If you run a startup or small business and are unfortunate enough to be the victim of an online attack, there is a very good chance that it will take the form of ransomware. This type of attack has grown rapidly in popularity over the past couple of years because it is simple to execute, cost effective, and the tools for carrying it out are widely available online (if you are the sort of person who knows where to look). Unlike many more sophisticated attacks, it takes little time to set up and requires no advanced hacking skills, which makes it one of the most likely attacks an entrepreneur or solopreneur will encounter.
A ransomware attack typically begins with a phishing campaign: malicious links are sent out via email, social media, even text message. Clicking the link downloads the actual malware payload, a small program that quickly starts encrypting your files. Ransomware varies in complexity. The simplest variants encrypt only local files, while more advanced ones try to spread to other connected computers and can affect an entire network. Whatever its reach, once the encryption process is complete you are effectively locked out of your computer and presented with a page informing you that, to restore access, you must pay for the decryption key that unlocks your files. The price varies, but is frequently less than $100, and that is the secret to ransomware’s effectiveness. Faced with the prospect of losing critical files, and with a reasonably affordable solution at hand, a lot of people will just pay and get on with their lives. And since the malware can be used over and over, it becomes a numbers game: instead of one big score of thousands of dollars or a huge database of saleable information (often taking years and advanced skills to set up), ransomware generates income for the attacker a few dollars at a time, over and over.
Unfortunately, paying may not get you out of trouble. In a number of recent attacks, victims paid the ransom but were never given a working key, and their files stayed locked. It should also be noted that even though the malware itself is simple, the encryption is usually strong: without the key the files are effectively gone (a few carelessly written families have been broken and free decryptors published for them, but you cannot count on that). And even if you do get your files back, more sophisticated ransomware may leave small, hard-to-detect processes behind: a keylogger, for instance, which captures every keystroke and sends it to a remote server so the attacker can pick out login credentials, or a back door that lets the attacker use your computer as a foothold in a larger, protected network, like the one belonging to the big new client that just gave you access to their systems.
Protection from malware is a matter of preparation – once you have clicked the link you are probably infected, and it is too late. Consider that an infosec professional writing here was himself the victim of ransomware (although he had planned ahead and did not pay), despite having configured advanced malware scanning tools in an attempt to stop this sort of attack. Luckily, preparation is simple: back up your files. Keep a current copy of anything you cannot afford to lose somewhere that is not connected to your computer, like an external hard drive or a USB stick (yes, those still exist). Something ‘airgapped’: not physically connected to your machine except during the backup itself. Back up weekly at least, more often if you cannot afford to lose a day’s work. Keep several dated copies rather than overwriting a single one, so that a backup taken after your files were silently encrypted does not replace the last good copy, and try restoring a file now and then to confirm the backup actually works. Don’t image the entire hard drive: if you do, you may also copy over ransomware that has been downloaded but has not yet run (see why below). Just copy your documents, pictures, and so on.
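As an added example (not from the original article), here is a small POSIX shell script that does the kind of backup just described: it copies only document files into a new dated snapshot on the removable drive, leaves programs and scripts out so a not-yet-run dropper cannot ride along, and writes a SHA-256 manifest so the copy can be verified before you trust it for a restore (the check you would run on the drive before restoring onto a freshly re-imaged machine, as in the steps below). The script name backup.sh, the /media/usb-backup path and the list of document extensions are assumptions; adjust them to your own setup.

```shell
#!/bin/sh
# Added example (not from the original article): document-only snapshot backup
# to a removable drive, with a checksum manifest so the copy can be verified
# before it is trusted for a restore. Assumes POSIX sh, find, cp, date and
# sha256sum (falls back to shasum). All paths below are placeholders.
set -eu

# Print the SHA-256 of one file, whichever hashing tool the system has.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Decide by extension (case-insensitive) whether a file is a document we keep.
# Programs, scripts and installers are deliberately absent from this list: a
# dropper that has landed in Downloads but not yet run is exactly what we do
# not want carried into the backup and restored onto a freshly wiped machine.
is_document() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        *.doc|*.docx|*.xls|*.xlsx|*.ppt|*.pptx|*.pdf|*.odt|*.ods|*.rtf|*.txt|*.md|*.csv|*.jpg|*.jpeg|*.png|*.gif|*.heic|*.mp4|*.mov|*.mp3) return 0 ;;
        *) return 1 ;;
    esac
}

# backup_docs SRC DST: copy documents under SRC into a new dated snapshot
# directory under DST, write MANIFEST.sha256 (hash + relative path per line)
# and SKIPPED.txt (what was left out), and print the snapshot path.
# Dated snapshots are never overwritten, so a backup taken after files were
# silently encrypted cannot clobber the last good copy.
backup_docs() {
    src=$1
    dst=$2
    snapshot="$dst/snapshot-$(date +%Y%m%d-%H%M%S)"
    mkdir -p "$dst"
    mkdir "$snapshot"            # fails rather than reusing an existing snapshot
    : > "$snapshot/MANIFEST.sha256"
    : > "$snapshot/SKIPPED.txt"
    find "$src" -type f | while IFS= read -r f; do
        rel=${f#"$src"/}
        if ! is_document "$rel"; then
            printf '%s\n' "$rel" >> "$snapshot/SKIPPED.txt"
            continue
        fi
        mkdir -p "$snapshot/$(dirname "$rel")"
        cp -p "$f" "$snapshot/$rel"
        printf '%s  %s\n' "$(hash_file "$snapshot/$rel")" "$rel" >> "$snapshot/MANIFEST.sha256"
    done
    printf '%s\n' "$snapshot"
}

# verify_snapshot SNAPSHOT: recompute every hash in the manifest and report
# missing or altered files. Run this before restoring, and again whenever you
# want to know the drive is still good. Returns non-zero on any problem.
verify_snapshot() {
    snap=$1
    manifest="$snap/MANIFEST.sha256"
    [ -f "$manifest" ] || { echo "no manifest in $snap" >&2; return 1; }
    bad=0
    while IFS= read -r line; do
        expected=${line%%  *}
        rel=${line#*  }
        if [ ! -f "$snap/$rel" ]; then
            echo "MISSING  $rel" >&2
            bad=1
        elif [ "$(hash_file "$snap/$rel")" != "$expected" ]; then
            echo "MISMATCH $rel" >&2
            bad=1
        fi
    done < "$manifest"
    return $bad
}

# Stand-alone use, e.g. on a weekly reminder with the drive plugged in:
#   RUN_BACKUP=1 sh backup.sh "$HOME/Documents" /media/usb-backup
# Unplug the drive again afterwards; that is what makes it "airgapped".
if [ "${RUN_BACKUP:-0}" = "1" ]; then
    snap=$(backup_docs "$1" "$2")
    if verify_snapshot "$snap"; then
        echo "backup OK: $snap ($(wc -l < "$snap/MANIFEST.sha256" | tr -d ' ') files)"
    else
        echo "backup FAILED verification: $snap" >&2
        exit 1
    fi
fi
```

Each run creates a fresh snapshot-YYYYMMDD-HHMMSS directory instead of overwriting, so a drive that has been plugged in for several weekly runs holds several generations; when you restore after an infection, verify the newest snapshot first and fall back to an older one if the manifest reports mismatches. SKIPPED.txt is worth a glance after each run: an unexpected .exe or .js sitting in your Documents folder is a hint worth following up on before it ever runs.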
If it happens to you – you clicked on that link even though you knew better, and now you are looking at a ransomware lockout screen – here are the steps to follow:
- Don’t connect to anything – in fact, turn off Wi-Fi (even if you have to shut down your router), unplug your Ethernet cable, and do whatever you can to deny the malware a chance to spread to other machines.
- Don’t pay – remember, there is no guarantee you will get your files back, and you will need to wipe the machine anyway because of the risk of persistent threats being left behind. Treat everything on the infected computer as lost; your backup is what you will restore from.
- Completely re-image the computer – wipe the hard drive clean, reinstall the OS, and only then restore your backed-up files. If you have a restore disk or a copy of the OS, now is the time to use it. If not, you may need help to clean the hard drive completely – but where would you rather spend your money, with a computer tech or with a criminal?
- Change all your passwords – some ransomware does not encrypt everything immediately; instead it lingers for hours or days, quietly gathering passwords before it locks everything down. Assume the attacker knows all your passwords, and start changing them from the clean machine (never from the infected one) as soon as it is rebuilt. Any account that offers two-factor authentication should have it turned on while you are at it.
- Report it – take five minutes and file a complaint with the FBI’s Internet Crime Complaint Center (www.ic3.gov). It is highly unlikely that your attacker can or will be caught, but reporting helps build accurate information about the types of attacks, the malware used, points of origin, and other useful data.
Ransomware, like any online attack, is nerve-wracking – we truly realize how much we rely on our computers when someone takes them away from us. It also costs time and money (even if you don’t pay). But recognize the threat, plan now, and take the time to keep that backup current. Even if you become a target one day, you do not have to become a victim.
Image Credit: Christiaan Colen