As a tech journalist, for the past two years I’ve been reporting on ransomware. During that time, I’ve seen it grow from a nuisance targeting individuals, to one of the most feared, most dreaded corporate cyberattack types in history.
I’ve read countless news reports, analyses and research papers from pretty much every cybersecurity company worth mentioning, from Kaspersky Lab, to Trend Micro, to Check Point. Through all that knowledge and information, I’ve formed a clear picture of what ransomware is, who it targets, how it does it and what businesses must, can and should do to protect themselves. In this article I will try to help you better understand the threat, so you may better protect yourself.
Let’s take it from the top:
What is ransomware?
The word itself is a combination of two words – ransom and malware. Malware is, as Wikipedia puts it, ‘an umbrella term used to refer to a variety of forms of hostile or intrusive software, including computer viruses, worms, Trojan horses, ransomware, spyware, adware, scareware, and other malicious programs’.
Ransom is money demanded in exchange for releasing someone, or something, that is being held hostage.
Ransomware is malicious software that holds your computer hostage, or more precisely your files, in order to extort money from you. The idea is older than Bitcoin (the first known example, the ‘AIDS Trojan’ of 1989, demanded payment by post), but it became a mass-market crime once Bitcoin offered a way to collect payments that is pseudonymous and hard to trace back to a person. With such a currency, criminals can demand money with far less fear of the payment trail leading back to them.
How does it work?
Once it runs, it encrypts the victim’s files: documents, spreadsheets, images, databases and so on, typically picked out by file extension. It does this on the local drives, on any USB drive that happens to be plugged in, on mapped network shares, and in any cloud-sync folder that mirrors a local directory. In other words, anything writable from the infected computer at that moment is at risk. Ransomware usually arrives through spam and phishing emails; I will come back to this later. Once the victim downloads the malicious attachment and runs it, the ransomware scans the computer and every connected drive and then encrypts what it finds. The victim is then greeted with a ransom note saying they have a limited amount of time to pay, usually with the threat that the price will go up, or the decryption key will be destroyed, once the deadline passes.
Why is it so effective?
It is effective (and this was particularly true at the very beginning, a few years back) because many anti-virus programs could not recognize ransomware as malicious, and in a sense it is not doing anything unusual. Encryption itself is not a malicious act. Your email to Gmail is encrypted in transit, your Viber and WhatsApp messages are encrypted, and there are countless perfectly legitimate programs whose whole job is encrypting files. Ransomware calls the same kind of cryptographic routines; the only difference is that this time the decryption key is held by the attacker, not by you.
So telling a malicious encryptor apart from a legitimate one, based on what it does to files, was particularly challenging for cybersecurity companies.
Another reason why ransomware is so effective is that it is easy to create new variants. New versions keep popping up, and signature-based anti-virus struggles to keep up. Simply having an antivirus or a firewall set up is not going to be of much help on its own, and that is one of the main reasons why ransomware is so feared.
Why is it so popular?
Ransomware owes its popularity to the fact that it is extremely easy to spread, and easy to earn money off. Its popularity grew dramatically once hackers realized they can target companies, who simply can’t afford to lose their data.
By losing data, businesses risk:
- Lawsuits (extra expenses)
- Ruined reputation (fewer customers means financial losses)
- Business downtime (financial losses)
Basically, it comes down to money. Ransomware usually asks for between $300 and $3,000, depending on the victim and the ransomware variant, and this is pocket money for large companies that are risking millions of dollars in losses from locked files. That’s why many companies decide to pay up and keep quiet about it, adding another reason to its growing popularity.
What can businesses do to protect themselves from ransomware?
This is where I come back to email. The single best way for a company to protect itself from ransomware is to teach its employees healthy cybersecurity habits. Businesses need to educate their employees not to trust everything they see online, not to click on every link they get in a message, and not to open attachments, especially from people they don’t personally know.
Employees are the number one target for spreading malware, which is why they need to turn their brains on when handling attachments and links. They need to ask themselves:
- Who is this attachment coming from? Do I know this person?
- Why is this person sending this attachment to me? Is it relevant?
- Does the attachment have an executable extension? .exe, .msi and .pif, and likewise .scr and script files such as .js and .vbs, are file types that should not be sent via email and should never be opened from one. Macro-enabled Office documents (.docm, .xlsm) deserve the same suspicion, because the macro is the program. Watch for double extensions too (‘invoice.pdf.exe’ is an .exe, whatever the icon says).
- Does this link look legitimate?
Honestly, you can’t blame employees when things like this happen. In companies with 5,000 employees or more, getting an email from (someone who looks like) a colleague is business as usual. Files get shared all the time, and when people are in a hurry, mistakes happen.
And cybercriminals know this, which is why some emails are crafted to look ‘important’ and put a lot of pressure on employees to act quickly. ‘URGENT’, ‘FIX IMMEDIATELY’ and ‘UNPAID INVOICE’ are frequent subject lines in emails delivering ransomware.
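The checklist above can be turned into a first-pass triage of an inbound message: the attachment questions become checks on the file name, and the subject-line tactics become a check for pressure phrases. The script below is an added example, not code from the article; the extension lists, the phrase list and the sample messages are my own illustrative assumptions, and the file names are constructed. It also covers two disguises the checklist only hints at: a double extension such as ‘Invoice.pdf.exe’, and the Unicode right-to-left override character, which makes a name like ‘ann<RLO>fdp.exe’ display as ‘annexe.pdf’.

```python
from dataclasses import dataclass, field
from typing import List

# Assumption: these extension lists are illustrative, not an exhaustive blocklist.
# Files that execute directly when opened on Windows.
EXECUTABLE_EXTENSIONS = {
    "exe", "msi", "pif", "scr", "com", "bat", "cmd",
    "js", "jse", "vbs", "vbe", "wsf", "hta", "ps1",
}
# Office formats that can carry macros, a common first stage for ransomware.
MACRO_EXTENSIONS = {"docm", "xlsm", "pptm"}
# Phrases the article lists as typical pressure tactics in subject lines.
PRESSURE_PHRASES = ("urgent", "fix immediately", "unpaid invoice")
# Unicode right-to-left override: "ann\u202efdp.exe" is displayed as "annexe.pdf".
RTLO = "\u202e"


@dataclass
class Verdict:
    risky: bool
    reasons: List[str] = field(default_factory=list)


def extensions(filename: str) -> List[str]:
    """All dotted suffixes, lowercased: 'Invoice.pdf.exe' -> ['pdf', 'exe']."""
    parts = filename.strip().lower().split(".")
    return parts[1:] if len(parts) > 1 else []


def check_attachment(filename: str) -> Verdict:
    """Apply the attachment questions from the checklist to one file name."""
    reasons: List[str] = []
    exts = extensions(filename)
    final = exts[-1] if exts else ""
    if final in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable extension .{final}")
    elif final in MACRO_EXTENSIONS:
        reasons.append(f"macro-enabled Office document .{final}")
    # 'report.pdf.exe': the harmless-looking inner extension is what a mail
    # client that hides known extensions will show the user.
    if reasons and len(exts) >= 2:
        reasons.append("double extension disguising the real file type")
    if RTLO in filename:
        reasons.append("right-to-left override character in the name")
    return Verdict(bool(reasons), reasons)


def check_subject(subject: str) -> List[str]:
    """Return the pressure phrases present in the subject line."""
    lowered = subject.lower()
    return [p for p in PRESSURE_PHRASES if p in lowered]


def triage(subject: str, attachments: List[str], known_sender: bool) -> Verdict:
    """Combine the checklist answers for one message into a single verdict.

    A dangerous attachment is risky on its own. A pressuring subject line from
    someone the recipient does not know is also treated as risky, even with a
    harmless-looking attachment, because that combination is the classic lure.
    """
    reasons: List[str] = []
    risky = False
    for name in attachments:
        verdict = check_attachment(name)
        risky = risky or verdict.risky
        reasons.extend(f"{name}: {r}" for r in verdict.reasons)
    pressure = check_subject(subject)
    if pressure:
        reasons.append("pressure phrases in subject: " + ", ".join(pressure))
    if not known_sender:
        reasons.append("sender not personally known")
    if pressure and not known_sender:
        risky = True
    return Verdict(risky, reasons)


if __name__ == "__main__":
    # Constructed sample messages, not real mail.
    samples = [
        ("URGENT: UNPAID INVOICE", ["Invoice_2017.pdf.exe"], False),
        ("Minutes from Tuesday", ["minutes.docx"], True),
        ("FIX IMMEDIATELY", ["fix.js"], False),
        ("Annex", ["ann" + RTLO + "fdp.exe"], True),
    ]
    for subject, files, known in samples:
        v = triage(subject, files, known)
        state = "RISKY" if v.risky else "ok   "
        print(f"{state} {subject!r}: {'; '.join(v.reasons) or 'nothing flagged'}")
```

This is a name-and-subject heuristic, nothing more: a .docx with an embedded exploit, or a link to a download, passes it untouched, which is exactly why the article’s advice is to train people rather than to rely on a filter.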
Education is the number one way to protect yourself, and your company, from malware. The second best way is obviously backing up your data. Your most valuable files should be backed up frequently and to more than one destination.
With backups, if you get hit, you can wipe the machine, restore an older version and continue as usual. But backup copies often get compromised, corrupted or misplaced (a backup drive that stays plugged in gets encrypted along with everything else, as explained above), so keep more than one copy, keep at least one of them offline or otherwise out of reach of the machines it protects, and test now and then that you can actually restore from it.
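‘Corrupted or compromised’ is only discoverable if you check. One cheap check is to record a hash of every file at backup time and re-hash the copy later; a file that was overwritten by ransomware, truncated by a failing disk, or replaced by a ransom note then shows up as changed, missing or extra. The script below is an added example, not code from the article; the directory layout, the file contents and the simulated tampering are constructed for the demonstration.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List

CHUNK = 1 << 20  # read files 1 MiB at a time


def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(CHUNK), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map each file under root (path relative to root, '/'-separated) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def manifest_path(backup_dir: Path) -> Path:
    # The manifest sits beside the copy, not inside it, so it never hashes itself.
    return backup_dir.parent / (backup_dir.name + ".manifest.json")


def make_backup(source: Path, backup_dir: Path) -> Path:
    """Copy the source tree and record what every file hashed to at backup time."""
    shutil.copytree(source, backup_dir)
    manifest_path(backup_dir).write_text(
        json.dumps(build_manifest(backup_dir), indent=2, sort_keys=True)
    )
    return backup_dir


def verify_backup(backup_dir: Path) -> Dict[str, List[str]]:
    """Re-hash the copy and report anything that no longer matches the manifest."""
    expected = json.loads(manifest_path(backup_dir).read_text())
    actual = build_manifest(backup_dir)
    return {
        "missing": sorted(set(expected) - set(actual)),
        "changed": sorted(k for k in expected if k in actual and actual[k] != expected[k]),
        "extra": sorted(set(actual) - set(expected)),
    }


def demo() -> Dict[str, Dict[str, List[str]]]:
    """Two copies of a constructed source tree; one is then overwritten the way
    a still-connected backup drive would be by ransomware."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        source = root / "source"
        (source / "docs").mkdir(parents=True)
        (source / "docs" / "contract.txt").write_text("constructed sample contract\n")
        (source / "notes.txt").write_text("constructed sample notes\n")

        make_backup(source, root / "backup_a")  # left untouched (think: the offline copy)
        make_backup(source, root / "backup_b")  # reachable from the infected machine
        (root / "backup_b" / "docs" / "contract.txt").write_bytes(b"\x9f\x12\x00encrypted-garbage")
        (root / "backup_b" / "README_DECRYPT.txt").write_text("ransom note\n")

        return {
            "clean": verify_backup(root / "backup_a"),
            "tampered": verify_backup(root / "backup_b"),
        }


if __name__ == "__main__":
    for label, report in demo().items():
        print(f"{label}: {json.dumps(report)}")
```

Two caveats. A manifest that lives on the same media the ransomware can reach can be rewritten along with the files, so a passing check on a connected copy is weaker evidence than a passing check on an offline one. And matching hashes prove the copy is what you wrote, not that what you wrote is restorable, which is why a periodic restore test is still needed.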
What should you do if you get attacked by ransomware?
Security experts agree: if your files get locked and you don’t have a backup copy, there is usually no way of getting those files back. The exceptions are the ransomware families whose keys have been recovered or whose encryption was badly implemented, for which free decryptors exist (the No More Ransom project at https://www.nomoreransom.org collects them), so check for one before doing anything else. Maybe (and that’s a big maybe) paying works, but reports out there suggest that only a fraction of the companies that pay actually get their files back.
I would advise against paying any ransom, to anyone – ever. Not only does that not guarantee you getting your files back, but it also motivates these hackers to continue attacking businesses everywhere. Also, there is no guarantee you won’t be attacked by ransomware again, so you could end up paying month in – month out, never getting your files back.
You have to know – if you get hit by ransomware – it’s going to hurt, and there is no way around it. It can either hurt less, or more, depending on how you handle the situation.
From what I’ve learned, being honest and transparent is the best way to go. Notifying the authorities and your customers about the attack is the least painful way. Yes, if you don’t have a proper business continuity plan, it will cost you to get back up, but these things never remain hidden for long.
If such a secret leaks out, the cost could be much, much greater. If you were careless enough to get ransomware, you might as well admit it.
Be careful out there
Once ransomware has encrypted your files, the malware itself can be removed, but the files generally cannot be recovered without the key. Also, you should definitely not pay any ransom:
- There is no guarantee you’ll get your files back.
- You’re motivating cybercriminals to continue hijacking data.
- They will probably attack you again.
Instead you should focus your efforts on preventing ransomware from reaching your company, and making sure you have backup copies stored away, just in case. Teach your employees about healthy cybersecurity practices – that’s your best bet at staying safe online.
Image Credit: Flickr / Christiaan Colen