Ransomware Protection: Removal, User Education, and Prevention
What Is Ransomware?
Ransomware is malicious software (malware) that uses cryptography to hold data for ransom. It encrypts files so that legitimate users can no longer access them, and the attacker offers the means to decrypt them only if the organization or individual pays.
Modern ransomware uses hybrid encryption. Each file is encrypted with a fast symmetric cipher such as AES under a freshly generated per-file key, and that key is then wrapped with an asymmetric public key (typically RSA) that the threat actor embeds in the malware or generates for each victim. In asymmetric cryptography the public key encrypts and only the matching private key decrypts, so the private key never has to be present on the victim's machine.
The private key is what unwraps the file keys, and it is offered to victims only after they pay. In some cases the attacker takes the payment and never delivers the key, or delivers a decryptor that does not work. Unless the malware's author made an implementation mistake (a reused or recoverable key, a weak random number generator, the private key left behind in memory), it is computationally infeasible to decrypt the files without the private key.
Once the ransomware payload executes on a system, it enumerates and encrypts valuable files such as images, documents, and databases, and many variants first delete local recovery points such as Volume Shadow Copies. It may also attempt to spread to other systems over private or public networks by exploiting vulnerabilities or writing to accessible network shares.
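To make the key direction concrete, here is an added example in Go, written for this page rather than taken from any ransomware family or from Hysolate, of the hybrid scheme described above: each file gets a fresh AES-256-GCM key, that key is wrapped with RSA-OAEP under the attacker's public key, and only the holder of the private key can unwrap it. It operates on an in-memory byte string labelled as a constructed sample and never touches the filesystem; the type and function names are this example's own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// EncryptedFile is what is left behind for one file: the AES-GCM ciphertext,
// its nonce, and the per-file key wrapped under the attacker's RSA public key.
type EncryptedFile struct {
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte
}

// EncryptWithPublicKey models the victim-side step. Only the PUBLIC key is needed:
// a fresh 256-bit AES key encrypts the content, RSA-OAEP wraps that key, and the
// plain file key is discarded. Nothing left on the victim machine can unwrap it.
func EncryptWithPublicKey(pub *rsa.PublicKey, plaintext []byte) (*EncryptedFile, error) {
	fileKey := make([]byte, 32)
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ciphertext := gcm.Seal(nil, nonce, plaintext, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	for i := range fileKey { // the unwrapped key must not outlive this function
		fileKey[i] = 0
	}
	return &EncryptedFile{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ciphertext}, nil
}

// DecryptWithPrivateKey models the step the attacker sells: unwrap the file key
// with the PRIVATE key, then decrypt the content. Any other private key fails.
func DecryptWithPrivateKey(priv *rsa.PrivateKey, ef *EncryptedFile) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ef.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap file key: wrong or missing private key")
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, ef.Nonce, ef.Ciphertext, nil)
}

// Demo runs the scheme on a constructed sample document. It reports whether the
// matching private key recovers the plaintext and whether an unrelated key fails.
func Demo() (recovered, wrongKeyFails bool, err error) {
	attacker, err := rsa.GenerateKey(rand.Reader, 2048) // key pair generated per victim
	if err != nil {
		return false, false, err
	}
	sample := []byte("constructed sample document: Q3 figures (not real data)")
	ef, err := EncryptWithPublicKey(&attacker.PublicKey, sample)
	if err != nil {
		return false, false, err
	}
	plain, err := DecryptWithPrivateKey(attacker, ef)
	if err != nil {
		return false, false, err
	}
	recovered = bytes.Equal(plain, sample)
	other, err := rsa.GenerateKey(rand.Reader, 2048) // someone else's key pair
	if err != nil {
		return false, false, err
	}
	_, wrongErr := DecryptWithPrivateKey(other, ef)
	wrongKeyFails = wrongErr != nil
	return recovered, wrongKeyFails, nil
}

func main() {
	ok, fails, err := Demo()
	fmt.Printf("recovered with matching private key: %v, unrelated key rejected: %v, err: %v\n", ok, fails, err)
}
```

The point to take away is that EncryptWithPublicKey needs nothing secret, so analysis of the infected host recovers a file key only if the malware author left the private key or an unwrapped AES key behind. Free decryptors exist precisely for families where such a mistake was made or where law enforcement obtained the keys.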
Ransomware Removal—What to Do When You Get Infected
Once ransomware has encrypted files, it displays a ransom note. At this point stakeholders in the organization need to decide whether or not to pay, bearing in mind that payment does not guarantee a working key.
Without the key or a clean backup, recovering the encrypted files is usually not possible. There are, however, actions you should take immediately when ransomware infects your systems:
- Quarantine the machine: some ransomware variants try to spread to other hosts, mapped network shares, and connected drives. Disconnect the network (unplug the cable, disable Wi-Fi), detach external drives, and pause cloud-sync clients so that encrypted files do not overwrite the synced copies.
- Leave the computer on: powering off discards volatile memory, which may still hold the encryption keys or other evidence a responder can use. Keep the isolated machine running until a forensic image, including memory, has been taken.
- Create a backup: copy the encrypted files and the ransom note to removable media before attempting any recovery. If a decryption attempt fails or corrupts the files, you still have the originals.
- Check for decryptors: the No More Ransom Project offers free decryptors for families whose keys were recovered or whose encryption was flawed. Identify the family first (from the ransom note and the extension appended to the files), and run the decryptor on a copy of the encrypted data before trusting it on the originals.
- Ask for help: Windows keeps Volume Shadow Copies and applications keep temporary and autosave files. Many ransomware variants delete these, but digital forensics experts may be able to recover copies that were not entirely deleted or overwritten.
- Wipe and restore: rebuild the machine from a clean operating system installation or a backup that predates the infection, and reset any credentials that were stored or used on it. This is the only way to be confident that every malware component is gone.
User Education: How Users Can Prevent Ransomware Infection
User education is essential for preventing ransomware infection. Training sessions should be conducted periodically to ensure users are aware of important security measures, including:
- Avoid clicking on links from unknown or untrusted sources, whether in websites, emails, or chat messages.
- Avoid revealing sensitive information, including personal details and credentials that an attacker could use to gain the access needed to launch a ransomware attack. Even if a request appears legitimate, verify it through a separate channel.
- Avoid opening suspicious email attachments, especially documents that prompt you to enable macros; macros are a common entry point for malware.
- Avoid using unknown flash drives or other removable media whose origin you cannot verify.
- Keep your operating system and applications updated so that known vulnerabilities are patched before attackers can exploit them.
- Avoid downloads from unknown sources and only download from sites you trust. A padlock or HTTPS indicator means the connection is encrypted, not that the site or the file is safe; check the publisher and verify the file's signature or hash where one is provided.
- Use a VPN on public Wi-Fi, or avoid sensitive transactions on it altogether, since untrusted networks expose your device to interception and tampering.
Protecting against Ransomware: Building an Anti-Ransomware Program
An anti-ransomware program can help protect organizations against ransomware attacks. Here are the five main elements of an effective anti-ransomware program: resilient backups, hardened backup infrastructure, regular recovery testing, early detection, and a rehearsed recovery plan.
Backups are the foundation of an anti-ransomware program. When creating backups, follow the 3-2-1-1 rule: keep three copies of the data, on two different media types, with one copy off-site and one copy immutable (write-once, so that neither an attacker nor a compromised administrator account can alter or delete it).
An immutable copy can be rotated offline media such as tape or disk that is disconnected from the network and taken to a secured secondary location, or cloud object storage with immutability (object lock or retention policies) enabled; a wide range of vendors offer the latter. Besides protecting against ransomware, a secure off-site copy makes recovery easier after other disasters.
When choosing an off-site option, note that recovery from offline media is usually slower, and offline backups are harder to test. You can achieve faster recovery by also replicating to a hot target, such as a cloud service or a secondary appliance, that keeps a copy ready to restore from. The hot copy is not a substitute for the immutable one, since anything reachable over the network is also reachable by the attacker.
Ransomware usually targets Windows. According to recent findings, over 83% of malware was designed to breach Windows systems. Backup systems are themselves an attractive target, because they typically consist of many Windows role-based instances for data movement, centralized management, reporting, and search and analytics, and securing all of those machines is complex.
To secure those Windows components, lock each one down so that it can perform only the actions its role requires, with separate credentials from the production domain and multi-factor authentication for backup administrators. Alternatively, integrated backup appliances remove much of this complexity and come hardened by default.
Many factors can impede a successful recovery, for example restoring from backup copies that already contained the malware or were taken after encryption began. This is why you should regularly test the viability of your backup and disaster recovery strategy by performing actual restores rather than only checking job status. Automated recovery testing can complement your data management and protection efforts.
Strive to detect ransomware as early as possible, because early detection limits the damage and speeds recovery. Many backup vendors offer anomaly detection, sometimes assisted by machine learning (ML), that flags abnormal data fluctuations such as a sudden jump in the volume of changed data, in the entropy of backed-up files, or in the number of files renamed to unfamiliar extensions, and alerts administrators.
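As an added illustration of that kind of detection (example code written for this page, not a vendor's product and not Hysolate's), the Go program below computes Shannon entropy per byte and runs a sliding-window detector over a constructed set of file events: a process that rewrites several files with near-random content, or renames several files to a new extension, within a short window is flagged. The event schema, thresholds, host and process names are assumptions made for the example.

```go
package main

import (
	"fmt"
	"math"
	"path"
	"sort"
	"strings"
	"time"
)

// FileEvent is one file-modification record as an EDR or backup agent might report it; the
// layout is assumed for this example. Entropy is the Shannon entropy (bits per byte) of the
// bytes written and is only meaningful for writes.
type FileEvent struct {
	Time          time.Time
	Host, Process string
	Op            string // "write" or "rename"
	Path, NewPath string // NewPath is set for renames
	Entropy       float64
}

// Alert is raised once per (host, process) pair that shows ransomware-like activity.
type Alert struct {
	Host, Process                       string
	HighEntropyWrites, ExtensionRenames int
	AvgEntropy                          float64
}

// ShannonEntropy returns bits of entropy per byte: documents and source code sit around
// 4-6, while compressed or encrypted output approaches the maximum of 8.
func ShannonEntropy(b []byte) float64 {
	var counts [256]int
	for _, c := range b {
		counts[c]++
	}
	h, n := 0.0, float64(len(b))
	for _, c := range counts {
		if c > 0 {
			p := float64(c) / n
			h -= p * math.Log2(p)
		}
	}
	return h
}

// extOf normalises Windows paths so the detector behaves the same on any host OS.
func extOf(p string) string { return path.Ext(strings.ReplaceAll(p, `\`, "/")) }

// Detect slides a window over each (host, process) stream and alerts when, inside the window,
// the process wrote at least minFiles files with entropy >= minEntropy or renamed at least
// minFiles files to a different extension.
func Detect(events []FileEvent, window time.Duration, minFiles int, minEntropy float64) []Alert {
	streams := map[string][]FileEvent{}
	for _, e := range events {
		k := e.Host + "|" + e.Process
		streams[k] = append(streams[k], e)
	}
	var alerts []Alert
	for _, evs := range streams {
		sort.Slice(evs, func(i, j int) bool { return evs[i].Time.Before(evs[j].Time) })
		for i := range evs {
			writes, renames, sum := 0, 0, 0.0
			for j := i; j < len(evs) && evs[j].Time.Sub(evs[i].Time) <= window; j++ {
				switch {
				case evs[j].Op == "write" && evs[j].Entropy >= minEntropy:
					writes, sum = writes+1, sum+evs[j].Entropy
				case evs[j].Op == "rename" && extOf(evs[j].Path) != extOf(evs[j].NewPath):
					renames++
				}
			}
			if writes >= minFiles || renames >= minFiles {
				a := Alert{Host: evs[i].Host, Process: evs[i].Process, HighEntropyWrites: writes, ExtensionRenames: renames}
				if writes > 0 {
					a.AvgEntropy = sum / float64(writes)
				}
				alerts = append(alerts, a)
				break // one alert per process is enough to start a response
			}
		}
	}
	return alerts
}

// SampleEvents is constructed: a user saving documents in Word, then an unknown process
// rewriting three documents with near-random content and renaming them within seconds.
var t0 = time.Date(2024, 5, 3, 10, 0, 0, 0, time.UTC)
var SampleEvents = []FileEvent{
	{t0, "ws-17", "WINWORD.EXE", "write", `C:\Users\alice\Docs\q3-report.docx`, "", 4.8},
	{t0.Add(6 * time.Minute), "ws-17", "WINWORD.EXE", "write", `C:\Users\alice\Docs\notes.docx`, "", 4.6},
	{t0.Add(12 * time.Minute), "ws-17", "updater.exe", "write", `C:\Users\alice\Docs\q3-report.docx`, "", 7.98},
	{t0.Add(12 * time.Minute), "ws-17", "updater.exe", "rename", `C:\Users\alice\Docs\q3-report.docx`, `C:\Users\alice\Docs\q3-report.docx.locked`, 0},
	{t0.Add(12*time.Minute + 2*time.Second), "ws-17", "updater.exe", "write", `C:\Users\alice\Docs\notes.docx`, "", 7.97},
	{t0.Add(12*time.Minute + 2*time.Second), "ws-17", "updater.exe", "rename", `C:\Users\alice\Docs\notes.docx`, `C:\Users\alice\Docs\notes.docx.locked`, 0},
	{t0.Add(12*time.Minute + 5*time.Second), "ws-17", "updater.exe", "write", `C:\Users\alice\Docs\budget.xlsx`, "", 7.99},
	{t0.Add(12*time.Minute + 5*time.Second), "ws-17", "updater.exe", "rename", `C:\Users\alice\Docs\budget.xlsx`, `C:\Users\alice\Docs\budget.xlsx.locked`, 0},
}

// SampleAlerts runs the detector with a one-minute window, a three-file threshold, and an entropy floor of 7.5.
func SampleAlerts() []Alert { return Detect(SampleEvents, time.Minute, 3, 7.5) }

func main() { fmt.Printf("%+v\n", SampleAlerts()) }
```

The thresholds (three files in a minute, entropy at or above 7.5 bits per byte) are illustrative; tune them against a baseline of your own backup-agent or EDR telemetry. Legitimate compression, archiving and full-disk-encryption tools also produce high-entropy writes, so combine the entropy signal with the extension-rename signal and process reputation rather than alerting on entropy alone.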
If data is backed up and its recoverability has been tested, the organization is ready to roll systems back to a known-good restore point, avoiding data loss, prolonged downtime, and the resulting revenue loss. Before restoring, confirm that the initial entry point has been closed, or the restored systems will simply be encrypted again.
Ransomware Protection with Hysolate
Hysolate creates an isolated workspace on user endpoints, to contain ransomware and other malicious threats, and ensure secure enterprise access. Hysolate sits on user endpoints, but is managed via the cloud, with granular policies to control transfer into and out of the Workspace.
The Hysolate Workspace isolates threats including malware and ransomware, adding an extra layer of security to the endpoint, without hindering user productivity.
Risky links, applications and even documents can be transferred into Hysolate, reducing risk, and users are still able to access all websites and applications as needed. Rather than isolating only browser-based malware risks, Hysolate provides full OS isolation against all threats.