What is Ransomware?
Ransomware is a type of malicious software, or malware, designed to deny access to a computer system or its data until a ransom is paid. It typically arrives through phishing emails or through visits to compromised websites, and an infection can be devastating to an individual or an organization.
The data on the victim's computer is locked, usually by encryption, and payment is demanded before the data is decrypted and access is returned. The motive is almost always financial, and unlike most other attacks the victim is deliberately told that the compromise has happened and is given instructions for recovering. Payment is usually demanded in a cryptocurrency such as Bitcoin, which makes the recipient harder to identify.
Ransomware spreads through malicious email attachments, trojanized software, infected external storage devices and compromised websites. Attacks have also entered through exposed Remote Desktop Protocol (RDP) services and other paths that require no user interaction at all.
How ransomware attacks work
Ransomware kits sold on dark-web markets let criminals buy a toolkit that generates ransomware with the capabilities they choose, distribute the result themselves and collect the ransoms in their own bitcoin wallets. As in much of the rest of the IT world, it is now possible for people with little or no technical background to rent inexpensive ransomware as a service (RaaS) and launch attacks with minimal effort. In one common RaaS arrangement, the provider collects the ransom payments and keeps a percentage before passing the rest to the affiliate who ran the attack.
Types of ransomware
Attackers may use one of several different approaches to extort digital currency from their victims. For example:
• Scareware poses as security software or tech support. Victims receive pop-up notifications claiming that malware has been discovered on their system, something that security software they never installed could not possibly know. Not responding does no harm beyond producing more pop-ups.
• Screen lockers, or lockers, lock the user out of the computer entirely. On startup the victim sees what looks like an official government seal, suggesting that they are the subject of an official inquiry; they are told that unlicensed software or illegal web content has been found on the machine and are given instructions for paying an electronic fine. Real government agencies do not operate this way; they go through proper legal channels and procedures.
• In encrypting ransomware, also called data kidnapping, the attacker gains access to the victim's data, encrypts it and demands payment for the key that unlocks the files. There is no guarantee that the victim gets the data back, even after paying or negotiating.
• In a variation on encrypting ransomware, the attacker encrypts files on infected devices and then profits by selling a product that promises to unlock the files and prevent future malware attacks.
• In doxware (also called leakware), the attacker additionally threatens to publish the victim's data online if the ransom is not paid.
• Mobile ransomware targets mobile devices. The attacker uses it to steal data from a phone or to lock the device, then demands a ransom to return the data or unlock the device.
• The victim may also receive a pop-up message or emailed ransom note warning that if the demanded sum is not paid by a deadline, the private key needed to unlock the device or decrypt the files will be destroyed.
While early instances of these attacks sometimes merely "locked" the web browser or the Windows desktop, often in ways that could be reverse-engineered and undone fairly easily, attackers have since built ransomware that uses strong public-key encryption to deny access to files on the computer, so that the data cannot be recovered without the attacker's private key.
Screenlocker vs. Encryption Ransomware
Screenlockers and encryption ransomware are the two main types of ransomware. Knowing the difference between them will help in knowing what to do next in the case of infection.
As described above, screenlockers lock the user out of the computer until a payment is made. They deny access to the infected system and its files, but the data itself is not encrypted. On Windows a screenlocker will also block access to system components such as Task Manager and Registry Editor so that it cannot simply be closed. The screen stays locked until payment is made, and the victim is given instructions for paying. Screenlockers also try to pressure the user into paying by posing as an official government organization.
Encryption ransomware is the most effective form of ransomware today. As mentioned above, the attacker gains access to the victim's data, encrypts it and demands payment for the key. Strong encryption is applied to all data saved on the device, usually silently in the background, so the user may notice nothing until the ransom note appears, and without the key the files cannot be reconstructed. A note is commonly left on the infected system with instructions for retrieving the encrypted data after payment. Compared to screenlockers, encryption ransomware puts the victim's data in more immediate danger, and there is no guarantee that the data will be returned after negotiation.
Ransomware Attack Prevention
To protect against ransomware and other forms of cyberextortion, experts urge users to back up their devices regularly and keep software, including antivirus software, up to date. End users should be wary of clicking links in emails from strangers or opening unexpected attachments. Victims should do everything they can to avoid paying ransoms.
While ransomware attacks may be nearly impossible to stop entirely, there are data protection measures individuals and organizations can take to keep damage minimal and recovery fast. Strategies include compartmentalizing authentication systems and domains, keeping up-to-date storage snapshots outside the primary storage pool, and enforcing hard limits on who can access data and when that access is permitted.
How to Remove Ransomware
There is no guarantee that a victim can stop a ransomware attack and regain their data, but some methods work in some cases. For example, a victim can shut down, reboot the system in safe mode, install an anti-malware program, scan the computer and restore it to a previous, uninfected state.
Victims can also restore the system from a backup kept on a separate disk. If the backup is in the cloud, the victim can reformat the disk and restore from that earlier backup.
Mobile ransomware is malware that holds a victim's data hostage on mobile devices, most commonly smartphones. It works on the same premise as other ransomware: the attacker blocks the user's access to the data on the device until a payment is made. Once the malware runs on the infected device, a message demands payment before the device will be unlocked. If the ransom is paid, the attacker is supposed to send a code that unlocks the device or decrypts its data, though, as with other ransomware, there is no guarantee that this happens.
Mobile ransomware typically disguises itself as a legitimate app in a third-party app store. Attackers imitate popular apps and wait for an unsuspecting user to install the copy, and the malware with it. Smartphone users can also be infected by visiting malicious websites or by following a link in an email or text message.
Tips to avoid becoming a victim to mobile ransomware include:
• Do not download apps using third-party app stores (stick to the Apple App Store and Google Play Store).
• Keep mobile devices and mobile apps up to date.
• Do not grant administrator privileges to applications unless absolutely trusted.
• Do not click on links that appear in spam emails or in text messages from unknown sources.
Mobile device users should also have their data backed up in a different location in the case their device is infected. In the worst case scenario, this would at least ensure the data on the device won’t be lost permanently.
Different Types of Ransomware
CryptoLocker appeared in 2013 and was spread largely through an existing botnet (Gameover ZeuS); it is the model that most later encrypting ransomware follows. It was the most destructive form of ransomware of its day because it used strong public-key encryption, so that encrypted files could not be recovered without the private key held by the attackers. A law-enforcement takedown of the botnet in 2014 recovered enough keys for a free decryption tool to be published, but for strains that copy the CryptoLocker approach without such a takedown, decrypting an infected computer without paying is usually impossible.
WannaCry is the most widely known ransomware worm. In May 2017 it infected nearly 125,000 organizations in over 150 countries within days. Unlike email-borne ransomware it needed no user interaction: it spread between Windows machines by exploiting the SMBv1 vulnerability addressed by Microsoft's MS17-010 update (the EternalBlue exploit), so unpatched systems with SMB reachable from the network were the ones hit. Alternative names are WCry and WanaCrypt0r.
Bad Rabbit hit organizations across Russia and Eastern Europe in 2017. It usually spread through a fake Adobe Flash Player update offered on compromised websites; the victim had to download and run the installer for the infection to begin.
Cerber is a variant that was aimed at cloud-based Office 365 users. An elaborate phishing campaign delivered it as malicious attachments to Office 365 mailboxes, and the campaign reportedly reached millions of users.
Crysis encrypts files on fixed drives, removable drives and network drives. It spreads through malicious email attachments that use a double file extension (for example a name ending in .pdf.exe), so that a Windows Explorer configured to hide known extensions shows only the harmless-looking part. It uses strong encryption, so recovering the files by attacking the cipher within any useful time is not feasible.
CryptoWall is an advanced successor of CryptoLocker. It emerged in early 2014 after the takedown of the original CryptoLocker operation, and several variants have existed since, including CryptoDefense, CryptoBit, CryptoWall 2.0 and CryptoWall 3.0.
GoldenEye is closely related to the infamous Petya ransomware. It spread through a large social-engineering campaign aimed at human resources departments. When a user opens the attached file and allows its macro to run, the macro silently launches the payload, which encrypts files on the victim's computer.
Jigsaw is one of the most destructive strains: it encrypts files and then progressively deletes them until the ransom is paid. It deletes files one batch after another on an hourly basis until the 72-hour mark, when all remaining files are deleted.
Locky encrypts the victim's files so that the computer cannot be used normally until a ransom is paid. It usually arrives in a seemingly benign email disguised as an invoice.
When the user opens the attached document, its contents appear scrambled and the victim is told to enable macros to read it. Once macros are enabled, Locky begins encrypting many file types with AES.
Besides the strains listed above, Petya, NotPetya, TeslaCrypt, TorrentLocker and ZCryptor are other well-known ransomware variants.
Step 1: Create A New Case
Click here to Submit A New Case
The purpose of the evaluation is to determine the type and complexity of infection and cost associated with the recovery. Every infection is unique and we can only determine the cost of recovery after proper evaluation.
We have a 100% success rate with most ransomware infections, including JAVA, Arrow, ETC, ETH, 888, Phobos, AYE, Cryptolocker, DMA, XTBL, Kyra, Locky, Thor, CryptoMIX, Microsoft Crypto, Aleta, Arena, Nuclear, NM4, Gryphon, BTC and Zepto (to mention a few!)
We operate on a No Data = No Fee basis.
When submitting a ticket, you will be asked for the following information:
- Your details
- The type of evaluation:
  - Free Evaluation: 10-14 days on average
  - Priority Evaluation:
    - The cost of a priority evaluation is $350
    - The cost of the evaluation goes towards the recovery of your files
    - You are covered by our No Data = No Charge policy
    - 4 to 24 hours response time in most cases (1-4 hours for Dharma and GandCrab)
- 2-3 small sample files with different extensions, plus the ransom note (the note contains important information about your ransomware infection)
Step 2: Evaluation
Depending on the evaluation you have selected we will commence analysing your files to determine the cost associated with recovery.
If you have elected for a priority evaluation you will receive an invoice from our accounts department and upon receipt of payment we will commence the evaluation.
A proper tax invoice will be issued, clearly stating No Data = No Charge.
Priority Evaluation can take 4-24 hours.
Step 3: Quote
Upon completion of the evaluation, a quote will be sent to you. About 80% of jobs cost between $750 and $4,000, and the price can only be determined after we run the evaluation. We provide two levels of service: standard recovery (6-10 days) or priority recovery (1-5 days) on average.
* Most of our jobs are recovered within 1-2 days, but we allow up to 5 days.
* All jobs are started immediately after quote acceptance.
Step 4: Acceptance of Quote
Once you accept the quote, an invoice will be sent to you to commence recovery. Upon receiving remittance advice, your job will start immediately.
Step 5: Initial Recovery Process
We will work on the sample files submitted with the ticket until we reverse-engineer the decryption key. Once the key has been identified, we will contact you or update the ticket to start the recovery. We will need remote access via TeamViewer (https://download.teamviewer.com/download/TeamViewerQS_en.exe) or ScreenConnect (http://pclink.gotdns.com:8040). Further instructions will be sent by email.
Step 6: Actual Recovery
Upon a successful remote connection to your infected computer, we record a list of your infected files before and after the recovery in an Excel spreadsheet for your records. We then run the recovery process and open random files to check that they open successfully and confirm the recovery. Your ticket will be updated to advise that the recovery is complete.
Note 1: We highly recommend making a complete copy of your encrypted files to an external drive, disconnected from the infected system, before we commence recovery, so that a failed decryption attempt cannot destroy the only copy.
Note 2: Please ensure your network has been scanned and cleaned properly before any data recovery, otherwise restored files can be encrypted again.
If you don’t have an IT technician, please let us know and we are happy to perform the service at an additional cost.
Step 7: Prevention
A basic recommendation will be made to identify the risk of
How to Avoid Ransomware Attacks
Defend your email against ransomware. Phishing and spam email are the main distribution channel for ransomware. Secure email gateways with targeted-attack protection are crucial for detecting and blocking the malicious emails that deliver it; they screen malicious attachments, weaponized documents and URLs before the mail reaches user machines.
Defend your mobile devices against ransomware. Mobile attack protection products, used together with mobile device management (MDM) tools, can analyze the applications on users' devices and immediately alert users and IT to any that could compromise the environment.
Defend your web browsing against ransomware. Secure web gateways scan users' web traffic and can identify malicious web ads and downloads that lead to ransomware.
Monitor your servers and network, and back up key systems. Monitoring tools can detect unusual file access activity, known malware, command-and-control (C&C) traffic and abnormal CPU load, possibly in time to block ransomware before it finishes encrypting. Keeping a full image copy of crucial systems reduces the risk that a crashed or encrypted machine becomes a critical operational bottleneck.
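The "unusual file access activity" that such monitoring looks for can be expressed as a small behavioural detector. The following Python example is added here for illustration and is not code from the original page or from any product named on it; the thresholds, the canary path and the event stream are constructed assumptions. It flags a process that, within a short window, overwrites many files with high-entropy (encrypted-looking) data or renames them to an unfamiliar extension, and it treats any touch of a decoy "canary" file as an immediate alert. A backup job writing a few compressed archives, which is also high-entropy, stays below the threshold.

```python
import math
import random
from collections import defaultdict, deque

# Thresholds are assumptions chosen for this example, not tuned values from any product.
WINDOW_SECONDS = 10          # sliding window per process
MAX_SUSPICIOUS_FILES = 20    # distinct files with encryption-like changes inside the window
ENTROPY_THRESHOLD = 7.0      # bits per byte: text is ~4-5, compressed or encrypted data ~7.9
KNOWN_EXTENSIONS = {"docx", "xlsx", "pdf", "txt", "jpg", "png", "zip", "bak"}
CANARY_PATHS = {"/srv/share/~canary/do_not_touch.docx"}  # decoy file no legitimate job touches


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def extension(path: str) -> str:
    """Lower-cased final extension of a path, or '' if there is none."""
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


class RansomwareBehaviorDetector:
    """Flags a process that makes many encryption-like file changes in a short window."""

    def __init__(self):
        self._recent = defaultdict(deque)   # process -> deque of (timestamp, path)
        self.alerts = []

    def observe(self, ts, process, action, path, data=b""):
        """Ingest one event (action is 'write', 'rename' or 'delete'); return alerts it raised."""
        raised = []
        if path in CANARY_PATHS:
            # Canary files sit where enumeration-driven encryption reaches them early;
            # any access is a high-confidence signal, independent of the window counters.
            raised.append(f"canary touched: {process} {action} {path}")

        encrypted_looking_write = (
            action == "write" and len(data) >= 256
            and shannon_entropy(data) >= ENTROPY_THRESHOLD
        )
        rename_to_unknown_ext = action == "rename" and extension(path) not in KNOWN_EXTENSIONS
        if encrypted_looking_write or rename_to_unknown_ext:
            q = self._recent[process]
            q.append((ts, path))
            while q and ts - q[0][0] > WINDOW_SECONDS:
                q.popleft()                     # drop events that fell out of the window
            touched = {p for _, p in q}
            if len(touched) >= MAX_SUSPICIOUS_FILES:
                raised.append(
                    f"mass encryption-like activity: {process} changed {len(touched)} "
                    f"files within {WINDOW_SECONDS}s"
                )
                q.clear()                       # report each burst once

        self.alerts.extend(raised)
        return raised


def run_sample():
    """Constructed event stream: a backup job, a user save, then a simulated encryptor."""
    rng = random.Random(1)
    blob = bytes(rng.getrandbits(8) for _ in range(4096))   # stands in for ciphertext
    det = RansomwareBehaviorDetector()
    # Benign: a nightly job writes three archives. High entropy, but only three files.
    for i in range(3):
        det.observe(100 + i, "backup.exe", "write", f"/srv/backup/set{i}.zip", blob)
    # Benign: a user saves a plain-text document (low entropy).
    det.observe(105, "winword.exe", "write", "/srv/share/report.docx", b"Quarterly figures\n" * 100)
    # Malicious: 25 documents overwritten with ciphertext and renamed, ten per second.
    for i in range(25):
        det.observe(200 + i * 0.1, "invoice.exe", "write", f"/srv/share/doc{i}.docx", blob)
        det.observe(200 + i * 0.1, "invoice.exe", "rename", f"/srv/share/doc{i}.docx.locked")
    det.observe(203, "invoice.exe", "write", "/srv/share/~canary/do_not_touch.docx", blob)
    return det.alerts


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Entropy alone is a weak signal, since archives and images look like ciphertext, which is why the count of distinct files per process per window carries the decision. In production the events would come from a file-system minifilter, auditd or an EDR sensor rather than a constructed list, and an alert would drive an automated response such as suspending the process or revoking the account's access to the share.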
How to Respond to a Ransomware Attack
Call federal and local law enforcement. Just as a kidnapping would be reported to the FBI, organizations should report ransomware to the same bureau (in the US) and to local police. Their forensic technicians can check that systems are not compromised in other ways, gather evidence that helps protect the organization going forward, and try to identify the attackers.
Learn about anti-ransomware resources. The No More Ransom portal (nomoreransom.org) and Bleeping Computer offer tips, suggestions and free decryptors for selected ransomware families; check them before considering payment, since a decryptor may already exist for your variant.
Restore data. Organizations that have followed best practices and kept offline or versioned backups can wipe the affected systems, restore them and resume normal operations.
A new organization will fall victim to ransomware every 14 seconds in 2019, and every 11 seconds by 2021. (Source: Cyber Security Ventures)
1.5 million new phishing sites are created every month. (Source: webroot.com)
Ransomware attacks have increased by over 97% in the past two years. (Source: Phishme)
A total of 850.97 million ransomware infections were detected by the institute in 2018.
In 2019 ransomware from phishing emails increased 109% over 2017. (Source: PhishMe)
Ransomware generates over $25 million in revenue for hackers each year. (Source: Business Insider)
Fewer than 10% of organizations who pay the ransom received their data back. (Source: TrendMicro)
30% of customers infected by Ransomware had a second attack within 60 days
Global cybercrime damages are predicted to cost $6 trillion by 2021. (Source: Kaspersky)
Other Ransomware Statistics:
63% of confirmed data breaches involved leveraging weak, stolen or default passwords and usernames
22% of small business breached by ransomware attacks in 2017 were so badly affected, they could not continue operating
30% of phishing emails were opened and 12% of recipients clicked on infected links or attachments.
Most ransomware infections occur because of weak security, targeted attacks or fraudulent emails that trick victims into opening an attachment.
Ransomware Data Recovery by Experts
Our goal as one of the first companies to become involved with Ransomware recovery is to restore business functionality as soon as possible while preventing future ransomware occurrences. Whether it’s reverse engineering the malware, restoring from backups, or as a last resort option paying the ransom, we’re standing by to get you up and running as soon as possible.
We pride ourselves on staying up to date with the latest ransomware variants as new threat intelligence becomes available from our security researchers.
Here are just some of the reasons to give us a try:
Free Ransomware Recovery Evaluation
24/7 Emergency Ransomware Recovery Services – If you have an emergency, we are here to help 24 hours a day 7 days a week including holidays.
Find and destroy the ransomware on your server
Full protection against all currently known types of ransomware attacks
Protect your server from other common attacks used by hackers
Check the registry for changes made by hackers
Deep-level server scan for time bombs (malicious components set to trigger later)
Complete network and security audit to minimise risk – a full list of recommendations will be sent in a detailed report to further prevent future attacks from other computers/devices on your network
Best practices and solutions for protecting businesses from ransomware downtime
Check your current backups and advise on best backup practices
Check whether your antivirus has adequate ransomware protection; most antivirus products fall short in protecting against ransomware
Group Policy and password audit and recommendations
General IT recommendations if we feel they will improve your overall systems / processes
(Optional but highly recommended) Full scan and prevention on your computers/laptops
No Data. No Charge – If we cannot recover your data from Ransomware, we will not charge you for our efforts. We provide an agreement to each of our clients to further confirm this.
Pay after the Ransomware Recovery Service – We provide you with the peace of mind that we aren’t going to just take your money before getting any data back. We do not bill you until after you’ve verified your data was successfully recovered.
Avoid Attacks with Improved Defenses
Future-proofing information systems and the application infrastructure against ransom attacks is now essential whether or not you have suffered such an attack.
Industrial control and IT infrastructure providers such as Schneider Electric, Aveva and GHD have partnered with security industry leaders to define a capable zero-trust infrastructure for high-value information systems. The aim is to stop attacker activity as soon as a network, server or system is compromised. Researchers at these companies found that existing security solutions were profoundly lacking in the ability to defend critical services against evolving ransomware in real time.
These solution providers partner with emerging security technology companies to better equip themselves and their customers with proactive defenses. At the top of the list are advanced application controls designed on the assumption that attackers will eventually reach critical systems. Such solutions give visibility into essentially every application function at runtime, with insight into workload components as they execute, so that organizations can detect an attack in real time and respond before attackers seize any files, a win in the battle against ever-changing means of malicious system seizure.
If you have not already, upgrade your security infrastructure to guardrail your applications and counter ransom attacks. TechFusion recommends making sure the following are implemented and kept up to date:
Use reputable antivirus software and a firewall. Maintaining a strong firewall and keeping your security software up to date are critical. Use antivirus software from a reputable company, because a great deal of fake security software is in circulation.
Employ content scanning on your mail servers. Inbound email should be scanned for known threats, and attachment types that could pose a threat (executables, scripts and macro-enabled documents, including those hidden behind a double extension) should be blocked before they reach users.
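As an added example (not code from the original page or from any gateway product), the following Python attachment policy shows what blocking "attachment types that could pose a threat" looks like in practice, and it covers the lures described earlier on the page: the Crysis double file extension, the Locky macro-enabled document, and an executable renamed to look like a PDF. The extension sets, magic numbers and sample attachments are assumptions constructed for the example.

```python
from typing import Tuple

# Policy sets are assumptions for this example; a production gateway policy is broader and site-specific.
EXECUTABLE_EXTENSIONS = {
    "exe", "scr", "com", "pif", "bat", "cmd", "msi", "hta", "lnk", "jar",
    "js", "jse", "vbs", "vbe", "wsf", "ps1",
}
MACRO_ENABLED_EXTENSIONS = {"docm", "dotm", "xlsm", "xltm", "pptm"}
DOCUMENT_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "rtf", "jpg", "png"}

# Leading bytes identify the real file type regardless of the name it was given.
MAGIC_NUMBERS = [
    (b"MZ", "pe-executable"),               # Windows .exe/.dll/.scr
    (b"%PDF", "pdf"),
    (b"PK\x03\x04", "zip-container"),       # .zip, and also .docx/.xlsx/.jar
    (b"\xd0\xcf\x11\xe0", "ole-compound"),  # legacy .doc/.xls, may embed VBA macros
]


def sniff_type(data: bytes) -> str:
    """Identify content by magic number; 'unknown' when none matches."""
    for magic, kind in MAGIC_NUMBERS:
        if data.startswith(magic):
            return kind
    return "unknown"


def classify_attachment(filename: str, data: bytes = b"") -> Tuple[str, str]:
    """Return (verdict, reason) where verdict is 'block', 'quarantine' or 'allow'."""
    exts = filename.lower().split(".")[1:]
    if not exts:
        return "quarantine", "attachment has no extension"
    last = exts[-1]
    if last in EXECUTABLE_EXTENSIONS:
        # Catches invoice.pdf.exe: the name is judged by its real, final extension.
        return "block", f"executable attachment type .{last}"
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTENSIONS and last not in DOCUMENT_EXTENSIONS:
        # invoice.pdf.xyz: a document extension placed where the eye stops reading.
        return "quarantine", f"double extension .{exts[-2]}.{last}"
    if last in MACRO_ENABLED_EXTENSIONS:
        return "quarantine", f"macro-enabled Office document .{last}"
    kind = sniff_type(data)
    if kind == "pe-executable":
        return "block", f"content is a Windows executable despite the .{last} name"
    if kind == "ole-compound" and b"_VBA_PROJECT" in data:
        # Legacy .doc/.xls carrying a VBA project: the "enable macros to view" lure.
        return "quarantine", "legacy Office document contains VBA macros"
    return "allow", "no policy match"


def scan_samples():
    """Constructed attachments (name, leading bytes) as a gateway would see them."""
    samples = {
        "Invoice_2019.pdf.exe": b"MZ\x90\x00\x03",
        "invoice.docm": b"PK\x03\x04",
        "Q3_figures.xlsx": b"PK\x03\x04",
        "payment_advice.pdf": b"MZ\x90\x00",
        "invoice.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 64 + b"_VBA_PROJECT",
        "scan.pdf.xyz": b"",
        "contract.pdf": b"%PDF-1.7",
    }
    return {name: classify_attachment(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, (verdict, reason) in scan_samples().items():
        print(f"{verdict:10} {name:24} {reason}")
```

A real gateway also opens archives (a password-protected ZIP is the usual way of slipping past a check like this), detonates documents in a sandbox, and logs the verdict with the message ID so that an incident responder can later find every recipient of a malicious attachment.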
Keep systems up to date. Make sure all systems and software have the relevant patches applied. Exploit kits hosted on compromised websites are commonly used to spread malware, and regular patching of the software they target is necessary to prevent infection.
Utilize a VPN. If traveling, alert your IT department beforehand, especially if you will be using public wireless Internet. Make sure you use a trustworthy virtual private network (VPN), such as Norton Secure VPN, when on public Wi-Fi.
Disconnect your backup from the network. A solid weapon against ransomware is backup media you can air-gap, meaning it is completely disconnected from your computer and the internet. For example, if you back up to an external hard drive, connect it only for the regularly scheduled backup and disconnect it again immediately afterward. "It's crucial that the local storage drive is not kept attached to the network," said Congionti. "This will prevent the backups from being encrypted if the ransomware executable is loaded onto the network, and the storage device is offline outside of the encryption process. If the drive is attached, the ransomware can now have access to these backups, which will render them useless, as they've become encrypted along with other files." Yes, this is inconvenient, and it takes discipline to connect a drive manually and trigger a backup, but it is a particularly secure strategy.
Rely on versioning. Even if you disconnect your external drive, there is no guarantee it stays clean, because your system may already be infected when the backup runs and the backup will faithfully copy the damaged files. "Versioning is a key strategy to ensure recovery from a ransomware attack," said Dror Liwer, founder of security company Coronet. Use a backup tool that saves multiple timestamped versions of your files; then, when you restore, you can go back far enough that the backup predates the infection.
Implement a practical backup strategy. Common sync solutions are not robust enough to protect you from a ransomware attack. Cloud storage is not the same as cloud backup: anything that simply syncs or mirrors your data will sync the encrypted files over the originals. You cannot rely on the free versions of Dropbox, OneDrive or Google Drive, for example, to get your files back, though paid storage tiers are a different story. Dropbox includes the Dropbox Rewind feature in its paid tiers: Dropbox Plus (2 TB of storage) gives you a 30-day history of your files, which you can roll back to at any time, and Dropbox Professional (3 TB) has a 180-day version history.
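The versioning point above, together with the air-gap point before it, can be made concrete with a small versioned backup store. The Python example below is added for illustration and is not code from the original page or from any product mentioned on it; the share contents, timestamps and simulated infection are constructed. Each snapshot is recorded as a timestamped manifest of SHA-256 digests over an append-only object store, so a later snapshot that captures encrypted files never overwrites the clean objects, and the restore step picks the newest snapshot taken before the infection began and verifies every object against its recorded digest before writing it back.

```python
import hashlib
import json
import os
import shutil
import tempfile


class VersionedBackup:
    """Append-only, content-addressed backup store with one timestamped manifest per snapshot.

    Objects are named by SHA-256 digest and never overwritten, so a snapshot taken after an
    infection adds new objects for the encrypted files instead of replacing the clean ones.
    """

    def __init__(self, store_dir):
        self.objects = os.path.join(store_dir, "objects")
        self.manifests = os.path.join(store_dir, "manifests")
        os.makedirs(self.objects, exist_ok=True)
        os.makedirs(self.manifests, exist_ok=True)

    def snapshot(self, src_dir, ts):
        """Record every file under src_dir as of integer timestamp ts; return the manifest."""
        manifest = {}
        for root, _, files in os.walk(src_dir):
            for name in files:
                full = os.path.join(root, name)
                with open(full, "rb") as f:
                    data = f.read()
                digest = hashlib.sha256(data).hexdigest()
                obj = os.path.join(self.objects, digest)
                if not os.path.exists(obj):          # existing objects are immutable
                    with open(obj, "wb") as f:
                        f.write(data)
                manifest[os.path.relpath(full, src_dir)] = digest
        with open(os.path.join(self.manifests, f"{ts}.json"), "w") as f:
            json.dump(manifest, f, sort_keys=True)
        return manifest

    def versions(self):
        return sorted(int(n[:-5]) for n in os.listdir(self.manifests) if n.endswith(".json"))

    def latest_before(self, ts):
        """Newest snapshot taken strictly before ts (the moment the infection began)."""
        older = [v for v in self.versions() if v < ts]
        return max(older) if older else None

    def restore(self, ts, dest_dir):
        """Write snapshot ts into dest_dir, verifying each object against its recorded digest."""
        with open(os.path.join(self.manifests, f"{ts}.json")) as f:
            manifest = json.load(f)
        for rel, digest in manifest.items():
            with open(os.path.join(self.objects, digest), "rb") as f:
                data = f.read()
            if hashlib.sha256(data).hexdigest() != digest:
                raise ValueError(f"object for {rel} is corrupt or tampered; refusing to restore")
            target = os.path.join(dest_dir, rel)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as f:
                f.write(data)
        return manifest


def _write(path, data):
    with open(path, "wb") as f:
        f.write(data)


def run_scenario():
    """Constructed scenario: two clean snapshots, simulated encryption at t=2500, a tainted snapshot."""
    work = tempfile.mkdtemp()
    try:
        share = os.path.join(work, "share")
        os.makedirs(share)
        backup = VersionedBackup(os.path.join(work, "backup"))

        _write(os.path.join(share, "contract.docx"), b"contract v1")
        backup.snapshot(share, 1000)
        _write(os.path.join(share, "contract.docx"), b"contract v2 signed")
        _write(os.path.join(share, "ledger.xlsx"), b"ledger")
        backup.snapshot(share, 2000)

        # Simulated ransomware: every file overwritten with random bytes and renamed, note dropped.
        for name in os.listdir(share):
            path = os.path.join(share, name)
            _write(path, os.urandom(64))
            os.rename(path, path + ".locked")
        _write(os.path.join(share, "README_DECRYPT.txt"), b"pay to recover your files")
        backup.snapshot(share, 3000)     # the scheduled job faithfully backs up the damage too

        chosen = backup.latest_before(2500)   # the operator knows when encryption started
        restored = os.path.join(work, "restored")
        manifest = backup.restore(chosen, restored)
        with open(os.path.join(restored, "contract.docx"), "rb") as f:
            contract = f.read()
        return chosen, sorted(manifest), sorted(os.listdir(share)), contract
    finally:
        shutil.rmtree(work)


if __name__ == "__main__":
    print(run_scenario())
```

This is the same principle a paid tier's version history offers, with two properties worth checking in any backup product you rely on: that old versions cannot be deleted or overwritten by the account that writes new ones (otherwise ransomware running as that user can purge them), and that integrity is verified on restore rather than assumed.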