. It also goes by the name PC Cyborg Trojan. Once on the system, the trojan would replace the AUTOEXEC.BAT file and then start counting the number of times the PC booted. When the boot count hit 90, AIDS would hide every directory on the C: drive and encrypt the names of all the files on it.
Once that happened, the system became unusable, and the victim would see a message asking for a license renewal and telling the user to send USD 189 to a post office box in Panama.
What is interesting is that the AIDS Trojan had a very serious design flaw: the decryption key was hidden right inside the Trojan’s code. So anyone with the proper knowledge could use that key to regain control. However, not every user had that knowledge.
Joseph Popp was arrested but never stood trial because he was deemed mentally unfit. However, Popp did agree to donate the profits he made with the program to AIDS research.
Blind Signatures and Anonymous Cash
The next idea was developed by Sebastiaan von Solms and David Naccache. In 1992 the duo came up with a hypothetical scenario based on the work of David Chaum. They authored a paper explaining that blind signatures (an extension of the concept of digital signatures), which can be used to protect a person’s identity and privacy in electronic payment and service networks, can also be abused to commit perfectly untraceable crimes.
In the paper, von Solms and Naccache showed how anonymous cash systems can be abused to safely collect a ransom for a kidnapped person.
Since cryptocurrencies did not exist back then, the duo used a newspaper-publication scenario to show how a person can abuse an anonymous cash system without being traced, provided the person uses a blind signature system.
Public key cryptography
In 1996 came Moti Yung and Adam L. Young. They introduced the idea of data kidnapping using public key cryptography, building their work on the flaw in the AIDS Trojan.
It was quite obvious that the AIDS Trojan used symmetric cryptography and hid the decryption key inside the Trojan’s code. Anyone with the proper knowledge could extract the decryption key from the code and nullify the extortion attempt.
So, as an experiment, Yung and Young implemented a cryptovirus on a Mac system (a Macintosh SE/30). The cryptovirus they created used hybrid encryption to encrypt user data. The hybrid encryption was built from the Tiny Encryption Algorithm (TEA) and RSA.
Because Yung and Young used public key cryptography, the cryptovirus they created only carried the encryption key. The private decryption key was not present in the virus code.
In their experiment Yung and Young showed how the attacker can make the victim send the asymmetric ciphertext to the attacker, who then decrypts the ciphertext and sends the symmetric decryption key back to the victim, but only in exchange for a fee.
Once the victim gets the symmetric decryption key, he or she can decrypt the data and get full access back.
Through this experiment, Yung and Young demonstrated how electronic money could also be extorted (even though electronic money did not exist back then). The duo clarified that even if the owner of the electronic money had encrypted it beforehand, the cryptovirus writer could encrypt it again, preventing the owner from using it. The virus writer could then hold all the money for ransom until the owner agreed to hand a certain part of it over to the cryptovirus author.
The Rise of Encrypting Ransomware
Encrypting ransomware rose to prominence starting in May 2005. By 2006, several types of ransomware were already in circulation. Some of the most popular ones were:
It became evident as time passed that the newest encrypting ransomware used increasingly powerful RSA schemes. For instance, in 2006, Gpcode.AG (a variant of Gpcode) used a 660-bit RSA public key.
Two years later, another variant called Gpcode.AK appeared, using a 1024-bit RSA public key and making the encryption virtually unbreakable without a distributed effort from many users and many computers.
In late 2013 came CryptoLocker. This ransomware used the digital currency Bitcoin to collect ransoms.
It is estimated that between October 15, 2013, and December 18, 2013, CryptoLocker amassed as much as USD 27 million in ransom from users. Then followed CryptoLocker 2.0, CryptoDefense, and finally, in 2014, a trojan that targeted Synology’s network-attached storage devices.
There are cases where the payload used a two-stage approach. First, the victim was tricked into running a script, which then downloaded the primary malware to infect the device. In most cases the script came in the form of a macro-enabled Microsoft Word document, but self-contained Microsoft PowerShell scripts were also used quite often.
The Evolution of Non-encrypting Ransomware
There is non-encrypting ransomware as well. For instance, a Trojan called WinLock came into prominence, and in 2010 several people were arrested by the Russian authorities for using it.
WinLock did not encrypt anything. It locked users out of their systems and displayed pornographic material, then asked users to send a premium-rate SMS costing around USD 10 to receive a code that would unlock their systems.
The group that used this ransomware made around USD 16 million by scamming many people in Russia and its neighboring countries.
In 2011, another Trojan came into prominence. It imitated the notice that Microsoft shows for Windows Product Activation, telling users that they had been the victim of fraud and that their copy of Windows needed to be reactivated.
For activation, the Trojan offered two options. The first was online activation, which never worked. The second was to call one of six provided international numbers and input a 6-digit code.
The Trojan claimed that the call would be free, but in reality the call was routed through a rogue operator with very high call charges. The call was intentionally put on hold so that the users ran up high charges.
Other forms of non-encrypting ransomware appeared in the following years. For instance, in 2013 a Trojan based on the Stamp.EK exploit kit showed up, with services like GitHub and SourceForge as the distribution vector. Another one, specific to OS X, showed up the same year and accused people of downloading child pornography.
There is another type of ransomware called leakware, which came into prominence in 2003 or earlier. The purpose of this cryptovirus is not to lock users out of their systems and then extort money, but to steal user information and then threaten to release it publicly unless the user pays a demanded amount.
Finally, we have mobile ransomware, designed specifically for mobile operating systems. This ransomware was not really designed to encrypt data, for a simple reason: people could easily restore everything using online synchronization, a convenient feature you will find on smartphones today.
Most mobile ransomware is meant to block access, and most of it targets the Android operating system, since Android allows people to install applications from APK files obtained outside Google’s Play Store. Some mobile ransomware blocks access by displaying a message on top of all other apps. Others are clickjacking ransomware, meant to trick users into granting elevated privileges so that the malware gets deeper access to the device.
That does not mean iOS users were safe, however. Different tactics were used for iOS devices: ransomware tried to lock device access by abusing Find My iPhone and iCloud accounts.
It is also possible to infect DSLR cameras with ransomware, because digital cameras use PTP, the Picture Transfer Protocol, to transfer image files. Unfortunately, PTP has had vulnerabilities that can be exploited.
Most Popular Ransomwares to Date
Okay, now that you are aware of what ransomware is and how it works, it is time to learn about some of the most notorious ransomware of all time. Let us begin.
If you happen to be a Windows power user, you have probably heard this name. It was a utility shipped with Windows NT-based operating systems that allowed users to encrypt the user account database with a password. However, a whole network of technical-support scams emerged in which scammers took remote control of users’ systems and used the utility to lock the users out with a password known only to the scammers.
Sounds like a superhero flick, but DarkSide is the name of a hacker group that emerged in 2021, specifically on May 7, when the US Colonial Pipeline came under cyberattack. DarkSide, a European cybercriminal group, launched a ransomware attack on Colonial Pipeline that led to the shutdown of the main pipeline responsible for 45% of the fuel supply to the US East Coast.
In 2016, a new ransomware came into prominence. It selectively targeted JBoss servers. The ransomware was called SamSam, and it works in a very rudimentary way: instead of sophisticated means, it relies on brute force to guess weak passwords, including those for the Remote Desktop Protocol.
SamSam is excellent at hiding itself. After the initial infection, it lies low until the time is ripe. That ripe time is simply the night, when organizations are least able to respond to such attacks.
SamSam’s operators would not ask for a ransom right away. Instead, they would sit and wait to see whether they could penetrate deeper. They started encrypting files and folders only when there was the least network and/or user activity.
What is unique about SamSam is that it creates a unique RSA key for every computer it infects, thereby forcing an organization to pay for each infected device.
SamSam primarily targets healthcare and government organizations. The two people who launched this ransomware are Mohammad Mehdi Shah Mansouri and Faramarz Shahi Savandi (both born in Iran). They allegedly made USD 6 million in ransom using SamSam and caused USD 30 million worth of damage. [Source]
That is not the name of a bedtime story; it is ransomware. The Bad Rabbit ransomware was first detected on October 24, 2017, when it was reported by a few users in Ukraine and Russia. The ransomware encrypts a system’s file tables and then demands a ransom in Bitcoin. If you are to believe ESET, the ransomware was distributed disguised as an Adobe Flash update.
Ukraine’s Ministry of Infrastructure, the Kyiv Metro, Odesa International Airport, and Interfax were some of the organizations hit hard by Bad Rabbit.
Bad Rabbit spread through corporate network infrastructure. As a result, it made its way into various other countries, including the United States, South Korea, Japan, Poland, Germany, and Turkey.
The spread of Bad Rabbit stopped because the sites distributing the bogus Flash update either went offline or selectively removed the malicious files. [Source: 1]
WannaCry led to one of the worst ransomware attacks in history. The infection spread to 150 countries and infected more than 230,000 computers. Its ransom demand, payable in Bitcoin, was presented in more than 20 languages.
The attack took place in May 2017 and targeted only computers running Microsoft Windows. The ransomware used EternalBlue, an exploit that the NSA (National Security Agency) had developed for older Windows systems. A group called The Shadow Brokers stole the exploit in 2016.
WannaCry was a network worm with a transport mechanism capable of spreading automatically. The self-propagation mechanism had transport code that scanned for vulnerable systems and then used the EternalBlue exploit to gain access. It also carried a tool called DoublePulsar that allowed the ransomware to install and execute a copy of itself. By the time the attack ended, the attackers had made USD 130,634.77.
Though the money extracted as ransom was not much, the damage caused by the ransomware ran into the millions, if not billions, of dollars. Both the US and the UK pinned the blame for the WannaCry attack on North Korea. [Sources: 1, 2, 3]
This ransomware was first discovered in March 2016. Petya infected the MBR (Master Boot Record) and encrypted the file tables of the NTFS file system using a payload that ran the next time the system rebooted.
Because the encryption happened on reboot, the system simply failed to boot. The encryption was removed only after the user paid the demanded ransom. Petya’s approach was quite innovative; however, it failed to infect as many computers as other prominent ransomware of the same period did.
In 2017, however, a heavily modified version of Petya appeared. Its primary target was Ukraine, but it reached many countries. This new version used the same propagation method as WannaCry (that is, EternalBlue). However, it never unlocked the system after the victim paid the ransom, leading security experts to believe that the whole purpose of this ransomware was to cause damage rather than to make illicit profits. [Sources: 1, 2]
CryptoWall targeted the Windows operating system and first came to notice in 2014. CryptoWall had several strains, one of which was used in a malvertising campaign launched against an ad network called Zedo.
That strain of CryptoWall targeted various websites where the ads redirected to other websites that used browser-plugin exploits to download the payload. Interestingly, the payload even carried a digital signature so that it appeared trustworthy.
Not just that! The ransomware communicated with its servers by creating and running new instances of svchost.exe and explorer.exe, which allowed it to evade detection. During the file encryption process, CryptoWall 3.0 deleted all volume shadow copies, and it even went a step further and installed spyware to steal Bitcoin wallets and passwords.
This one appeared in 2013. CryptoLocker generated a 2048-bit RSA key pair, uploaded the key pair directly to its command-and-control server, and used the keys to encrypt files matching a specific list of file extensions.
CryptoLocker threatened its victims that it would delete the private key if payment was not made within 3 days, either in Bitcoin or in the form of a prepaid cash voucher.
Since CryptoLocker used such a long key, it was almost impossible to recover the files on infected systems without it.
Those who failed to pay within the 3-day deadline had the option of recovering the private key by paying 10 Bitcoin.
The Gameover ZeuS botnet was seized as part of Operation Tovar, which managed to isolate the CryptoLocker ransomware and led to its shutdown. Before it was shut down, however, it managed to grab USD 3 million in ransoms. [Sources: 1, 2, 3]
TorrentLocker and CryptoLocker.F
In 2014, several ransomware trojans came out, affecting Australians. They called themselves CryptoWall and CryptoLocker, but they were not the same as the originals. Symantec named the one that identified itself as CryptoLocker “CryptoLocker.F.”
The spreading vector for these new trojans was fraudulent emails claiming to be from Australia Post about a failed parcel delivery. To avoid detection by automatic email scanners, the variants made victims visit a page where they had to solve a CAPTCHA; only after the CAPTCHA was solved did the payload start downloading. The automatic email scanners could not get past the CAPTCHA challenge, and hence they could not scan the payload.
The Australian Broadcasting Corporation became one of the biggest victims of these trojans.
TorrentLocker was yet another trojan among the many that surfaced in 2014. TorrentLocker used the same keystream for all the computers it infected, which made it much easier to overcome the encryption. The creators of TorrentLocker fixed this problem later. By the end of November 2014, TorrentLocker had infected more than 9,000 people in Australia, and it even made its way into Turkey, where it infected 11,700 computers. [Sources: 1, 2, 3]
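To see why a keystream shared across victims is such a serious weakness, and why the fix had to be a unique keystream per victim, here is an added illustration (not TorrentLocker’s code): a toy stream cipher, SHA-256 in counter mode, stands in for whatever cipher the trojan used, two constructed files are encrypted under the same keystream, and one file whose original the victim still has is enough to recover the other.

```python
import hashlib


def toy_keystream(key: bytes, length: int) -> bytes:
    """Deterministic keystream: SHA-256 in counter mode.

    Constructed stand-in for "a stream cipher"; any stream cipher has the
    weakness shown below once its keystream is reused across victims.
    """
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_with_keystream(key: bytes, plaintext: bytes) -> bytes:
    """Stream-cipher encryption: plaintext XOR keystream."""
    return xor_bytes(plaintext, toy_keystream(key, len(plaintext)))


def recover_keystream(known_plaintext: bytes, its_ciphertext: bytes) -> bytes:
    """Known-plaintext recovery: keystream = plaintext XOR ciphertext.

    Only the prefix covered by the known file can be recovered.
    """
    n = min(len(known_plaintext), len(its_ciphertext))
    return xor_bytes(known_plaintext[:n], its_ciphertext[:n])


def decrypt_with_recovered_keystream(keystream: bytes, ciphertext: bytes) -> bytes:
    """Decrypt another file as far as the recovered keystream reaches."""
    n = min(len(keystream), len(ciphertext))
    return xor_bytes(ciphertext[:n], keystream[:n])


# Constructed sample data. The attacker's key exists here only to simulate
# the infection; the recovery side never needs it.
SHARED_KEY = b"constructed-key-shared-across-all-victims"
PDF_HEADER = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
# File A: the victim still has the original (for example, a copy in their mailbox).
KNOWN_DOC = PDF_HEADER + b"Template text repeated for padding. " * 8
# File B: the original is lost. It is shorter than file A, so the recovered
# keystream prefix covers it completely.
LOST_DOC = PDF_HEADER + b"Quarterly figures: revenue up 12%, costs flat.\n"


def recover_lost_document(key: bytes = SHARED_KEY) -> bytes:
    """Run the whole recovery against the constructed samples."""
    ct_known = encrypt_with_keystream(key, KNOWN_DOC)
    ct_lost = encrypt_with_keystream(key, LOST_DOC)
    keystream = recover_keystream(KNOWN_DOC, ct_known)
    return decrypt_with_recovered_keystream(keystream, ct_lost)


def recovery_fails_with_per_victim_key() -> bool:
    """The fix: when file B was encrypted under a different key, the keystream
    recovered from file A no longer decrypts it."""
    ct_known = encrypt_with_keystream(SHARED_KEY, KNOWN_DOC)
    ct_lost = encrypt_with_keystream(b"constructed-unique-key-for-victim-b", LOST_DOC)
    keystream = recover_keystream(KNOWN_DOC, ct_known)
    return decrypt_with_recovered_keystream(keystream, ct_lost) != LOST_DOC


if __name__ == "__main__":
    print(recover_lost_document().decode("latin-1"))
    print("per-victim keystream defeats the recovery:", recovery_fails_with_per_victim_key())
```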
Reveton was a ransomware trojan that started spreading in 2012. It was based on the Citadel trojan, which was in turn based on the Zeus trojan. The ransomware displayed a warning message on the victim’s computer stating that the computer had been used for illegal activities such as child pornography or unlicensed software.
What is interesting is that the notice appeared to come from a law enforcement body and told victims that their computers could be unlocked only if they paid a fine using prepaid cash services like paysafecard or Ukash. To make the notice appear authentic, it often displayed the computer’s IP address, or footage from the victim’s webcam, to give the victim the impression that law enforcement was recording them.
In fact, the developers of Reveton went a step further and created localized versions showing the logos of different law enforcement bodies in specific areas. In early 2012, Reveton spread in various European countries, and by August 2012 a new variant of Reveton had started to spread in the United States. In 2014, Avast identified another Reveton variant capable of spreading password-stealing malware as part of its payload. [Sources: 1, 2, 3, 4]
Now there is something called Ransomware-as-a-Service (RaaS). It is essentially an economic model in which the people who develop ransomware do not distribute it themselves.
Instead, they allow non-technical criminals to buy their ransomware and launch the infections. Of course, the developers also provide instructions on how to launch the ransomware.
Not only do the developers charge the non-technical criminals for using their creations, but they also take a cut of the total money the criminals make with the ransomware. This allows the developers to stay (relatively) risk-free.
Some RaaS offerings require a subscription, while others require registration. One such popular RaaS service is RaaSberry, which uses the subscription method.
Such services can only be accessed on the dark web and are usually available through the Tor network. One such dark web site where ransomware can be purchased is at this address: hxxp://kdvm5fd6tn6jsbwh.onion.
Be careful about accessing this address from a computer connected to the Internet. Your ISP can track what you are doing, and accessing the above address can get you into trouble.
Basically, the ransomware is available on a website where buyers can customize it. They also need to provide a Bitcoin address. A percentage of the ransom earned is sent to the person who purchased and spread the ransomware, while the rest goes to the developer. Generally, the purchaser (and spreader) gets the majority of the ransom, while the developer keeps only a small share.
In the example above, the developer takes only 10% of the ransom earned, while 90% goes to the person spreading it.
How to Protect Yourself from Ransomware?
There are several things you can do to protect yourself from ransomware attacks. Here are a few important tips that you should always take seriously:
1. Offline Backup
Not online storage, and not network-attached storage either! I am talking about an external device that is not attached to your internet-connected device. Keep all your data backed up! In the event of a ransomware attack on your device, you can simply reinstall your operating system and restore all your files.
MAKE SURE that all your confidential files (such as personal photos and other material that could defame you or your family) are available only on a computer that is not attached to the internet. This is particularly important if you want to avoid leakware attacks.
2. Powerful Antivirus and Anti-Malware Program
These programs will not necessarily protect you from new and more powerful ransomware, but they can always keep you protected against known ransomware and other online threats. Do not think of using a pirated antivirus or anti-malware program. That is not going to help you; in fact, cracked and pirated versions can have malware and ransomware hidden in them. I strongly recommend using Kaspersky Total Security, but there are other good choices too.
3. Do Not Open Email Attachments from Suspicious Senders
This can be a bit tricky, because an email can be genuine, but if an email looks suspicious in any way, make sure you discard it right away. Remember the saying: ‘curiosity killed the cat.’ That is precisely what causes the problem everywhere.
4. Safe Surfing
Visiting torrent sites, porn sites, and similar malicious sites can be detrimental. Ransomware and other viruses are often injected through browser plugins on such shady sites. Make sure you use an antivirus program capable of telling you which websites are safe to visit and which should be avoided. Do not download anything from untrusted sources.
5. Secure Network
Avoid using public Wi-Fi networks. Try using a VPN that gives you a secure connection whenever you go online. A VPN is not just for accessing Netflix or Hulu; it can keep you safe.
6. Keep Everything Updated
Keep your operating system and your security software up to date. Ransomware and other online threats exploit system vulnerabilities. Updates are meant to patch those loopholes, so keeping your software current is instrumental to staying protected.
What to Do When Infected with a Ransomware?
These are the things you should do when you are infected with ransomware:
1. Isolate the Infected Device
If you have multiple devices connected to the same network, isolate the infected device. Make sure you isolate it immediately after realizing it has been infected. A well-designed ransomware can infect all connected devices, which can be catastrophic. So, make sure you isolate the infected device.
2. Disconnect from Network
The device you identified as infected with ransomware is not necessarily patient zero, and its discovery does not guarantee that the ransomware is absent elsewhere on the network. Take your network offline immediately. This will ensure that the ransomware does not spread any deeper into your network.
3. Damage Assessment
Go through all your devices and check for damage. Look for oddly named files and see whether you have trouble opening certain files. If you find computers that have not been completely damaged by the ransomware, move the intact files off them to save them from damage. Go through logs, if possible, to find out where it all began (if you have a network) and identify the likely infection vector.
Talk to everyone using the network to learn whether someone opened a suspicious-looking email or downloaded something from somewhere. This can help you identify the source of the malware (ransomware) and patient zero. This is easier said than done, because there can be multiple patient zeros.
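As an added illustration of the damage-assessment step (not from the original article), here is a small Python triage that applies the two checks just described, oddly named files and files that no longer open, plus a byte-entropy test, to a constructed in-memory set of files. The extension-to-header table, the thresholds and the sample files are assumptions made for the example.

```python
import hashlib
import math
from pathlib import PurePath
from typing import Dict, List

# Expected leading bytes ("magic numbers") for a few common formats.
MAGIC = {
    ".pdf": b"%PDF",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".docx": b"PK\x03\x04",
    ".zip": b"PK\x03\x04",
}
# Assumed thresholds: well-encrypted data approaches 8 bits/byte, and very
# small files give unreliable entropy estimates, so they skip that test.
ENTROPY_THRESHOLD = 7.5
MIN_SIZE_FOR_ENTROPY = 256


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for a single repeated byte, 8.0 for uniform)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def triage_file(name: str, data: bytes) -> List[str]:
    """Return the reasons a file looks encrypted or tampered with (empty = looks fine)."""
    reasons = []
    suffixes = [s.lower() for s in PurePath(name).suffixes]
    # 1. "Oddly named files": a known document extension with an extra one appended.
    if len(suffixes) >= 2 and suffixes[-2] in MAGIC and suffixes[-1] not in MAGIC:
        reasons.append(f"extra extension {suffixes[-1]!r} appended after {suffixes[-2]!r}")
    # 2. "Files that will not open": the innermost known extension must match its header.
    for suffix in reversed(suffixes):
        expected = MAGIC.get(suffix)
        if expected is not None:
            if not data.startswith(expected):
                reasons.append(f"{suffix!r} file does not start with its expected header")
            break
    # 3. Random-looking content with no recognizable format at all.
    if len(data) >= MIN_SIZE_FOR_ENTROPY:
        entropy = shannon_entropy(data)
        has_known_header = any(data.startswith(m) for m in MAGIC.values())
        if entropy >= ENTROPY_THRESHOLD and not has_known_header:
            reasons.append(f"high entropy ({entropy:.2f} bits/byte) and no recognizable header")
    return reasons


def triage(files: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Map each suspicious file name to its reasons; clean files are omitted."""
    findings = {name: triage_file(name, data) for name, data in files.items()}
    return {name: reasons for name, reasons in findings.items() if reasons}


def _random_looking(n: int) -> bytes:
    """Deterministic random-looking bytes standing in for ciphertext (constructed)."""
    out, block = bytearray(), b"constructed-seed"
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


# Constructed sample "disk": two intact files and two that ransomware would leave behind.
SAMPLE_FILES = {
    "invoice.pdf": b"%PDF-1.7\n" + b"1 0 obj << /Type /Catalog >> endobj\n" * 20,
    "holiday.jpg": b"\xff\xd8\xff\xe0" + _random_looking(2048),  # valid JPEG: dense but headed
    "report.docx.locked": _random_looking(3000),                 # renamed and encrypted
    "notes.txt": _random_looking(1024),                          # encrypted in place, name kept
}

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_FILES).items():
        print(name)
        for reason in reasons:
            print("   -", reason)
```

Compressed formats such as JPEG and ZIP are naturally high-entropy, which is why the header check takes precedence over the entropy check.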
4. Decryption Option
There is a service called No More Ransom. It is a worldwide initiative that makes many free decryption keys available. What is interesting is that No More Ransom can help you identify the type of ransomware that hit you. All you need to do is upload an encrypted file to the site, and a tool called Crypto Sheriff will scan it to find a match.
Once you know which ransomware hit you, you can look for a decryption key on No More Ransom to unlock your data. However, do not forget that the decryption keys can help only when you have removed all traces of the ransomware from your infected devices.
5. Do Not Pay
This is the standard advice that security experts and agencies will give you, and so will I. Paying the ransom gives the cybercriminals the incentive they need to carry out such attacks, and there is no guarantee that you will get your data back. So, it is important that you do not pay the ransom.
Instead, make a practice of taking backups frequently. This ensures that even when you are hit by ransomware, you can wipe your computer clean and reinstall the operating system. This removes the malware and gives you back access to your computer. You can then restore all your data from the backup.
If you have no backups and cannot find a decryption key, you are left with two options: pay the ransom and hope to get your data back, or simply move on. By moving on, I mean trying to rebuild all your data from scratch (if you are not willing to pay, or you do not get your data back even after paying); and if that is not possible (which is most likely the case), try to move on, because there is nothing more you can do.
The best defense against ransomware is not a cure but prevention. Staying informed and implementing security best practices will keep you safe. The only true and most effective defense is an isolated backup copy of your data. No matter how big a ransomware attack is, if you have a backup of your data, you will be safe.