With global ransomware damage costs predicted to reach $20 billion this year, it has never been more critical to understand where your business is vulnerable and the types of ransomware attacks you should be ready for. Armed with the knowledge of how to recognize the symptoms of an attack and steps to take if you have been infected, you will be better equipped to prepare and protect your employees, business operations, and critical data.
2 Types of Ransomware Attacks
In a previous blog post, we defined ransomware as a type of malicious software designed to block access to a computer system or network until a sum of money is paid. If one of your employees clicks on an untrusted ad or opens a dodgy email attachment, cybercriminals will take advantage of that opening to exploit your system’s vulnerabilities. Ransomware attacks spread like wildfire and are designed to prevent the victim from using or accessing their files and devices. Although there are many types of strains today, ransomware attacks can be grouped into two main categories:
- Crypto Ransomware
Arguably the most damaging and effective form of malware, these savvy forms of attack encrypt valuable files on a computer so that the victim can no longer access them—although they will still usually have access to any areas that are not encrypted. In this situation, cybercriminals look for flaws and weaknesses in computers and devices and target data that has not been backed up. They then hold files hostage until the victim pays the ransom.
EX. Jigsaw = a ransomware virus that encrypts and deletes files until a ransom is paid. It starts with one file after the first hour and deletes more and more per hour until all remaining files are deleted.
EX. Spider = a form of ransomware hidden in Microsoft Word documents that installs the malware on a victim’s computer when it is downloaded and immediately begins to encrypt the victim’s data.
- Locker Ransomware
This type of ransomware locks the victim out of their device to prevent them from using it. In this scenario, the virus locks and shuts down the entire computer or mobile device, and the cybercriminal demands a ransom to unlock the device. Although this form of attack does not infiltrate the entire network or encrypt files on the device, it is highly effective because it is often made to look like it is from a tax authority or law enforcement agency.
EX. CryptoLocker = a ransomware virus that infects PCs via downloads from infected websites and email attachments that it uses to encrypt or lock files with certain extensions and delete the originals. CryptoLocker infected over 250,000 machines within the first four months it was released in September 2013.
To better prevent ransomware attacks, it is crucial to understand the most common types of ransomware strains cybercriminals are using to deliver the threat. There is no one-size-fits-all method to remove ransomware, so the more you know about the different strains out there, the more measures you can put in place to protect your business.
Symptoms of a Ransomware Attack
Although there are many ransomware strains out there, they still rely on similar tactics to take advantage of victims and hold your data or device hostage. Here are some of the symptoms you can expect to occur when your computer or device has been infected by a ransomware virus:
- After opening an attachment or clicking a compromised ad, you suddenly cannot open your files or start to receive errors that a file is corrupted.
- You receive a warning message in a window or set to your desktop with instructions on paying to unlock your files.
- A countdown appears on your screen or a related website with threats outlining the ransom conditions and deadlines.
- You see files in your directory with names like HOW TO DECRYPT FILES.TXT or DECRYPT_INSTRUCTIONS.HTML.
- A window has opened to a ransomware program, and you cannot close it.
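A triage sketch for the two file-level symptoms in the list above, added here as an example (not code from the original post): it flags ransom-note filenames like the two named above and files whose leading bytes no longer match their extension. The filename pattern, the signature table and the sample directory tree are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Assumption: pattern generalised from the two note names the article gives.
NOTE_RE = re.compile(r"(how[ _-]?to[ _-]?decrypt|decrypt[ _-]?instructions)", re.I)

# Assumption: a small table of well-known file signatures (magic bytes).
MAGIC = {".pdf": b"%PDF", ".png": b"\x89PNG", ".jpg": b"\xff\xd8\xff",
         ".zip": b"PK\x03\x04", ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04"}

def triage(root):
    """Walk root; return (ransom_notes, corrupted) as sorted relative paths."""
    notes, corrupted = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if NOTE_RE.search(name):
                notes.append(rel)
                continue
            expected = MAGIC.get(os.path.splitext(name)[1].lower())
            if expected is None:
                continue  # no known signature for this extension
            try:
                with open(path, "rb") as fh:
                    head = fh.read(len(expected))
            except OSError:
                corrupted.append(rel)  # unreadable files are a symptom too
                continue
            if head != expected:
                corrupted.append(rel)  # header no longer matches the extension
    return sorted(notes), sorted(corrupted)

def build_sample(root):
    """Constructed sample tree: one healthy PDF, one overwritten PDF, one note."""
    os.makedirs(os.path.join(root, "finance"))
    with open(os.path.join(root, "finance", "q1.pdf"), "wb") as fh:
        fh.write(b"%PDF-1.7\n% constructed healthy file\n")
    with open(os.path.join(root, "finance", "q2.pdf"), "wb") as fh:
        fh.write(bytes(range(200, 232)))  # constructed: not a PDF header
    with open(os.path.join(root, "finance", "HOW TO DECRYPT FILES.TXT"), "w") as fh:
        fh.write("constructed placeholder note\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(triage(tmp))
```

A header mismatch is a prompt to investigate, not proof of encryption; renamed or truncated files trip it too.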
Steps to Take if You Have Been Attacked
If you or your employees have experienced any of the symptoms listed above, your first step should always be to report it to the FBI’s Internet Crime Complaint Center (IC3). You will need to provide all relevant information available from the attack, including the email details and Bitcoin address.
As soon as you are notified of the attack, you should try to identify the particular ransomware strain using a website called ID Ransomware. ID Ransomware is a tool that allows you to upload the ransom note and a sample encrypted file. It will tell you more about the strain, how it works, and whether or not there is a known decryptor available. For example, the Locker ransomware strain, which infects PCs and prevents access to data and files located on the PC until a $150 ransom payment is made, now has a free decryptor.
What you should not do is pay the ransom. Paying the ransom is now illegal in the U.S. due to the latest government advisory on potential sanctions risks for facilitating ransomware payments. The truth is, there is no honor among thieves, and paying the ransom doesn’t actually guarantee that you will regain your stolen data and stop the attack. In most cases, cybercriminals will continue to try to exploit your business for more.
The only safe way to get your data back is to restore a data backup. Many secure and reliable backup and disaster recovery solutions include on-site and off-site backup solutions and disaster recovery failovers. As soon as you are notified of an attack, you will need to work with your IT team to restore those backups as fast as possible. The longer an attack goes on, the more downtime your business will experience. From data loss and lost productivity to brand damage and missed opportunities, the cost of downtime reported by businesses attacked last year was nearly 50X greater than the ransom requested (Datto Global State of the Channel Ransomware Report, 2020).
Expert Tips to Prevent Ransomware Attacks
Due to the rate at which new ransomware variants emerge and the sophistication of each strain, there is no single solution to prevent a ransomware attack. With decades of experience working with businesses of all sizes and complexities, our talented IT and infrastructure team recommends a multilayered defensive strategy that combines:
- Email security software
- Anti-virus/anti-malware software
- Cybersecurity training
- Endpoint detection
- Patch management
- On-site and offsite data backups
- Business continuity and disaster recovery (BCDR) planning
With business assurance planning and a BCDR solution in place, you are creating the best defense against ransomware attacks. Although nothing can actually prevent cyber criminals from attempting to infiltrate your network, you can have the tools in place to restore your critical data to a point in time before the corruption occurred.
Our team and the cybersecurity and data backup specialists at Datto recently hosted a webinar where we explored some of the most pressing issues related to data security and ransomware prevention. If you want to learn more about expert ways to reduce downtime and the most effective solutions to combat ransomware, watch the webinar on-demand or reach out to Tigunia for help in developing your own strategy.