Deep dive on ransomware

Posted by Esolvit on May 2018

Although ransomware has been around for nearly 20 years (in various forms), the current age of ransomware began with CryptoLocker in 2013. Since then, hackers have continued to develop more sophisticated exploits.

Ransomware refers to malware (i.e., malicious software developed by cybercriminals) that takes over a victim's computer and denies them access to their files by encrypting or deleting them. The attacker leaves a note stating the ransom amount as well as instructions on where and how to pay it.

Some experts believe that the increased sophistication of ransomware attacks was precipitated by the advent of digital currencies such as Ethereum and Bitcoin, which give attackers a means of collecting payment while concealing their transactions.

In previous years, ransomware attacks were targeted at medium to large-sized enterprises; however, a troubling amount of ransomware is now directed at small businesses and individuals. As such, it is likely that you have already encountered, or will at some point encounter, various strains of ransomware. No one is safe from cybercriminals who use ransomware to achieve their financial ends.

Tackling this cyber menace requires individuals to understand what ransomware is, how it gains access to endpoints and networks, how it operates, what to do in the event of a ransomware attack, and how to prevent such attacks from occurring.

Types of ransomware

There are two major kinds of ransomware that one cannot remove by simply rebooting the system or clearing the browser cache.

Screen-locking ransomware

The first type is referred to as screen-locking ransomware. Once the ransomware gains access to the system and executes, it locks out the user and flashes a message on the screen stating the ransom demands. It also displays a warning informing users that the computer will remain unusable until the ransom is paid.

Encrypting ransomware

The second type of ransomware is known as encrypting ransomware. It works by deleting or encrypting the files stored on infected computer systems and databases. In recent years, more and more hackers have been creating and deploying encrypting ransomware. Some of the more popular strains, such as Crysis, GoldenEye and Jigsaw, are programmed to slowly delete stored files over a 72-hour span.

No matter the type of ransomware, it's always a good idea to verify that the threat is genuine before taking further action. Fraudsters regularly send out fake ransom notes claiming that your files will be deleted or encrypted if their demands are not met, without having touched the files at all.

How to remove screen-locking ransomware

Before attempting the removal of ransomware, ensure that the infected system is not linked or connected to any device. Disconnect all peripherals such as webcams, printers, external hard drives, and other external storage media. You should also disconnect the infected system from the Internet.

To remove screen-locking ransomware from a Windows system, press the Control, Shift and Esc keys together to open Task Manager, then end the compromised application from there. For Mac systems, use Activity Monitor, or press the Command, Option and Esc keys to force-quit the application.

If this doesn't work, you need to consider your options. Take a screenshot of the ransom note as evidence in case you decide to file a police report. Restart the system in Safe Mode, where you can use a free malware removal tool to disable the ransomware. If that also fails, attempt to restore your system to an earlier date using Windows System Restore or Time Machine.

How to remove encrypting ransomware

The steps required to remove encrypting ransomware are similar to those for screen-locking ransomware. Once in Safe Mode, you can attempt to recover your files, whether they have been deleted or encrypted. If you're dealing with encrypted files, there are tools that can help identify which ransomware strain encrypted them. There are also websites that offer decryption tools capable of reversing some kinds of ransomware encryption.

If this doesn't work and you have your files backed up on an external device, it's best to reinstall your OS and restore those files from the backup.

How to prevent a ransomware attack

Generally, you can prevent a ransomware attack by installing robust endpoint security solutions and following these practices:

Ensure that your operating system is up-to-date and patched. This leaves fewer known vulnerabilities for hackers to exploit.

Never install software from unknown or untrusted third-party sources. Ensure that you know what a piece of software does before giving it administrative privileges.

Install the latest antivirus software (which detects ransomware and blocks it from running) and application whitelisting software (which prevents the execution of any unauthorized software, ransomware included).

Back up your files regularly. Although this doesn't prevent a ransomware attack, it reduces the impact of such an attack and enables you to continue executing business-critical functions.
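A backup only reduces the impact of encrypting ransomware if the encrypted versions never overwrite the good copies. The script below is an added illustration of that point, not Esolvit's code: it keeps every distinct version of a file (named by a SHA-256 prefix) and refuses to back up a plain-text file whose bytes look uniformly random, which is what encrypted content looks like. The entropy threshold, the list of text suffixes and the sample files in demo() are assumptions constructed for the example.

```python
import hashlib, math, shutil, tempfile
from collections import Counter
from pathlib import Path

ENTROPY_LIMIT = 7.5  # bits per byte; ciphertext and compressed data sit near 8.0 (assumed cutoff)
TEXT_SUFFIXES = {".txt", ".csv", ".log", ".json", ".xml", ".html"}  # assumed plain-text types

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for one repeated value, 8.0 for uniformly spread bytes."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_encrypted(path: Path) -> bool:
    """A plain-text file whose bytes look uniformly random has probably been encrypted."""
    if path.suffix.lower() not in TEXT_SUFFIXES:
        return False
    return shannon_entropy(path.read_bytes()) > ENTROPY_LIMIT

def backup_file(src: Path, src_root: Path, dst_root: Path) -> "Path | None":
    """Copy src under dst_root with a SHA-256 prefix in the name so every version is kept;
    return None when src looks encrypted, so a bad copy never replaces a good one."""
    if looks_encrypted(src):
        return None
    digest = hashlib.sha256(src.read_bytes()).hexdigest()[:12]
    rel = src.relative_to(src_root)
    target = dst_root / rel.parent / f"{rel.name}.{digest}"
    if not target.exists():  # same content as an earlier run: nothing to copy
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, target)
    return target

def run_backup(src_root: Path, dst_root: Path) -> dict:
    """Back up every file under src_root; report what was kept and what was skipped."""
    report = {"backed_up": [], "suspicious": []}
    for path in sorted(p for p in src_root.rglob("*") if p.is_file()):
        key = "backed_up" if backup_file(path, src_root, dst_root) else "suspicious"
        report[key].append(path.name)
    return report

def demo() -> dict:
    """Constructed sample: a clean text file, a text file that looks encrypted, two runs."""
    root = Path(tempfile.mkdtemp())
    src, dst = root / "src", root / "backup"
    src.mkdir()
    (src / "notes.txt").write_bytes(b"quarterly report draft\n" * 50)
    (src / "ledger.csv").write_bytes(bytes(range(256)) * 16)  # uniform bytes: entropy 8.0
    first = run_backup(src, dst)
    (src / "notes.txt").write_bytes(b"quarterly report final\n" * 50)  # file edited later
    second = run_backup(src, dst)
    versions = len(list(dst.glob("notes.txt.*")))  # both versions must survive
    shutil.rmtree(root)
    return {"first": first, "second": second, "notes_versions": versions}
```

Running demo() backs up notes.txt twice (one copy per version) and skips ledger.csv on both runs because its content looks encrypted.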

Once you understand the various vectors through which ransomware can enter computers, you should take proactive steps to block its ingress by installing AV software and following good security practices.