Viruses, rootkits and other forms of malware can slow business operations or bring them to a screeching halt, depending on their scope. They arrive in a variety of ways, and their purpose and effect vary greatly. Worse, affected users may not realize there is a problem for some time. This delays the moment an alarm reaches the right personnel and gives the malicious code more time to work in your environment.
Ransomware is potentially the most crippling form of malware facing businesses today. It has rendered important files useless across entire corporations because of a single mistake by a single user. To shed some light on the matter, this piece provides a high-level overview of ransomware.
How Ransomware Works
Ransomware is a type of malware built to extort money from its victims. A computer can become infected in various ways, but the result is the same.
Once a machine is infected, the files in various folders are silently encrypted. Typically each encrypted file is also renamed with a new extension, so it is no longer associated with the program that created it. Word documents, for example, normally carry the extension doc or docx, which tells the operating system that they belong to word processing software such as Microsoft Word. Ransomware changes both the content and the extension: Ryuk, for instance, encrypts the data and appends a ryk extension that no application recognizes. Renaming the file back does not help, because the content itself is encrypted, so the file remains useless. The ransomware then moves on to encrypt files on every share and server that the infected user's account can write to, which can cripple operations.
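The point that renaming an encrypted file back does not help is easy to demonstrate, and the same observation is the basis of a quick triage check a responder can run over a file share. The Python script below is an added example, not code from the original piece: it classifies each file by comparing its extension with its header bytes and its byte entropy. The sample files are constructed in memory so it runs offline; the ryk extension is the Ryuk example from the text, while the magic-byte table, the entropy threshold and the file names are assumptions made for the example.

```python
"""Content-based check for files that may have been encrypted by ransomware.

Flags a file when its extension, header bytes and byte entropy disagree:
an encrypted file keeps none of its original structure, so renaming it back
to .docx does not restore a recognisable header.  Sample files are
constructed in memory so the script runs offline.
"""
import hashlib
import io
import math
import zipfile

# Magic bytes for a few common formats (the zip header also covers docx/xlsx/pptx).
MAGIC = {
    b"PK\x03\x04": "zip",
    b"%PDF-": "pdf",
    b"\x89PNG\r\n\x1a\n": "png",
}
# Which header each extension is expected to carry (assumed table for the example).
EXPECTED = {"docx": "zip", "xlsx": "zip", "pptx": "zip", "pdf": "pdf", "png": "png"}
# Extensions appended by ransomware; "ryk" is the Ryuk example from the text.
RANSOM_EXTENSIONS = {"ryk"}
HIGH_ENTROPY = 7.5  # bits per byte (assumed threshold); ciphertext sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for a uniform distribution."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def sniff_type(data: bytes):
    """Return the format name whose magic bytes open the data, or None."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def assess(name: str, data: bytes) -> dict:
    """Classify one file as 'ok' or 'suspect' and list the reasons for the verdict."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    sniffed = sniff_type(data)
    entropy = shannon_entropy(data)
    reasons = []
    if ext in RANSOM_EXTENSIONS:
        reasons.append(f"extension .{ext} is associated with ransomware")
    if ext in EXPECTED and sniffed != EXPECTED[ext]:
        reasons.append(f"extension .{ext} expects a {EXPECTED[ext]} header, found {sniffed}")
    if sniffed is None and entropy >= HIGH_ENTROPY:
        reasons.append(f"entropy {entropy:.2f} bits/byte with no recognised header")
    return {"verdict": "suspect" if reasons else "ok",
            "entropy": round(entropy, 2), "reasons": reasons}


def scan(files: dict) -> dict:
    """Assess every name -> bytes entry and return name -> result."""
    return {name: assess(name, data) for name, data in files.items()}


# --- constructed sample input (not real victim data) -----------------------

def make_docx() -> bytes:
    """A minimal zip container with XML parts, enough to carry the docx header."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>" * 40)
        zf.writestr("word/document.xml", "<w:document><w:body/></w:document>")
    return buf.getvalue()


def make_ciphertext(n: int, seed: bytes = b"constructed-sample") -> bytes:
    """Deterministic random-looking bytes standing in for encrypted file content."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


def sample_files() -> dict:
    encrypted = make_ciphertext(4096)
    return {
        "quarterly.docx": make_docx(),            # untouched document
        "notes.txt": b"Meeting notes: follow up on the audit findings.\n" * 60,
        "quarterly.docx.ryk": encrypted,          # as left by the ransomware
        "quarterly_renamed.docx": encrypted,      # same bytes, extension put back by hand
    }


if __name__ == "__main__":
    for name, result in scan(sample_files()).items():
        print(f"{name:24} {result['verdict']:8} entropy={result['entropy']:.2f} "
              f"{'; '.join(result['reasons'])}")
```

The header check runs before the entropy check on purpose: compressed formats such as docx and zip are high-entropy too, so entropy alone would flag healthy documents. A production scan would walk real directories and carry a much larger signature table, but the verdict logic stays the same.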
Once the encryption has taken place, a notice is generated to bring the infection to the user’s attention, for example by changing the desktop wallpaper or opening a newly created text file containing the attackers’ message. This is where the ‘ransom’ part comes into play. The notice has a few objectives:
• Communicate that files have been encrypted
• Explain that the files cannot be decrypted without the decryption key, which only the attackers possess
• Explain that seeking assistance from the authorities is futile
• Demand payment, give payment details, and promise to decrypt the files once payment is received
Attackers usually provide a hard-to-trace contact email address and demand payment in Bitcoin rather than regular currency. All of these factors together create a ransom situation, which is why the name ransomware was chosen.
What Preventative Measures Can You Take?
The prospect of this process unfolding in your business is a scary one, as it can bring operations to a standstill, as it has for others. Even if you pay the ransom there is no guarantee your files will be decrypted, and you are encouraged not to pay, as doing so funds and encourages this kind of attack.
The most effective preventative measure is educating everyone who interacts with your systems. While you can try to instill basics such as not clicking links in e-mail, the recommendation is to invest in comprehensive, formal security awareness training, repeated at intervals such as bi-annually or annually so the message sticks. You can also invest in anti-malware software. Because ransomware encrypts everything the infected account can reach, it also pays to keep regularly tested backups that user accounts cannot overwrite, and to limit each user’s write access to the shares they actually need.
You may also want to consider a security assessment of your IT environment. If your current team is unable to perform one, consider hiring a firm to do it for you.