A practical guide to surviving a ransomware infection

Published on the 16/09/2016 | Written by Steve Victor


If the idea of a hooded youth in Kazakhstan corrupting your IT systems unless a hefty ransom is paid sounds scary, it should…

With instances of malware attacks and cyber ransom demands increasing at a frightening pace, it’s important to know how to minimise your risks, quickly recognise the symptoms of an attack and be prepared to deal with it.

The threat is real. In the first quarter of 2016, Kaspersky Lab security solutions saved 372,602 users from ransomware attacks. The number of attacked users increased by 30 percent compared to Q4, 2015. Additionally, the FBI estimates that US$209 million was paid to ransomware criminals in Q1 2016.

What exactly are ransomware and cryptolocker?
Two types of malware that are commonly encountered are known as ransomware and CryptoLocker. Understanding these will help you protect your network from becoming infected.

Ransomware is a type of malware that restricts access to the infected computer system in some way, and demands that the user pay a ransom to the malware operators to remove the restriction. Some forms of ransomware systematically encrypt files on the system’s hard drive, which become difficult or impossible to decrypt without paying the ransom for the encryption key. Others may simply lock the system and display messages intended to coax the user into paying. Ransomware typically propagates as a Trojan, which is disguised as a seemingly legitimate file.

CryptoLocker is a ransomware Trojan which targets computers running Microsoft Windows. CryptoLocker is propagated via infected email attachments or via an existing botnet. When activated, the malware encrypts certain types of files, with the private key stored only on the malware’s control servers. The malware then displays a message which offers to decrypt the files if a payment (through bitcoin or a pre-paid cash voucher) is made by a stated deadline, and threatens to delete the private key if the deadline passes. If the deadline is not met, the cost of the decryption increases to a significantly higher price.

How do I know if I’ve been affected by a ransomware virus?
It’s usually quite easy to tell – the symptoms include:

  • You suddenly cannot open normal files and get errors such as ‘the file is corrupted’ or ‘the file has the wrong extension’
  • An alarming message appears on your desktop background with instructions on how to pay to unlock your files
  • A program warns you that there is a countdown until the ransom increases or you will not be able to decrypt your files
  • A window opens to a ransomware program and you cannot close it
  • You see files in all directories with names such as HOW TO DECRYPT FILES.TXT or DECRYPT_INSTRUCTIONS.HTML

How does an infection occur?
The following are common vectors (or pathways) for malware to enter your IT network.

Email attachment: By far the most common scenario involves an email attachment disguised as an innocuous file. If you receive an email with an attachment, or even a link to a software download, and install or open that attachment without verifying its authenticity and the sender’s intention, this can lead directly to a ransomware infection.

Drive-by downloads: Increasingly, infections happen through drive-by downloads, where visiting a compromised website with an old browser or software plug-in, or an unpatched third party application, can infect a machine.

Free software: Another common way to infect a user’s machine is to offer a free version of a piece of software. This can come in many flavours such as “cracked” versions of expensive games or software, free games, game “mods”, adult content, screensavers or bogus software advertised as a way to cheat in online games or get around a website’s paywall.

I’m infected, now what?
It’s imperative that you take action immediately. At a high level, you need to follow these four steps to minimise your exposure:

  • Disconnect immediately: disconnect from any network, turn off wireless capabilities and unplug any storage devices
  • Determine the scope: determine exactly how much of your file infrastructure is compromised or encrypted
  • Determine the strain: so you know exactly which ransomware you’re dealing with
  • Evaluate your response: essentially you have four options: restoring from a recent backup, decrypting your files using a third-party decryptor, doing nothing, or negotiating/paying the ransom.
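The "Determine the scope" step and the symptom list above (files that will no longer open, ransom notes such as HOW TO DECRYPT FILES.TXT or DECRYPT_INSTRUCTIONS.HTML dropped into every directory) can be turned into a quick triage scan. The following script is an added example, not code from the article or from OneNet: it walks a directory tree, flags ransom-note filenames matching the two names the article cites (generalised to a case-insensitive pattern, which is an assumption about how such notes are named), and flags files whose first bytes have the near-maximal Shannon entropy typical of encrypted data. The sample directory, its benign file, its stand-in "encrypted" file and the note files are constructed inline so the script runs offline.

```python
"""Added example: a scope-triage scanner for a suspected ransomware infection.
Flags ransom-note files by name and likely-encrypted files by byte entropy.
All sample files are constructed by build_sample_tree(), not real malware output."""
import math
import os
import re
import tempfile
from collections import Counter

# Note-name pattern built from the two names the article cites; real strains
# vary, so treat this as an assumption to extend, not an exhaustive list.
NOTE_PATTERN = re.compile(r"(how.?to.?decrypt|decrypt_instructions)", re.IGNORECASE)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, 0..8. Plain text sits around 4-5;
    compressed or encrypted data approaches 8."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def scan_tree(root: str, entropy_threshold: float = 7.5, sample_bytes: int = 4096) -> dict:
    """Walk root and return {'notes': [...], 'suspect': [...], 'total': N}.
    Paths are relative to root. Only the first sample_bytes of each file are
    read, so the scan stays cheap on large shares; very small files are skipped
    because entropy estimates on a few bytes are unreliable."""
    notes, suspect, total = [], [], 0
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            total += 1
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if NOTE_PATTERN.search(name):
                notes.append(rel)
                continue
            try:
                with open(path, "rb") as fh:
                    head = fh.read(sample_bytes)
            except OSError:
                continue  # unreadable file: leave it for manual review
            if len(head) >= 256 and shannon_entropy(head) >= entropy_threshold:
                suspect.append(rel)
    return {"notes": sorted(notes), "suspect": sorted(suspect), "total": total}


def build_sample_tree() -> str:
    """Construct a throwaway directory: one readable document, one random-byte
    file standing in for an encrypted document, and two ransom notes."""
    root = tempfile.mkdtemp(prefix="ransom-triage-")
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    with open(os.path.join(docs, "budget.txt"), "w") as fh:
        fh.write("Quarterly budget: rent 1200, power 300, staff 9000.\n" * 40)
    with open(os.path.join(docs, "report.docx.locked"), "wb") as fh:
        fh.write(os.urandom(4096))  # constructed stand-in for ciphertext
    with open(os.path.join(docs, "HOW TO DECRYPT FILES.TXT"), "w") as fh:
        fh.write("Your files have been encrypted.\n")
    with open(os.path.join(root, "DECRYPT_INSTRUCTIONS.HTML"), "w") as fh:
        fh.write("<html>pay by the deadline</html>\n")
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    result = scan_tree(root)
    print(f"{result['total']} files scanned under {root}")
    print("ransom notes found:", result["notes"])
    print("likely encrypted files:", result["suspect"])
```

Run it against a copy of the affected share (or a mounted snapshot) rather than the live disk, since the first step is still to disconnect the machine; the count of flagged files per directory gives the scope figure the fourth step needs, and the note files are the quickest way to identify the strain. Office documents and archives are already compressed, so a production threshold needs tuning per file type to avoid false positives.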

Do you have a recovery plan in place?
A Disaster Recovery Plan (DRP) is a documented process or set of procedures to recover and protect a business’ IT infrastructure in the event of a disaster. Given organisations’ increasing dependency on information technology to run their operations, a DRP is essential and should be developed and tested in advance to best facilitate the recovery of information technology data, assets and facilities.

Interested to find out more about protecting your business?

Contact OneNet today or watch this video where OneNet’s CTO, Tony Weston, shares four key factors in IT Security.

About OneNet:
OneNet can provide an availability assessment to review your availability requirements and assess your preparedness to deal with an unforeseen issue or outage. OneNet’s consultants can discuss this with you in confidence so that you can make an informed decision. As a NZ-based technology solution provider we are on the ground and here to help.
