Ransomware Attack Guide: How to Prevent And Recover After
The value of digital data has kept rising over the past few years, and so has the craft of hacking: where intruders once attacked systems at random, their methods have developed into tools that are far more sophisticated and targeted. According to the latest Security Boulevard report, based on data from more than 230,000 submissions to Emsisoft, threat actors are increasingly going after larger and more profitable targets such as schools, businesses and government organizations, crippling a multitude of public entities across the U.S. and allowing ransomware distributors to generate millions, perhaps even billions, of dollars in ransom payments.
Ransomware itself is a form of advanced malware (a computer virus or network worm) that attacks both enterprises' and individuals' computers by encrypting their data, making it impossible to access until the demanded ransom, usually between one and ten Bitcoin, is paid to the attacker. Most ransomware programs also set a time limit for payment, after which either the price increases many times over or all of the encrypted user files are permanently deleted.
The infection takes place as soon as the infected executable file is launched, or through an attack on a vulnerability in a network service: once on the victim's computer, the program encrypts most of the working files (e.g. all files with common extensions), in most cases leaving the computer operational but locking all user data.
How Is It Spread?
Just like other malware, ransomware spreads through the usual channels, such as:
- browsing untrusted, dubious or malicious websites
- following malicious or corrupt links contained in emails (or passed through social media and chat applications)
- opening or downloading files from unknown senders
- installing pirated software, as well as running outdated software
- free software: games, bogus software, screensavers, etc.
- accessing a PC that is part of an infected network
Who Is Targeted by Ransomware Attacks?
As said before, literally anyone can be exposed to it: from private users to big enterprises and companies, and even government agencies. Any device capable of connecting to a network or the internet is susceptible to ransomware attacks: desktops, laptops, tablets, mobile devices, etc.
The worst thing about a ransomware infection is that no symptoms show early enough to avert the disaster. Moreover, with Bitcoin, an anonymous payment method, it has never been easier for intruders to escape capture, since these digital transactions can't be traced. All this results in a growing number of ransomware variants in the cyber world, and thus in overall cybercrime.
What Types of Ransomware Are There?
Encrypting ransomware, or cryptoware, is by far the most common type; yet, depending on the desired outcome of the attack, ransomware can be classified into 5 major categories:
1. Locker ransomware: locks the attacked system and demands a ransom from the victim to regain access to the stored files.
2. Cryptoware: encrypts files and coerces the user into paying a specified amount of money to decrypt their data.
3. Scareware: the victim's computer is bombarded with pop-ups stating that the system is infected with a virus, and the user is asked to pay for an antivirus that will remove it.
4. Android device ransomware: either permanently locks the user's smartphone and demands a ransom to unlock it, or steals their sensitive data and demands payment to return it.
5. IoT ransomware: designed to gain access to an IoT device while making it inaccessible to its user.
How to Recover Encrypted Data?
There are a dozen solutions for restoring files captured by ransomware. In the following sections, Salvagedata suggests a few practical methods to consider.
Disconnect from everything
First of all, disconnect the computer from the network (both wired and Wi-Fi) and from any storage devices as soon as it is suspected of being infected. This prevents ransomworms from finding connections they could use to spread across the network and encrypt vital data.
Discover what kind of ransomware you are dealing with
Next, determine which malware strain you are dealing with from the ransom messages and identification tools. Each ransomware type operates a little differently, so this will help you find out which recovery options you have. Try an identification tool such as ID Ransomware, which identifies the strain that encrypted your files from an uploaded ransom note, a sample encrypted file and/or the attacker's contact information; it will also point you to a decryption tool, should one be available.
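To make the identification step concrete, here is an added Python triage script (not from Salvagedata or from ID Ransomware) that gathers the two artefacts an identification service asks for: candidate ransom notes and the extension appended to the encrypted files, the latter inferred from near-random (high-entropy) file contents. The keyword list, thresholds and the constructed demo tree are assumptions.

```python
import math
import os
import tempfile
from collections import Counter

NOTE_KEYWORDS = ("readme", "decrypt", "restore", "recover", "how_to", "help")  # assumed list; tune it
NOTE_EXTS = (".txt", ".html", ".hta")
ENTROPY_THRESHOLD = 7.5   # bits per byte; ordinary documents sit well below this
MIN_SAMPLE = 512          # skip tiny files: their entropy says little

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: close to 8.0 for ciphertext, far lower for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def triage_tree(root: str) -> dict:
    """Collect candidate ransom notes and the extensions carried by encrypted files."""
    notes, high, total = [], Counter(), Counter()
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            if ext in NOTE_EXTS and any(k in name.lower() for k in NOTE_KEYWORDS):
                notes.append(path)          # the note text is what ID tools want
                continue
            with open(path, "rb") as fh:
                sample = fh.read(4096)      # the leading block is enough to judge
            if len(sample) < MIN_SAMPLE:
                continue
            total[ext] += 1
            if shannon_entropy(sample) >= ENTROPY_THRESHOLD:
                high[ext] += 1
    # An extension is suspect when every sampled file carrying it looks encrypted
    suspect = sorted(e for e in high if high[e] == total[e])
    return {"ransom_notes": sorted(notes), "suspect_extensions": suspect}

def build_demo_tree() -> str:
    """Constructed sample tree: one note, two 'encrypted' files, one plain file."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "README_DECRYPT.txt"), "w") as fh:
        fh.write("Your files are encrypted. Contact us to restore them.\n")
    for name in ("report.docx.locked", "photo.jpg.locked"):
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(os.urandom(4096))      # random bytes stand in for ciphertext
    with open(os.path.join(root, "notes.txt"), "w") as fh:
        fh.write("quarterly figures\n" * 300)  # ordinary low-entropy text
    return root
```

Running `triage_tree(build_demo_tree())` reports the README note and `.locked` as the suspect extension, which are exactly the inputs to submit to an identification service.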
Take a picture of the ransomware screen
When attacked, you will be shown a message stating the ransom demand, including the amount to be paid and where to send the payment. Take a picture of your screen (it will help data recovery specialists determine which unlock methods apply) and report the attack to the authorities so that countermeasures can be coordinated.
Use data recovery software
The original files are not encrypted directly but deleted by the virus: the files the ransomware creates are only copies, so you can try a data recovery software tool to restore the removed source files; it is worth a shot. However, ransomware tools are continuously changed and improved, so data recovery software may not help against more advanced strains.
In that case, you will have to contact a professional data recovery company to restore your files after the ransomware attack.
Keeping a regular backup of your device data on an external hard drive, SSD, SD card, tape, cloud storage or any other medium may save you a great deal of money should your important data be compromised by malware. If you have a backup, reinstall everything from scratch and restore the encrypted files from the backup copies, since a complete wipe of the system is the safest course: formatting the hard disks ensures that no remnants of the malware remain.
Finally, the biggest mistake you can make is to send money to the criminals in the hope that they will provide instructions for decrypting your files (as the ransom message probably promises). Paying intruders guarantees nothing and only sponsors their malicious practice: as the Security Boulevard report notes, there have been many instances in which no decryption tool was delivered after payment, which means you may end up with lost money and no files recovered.
A couple of backups stored in a safe place can help you minimize potential losses by significantly reducing the amount of corrupted data that needs to be restored. However, if you did not have the foresight to back up your system and data, take the situation with dignity and rebuild your lost data yourself where possible, or with the help of a data recovery company.