This post is a part of our ongoing series on ransomware. Take a look at our other posts for more information on how businesses can defend themselves against a ransomware attack, and more.
It’s a nightmare scenario faced by thousands every year.
Maybe you’ve beaten the odds so far, but there may come a day when you boot up your laptop, only to find yourself the victim of a ransomware attack.
You might not even realize it at first, the only signs being odd drops in file associations, lag times, and slowdowns. You might chalk it up to a glitch…until the IT department calls you.
And when they say those three words no one wants to hear, “We’ve been breached,” it will all start to make sense. Especially when you glance down to your screen and see the inevitable truth in black and white (Or red with yellow hazard stripes. Or a skull and crossbones. What can we tell you, scammers have a certain style guide they adhere to).
You’ve been infected with ransomware. You have lots of company.
In 2021, the FBI’s Internet Crime Complaint Center received 3,729 ransomware complaints, and those are just the ones that got reported. Cybersecurity Ventures expects that, by 2031, businesses will fall victim to a ransomware attack every other second, up from every 11 seconds in 2021, every 14 seconds in 2019, and every 40 seconds in 2016—an acceleration greatly influenced by the rise of remote work following the global pandemic.
These trends show us that ransomware attacks are rising at an exponential rate. As such, the financial impact will keep pace. An attack on corporate networks that encrypts sensitive information can cost businesses hundreds of thousands—even millions—of dollars. That same Cybersecurity Ventures report states that ransomware damages reached $20 billion in 2021, and predicts that number to hit $265 billion by 2031.
Ransom amounts are also reaching new heights. One firm, CNA Financial, paid a historic $40 million ransom following a 2021 attack, possibly the largest payout to date. In 2021, payment amounts declined throughout the year, with Coveware reporting average payments of $136,576 for Q2 2021, a decrease of 38% from the previous quarter. This was due to increasing pressure from law enforcement, but seems to have only been a temporary setback. Unit 42 reported an overall increase in ransom payments of 78% by the end of last year.
Ransomware affects all industries, from tech to healthcare, and oil and gas to higher education. Perhaps the most interesting new development has been the rise of attacks against public sector entities. Perhaps spurred by the recent legislative action in a handful of states, which bans the use of tax dollars for ransom payments, hackers have begun targeting smaller, privately-held businesses across all industries.
Ransomware continues to be a major threat to businesses in all sectors, but more and more we see the greatest impact being leveled at businesses between 11 and 1,000 employees. The aforementioned Coveware report shows that companies of this size made up the vast majority (70.4%) of all companies impacted by ransomware attacks.
Regardless of your firm’s size, you’ll want to understand how ransomware works and how recent changes to the law might impact your strategy.
Ransomware and The Law: New Developments
While the federal government has continued responding to these new and evolving ransomware threats, it has pivoted its stance. For a long time, the FBI’s guidance was essentially, “don’t pay the ransom, just report it.” Occasionally, field offices would issue reminders to businesses in their jurisdiction to bolster their security, but for the most part the government operated in more of an advisory capacity.
Last year, however, the Justice Department hinted at implementing proactive measures to ensure attacks are reported. Speaking at a Senate Judiciary Committee hearing, Deputy Assistant Attorney General Richard Downing was quoted by The Washington Post saying, “The government and Congress does not have a full picture of the threat facing companies. Congress should enact legislation to require victims to report.”
Nothing has been passed yet, but the winds are shifting towards greater responsibility on the victim to report ransomware attacks.
Ransomware Insurance: An Ounce of Prevention
Cyber insurance is nothing new. For over a decade, providers have offered policies that cover outages from viruses, data lost to hackers, and other assorted online pitfalls. Ransomware claims, however, have skyrocketed—now accounting for nearly 75% of all claims filed.
Consequently, the cost of coverage has continued apace, with premiums rising to unprecedented levels. Utility companies, already under the spotlight after Colonial, have seen increases of 25-30% in their premiums. In some cases, premiums have risen 74%.
How Does Ransomware Work?
A ransomware attack starts when a machine on your network becomes infected with malware. Hackers have a variety of methods for infecting your machine, whether it’s an attachment in an email, a link sent via spam, or even a sophisticated social engineering campaign. As users become more savvy to these attack vectors, hackers’ strategies evolve (see section six, “How to Prevent a Ransomware Attack”). Once that malicious file has been loaded onto an endpoint, it spreads to the network, locking every file it can access behind strong encryption. If you want to get through that encryption, you’ll have to pay the price.
Encrypting ransomware or cryptoware is by far the most common recent variety of ransomware. Other types that might be encountered are:
- Non-encrypting ransomware or lock screens (restricts access to files and data, but does not encrypt them).
- Ransomware that encrypts a drive’s Master Boot Record (MBR) or Microsoft’s NTFS, which prevents victims’ computers from being booted up in a live OS environment.
- Leakware or extortionware (steals compromising or damaging data that the attackers then threaten to release if ransom is not paid).
- Mobile device ransomware (infects cell-phones through drive-by downloads or fake apps).
Latest Trends in Malware
Over the past year, one long-standing trend that has recently gained popularity is ransomware as a service (RaaS). Through dark-web vendors, cybercriminals only need the opportunity to infect your system, relying on software they employ in exchange for giving the developers a cut. This means that ransomware attacks no longer require much knowledge on the attacker’s part.
This trend has naturally led to a massive uptick in attacks, meaning the next one isn’t a question of if, but when. As such, it’s better to be overly prepared when it comes to IT security, and the importance of backing up and securing your data should be common practice for organizations both large and small.
What Happens During a Typical Attack?
- Infection: Whether through a phishing email, physical media (e.g. thumbdrive), or any other method, the ransomware need only install itself on a single endpoint or network device to gain access.
- Secure Key Exchange: Once installed, the ransomware sends a signal to the perpetrator’s central command and control server to generate the cryptographic keys that will lock the system.
- Encryption: With its lock in place, the software will begin encrypting any file it can find, both on the local machine and across the network.
- Extortion: Now that it has gained secure and impenetrable access to your files, the ransomware will display an explanation of what comes next—details of the exchange, the ransom amount, and the consequences of non-payment.
- Unlocking or restoring: At this point, the victim can either attempt to remove infected files and systems and restore from a clean backup, or pay the ransom. If you are forced to pay, negotiating is always an option, with Unit 42 reporting that average payments generally ran 42.87% of what was initially asked.
Who Gets Attacked?
Ransomware attacks target firms of all sizes—5% or more of businesses in the top 10 industry sectors have been attacked—and no business, from small and medium-sized businesses to enterprises, is immune. Attacks are on the rise in every sector and in every size of business. This leaves small- to medium-sized businesses particularly vulnerable, as they may not have the resources needed to shore up their defenses. With recession fears on the rise, they may be hesitant to invest in ransomware protection.
Also, the phishing attempt that targeted the World Health Organization (WHO), though unsuccessful, proves that no entity is out of bounds when it comes to attackers’ victims. These attempts indicate that organizations which often have weaker controls and out-of-date or unsophisticated IT systems should take extra caution to protect themselves and their data.
The unfortunate truth is that ransomware has become so widespread that most companies will certainly experience some degree of a ransomware or malware attack. The best they can do is be prepared and understand the best ways to minimize the impact of ransomware.
“Ransomware is more about manipulating vulnerabilities in human psychology than the adversary’s technological sophistication.”—James Scott, Institute for Critical Infrastructure Technology
Phishing emails, malicious email attachments, and visiting compromised websites have been common vehicles of infection (we wrote about phishing in “Top 10 Ways to Protect Yourself Against Phishing Attacks”), but other methods have recently become more common. Weaknesses in Microsoft’s Server Message Block (SMB) and Remote Desktop Protocol (RDP) have allowed cryptoworms to spread. Desktop applications—in one case an accounting package—and even Microsoft Office (Microsoft’s Dynamic Data Exchange (DDE)) have also been agents of infection.
Recent ransomware strains such as Petya, CryptoLocker, and WannaCry have incorporated worms to spread themselves across networks, earning the nickname, “cryptoworms.”
How to Defeat Ransomware
So, you’ve been attacked by ransomware. Depending on your industry and legal requirements (which, as we have seen, are ever-changing), you may be obligated to report the attack first. Otherwise, your immediate footing should be one of damage control. So what should you do next?
- Isolate the Infection: Separate the infected endpoint from the rest of your network and any shared storage to prevent it from spreading.
- Identify the Infection: There are several different strains of malware, and each requires a different response. Scan messages and files on the computer or run identification tools to get a better picture of what you’re dealing with.
- Report: Regardless of whether you’re legally required to, it’s not a bad idea to report the attack to the authorities. They can help support and coordinate counter-attack measures.
- Determine Your Options: You have a number of ways to deal with the infection. Determine which approach is best for you.
- Restore and Refresh: Use safe backups and program and software sources to restore your computer or outfit a new platform.
- Plan to Prevent Recurrence: Make an assessment of how the infection occurred and what measures you can implement to ensure it won’t happen again.
1. Isolate the Infection
Depending on the strain of ransomware you’ve been hit with, you may have little time to react. Fast-moving strains can spread from a single endpoint across networks, locking up your data as it goes, before you even have a chance to contain it.
The first step, even if you only suspect that one computer may be infected, is to isolate it from other endpoints and storage devices on your network. Disable Wi-Fi, disable Bluetooth, and unplug the machine from any LAN or storage device it might be connected to. This not only contains the spread but also keeps the ransomware from communicating with the attackers.
Just know that you may be dealing with more than just one “patient zero.” The ransomware could have entered your system through multiple vectors. It may already be laying dormant on another system. Until you can confirm, treat every connected and networked machine as a potential host to ransomware.
2. Identify the Infection
Just as there are bad guys spreading ransomware, there are good guys helping you fight it. Sites like ID Ransomware and the No More Ransom! Project’s Crypto Sheriff help identify which strain you’re dealing with. Knowing what type of ransomware you’ve been infected with will help you understand how it propagates, what types of files it typically targets, and what options, if any, you have for removal and disinfection. You’ll also get more information if you report the attack to the authorities (which you really should).
3. Report to the Authorities
It’s understood that sometimes it may seem to be in your business’s best interest to simply pay the ransom and move on. Maybe you don’t want the attack to be public knowledge. Maybe the potential downside of involving the authorities (lost productivity during investigation, etc.) outweighs the amount of the ransom. But reporting the attack is how you help keep everyone from becoming victimized. With every attack reported, the authorities get a clearer picture of who is behind attacks, how they gain access to your system, and what can be done to stop them.
You can file a report with the FBI at the Internet Crime Complaint Center.
There are other ways to report ransomware, as well.
4. Determine Your Options
The good news is, you have options. The bad news is that the most obvious option, paying up, is a terrible idea.
Simply giving into hackers’ demands may seem attractive to some, especially in those previously mentioned situations where paying the ransom is less expensive than the potential loss of productivity. Hackers are counting on this, with Coveware noting that attackers tend to target smaller firms specifically because it often makes more financial sense for them to just pay out.
However, paying the ransom only encourages attackers to strike other businesses or individuals like you. Paying the ransom not only fosters a criminal environment but also leads to civil penalties—and you might not even get your data back.
The other option is to try and remove it.
5. Restore or Start Fresh
Whether you can successfully and completely remove an infection is up for debate. A working decryptor doesn’t exist for every known ransomware. The nature of the beast is that every time a good guy comes up with a decryptor, a bad guy writes new ransomware. To be safe, you’ll want to follow up by either restoring your system or starting over entirely.
We have some thoughts, as evidenced by the following very large letters:
Why Starting Over is the Better Idea
The surest way to confirm malware or ransomware has been removed from a system is to do a complete wipe of all storage devices and reinstall everything from scratch. Formatting the hard disks in your system will ensure that no remnants of the malware remain.
If you’ve been following a sound backup strategy, you should have copies of all your documents, media, and important files right up to the time of the infection.
Be sure to determine the date of infection as precisely as possible from malware file dates, messages, and other information you have uncovered about how your particular malware operates. Consider that an infection might have been dormant in your system for a while before activating and making significant changes to your system. Identifying and learning about the particular malware that attacked your systems will enable you to understand how that malware functions and what your best strategy should be for restoring your systems.
Select a backup or backups that were made prior to the date of the initial ransomware infection. With Extended Version History, you can go back in time and specify the date to which you would like to restore files.
If you’ve been following a good backup policy with both local and off-site backups, you should be able to use backup copies that you know weren’t connected to your network after the time of attack, and hence, protected from infection. Backup drives that were completely disconnected should be safe, as are files stored in the cloud.
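As an added example (not code from the original post or any vendor’s tooling), the Python below puts the two steps above into practice: it dates the infection from the earliest encrypted file or ransom note it finds on disk, then picks the newest backup snapshot that predates that estimate by a safety margin. The suspect extensions and note names are assumptions standing in for what the strain identification step actually reports, and the sample tree is constructed in a temporary directory.

```python
"""Ransomware triage: date the infection from on-disk artifacts, then pick a clean backup."""
import math
import os
import shutil
import tempfile
from datetime import datetime, timedelta, timezone

# Assumed indicators, illustrative only: take the real ones from strain identification.
SUSPECT_EXTENSIONS = {".locked", ".encrypted", ".crypt"}
RANSOM_NOTE_NAMES = {"readme_to_decrypt.txt", "how_to_restore_files.txt"}
ENTROPY_THRESHOLD = 7.5  # bits per byte; encrypted data sits close to 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data`; 0.0 for empty input."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_encrypted(path: str, sample_size: int = 4096) -> bool:
    """Cheap triage signal: a suspect extension AND a high-entropy file head.
    Requiring both keeps ordinary files that merely carry an odd extension out."""
    if os.path.splitext(path)[1].lower() not in SUSPECT_EXTENSIONS:
        return False
    with open(path, "rb") as fh:
        return shannon_entropy(fh.read(sample_size)) >= ENTROPY_THRESHOLD


def estimate_infection_time(root: str):
    """Return (earliest artifact mtime as UTC datetime or None, sorted hit paths)."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if name.lower() in RANSOM_NOTE_NAMES or looks_encrypted(path):
                hits.append(path)
    if not hits:
        return None, []
    earliest = min(os.path.getmtime(p) for p in hits)
    return datetime.fromtimestamp(earliest, tz=timezone.utc), sorted(hits)


def choose_clean_backup(snapshots, infection_time, margin=timedelta(hours=1)):
    """Newest snapshot finished at least `margin` before the estimate, else None.
    The margin covers encryption that started before the earliest surviving artifact."""
    cutoff = infection_time - margin
    clean = [s for s in snapshots if s <= cutoff]
    return max(clean) if clean else None


def demo() -> dict:
    """Run the triage over a constructed sample tree in a temp directory."""
    t0 = datetime(2022, 3, 14, 2, 0, tzinfo=timezone.utc)  # constructed infection time
    root = tempfile.mkdtemp(prefix="triage_")
    try:
        def put(name, data, when):  # write a file and back-date its mtime
            path = os.path.join(root, name)
            with open(path, "wb") as fh:
                fh.write(data)
            os.utime(path, (when.timestamp(), when.timestamp()))
        put("budget.xlsx", b"quarterly totals\n" * 200, t0 - timedelta(days=2))  # untouched
        put("budget.xlsx.locked", os.urandom(4096), t0)  # first encrypted file
        put("README_TO_DECRYPT.txt", b"pay to restore your files", t0 + timedelta(minutes=5))
        # Odd extension but plain text and an older date: the entropy check must skip it.
        put("notes.locked", b"plain text, wrong extension\n" * 100, t0 - timedelta(days=9))
        infection, hits = estimate_infection_time(root)
    finally:
        shutil.rmtree(root)
    snapshots = [t0 - timedelta(days=3), t0 - timedelta(days=1),
                 t0 - timedelta(minutes=30), t0 + timedelta(days=1)]
    backup = choose_clean_backup(snapshots, infection)
    return {"infection_time": infection.isoformat(), "suspicious": len(hits),
            "backup": backup.isoformat() if backup else None}
```

Calling `demo()` dates the infection to the first `.locked` file and skips the 30-minute-old snapshot in favour of the one from the previous day; a `None` backup means the version history has to be searched further back.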
So, Why Not Just Run a System Restore?
While it may be tempting to simply use a System Restore Point to get your system back up and running, it is not the best solution for removing the virus or malware that caused the problem in the first place. Malicious software is typically buried within all kinds of places on a system, meaning a System Restore can’t root out every instance. Also, System Restore does not save old copies of your personal files as part of its snapshot. You should always have a reliable backup procedure in place, since System Restore will not delete or replace any of your personal files.
An additional issue is that ransomware can encrypt your local backups. If it’s connected to a computer that is infected with ransomware, odds are that your local backup solution will have its data encrypted along with everything else.
With a good backup solution that is isolated from your local computers, you can easily obtain the files you need to get your system working again. This will also give you the flexibility to determine which files to restore from a particular date and how to obtain the files you need to restore your system.
Of course, you’re going to have to start somewhat from scratch at this point, reinstalling your OS and various software applications, either from the source media or the internet. A solid set of account management and software credentials practices will be immensely helpful in reactivating any accounts. An online password manager which stores your account numbers, usernames, passwords, and other critical information will let you access your entire online life in one interface. That is, of course, if you remember the master username and password you’ve used to access these programs.
6. How to Prevent a Ransomware Attack
“Ransomware is at an unprecedented level and requires international investigation.”—European police agency Europol
As we’ve demonstrated, a ransomware attack can be devastating for both your personal online life and your business. Valuable and irreplaceable files can be lost, and ridding yourself of the infection can take hundreds of hours of wasted time.
Every day, the methods that these hackers use to infect unwitting systems with ransomware grow more sophisticated. You don’t have to be one of the growing numbers of victims. Preventing ransomware attacks is simply a matter of savvy practices, vigilance, and good planning.
Know How Viruses Enter Your Workplace and Computer
To truly prepare for an attack, you need to know how ransomware can enter your system. These methods of gaining access to your systems are known as attack vectors.
Attack vectors can be divided into two types: human attack vectors and machine attack vectors.
Human Attack Vectors
Often, the weak link in your security protocol is the ever-elusive x-factor of human error. Hackers know this and exploit it through social engineering. In the context of information security, social engineering is the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes. In other words, the weakest point in your system is usually somewhere between the keyboard and the chair.
Common human attack vectors include:
1. Phishing
Phishing uses seemingly legitimate emails to trick people into clicking on a link or opening an attachment, unwittingly delivering the malware payload. The email might be sent to one person or many within an organization, but sometimes the emails are targeted to help them seem more credible. This targeting takes a little more time on the attackers’ part, but the research into individual targets can make their email seem even more legitimate. They might disguise their email address to look like the message is coming from someone the sender knows, or they might tailor the subject line to look relevant to the victim’s job. This highly personalized method is called “spear phishing.” Read more about this type of attack vector in our post, “Top 10 Ways to Protect Yourself Against Phishing Attacks.”
2. SMSishing
As the name implies, SMSishing uses text messages to get recipients to navigate to a site or enter personal information on their device. Common approaches use authentication messages or messages that appear to be from a financial or other service provider. Even more insidiously, some SMSishing ransomware attempts to propagate itself by sending itself to every contact in the device’s contact list.
3. Vishing
In a similar manner to email and SMS, vishing uses voicemail to deceive the victim, leaving a message with instructions to call a seemingly legitimate number which is actually spoofed. Upon calling the number, the victim is coerced into following a set of instructions which are ostensibly to fix some kind of problem. In reality, they are being tricked into installing malware on their own computer. Like so many other methods of phishing, vishing has become increasingly sophisticated, with sound effects and professional diction that make the initial message and follow-up call seem more legitimate. And like spear phishing, it has become highly targeted.
4. Social Media
Social media can be a powerful vehicle to convince a victim to open a downloaded image from a social media site or take some other compromising action. The carrier might be music, video, or other active content that, once opened, infects the user’s system.
5. Instant Messaging
Between them, IM services like WhatsApp, Facebook Messenger, Telegram, and Snapchat have more than 4 billion users, making them an attractive channel for ransomware attacks. These messages can seem to come from trusted contacts and contain links or attachments that infect your machine and sometimes propagate across your contact list, furthering the spread.
Machine Attack Vectors
The other type of attack vector is machine to machine. Humans are involved to some extent, as they might facilitate the attack by visiting a website or using a computer, but the attack process is automated and doesn’t require any explicit human cooperation to invade your computer or network.
1. Drive-by Downloads
The drive-by vector is particularly malicious, since all a victim needs to do is visit a website carrying malware within the code of an image or active content. As the name implies, all you need to do is cruise by and you’re a victim.
2. System Vulnerabilities
Cybercriminals learn the vulnerabilities of specific systems and exploit those vulnerabilities to break in and install ransomware on the machine. This happens most often to systems that are not patched with the latest security releases.
3. Malvertising
Malvertising is like drive-by, but uses ads to deliver malware. These ads might be placed on search engines or popular social media sites in order to reach a large audience. A common host for malvertising is adults-only sites.
4. Network Propagation
Once a piece of ransomware is on your system, it can scan for file shares and accessible computers and spread itself across the network or shared system. Companies without adequate security might have their company file server and other network shares infected as well. From there, the malware will propagate as far as it can until it runs out of accessible systems or meets security barriers.
5. Propagation Through Shared Services
Online services such as file sharing or syncing services can be used to propagate ransomware. If the ransomware ends up in a shared folder on a home machine, the infection can be transferred to an office or to other connected machines. If the service is set to automatically sync when files are added or changed, as many file sharing services are, then a malicious virus can be widely propagated in just milliseconds.
It’s important to be careful and consider the settings you use for systems that automatically sync, and to be cautious about sharing files with others unless you know exactly where they came from.
Best Practices to Defeat Ransomware
Security experts suggest several precautionary measures for preventing a ransomware attack.
- Use anti-virus and anti-malware software or other security policies to block known payloads from launching.
- Make frequent, comprehensive backups of all important files and isolate them from local and open networks.
- Immutable backup options such as Object Lock offer users a way to maintain truly air-gapped backups. The data is fixed, unchangeable, and cannot be deleted within the time frame set by the end-user. With immutability set on critical data, you can quickly restore uninfected data from your immutable backups, deploy them, and return to business without interruption.
- Keep offline data backups stored in locations air-gapped or inaccessible from any potentially infected computer, such as disconnected external storage drives or the cloud, which prevents the ransomware from accessing them.
- Keep your security up-to-date through trusted vendors of your OS and applications. Remember to patch early and patch often to close known vulnerabilities in operating systems, browsers, and web plugins.
- Consider deploying security software to protect endpoints, email servers, and network systems from infection.
- Exercise good cyber hygiene, including caution when opening email attachments and links.
- Segment your networks to keep critical computers isolated and to prevent the spread of malware in case of an attack. Turn off unneeded network shares.
- Turn off admin rights for users who don’t require them. Give users the lowest system permissions they need to do their work.
- Restrict write permissions on file servers as much as possible.
- Educate yourself, your employees, and your family in best practices to keep malware out of your systems. Update everyone on the latest email phishing scams and social engineering aimed at turning victims into abettors.
It’s clear that the best way to respond to a ransomware attack is to avoid having one in the first place. Other than that, making sure your valuable data is backed up and unreachable to a ransomware infection will ensure that your downtime and data loss will be minimal to none if you ever fall prey to an attack.
Have you endured a ransomware attack or have a strategy to keep you from becoming a victim? Please let us know in the comments.