“Send Us the Money or Else…” What to Do If You Contract Ransomware

“Buy decryption and get all your files back.” That’s what the note might say. And while it may not be built of letters cut from magazine headlines, it’s demanding ransom. Ransomware is malware, and a particularly nasty kind. It usually arrives as a Trojan: a program disguised as something legitimate, such as an invoice attachment or a software download. Once it runs, it works in the background, encrypting your files one by one. By the time you notice the computer has been infected, a lot of damage has usually already been done.

At a certain point, the ransomware will “hold your computer hostage” and demand a fee. Usually, it’s in the form of a popup message, with a headline like “Your Computer Has Been Locked!”

Underneath is a ransom note, which can take a variety of forms. The malware might masquerade as the Federal Bureau of Investigation, claiming it has detected inappropriate material on your computer. Or it may take a subtler approach, claiming it has found pirated software and demanding that you pay for it. In some instances, it doesn’t hide its intentions at all: it simply says your files have been encrypted and you’ll have to pay if you want them decrypted.

What’s worse, it’s becoming really common. According to this recent article, 41% of U.S. businesses have been hit by ransomware.

If you’ve fallen victim to ransomware, here’s the number one takeaway:

Never pay.

In many cases, if you pay, you do get a decryptor and your files back. But that doesn’t mean the incident is over. Some attackers copy your data to a server they control before they encrypt it, so they still hold a copy after you’ve paid, and nothing stops them from demanding payment again.

This is where ransomware becomes truly nasty. Attackers who have taken a copy of your data may threaten to publish it on the web. That could be devastating, especially if they’ve acquired sensitive data about your clients. If that data gets leaked online, you might face a class-action lawsuit.

But it might not have to get to that point. Here are three steps you can take:

1. Know what to look for.

If files start behaving strangely, don’t ignore it. Too often an employee notices that a file name has changed to a long string of numbers and letters and shrugs it off. Or the name stays the same but the extension changes: documents turn into .zepto files and nobody says anything. Your best defense is to spot an attack early. It’s hard to give a comprehensive list of the extensions and ransom-note names to watch for, because as soon as one family is identified and blocked, a new variant with a different extension appears. But this list is a useful starting place.
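Here is a small scanner that looks for the signals just described. It is an added example, not code from the original article or from any product it mentions. It flags known ransomware extensions (.zepto is the one named above; the other extensions and the ransom-note name pattern are assumptions for illustration, not a complete blocklist), file names that are nothing but a long hex string, and documents that have lost their format header and whose content is near-random, which is what an encrypted-in-place file looks like. The sample share it scans is constructed inside a temporary directory.

```python
"""Scan a file share for signs of ransomware activity.

Added example, not code from the original article. The extension and
ransom-note lists are short illustrative samples (.zepto is from the
article; the rest are assumptions), not a comprehensive blocklist.
"""
import math
import os
import random
import re
import tempfile
from collections import Counter
from pathlib import Path
from typing import Dict, List

# Illustrative only; .zepto is from the article, the others are assumed.
SUSPECT_EXTENSIONS = {".zepto", ".locky", ".crypt", ".encrypted", ".locked"}
# Assumed pattern for dropped notes such as _HELP_instructions.html or HOW_TO_DECRYPT.txt.
NOTE_NAME = re.compile(r"(help_|how_to|decrypt|recover|restore).*\.(txt|html?)$", re.I)
# "A long string of numbers and letters": 16 or more hex digits and nothing else.
HEX_NAME = re.compile(r"^[0-9a-f]{16,}$", re.I)
# Formats with a fixed header; a file encrypted in place loses it.
MAGIC = {".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04", ".pdf": b"%PDF"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte. Plain text sits around 4 to 5; encrypted data approaches 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def inspect_file(path: Path) -> List[str]:
    """Return the reasons this file looks suspicious (empty list if none)."""
    reasons = []
    suffix = path.suffix.lower()
    if suffix in SUSPECT_EXTENSIONS:
        reasons.append("known ransomware extension %s" % suffix)
    if NOTE_NAME.search(path.name):
        reasons.append("name looks like a ransom note")
    if HEX_NAME.match(path.stem):
        reasons.append("name is a long hex string")
    if suffix in MAGIC:
        try:
            head = path.read_bytes()[:4096]
        except OSError:
            return reasons
        # A genuine .docx is compressed and therefore also high-entropy, so the
        # entropy test alone would false-positive; require the header to be gone too.
        if not head.startswith(MAGIC[suffix]) and len(head) >= 512 and shannon_entropy(head) > 7.5:
            reasons.append("missing %s header and near-random content" % suffix)
    return reasons


def scan_tree(root: Path) -> Dict:
    """Walk root; report flagged files and the fraction of all files flagged."""
    flagged = {}
    total = 0
    for dirpath, _, names in os.walk(root):
        for name in names:
            total += 1
            p = Path(dirpath) / name
            reasons = inspect_file(p)
            if reasons:
                flagged[p.relative_to(root).as_posix()] = reasons
    ratio = len(flagged) / total if total else 0.0
    return {"total": total, "flagged": flagged, "ratio": ratio}


def build_sample_share(root: Path) -> None:
    """Constructed sample data: a small share partway through an outbreak."""
    rng = random.Random(7)

    def junk(n: int) -> bytes:  # deterministic stand-in for ciphertext
        return bytes(rng.getrandbits(8) for _ in range(n))

    fin = root / "finance"
    fin.mkdir(parents=True)
    # Untouched document: zip header present, repetitive low-entropy body.
    (fin / "budget.docx").write_bytes(b"PK\x03\x04" + b"budget 2016 " * 200)
    # Encrypted and renamed with the extension the article mentions.
    (fin / "invoice.pdf.zepto").write_bytes(junk(2048))
    # Encrypted in place: extension kept, header gone, content random.
    (fin / "report.xlsx").write_bytes(junk(4096))
    # Renamed to a long hex string.
    (fin / "3f2a9c1e8b7d6a5f4e3d2c1b0a9f8e7d").write_bytes(junk(1024))
    # The dropped ransom note.
    (fin / "_HELP_instructions.html").write_text("<h1>Your files are encrypted</h1>")


def demo() -> Dict:
    """Build the sample share in a temp dir, scan it, and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_share(root)
        return scan_tree(root)


if __name__ == "__main__":
    report = demo()
    for name, why in sorted(report["flagged"].items()):
        print(name, "->", "; ".join(why))
    print("%d of %d files flagged" % (len(report["flagged"]), report["total"]))
```

Run it against a real share by calling `scan_tree(Path("/mnt/share"))` from a machine that only has read access. The ratio matters as much as the individual hits: a single odd file is a question for the user, but a folder where most files are flagged within minutes is an outbreak in progress, and that is the moment to pull the network cable.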

2. Disconnect from the Internet.

The second you notice file names changing, take the computer off the network: pull the cable or switch off the Wi-Fi. That may not stop the malware from encrypting what is already on the local disk, but it stops it from reaching anything else and from talking to its operators. Depending on which computer became infected, you may have to take other parts of your network offline as well. Ransomware encrypts everything the infected user can write to, including USB drives, external hard drives, and mapped network shares.

3. Have great backups.

Here’s the thing: Ransomware can access whatever files the infected computer can access. That makes features like System Restore not particularly useful against it: the ransomware is running on the same machine with the same privileges, and many strains delete restore points and shadow copies before they start encrypting. But here’s the other thing: Ransomware can only access what the infected computer can access. A backup that lives somewhere the infected machine cannot overwrite or delete, is reached with separate credentials (ideally behind two-factor authentication), and keeps earlier versions of every file is out of its reach. A plain sync folder is not that kind of backup; it will happily sync the encrypted copies over the good ones. So, for a quick and dirty fix, you could institute a cloud backup. A cloud backup encrypts files and sends them to an offsite location (or possibly a hybrid array onsite), where earlier versions are retained. Here are two cloud backup providers you might consider:

  1. Code42 CrashPlan. Code42 CrashPlan backs up data to the destinations of your choice, with no user intervention required. Files are encrypted in transit and at rest, and an encryption key is required to restore them.
  2. Backblaze. Backblaze automatically backs up files to the cloud. The data is stored in a secure datacenter with 24-hour staff, biometric access control and redundant power. Recently, as an extra layer of security, Backblaze added two-factor authentication.

Cloud backups do have one drawback: restoring is slow, roughly five to ten times slower than from a local backup, so plan for that downtime before you need it.

Ransomware is a particularly nasty piece of malware, one we hope you never have to deal with. Should you contract it, it’s not necessarily the end of the world, or even the end of your business. You just need the right defense. At Techs, we can build secure backups for your organization, and we’re available to answer any questions. Contact us today.
