Picture this.

It’s late in the evening. Maybe you opened your laptop to check your email “one last time.” Only this time, something is wrong.

It’s slow. Files won’t open. You’re getting error messages like “unknown file type” on your Windows machine or, if you’re a Mac user, “no associated application.” Or maybe you’re already completely locked out.

Then, the phone rings. It’s your IT team, and you hear the words you were hoping and praying not to hear: “We’ve been breached.”

You look back down at your laptop, and there it is in black and white (and usually red).

You’ve been infected with ransomware. You have lots of company.

In 2020, the FBI’s Internet Crime Complaint Center received 2,474 ransomware complaints, and those are just the ones that got reported. Cybersecurity Ventures expects that businesses will fall victim to a ransomware attack every 11 seconds in 2021, up from every 14 seconds in 2019, and every 40 seconds in 2016.

Ransomware attacks are on the rise and have been getting more dangerous in recent years. An attack on corporate networks that encrypts sensitive information can cost businesses hundreds of thousands or even millions of dollars. In 2020, the total number of global ransomware reports increased by 485% year-over-year according to the latest Threat Landscape Report 2020 by Bitdefender.

Compounding the trend, more people are working remotely as the global pandemic continues to change business environments, and cybercriminals capitalize on the opportunity to attack users working outside the corporate firewall. An uptick in scams and phishing attempts across all platforms indicated that attackers leveraged issues related to COVID-19 to exploit fear and misinformation. Bitdefender noted attacks focused on COVID-19 related messaging in the first half of 2020 before shifting to impersonations of banking, delivery, and travel services in the second half.

Ransom amounts are also reaching new heights. Attempts have gone as high as $50 million—the largest attempted ransom ever. The astronomical demands had many companies saying “enough is enough” and refusing to make payments toward the end of 2020. Coveware’s Q4 2020 Quarterly Ransomware Report noted that average payments decreased 34% to $154,108 from $233,817 in Q3 of 2020. They attribute the decrease to eroding trust that hackers will actually delete sensitive data, with many reports of data being released to the public after payments are made.

Ransomware affects all industries, from tech to healthcare, and oil and gas to higher education. Even during a global pandemic, in Q4 of 2020, according to Coveware, the healthcare sector was the most common industry targeted by ransomware followed by professional services and the public sector. So if there’s any expectation that a business’ mission or service to the world might deter malicious actors, that’s an assumption to leave in the past.

Ransomware continues to be a major threat to businesses in all sectors, with some areas getting hit particularly hard, especially education and healthcare. In 2020, 1,681 schools were affected by ransomware as well as 560 healthcare facilities according to a report from Emsisoft, a security solutions provider.

In March of 2021, attackers demanded an astronomical $40 million from Broward County Public Schools, the nation’s sixth largest school district. In August and September of 2020, 57% of ransomware attacks reported to the federal Multi-State Information Sharing and Analysis Center involved schools, compared to 28% of all reported ransomware incidents from January through July.

The education sector makes an easy mark for hackers, especially this past year—schools with strapped budgets and aging IT equipment entered an unprecedented year of IT-reliant remote teaching. Schools also store sensitive student information they’re vested in protecting, making them more likely to pay ransoms rather than have their data published.

In healthcare, since 2016, 270 ransomware attacks targeted 2,100 clinics, hospitals, and other health-related businesses, with an estimated overall cost of $31 million.

Attacks on healthcare and the public sector cause life-threatening challenges. “The fact that there were no ransomware-related deaths in the U.S. last year was simply due to good luck,” Emsisoft CTO, Fabian Wosar said in the report. “Security needs to be bolstered across the public sector before that luck runs out and lives are lost.”

The first step in bolstering security is understanding how ransomware works and how you can protect your business or organization from an attack. Read on to learn how to protect yourself from ransomware.

Who Gets Attacked?

Ransomware attacks target firms of all sizes—5% or more of businesses in the top 10 industry sectors have been attacked—and no size business, from small and medium-sized businesses to enterprises, is immune. Attacks are on the rise in every sector and in every size of business.

Also, the phishing attempt that targeted the World Health Organization (WHO), though unsuccessful, proves that attackers show no sense of “out of bounds” targets when it comes to choosing their victims. These attempts indicate that organizations which often have weaker controls and out-of-date or unsophisticated IT systems should take extra caution to protect themselves and their data.

The U.S. ranks the highest in the number of ransomware attacks, followed by Germany and then France. Windows computers are the main targets, but ransomware strains exist for Macintosh and Linux, as well.

The unfortunate truth is that ransomware has become so widespread that for most companies it is a certainty that they will be exposed to some degree to a ransomware or malware attack. The best they can do is to be prepared and understand the best ways to minimize the impact of ransomware.

“Ransomware is more about manipulating vulnerabilities in human psychology than the adversary’s technological sophistication.”—James Scott, Institute for Critical Infrastructure Technology

Phishing emails, malicious email attachments, and visiting compromised websites have been common vehicles of infection (we wrote about phishing in “Top 10 Ways to Protect Yourself Against Phishing Attacks”), but other methods have become more common recently. Weaknesses in Microsoft’s Server Message Block (SMB) and Remote Desktop Protocol (RDP) have allowed cryptoworms to spread. Desktop applications—in one case an accounting package—and even Microsoft Office (Microsoft’s Dynamic Data Exchange (DDE)) have also been the agents of infection.

Recent ransomware strains such as Petya, CryptoLocker, and WannaCry have incorporated worms to spread themselves across networks, earning the nickname, “cryptoworms.”

How to Prevent a Ransomware Attack

“Ransomware is at an unprecedented level and requires international investigation.”—European police agency EuroPol

A ransomware attack can be devastating for a home or a business. Valuable and irreplaceable files can be lost and tens or even hundreds of hours of effort can be required to get rid of the infection and get systems working again.

Ransomware attacks continue to evolve and attack methods get more sophisticated all the time. You don’t have to be part of the statistics. With good planning and smart practices, you can prevent ransomware from affecting your systems.

Know How Viruses Enter Your Workplace and Computer

To be prepared, you need to know how ransomware can enter your system. These methods of gaining access to your systems are known as attack vectors.

Attack vectors can be divided into two types: human attack vectors and machine attack vectors.

Human Attack Vectors

Often, viruses need the help of humans to enter computers so they employ what’s known as social engineering. In the context of information security, social engineering is the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes. In other words, people can be fooled into giving up information that they otherwise would not divulge.

Common human attack vectors include:

1. Phishing

Phishing uses fake emails to trick people into clicking on a link or opening an attachment that carries a malware payload. The email might be sent to one person or many within an organization. Sometimes the emails are targeted to make them seem more credible. The attackers take the time to research the individual targets and businesses so their email appears legitimate. The sender might be faked to be someone known to the recipient or the subject matter relevant to the recipient’s job. When personalized in this manner, the technique is known as spear phishing. Read more about this type of attack vector in our post, “Top 10 Ways to Protect Yourself Against Phishing Attacks.”

2. SMSishing

SMSishing uses text messages to get recipients to navigate to a site or enter personal information on their device. Common approaches use authentication messages or messages that appear to be from a financial or other service provider. Some SMSishing ransomware attempts to propagate itself by sending itself to every entry in the device’s contact list.

3. Vishing

In a similar manner to email and SMS, vishing uses voicemail to deceive the victim. The voicemail recipient is instructed to call a number that is often spoofed to appear legitimate. If the victim calls the number, they are taken through a series of actions to correct some made-up problem. The instructions include having the victim install malware on their computer. Cybercriminals can appear professional and employ sound effects and other means to appear legitimate. Like spear phishing, vishing can be targeted to an individual or company using information that the cybercriminals have collected.

4. Social Media

Social media can be a powerful vehicle to convince a victim to open a downloaded image from a social media site or take some other compromising action. The carrier might be music, video, or other active content that once opened infects the user’s system.

5. Instant Messaging

Instant messaging clients can be hacked by cybercriminals and used to distribute malware to the victim’s contact list. This technique was one of the methods used to distribute the Locky ransomware to unsuspecting recipients.

How to Defeat Ransomware

So, you’ve been attacked by ransomware. What should you do next?

1. Isolate the Infection: Prevent the infection from spreading by separating all infected computers from each other, shared storage, and the network.
2. Identify the Infection: From messages, evidence on the computer, and identification tools, determine which malware strain you are dealing with.
3. Report: Report to the authorities to support and coordinate measures to counter the attack.
4. Determine Your Options: You have a number of ways to deal with the infection. Determine which approach is best for you.
5. Restore and Refresh: Use safe backups and program and software sources to restore your computer or outfit a new platform.
6. Plan to Prevent Recurrence: Make an assessment of how the infection occurred and what you can do to put measures into place that will prevent it from happening again.

1. Isolate the Infection

The rate and speed of ransomware detection is critical in combating fast moving attacks before they succeed in spreading across networks and encrypting vital data.

The first thing to do when a computer is suspected of being infected is to isolate it from other computers and storage devices. Disconnect it from the network (both wired and Wi-Fi) and from any external storage devices. Cryptoworms actively seek out connections and other computers, so you want to prevent that happening. You also don’t want the ransomware communicating across the network with its command and control center.

Be aware that there may be more than just one patient zero, meaning that the ransomware may have entered your organization or home through multiple computers, or may be dormant and not yet shown itself on some systems. Treat all connected and networked computers with suspicion and check each one to confirm it is not infected before trusting it again.

2. Identify the Infection

Most often the ransomware will identify itself when it asks for ransom. There are numerous sites that help you identify ransomware, including ID Ransomware. The No More Ransom! Project provides the Crypto Sheriff to help identify ransomware.

Identifying the ransomware will help you understand what type of ransomware you have, how it propagates, what types of files it encrypts, and maybe what your options are for removal and disinfection. It also will enable you to report the attack to the authorities, which is recommended.

3. Report to the Authorities

You’ll be doing everyone a favor by reporting all ransomware attacks to the authorities. The FBI urges ransomware victims to report ransomware incidents regardless of the outcome. Victim reporting provides law enforcement with a greater understanding of the threat, provides justification for ransomware investigations, and contributes relevant information to ongoing ransomware cases. Knowing more about victims and their experiences with ransomware will help the FBI to determine who is behind the attacks and how they are identifying or targeting victims.

You can file a report with the FBI at the Internet Crime Complaint Center.

There are other ways to report ransomware, as well.

4. Determine Your Options

Your options when infected with ransomware are:

  • To pay the ransom.
  • To try to remove the malware.
  • To wipe the system(s) and reinstall from scratch.

It’s generally considered a bad idea to pay the ransom. Paying the ransom encourages more ransomware, and in many cases the unlocking of the encrypted files is not successful.

In a recent survey, more than three-quarters of respondents said their organization is not at all likely to pay the ransom in order to recover their data (77%). Only a small minority said they were willing to pay some ransom (3% of companies have already set up a Bitcoin account in preparation).

Even if you decide to pay, it’s very possible you won’t get back your data.

That leaves two other options: removing the malware and selectively restoring your system, or wiping everything and installing from scratch.

5. Restore or Start Fresh

You have the choice of trying to remove the malware from your systems or wiping your systems and reinstalling from safe backups and clean OS and application sources.

Get Rid of the Infection

There are internet sites and software packages that claim to be able to remove ransomware from systems. The No More Ransom! Project is one. Other options can be found, as well.

Whether you can successfully and completely remove an infection is up for debate. A working decryptor doesn’t exist for every known ransomware, and unfortunately it’s true that the newer the ransomware, the more sophisticated it’s likely to be and the less time the good guys have had to develop a decryptor.

It’s Best to Wipe All Systems Completely

The surest way of being certain that malware or ransomware has been removed from a system is to do a complete wipe of all storage devices and reinstall everything from scratch. Formatting the hard disks in your system will ensure that no remnants of the malware remain.

If you’ve been following a sound backup strategy, you should have copies of all your documents, media, and important files right up to the time of the infection.

Be sure to determine the date of infection as well as you can from malware file dates, messages, and other information you have uncovered about how your particular malware operates. Consider that an infection might have been dormant in your system for a while before it activated and made significant changes to your system. Identifying and learning about the particular malware that attacked your systems will enable you to understand how that malware functions and what your best strategy should be for restoring your systems.

Select a backup or backups that were made prior to the date of the initial ransomware infection. With Extended Version History, you can go back in time and specify the date prior to which you wish to restore files.

If you’ve been following a good backup policy with both local and off-site backups, you should be able to use backup copies that you are sure were not connected to your network after the time of attack and hence protected from infection. Backup drives that were completely disconnected should be safe, as are files stored in the cloud.
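The infection-dating and backup-selection steps above, as an added example that is not code from the original post or from Backblaze: a Python triage script that flags files whose leading bytes look like ciphertext (high Shannon entropy in a format that is not normally compressed or encrypted), collects ransom-note-like filenames that can be submitted to an identification service such as ID Ransomware, takes the earliest modification time among the flagged files as an estimate of when encryption began, and then chooses the newest backup snapshot that predates that estimate by a safety margin for a possible dormant period. The directory, file contents, timestamps and snapshot dates are constructed inline; the entropy threshold, the note-name hints and the 24-hour margin are assumptions, not values from the article.

```python
import math
import os
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Formats that are compressed or encrypted by design (Office files are zip
# containers): high entropy there is normal, so they are skipped rather than
# reported as ransomware output.
HIGH_ENTROPY_OK = {".zip", ".gz", ".7z", ".jpg", ".jpeg", ".png", ".mp4",
                   ".pdf", ".docx", ".xlsx", ".pptx"}
ENTROPY_THRESHOLD = 7.5  # bits per byte; assumption: ciphertext sits near 8.0
NOTE_HINTS = ("decrypt", "restore", "readme", "how_to")  # assumed note-name hints


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_encrypted(path: Path, sample_size: int = 4096) -> bool:
    """True if the file's leading bytes look like ciphertext and the format does
    not explain it. Very short files are skipped: entropy on a handful of bytes
    is not meaningful."""
    if path.suffix.lower() in HIGH_ENTROPY_OK:
        return False
    with path.open("rb") as f:
        sample = f.read(sample_size)
    return len(sample) >= 256 and shannon_entropy(sample) >= ENTROPY_THRESHOLD


def is_ransom_note(path: Path) -> bool:
    """Candidate ransom notes by name; confirm by reading them, since a plain
    project readme.txt matches too."""
    name = path.name.lower()
    return path.suffix.lower() in {".txt", ".html"} and any(h in name for h in NOTE_HINTS)


def scan_tree(root):
    """Walk a tree; return (suspect files with UTC mtimes, candidate note paths)."""
    suspects, notes = [], []
    for p in Path(root).rglob("*"):
        if not p.is_file():
            continue
        if is_ransom_note(p):
            notes.append(p)
        elif looks_encrypted(p):
            mtime = datetime.fromtimestamp(p.stat().st_mtime, tz=timezone.utc)
            suspects.append((p, mtime))
    return suspects, notes


def estimate_infection_time(suspects):
    """Earliest mtime among encrypted-looking files: a lower bound on when
    encryption started (the dropper may have been present earlier)."""
    return min((m for _, m in suspects), default=None)


def last_clean_backup(snapshots, infection_time, margin=timedelta(hours=24)):
    """Newest snapshot taken at least `margin` before the estimated start of
    encryption; the margin allows for a dormant period before activation."""
    if infection_time is None:
        return None
    cutoff = infection_time - margin
    return max((s for s in snapshots if s <= cutoff), default=None)


def demo():
    """Build a constructed sample tree, run the triage, and return the findings."""
    utc = timezone.utc
    t_doc = int(datetime(2021, 3, 1, 9, 0, tzinfo=utc).timestamp())
    t_enc = int(datetime(2021, 3, 15, 2, 10, tzinfo=utc).timestamp())
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        files = {  # constructed sample files: (content, mtime)
            "meeting_minutes.txt": (b"Quarterly figures and action items. " * 200, t_doc),
            "budget.csv.locked": (os.urandom(4096), t_enc),   # encrypted-looking
            "photo.jpg": (os.urandom(4096), t_doc),            # high entropy, expected
            "HOW_TO_DECRYPT.txt": (b"Your files are encrypted...", t_enc + 5),
        }
        for name, (data, ts) in files.items():
            p = root / name
            p.write_bytes(data)
            os.utime(p, (ts, ts))
        suspects, notes = scan_tree(root)
        infection = estimate_infection_time(suspects)
        snapshots = [datetime(2021, 3, d, 12, 0, tzinfo=utc) for d in (10, 13, 14)]
        snapshots.append(datetime(2021, 3, 15, 1, 0, tzinfo=utc))  # taken mid-attack
        restore_from = last_clean_backup(snapshots, infection)
        return {
            "suspects": sorted(p.name for p, _ in suspects),
            "notes": sorted(p.name for p in notes),
            "infection_time": infection.isoformat() if infection else None,
            "restore_from": restore_from.isoformat() if restore_from else None,
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it on a read-only copy of the affected volume, not the live machine, and treat the estimate as a lower bound: file timestamps can be reset by the malware, and the snapshot of 15 March 01:00 in the sample is rejected precisely because a backup taken during or just before activation cannot be trusted even though it predates the first visibly encrypted file.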

System Restores Are Not the Best Strategy for Dealing With Ransomware and Malware

You might be tempted to use a System Restore point to get your system back up and running. System Restore is not a good solution for removing viruses or other malware. Since malicious software is typically buried within all kinds of places on a system, you can’t rely on System Restore being able to root out all parts of the malware. Also, System Restore does not save old copies of your personal files as part of its snapshot. It also will not delete or replace any of your personal files when you perform a restoration, so don’t count on System Restore as working like a backup. You should always have a good backup procedure in place for all your personal files.

Local backups can also be encrypted by ransomware. If your backup solution is local and connected to a computer that gets hit with ransomware, the chances are good your backups will be encrypted along with the rest of your data.

With a good backup solution that is isolated from your local computers, you can easily obtain the files you need to get your system working again. You have the flexibility to determine which files to restore, from which date you want to restore, and how to obtain the files you need to restore your system.

You’ll need to reinstall your OS and software applications from the source media or the internet. If you’ve been managing your account and software credentials in a sound manner, you should be able to reactivate accounts for applications that require it. If you use a password manager to store your account numbers, usernames, passwords, and other essential information, you can access that information through their web interface or mobile applications. You just need to be sure that you still know your master username and password to obtain access to these programs.

Read more on Backblaze: Ransomware: How to Prevent or Recover From an Attack