Ransomware is becoming increasingly common on our systems. Reveton, WannaCry, Cryptolocker, REvil: if you know these names, it's because they are all ransomware that have caused significant damage.
Ransomware is the monetization method of many hacker groups and represents a real industry with publishers, operators, money launderers, etc.
In this article, we will see how to protect yourself from ransomware, what to do in case of infection, and why paying a ransom is not a recommended solution.
1. Protecting yourself from ransomware
When it comes to protecting yourself from ransomware - as with any cyber threat - having a good cybersecurity strategy is essential. An extremely important point in protecting against these types of software is backup. It is important to regularly back up your data in order to better prepare for external events.
Opt for a backup strategy called "3-2-1": 3 copies of your data, 2 stored locally but on different media, and 1 copy in a different geographical location than the production system. A cloud-based solution can cover two of these points. However, remember to keep an offline backup, i.e., disconnected from the network. In the event of a complete infection of your systems, the ransomware will not be able to access it.
Ransomware comes from outside: it is deployed by the hacker or executed directly from an attachment. Implementing filtering and content analysis solutions in advance also helps reduce the risk of contact with malware. These tools identify emails containing potentially malicious attachments or malicious links to prevent them from landing in your inbox.
Monitor your network activity through monitoring solutions. It is possible to identify certain suspicious connections before the installation or triggering of the ransomware and thus prevent the encryption of your data. Network monitoring helps identify suspicious connections to or from the outside, usually the first step in the development of ransomware. EDR tools, on the other hand, perform process monitoring. They allow you to identify suspicious operations such as launching a script from an office document or encrypting files and block malicious processes early enough to limit the damage.
Finally, it is important to effectively raise awareness among your employees about the dangers of ransomware and how to identify phishing attempts. Indeed, this technique is one of the main vectors of infection for the initial stage before the deployment of ransomware. It is therefore necessary to train colleagues on these issues and on methods for identifying a phishing email.
2. What to do in case of ransomware infection?
It is possible that even by following these recommendations, you may become a victim of ransomware. But in this situation, what should you do?
The rule to be applied by everyone is not to try to restart the infected computer. It may happen that the ransomware is limited by an authorization problem or by files locked by the running system, preventing it from encrypting certain documents. By restarting, your colleagues may inadvertently allow the encryption of previously inaccessible files. It is also sometimes possible to find evidence for decryption in the memory, which will be cleared upon restart.
Disconnect the infected workstation(s) from the network - disable Wi-Fi or unplug the Ethernet cable - to prevent the ransomware from spreading to other computers connected to the same network.
Then disconnect the remaining external systems, such as network-attached storage (NAS) servers, to contain the spread of the ransomware.
If you regularly back up your data, restore the most recent version to recover your files. However, if you have no backup available, cleaning and restoring your computer will be much more difficult. That is why it is important to implement a backup strategy as mentioned earlier. Be careful not to contaminate your offline backups once you connect them to a potentially infected network.
The ANSSI and incident response experts may sometimes intervene and help you recover your files. Security researchers or software publishers may develop tools or obtain encryption keys related to specific ransomware. During the eradication of the Cryptolocker ransomware, two companies, Fox-IT and FireEye, set up an online tool called Decrypt Cryptolocker. They allowed victims to recover their files for free. Check if there is a tool available on the internet to help you recover your data.
3. The issue of paying the ransom
Although paying generally allows you to recover your data and become operational again, it does not mean that the data will not be exploited or published afterwards.
Moreover, it does not address the vulnerabilities through which the hackers were able to install the ransomware. It is therefore entirely possible that they will strike again a few months later.
The Censuswide firm conducted a study in April 2021 for Cybereason on the theme of ransomware. They surveyed 1263 security professionals from 7 different countries. 80% of respondents who chose to pay a ransom during a ransomware attack experienced a second attack shortly thereafter. 46% of them believe they were targeted by the same individuals.
This study also indicates that 3% of those who paid the ransom did not recover their files, and 46% recovered partially corrupted files. Paying does not guarantee that hackers will keep their promise; don't forget that you are dealing with criminals.
Moreover, some proposed legislation aims to ban ransom payments. The consequences of such legislation are still being discussed to determine if it would truly be beneficial.
At Arsen, we recommend not paying the ransom. Besides not having the certainty of getting your files in return, paying the ransom also finances the industry and potentially future attacks. Fueling cybercrime perpetuates an endless cycle.
Prevention is better than cure, which is why it is important to raise awareness and train employees to better protect them and reduce the company's vulnerability to these attacks.