Defending against Malware is something we all need to do. This post will discuss a particular form of malware called Ransomware and how to put some defences in place to mitigate its effects.
What is Ransomware?
Ransomware is a form of malware that, when it infects a system, encrypts files, making them inaccessible to the user. Once a file is encrypted you need the decryption key to decrypt your files so that you can access them again.
Ransomware can infect your system through various attack vectors, for example:
- A Phishing email, text message or IM message
- Social Engineering, particularly by email
- Accessing a malicious website that installs the malware
- Malware probing your system for vulnerabilities.
Once this malware invades your system there is little you can do to recover the files unless you have recent, secured (for that read offline) backups, or a decryptor programme exists for that variant. The hackers will leave a ransom note on your system requesting that you pay them a sum of money, normally in Bitcoin or some other cryptocurrency. Once you pay the ransom, they will then provide the decryption key which, if you are lucky, will decrypt and release your files.
However, here is the nasty part. Even when you pay the ransom, the hackers often don’t provide the decryption key and you are left high and dry.
Let’s be clear about this. Ransomware is the instrument Cyber Criminals are using to extort money from you. It is extortion! It is also a crime in all civilised countries and should be punished as such when they are caught. It is not a prank, or a bit of fun, it is often a business run by cyber criminals in much the same way any other business, or organised crime syndicate, is run. It is devastating for anyone who gets hit by this form of malware. It is also used as an instrument of cyber warfare to reduce the effectiveness of military forces by crippling defence systems – hence these critical systems are often air-gapped.
Case Studies …
Most people will have heard of the WannaCry Ransomware attack back in May 2017. This was a global event and in the UK it attacked vulnerable computers in the National Health Service (NHS). This was largely because the NHS were running outdated versions of Windows XP which were vulnerable to EternalBlue, an exploit developed by the United States National Security Agency (NSA) and released into the wild by hackers. This ransomware attack cost the NHS £millions to fix, and to update and protect their systems. This is money that could have been used to fund medical procedures and save lives. However, the NHS were negligent in maintaining their systems and hopefully they have learnt their lesson.
More recently (May 2019) the city of Baltimore in the US was hit by a Ransomware attack. The hackers requested the equivalent of $100,000 in Bitcoin (approximately 3 Bitcoins), but the city is refusing to pay the ransom. As a result their systems are still out of service over a month after the attack. In this case it was the RobbinHood ransomware that invaded their systems. By the reports I have seen, the City of Baltimore has funding issues and its IT infrastructure is largely outdated. Hopefully they will also learn their lessons from this incident.
The GandCrab ransomware was provided to anyone who wanted to pay a subscription for it. See my blog on Malware as a Service for more info on this.
I could fill this blog with examples, as this form of Malware is rampant across the internet. Bleeping Computer provide a weekly roundup of the various ransomware attacks that have been reported. The June 21st edition is here. This report makes frightening reading just by the sheer number of active attacks. This publication is also a very good source of all things related to cyber security.
How do you defend against Ransomware?
There are several ways to reduce the attack surface available to any form of malware, not just Ransomware, such as:
- Keeping your PCs, phones and servers fully updated with the most recent security patches
- Install, and keep updated, an anti-malware/end point security application (e.g. AVG, Avast, McAfee, Sophos) and enable all its features
- End point security software will help defend your email, but at the end of the day some malicious emails evade the AV software and the spam detection algorithms at your email provider, so you need to be cautious when you click on links or open emails from untrusted sources
- Take regular backups of all your sensitive files
- Establish a disaster recovery procedure.
The rest of this blog will be a set of tips that will help you defend against this form of malware.
TIP 1 – Be Observant
There are software-based methods, but the most important defence is education: being aware of the messages you are receiving. A malicious email could arrive in your mailbox stating that your iCloud account is being locked and you must click on a link to unlock it. When you click on the link, it downloads and installs the ransomware, which then goes to work encrypting everything it can. If you are lucky it will stop at the PC it has infected, but in most cases it will try to access other PCs and servers on the network and infect them too.
If you see your files being encrypted, the best thing to do is switch off the affected PC and remove its network connection. In an office this is often a cable in the back of the PC, but more and more this is Wi-Fi and you will have to switch it off by going into Airplane mode.
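Spotting encryption in progress is easier with a little automation than by eye. The following is an added example, not code from the original post: a heuristic detector that scores a stream of file-write events on two signals, payloads whose Shannon entropy jumps to near-random (encrypted data looks random, documents do not) and a burst of such writes to many distinct files in a short window. The events, the ransom-style extension list and the thresholds are constructed assumptions for the demonstration.

```python
"""Heuristic detector for ransomware-style mass encryption (added example).

Scores a stream of file-write events on two signals: file contents that jump to
high Shannon entropy (encrypted data looks random, documents do not) and a burst
of such writes to many distinct files in a short window. The events below are
constructed, not real telemetry.
"""
import math
import random
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass
class WriteEvent:
    timestamp: float  # seconds since start of observation (constructed clock)
    path: str         # file written
    content: bytes    # bytes written


HIGH_ENTROPY_BITS = 7.5   # text and office documents rarely exceed ~6 bits/byte
# Assumed extension list for the demo; real families use many others.
SUSPECT_EXTENSIONS = {".locked", ".encrypted", ".crypt"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant stream, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def is_suspicious_write(event: WriteEvent) -> bool:
    """A write is suspicious if its payload looks random or the file got a ransom-style extension."""
    dot = event.path.rfind(".")
    ext = event.path[dot:].lower() if dot != -1 else ""
    return shannon_entropy(event.content) >= HIGH_ENTROPY_BITS or ext in SUSPECT_EXTENSIONS


def detect_burst(events: Iterable[WriteEvent], window_seconds: float = 10.0,
                 threshold: int = 5) -> Optional[float]:
    """Return the timestamp at which `threshold` distinct files received suspicious
    writes within `window_seconds`, or None if no such burst occurs."""
    suspicious = sorted((e.timestamp, e.path) for e in events if is_suspicious_write(e))
    for i, (t0, _) in enumerate(suspicious):
        paths_in_window = {p for t, p in suspicious[i:] if t - t0 <= window_seconds}
        if len(paths_in_window) >= threshold:
            return t0
    return None


def build_sample_events() -> List[WriteEvent]:
    """Constructed sample: a few ordinary document saves, then a burst of
    random-looking overwrites with a ransom extension, as mass encryption would produce."""
    rng = random.Random(7)  # fixed seed so the sample is reproducible
    ordinary = b"Quarterly report: revenue up 4% on stable costs. " * 80
    events = [WriteEvent(float(t), f"/home/user/docs/report{t}.docx", ordinary) for t in range(3)]
    for k in range(6):
        random_payload = bytes(rng.getrandbits(8) for _ in range(4096))
        events.append(WriteEvent(100.0 + k, f"/home/user/docs/report{k}.docx.locked", random_payload))
    return events


if __name__ == "__main__":
    sample = build_sample_events()
    hit = detect_burst(sample)
    print("burst detected at t=%s" % hit if hit is not None else "no burst")
```

On a real machine the events would come from a file-system watcher rather than a constructed list, and the detection would trigger the response described above (disconnect the network, power down) rather than just printing. Entropy alone produces false positives on compressed files such as ZIP archives and JPEGs, which is why the burst across many distinct files is the stronger signal.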
TIP 2 – Patch, Patch, Patch …
Every month Microsoft (Windows), Apple (iOS, macOS) and Google (Android), as well as many other less well known software companies, issue security patches. These fix bugs in your systems that can leave them vulnerable to all forms of malware, including ransomware.
My advice is to install these patches as soon as they are issued. However, my experience with Microsoft Windows is that some of their patches cause other problems, so I wait 10 days before I install them (there is a setting for this in the Settings app).
These patches will often mitigate both disclosed and undisclosed vulnerabilities. If a vulnerability hasn’t been disclosed there will in all likelihood not be active exploits using it, but that isn’t guaranteed. In some cases an active exploit is available and being used by hackers before a patch exists; this is what is called a zero-day, because the software company has had zero days to issue a mitigating patch.
Installing these security updates and keeping your systems on supported versions of the OS should be the first thing you do. If you are on an unsupported version you are wide open. Unsupported versions of Windows are:
- Windows 2000
- Windows XP
- Windows Vista.
And their server variants. Windows 7 will go out of support in January 2020. Windows 8.1 is still supported and Windows 10 is actively supported, but you have to be aware that this is done through feature updates, which have a shorter shelf life.
Android is a particular issue, since budget phones are often on older versions of Android that are unsupported. Google typically supports an Android version for a number of years with security patches, which it issues to its partners to be integrated into their devices. The problem here is that older versions of Android don’t get these patches, and even newer versions are not always patched by the phone manufacturer.
This happens with the iPhone/iPad as well as Windows, but at least these companies take control of the patching process and support their products for a good many years. However, Windows 10 feature updates are typically supported for around 18 months from release, after which you will be forced to install the latest feature update to retain the level of support.
Linux systems are also regularly patched, but you need to be on a supported version of the distribution. Depending on the distribution, updating can be automatic or a manual process. This won’t be an issue for most consumers and/or small businesses, but it will be if you are using Linux on a server.
This is a large subject, and I cannot cover every variant. It is up to you to ensure when you buy a device that it has a good support history and that you know how long the device will be supported for. In other words, don’t just go for the new shiny offer, but do your homework. It may cost you a little more, but in this case you definitely get what you pay for, and paying a little more could reduce the risk from malware.
TIP 3 – Backup your Files
I have written an extensive blog on this subject, so I will refer you to that post for the details.
In essence, if you take regular backups and secure them in an offline location, preferably in a different location to where your device is, you should be able to recover to a point in history.
This has several benefits:
- If you delete that important file, it is likely in one of your backups and can be recovered
- More importantly, if you are hit with a Ransomware attack you can wipe your PC and restore all your files from your backup.
If you store backups on cloud drives, make sure they are disconnected when not in use. It is also not inconceivable that a smart piece of ransomware will find a way to access your cloud drive even when it is disconnected and attack the files there too.
The best policy is to automate your backups; how this is done will depend on the system you are running. Routinely copy the backups to an offline drive and store a copy in a remote location.
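What an automated backup should do, beyond copying files, is record enough to prove later that a snapshot is still intact before you restore from it. The following is an added example, not code from the original post: it copies a source tree into a labelled snapshot, writes a SHA-256 manifest for every file, verifies a snapshot against that manifest (a tampered file is reported by name) and prunes old snapshots. The demo runs entirely inside a temporary directory with constructed files; the paths, labels and retention count are assumptions for the example.

```python
"""Versioned backup with an integrity manifest (added example).

Copies a source tree into a labelled snapshot, records a SHA-256 digest for
every file in a manifest, verifies a snapshot against that manifest, and prunes
old snapshots. The demo runs entirely inside a temporary directory with
constructed files; the paths and labels are assumptions for the example.
"""
import hashlib
import json
import shutil
import tempfile
import time
from pathlib import Path
from typing import Dict, List, Optional


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def create_snapshot(source: Path, backup_root: Path, label: Optional[str] = None) -> Path:
    """Copy `source` into backup_root/<label>/data and write manifest.json beside it."""
    label = label or time.strftime("%Y%m%dT%H%M%SZ", time.gmtime())
    snapshot = backup_root / label
    data_dir = snapshot / "data"
    shutil.copytree(source, data_dir)
    manifest: Dict[str, str] = {
        p.relative_to(data_dir).as_posix(): sha256_file(p)
        for p in sorted(data_dir.rglob("*")) if p.is_file()
    }
    (snapshot / "manifest.json").write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return snapshot


def verify_snapshot(snapshot: Path) -> List[str]:
    """Return the relative paths that are missing or whose digest no longer matches.
    An empty list means the snapshot can be trusted for a restore."""
    manifest = json.loads((snapshot / "manifest.json").read_text())
    data_dir = snapshot / "data"
    return sorted(rel for rel, digest in manifest.items()
                  if not (data_dir / rel).is_file() or sha256_file(data_dir / rel) != digest)


def prune_snapshots(backup_root: Path, keep: int = 3) -> List[str]:
    """Delete all but the `keep` most recent snapshots (labels sort chronologically)."""
    snapshots = sorted(p for p in backup_root.iterdir() if p.is_dir())
    removed = []
    for old in (snapshots[:-keep] if keep > 0 else snapshots):
        shutil.rmtree(old)
        removed.append(old.name)
    return removed


def demo() -> Dict[str, List[str]]:
    """Round trip on constructed files, including a tampered snapshot the check must catch."""
    with tempfile.TemporaryDirectory() as tmp:
        source, root = Path(tmp) / "docs", Path(tmp) / "backups"
        (source / "photos").mkdir(parents=True)
        root.mkdir()
        (source / "notes.txt").write_text("meeting notes\n")
        (source / "photos" / "cat.jpg").write_bytes(b"\xff\xd8 constructed, not a real JPEG")

        first = create_snapshot(source, root, label="v1")
        clean = verify_snapshot(first)
        # Simulate ransomware reaching a backup drive that was left connected:
        # one file in the snapshot is overwritten with unreadable data.
        (first / "data" / "notes.txt").write_bytes(b"\x00\x9f garbage")
        tampered = verify_snapshot(first)

        for n in range(2, 6):
            create_snapshot(source, root, label=f"v{n}")
        removed = prune_snapshots(root, keep=3)
        kept = sorted(p.name for p in root.iterdir())
        return {"clean": clean, "tampered": tampered, "removed": removed, "kept": kept}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest catches silent corruption and a backup that ransomware has partly overwritten, but anything with write access to the backup drive could rewrite the manifest as well. That is the reason for the post's advice: keep a copy of each snapshot (or at least its manifest) on an offline drive and in a remote location, and run the verify step before trusting a restore.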
TIP 4 – Decryptors
There is a very useful website that stores decryption software for a large number of Ransomware variants. It is called:
In some cases a decryptor has been developed for a particular Ransomware variant, and it is often posted on this site. A web search may turn up other sources, but as always be very careful, as these could just be another source of malware.
The hackers will promise to provide the decryption key if you pay their ransom, but WHY SHOULD YOU!! In addition, they may just take your money and not provide the decryption key.
Let me be very clear about this. I do not, and never will, advise anyone to pay a ransom to decrypt their files. If you do, and don’t put in place measures to defend yourself, they will just try again and in all likelihood the ransom will be higher since they know you will pay up.
TIP 5 – Disaster Recovery Procedures
Most large companies will have redundancy built into their data centres to mitigate any form of disaster (e.g. earthquake, flood, power outage). This is often tested regularly by switching over to the backup to prove the process works. However, for smaller businesses and consumers, this is often not possible.
What can the small business do? For this I am talking about a business that has only a few employees, maybe a sole trader.
Firstly, you need to observe the tips above and make sure you employ all of them. You can also have a backup Phone/PC, which could be the Phone/PC you upgraded from, that can be pressed back into service while you fix your main device. However, make sure this device is also supported, particularly if it is a PC, with all the known patches installed.
Make sure you have your backups so that you can recover your critical files.
The advice for consumers is very much the same for small businesses.
Of all the different forms of malware that we have to contend with these days, I find Ransomware to be the most frightening. When struck by an incident you are often powerless to defend against it unless you have put in place measures to mitigate these incidents. You will feel invaded and abused, and in all likelihood never fully recover from it.
A few years ago I contacted a builder to quote for some construction work I needed at my home. While I had an acknowledgement I didn’t hear from him for about a month with the quote. In the end I phoned him and found out that he had lost the record of my request due to a ransomware attack.
Ransomware can bring down a company, can even bring a government to its knees. And even if they recover their systems, the loss of reputation, and loss of confidence by their clients, can be devastating.
For consumers, you may lose access to precious files and photos. While not necessarily as critical, this loss can be devastating, especially if you have lost that one photo you had of a lost one.
As with all malware, you have to be diligent and take precautions. Most of the tips I have posted above are also relevant to recovering from any form of malware attack. However, Ransomware is one of the most prevalent variants of our time.
I hope you have found this post of interest and it has helped you to defend yourself. I won’t be posting specific details of individual Ransomware variants on this site, but I will re-tweet any articles I find relevant to this topic on Twitter. Please follow us there and keep an eye open for any new ransomware variants and attacks.
Headline photo provided by Shutterstock.