Ransomware (malicious software that criminals use to hold computers or computer files to ransom) is an increasingly popular way for malware authors to extort money from companies and consumers alike, and Ireland is a prime target.
Paying criminals is never a good idea, even when it seems expedient. Ransomware authors are under no obligation to actually give you back what you pay for, and there have been plenty of cases where either the decryption key did not work or the note asking for ransom never even appeared. Suffice it to say that criminals are not generally renowned for their excellent software testing or devotion to quality customer service.
What can you do about it?
On the one hand, ransomware can be extremely scary – the encrypted files can essentially be considered damaged and beyond repair. But if you have properly prepared your system, it is really nothing more than a nuisance. There are a few things that you can do to keep ransomware from wrecking your day.
Back up your data
The single most important thing you can do to prepare for emergencies, including being affected by ransomware, is to have regularly updated backups. Many ransomware variants will encrypt files on drives that are mapped.
This includes any external drives such as a USB thumb drive, as well as any network or cloud file stores to which you have assigned a drive letter. So your backup needs to be on an external drive or backup service that is disconnected from your devices and network when not in use, and secured both physically and digitally.
Keep your software up to date
Malware authors frequently rely on people running outdated software with known vulnerabilities, which they can exploit to get onto systems unobserved. Making a practice of updating your software often can significantly decrease the potential for malware infection. Enable automatic updates if you can, update through the software’s internal update process, or go directly to the software vendor’s website.
Use a reputable security suite
It is always a good idea to have both anti-malware software and a software firewall to help you identify threats or suspicious behaviour. Malware authors frequently update their creations to try to avoid detection, so it is important to have both these layers of protection. If you run across a ransomware variant that is so new that it gets past anti-malware software, it might still be caught by a firewall when it attempts to connect with its Command and Control (C&C) server to receive instructions for encrypting your files.
Show hidden file extensions
One popular method malware uses to appear innocent is to name files with double extensions, such as “.PDF.EXE”. By default, Windows and OSX hide known file extensions; malware takes advantage of this behaviour to make a file appear to be one that would commonly be exchanged. If you enable the ability to see the full file-extension, it can be easier to spot suspicious file types.
Filter EXEs in email
If your gateway mail scanner has the ability to filter files by extension, you may want to deny mails that arrive with “.EXE” files, or to deny mails sent with files that have two file extensions, the last one being executable (for example, “Filename.PDF.EXE”). If you do legitimately need to exchange executable files within your environment and are denying emails with “.EXE” files, you can send them within ZIP files or via cloud services.
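The attachment rule described above, as an added example that is not part of the original article: a small Python filter that parses a constructed MIME message with the standard library and flags attachments whose last extension is executable, reporting a double extension such as “Filename.PDF.EXE” separately. The list of executable extensions is an assumption for this example; a real gateway would use its own policy list.

```python
from email.message import EmailMessage

# Assumed list of extensions a Windows host will run directly; adjust to
# match the gateway's own policy.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}


def attachment_verdict(filename):
    """Return 'allow', or a block reason, for one attachment file name."""
    parts = filename.strip().lower().split(".")
    if len(parts) < 2 or parts[-1] not in EXECUTABLE_EXTS:
        return "allow"  # no extension, or a non-executable one (pdf, zip, ...)
    # Windows hides only the final extension, so "Filename.PDF.EXE" is shown
    # as "Filename.PDF"; a non-empty penultimate part marks a double extension.
    if len(parts) >= 3 and parts[-2]:
        return "block: double extension '%s'" % filename
    return "block: executable '%s'" % filename


def scan_message(msg):
    """Return the list of block reasons found among a message's attachments."""
    reasons = []
    for part in msg.iter_attachments():
        name = part.get_filename()
        if name is None:
            continue  # inline or unnamed part; nothing to filter on
        verdict = attachment_verdict(name)
        if verdict != "allow":
            reasons.append(verdict)
    return reasons


def build_sample():
    """Constructed test message: a PDF, a disguised executable and a ZIP."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(b"MZ constructed", maintype="application",
                       subtype="octet-stream", filename="Filename.PDF.EXE")
    msg.add_attachment(b"PK constructed", maintype="application",
                       subtype="zip", filename="tools.zip")
    return msg


if __name__ == "__main__":
    for reason in scan_message(build_sample()):
        print(reason)
```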
Disconnect from WiFi or unplug from the network immediately
If you run a file that you suspect may be ransomware but have not yet seen the characteristic ransomware screen, acting very quickly might let you stop communication with the C&C server before it finishes encrypting your files. If you disconnect yourself from the network immediately, you might decrease the number of files that it can encrypt.
Use System Restore to get back to a known-clean state
If you have System Restore enabled on your Windows machine, you might be able to take your system back to a known-clean state. Many ransomware variants will prevent this from succeeding, but it doesn’t hurt to try.
Set the BIOS clock back
Some ransomware variants have a payment timer that increases the price for your decryption key after a set time. You may be able to give yourself additional time by setting the BIOS clock back to a time before the deadline window is up.
Ransomware can certainly be frightening, but there are many benign problems that can cause just as much destruction. That is why it has always been, and always will be, best practice to protect yourself against data loss with regular backups kept offline. That way, no matter what happens, you will be able to restart your digital life quickly. It is my hope that if anything good can come out of this ransomware trend, it is an understanding of the importance of performing regular, frequent backups to protect our valuable data.