Ransomware has been one of the most widespread and common security issues over the past several years. It has affected both businesses and home users at an alarming rate. We'd like to address this and provide some guidance on how to protect yourself against ransomware and what to do if your machine does become infected.
What is ransomware?
- Ransomware is a type of malware that typically spreads through email, but also via Peer-to-Peer networks and infected websites.
- There are many variants (e.g. CryptoLocker, CryptoWall, KeRanger (OS X)) and it is constantly evolving to evade detection.
- Once a machine is infected, its files are encrypted and the user is presented with a notice telling them that they need to pay a ransom to unlock their files. Oftentimes the request is for Bitcoins to be sent to a particular location. Accusations of the computer being used for illegal activity may also be included in these warnings to scare the user into complying with the request.
- An infected machine will encrypt files on any network drive it has access to. This means all users who access that network drive will be affected by the infection.
- Traditionally ransomware has been a trojan, which is something that appears to be a legitimate file but in reality is malware. More recently there have been worm variants that are spreading across LANs.
- Ransomware will commonly appear as a Word Document (.doc, .docx) or Excel Spreadsheet (.xls, .xlsx); however, it can appear as other file types. Opening one of these files initiates the infection.
- In many cases when running one of these files you'll be asked to approve an administrative action via Windows UAC or OS X authentication. Never approve administrative privileges unless you have launched an application with the intention of modifying the system in some way (e.g. installing an application or modifying system settings).
How do you protect against ransomware?
- First off, be very careful about which attachments you open. Never open an attachment from someone you don't know and be careful with attachments from people you do know. If something looks off about a file, don't open it and contact the person to ask if it's something they've sent. It's possible their computer is infected and the malware is harvesting their address book to spread itself.
- Never send or open executable files (.EXE) via email. It is rarely necessary to send .EXE files directly. A better way to handle this is to send a link to the website hosting the file, or to use a file sharing service like Dropbox.
- Run up-to-date, modern anti-malware software on all PCs and Macs.
- Be safe when web browsing.
- Keep your Operating System and all other applications fully patched.
- Consider using a user account without administrative privileges. If this isn't an option, be very careful about granting administrative privileges to applications (see above).
- Most importantly, back up your data:
  - While the above steps will greatly reduce your risk of becoming infected with ransomware or some other type of malware, nothing is foolproof because malware is continually evolving.
  - Backups should be stored both locally and in the cloud to ensure your data is always available when needed.
  - Replication alone is not backup. If ransomware encrypts files that are replicated, the encrypted files will in turn be replicated.
  - For this reason, the backup should have the ability to keep point-in-time snapshots. We recommend keeping snapshots for up to about a year.
  - CSR's Backup and Disaster Recovery (BDR) solution goes one step further. It allows for a copy of a server to be run either locally or in the cloud if the server is disrupted for some reason.
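The point about snapshots versus replication, and the check that a backup is valid before restoring from it, as an added example (not code from this article or from CSR's BDR product): it walks snapshot directories from newest to oldest and picks the newest one whose Word and Excel files still begin with their normal file-type signature. The directory names, function names and sample files are assumptions constructed for the demonstration.

```python
import tempfile
from pathlib import Path
# Signatures of the document formats the article names.
ZIP = b"PK\x03\x04"                          # .docx / .xlsx are ZIP containers
OLE2 = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc / .xls
SIGNATURES = {".docx": ZIP, ".xlsx": ZIP, ".doc": OLE2, ".xls": OLE2}
SCRAMBLED = b"\x9e\x41\x07\xc3" * 16         # constructed stand-in for ciphertext

def scan_snapshot(root):
    """Return (checked, damaged): documents with a known extension, and those
    whose header no longer matches it, as happens once content is encrypted."""
    checked, damaged = 0, []
    for path in sorted(Path(root).rglob("*")):
        expected = SIGNATURES.get(path.suffix.lower())
        if expected is None or not path.is_file():
            continue
        checked += 1
        with path.open("rb") as fh:
            if fh.read(len(expected)) != expected:
                damaged.append(path.name)
    return checked, damaged

def newest_clean_snapshot(snapshots):
    """snapshots: directories ordered oldest to newest. Return the newest one
    that holds documents, none of them with a broken header, or None."""
    for root in reversed(snapshots):
        checked, damaged = scan_snapshot(root)
        # No documents at all is suspect too: some variants rename what they encrypt.
        if checked and not damaged:
            return root
    return None

def demo():
    """Constructed sample: three daily snapshots, files encrypted before day3."""
    base = Path(tempfile.mkdtemp(prefix="snapdemo-"))
    days = {
        "day1": {"budget.xlsx": ZIP + b"v1", "memo.doc": OLE2 + b"text"},
        "day2": {"budget.xlsx": ZIP + b"v2", "memo.doc": OLE2 + b"text"},
        "day3": {"budget.xlsx": SCRAMBLED, "memo.doc": SCRAMBLED},
    }
    for day, files in days.items():
        (base / day).mkdir()
        for name, data in files.items():
            (base / day / name).write_bytes(data)
    roots = [base / day for day in days]
    return newest_clean_snapshot(roots).name, scan_snapshot(roots[-1])

if __name__ == "__main__":
    print(demo())
```

A header check only catches files that kept their extension and had their opening bytes overwritten, so treat it as quick triage before a restore, not proof that a snapshot is clean.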
What to do if your computer becomes infected with ransomware?
- Hopefully you've followed the steps laid out above.
- If you have a valid backup of your data, make sure you have copies of all of your software licenses / installation media and then reformat your PC, reinstall the OS and restore your backup files.
  - We recommend starting fresh because once a machine has become infected with a virus, it can't be trusted again. You have no way of knowing what was done by the malware.
- If you don't have a backup:
  - There isn't much that can be done. Your data is encrypted and is irretrievable unless you pay the ransom, which isn't recommended.
Hopefully these steps will help keep you protected from ransomware or at least prepared in case of an infection. If you have any questions or if there's anything we can help with, please feel free to contact us.