What To Do If You Fall Victim to Ransomware
As lockdown restrictions ease, few offices are choosing to have their employees return full time. Others, having overcome the initial challenges of working remotely, have discovered its benefits and are having their employees WFH at least part time for the foreseeable future.
With remote work comes risk, and one of the most common (and concerning) types of cybercrime targeting remote workers is ransomware.
What Is Ransomware?
Ransomware is a malicious type of software, or malware, that prevents access to a user’s systems or files and demands payment to get access back. It tends to work in one of three main ways: encrypting files so you can’t open them, locking the screen so it seems you can’t get past the ransom note, or simply scaring you (“scareware”) by pretending to be ransomware so you’ll pay. The type most commonly seen in the news, because of its severity, is the encrypting type of ransomware.
Should You Ever Pay the Ransom?
No, you should not pay the ransom, especially if you are a single user who has been impacted rather than the entire organization. From a single user perspective, while it may be embarrassing to have to call IT and let them know what happened, they will be able to take the necessary steps to recover your data (if possible).
If the ransomware made its way into more sensitive areas, such as the organization’s servers, databases, or operational systems, many companies end up running a cost/benefit analysis to determine whether the ransom is worth paying compared with the cost of recovery. While in some cases it may seem less expensive to just pay, there’s no guarantee you’ll actually regain access, and paying only enables the attackers to continue their work. They may also demand additional payments after the first, or leave behind other malware to reinfect your systems once they’ve decrypted your files.
Where to Start: What Type Do You Have?
The first thing to do when you’re potentially infected with ransomware is determine which of the main types you have.
Exactly how many types there are depends on how you categorize them, but the three biggest are encrypting, screen-locking, and “scareware”.
To figure out which you have, see if you can navigate away from the ransom note popup. Can you access your files and folders? Can you navigate to your general systems? See if you can open your photos, files, or documents (but don’t try to log in to any software or websites!). If you can’t get past the popup, it’s probably the screen-locking type, which is less severe than the encrypting variety.
If you’re able to browse through your computer or server directories, but can’t actually open anything, you have the encryption type of ransomware. This is the most severe type, and the most alarming.
If you’re just experiencing a popup, but can navigate to all your files and folders as well as access them, it’s likely you’re just dealing with scareware. Scareware is the least severe, and the mildest types can be mitigated by just closing the browser window you’ve seen it in. If you have a popup or a notification in your system tray, you may need to take some extra steps to remove the source.
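The triage above can be partly automated. The following script is an added example, not code from the original post: it scans a directory, measures the Shannon entropy of each file (encrypted data looks nearly random, close to 8 bits per byte, while documents sit far lower), looks for text files that read like ransom notes, and maps the result onto the three types the post describes. The thresholds, ransom-note markers, and the sample directory it builds are all constructed for the demonstration and should be tuned for a real estate; already-compressed formats are skipped because they are legitimately high-entropy.

```python
"""Entropy-based triage for a suspected file-encrypting ransomware infection.

Added example, not part of the original post. Thresholds and sample data
are assumptions made for this demo.
"""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Heuristic thresholds (assumptions for this example; tune for your estate).
ENTROPY_THRESHOLD = 7.5          # bits per byte; random/encrypted data is ~8.0
RANSOM_NOTE_MARKERS = ("decrypt", "bitcoin", "your files")
NOTE_EXTENSIONS = {".txt", ".html", ".hta"}
# Formats that are legitimately high-entropy because they are already compressed.
COMPRESSED_EXT = {".zip", ".gz", ".7z", ".png", ".jpg", ".jpeg", ".mp4", ".pdf"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data`; 0.0 for empty input."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def classify_file(path: Path, sample_bytes: int = 65536) -> str:
    """Return 'ransom_note', 'encrypted' or 'normal' for one file.

    Only the first `sample_bytes` are read, which keeps the scan fast on
    large files and is enough to spot random-looking content.
    """
    with open(path, "rb") as fh:
        head = fh.read(sample_bytes)
    suffix = path.suffix.lower()
    text = head.decode("utf-8", errors="ignore").lower()
    # A small text file mentioning decryption and payment is the note itself.
    if suffix in NOTE_EXTENSIONS and sum(m in text for m in RANSOM_NOTE_MARKERS) >= 2:
        return "ransom_note"
    if suffix in COMPRESSED_EXT:
        return "normal"            # high entropy is expected here; not evidence
    if shannon_entropy(head) >= ENTROPY_THRESHOLD:
        return "encrypted"
    return "normal"


def triage_directory(root: Path) -> dict:
    """Group every file under `root` by classification."""
    summary = {"encrypted": [], "ransom_note": [], "normal": []}
    for p in root.rglob("*"):
        if p.is_file():
            summary[classify_file(p)].append(p.name)
    return summary


def verdict(summary: dict) -> str:
    """Map the scan onto the three types the post describes."""
    if summary["encrypted"]:
        return "encrypting"                 # files unreadable: most severe
    if summary["ransom_note"]:
        return "screen-locker-or-scareware"  # note present, files intact
    return "no-evidence"


def build_sample_dir() -> Path:
    """Constructed sample tree: an intact document, an encrypted-looking file,
    a ransom note, and a legitimately high-entropy image."""
    root = Path(tempfile.mkdtemp(prefix="ransom_triage_"))
    (root / "budget.txt").write_text("Quarterly budget figures, revised.\n" * 50)
    (root / "budget.xlsx.locked").write_bytes(os.urandom(16384))
    (root / "README_TO_DECRYPT.txt").write_text(
        "Your files have been encrypted. Pay 0.5 bitcoin to decrypt them.")
    (root / "logo.png").write_bytes(os.urandom(16384))
    return root


if __name__ == "__main__":
    sample = build_sample_dir()
    result = triage_directory(sample)
    print(result)
    print("verdict:", verdict(result))
```

Run it as-is and it reports the `.locked` file as encrypted, the README as a ransom note, and the text file and PNG as normal, giving the verdict "encrypting". On a real machine, point `triage_directory` at the user's document folders rather than the constructed sample, and treat the output as a prompt to involve IT, not as a final diagnosis.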
The Least Serious: Scareware
As the name suggests, scareware is simply trying to scare you into paying the ransom, rather than actually executing any malicious actions.
Scareware can be as mild as a banner ad on a website, or even a popup on a page. When you see scammy banner ads, that is often a sign the website you’re on is risky, and you should be extra cautious when clicking on elements of the page.
If you’re seeing popups in your system tray or on your desktop when you’re not actively navigating any websites, that’s a sign you should reach out to IT to check your machine for malware. Scareware can sometimes be included with other types of malware to try and maximize a hacker’s revenue.
Screen Locker Ransomware
If you’re unable to get away from the ransom note popup, you’re probably dealing with a screen locking type of ransomware.
If you’ve encountered this, disconnect from the network you’re connected to; you want to be sure it doesn’t spread to other machines. It’s highly recommended for both screen locker and encryption ransomware to take a picture of the ransom note to provide when filing a police report. For all ransomware that’s more serious than scareware, you should file a police report.
For people with ready access to their IT teams, this is the part where you get them involved. They will reboot your computer in safe mode, and use antivirus software to remove the malware. You can try this as well, but it’s generally best to let IT handle it.
Alternatively, you can try using System Restore to go back to a point before the screen locker infected your computer. If you’re running Windows 10, the instructions for that can be found here. For older versions, you can search for those directions on the Windows website.
Encrypting Ransomware
This is the most nefarious type of ransomware, of which one strain brought the City of Baltimore to its knees in 2019.
How you handle this type of ransomware varies from strain to strain, and there’s really no easy solution. The best case scenario is that your organization backs up regularly, even daily, so that if there is a ransomware situation on either a single machine or a business system, the IT team can restore from a backup. There’s some guidance to try recovering on your own here, but it’s recommended to consult a specialist if you’re at all unsure.
Preventing Ransomware in the First Place
Prevention is the best cure, and this is especially true for ransomware. Backing up all files and systems regularly is excellent insurance against the risk of this happening, especially with remote staff. On company devices, a routine backup schedule should be set up as soon as an employee is onboarded. Servers and business systems should have redundancies and backups built in from day one as well. If your organization didn’t do this to start, it should be a priority to develop now.
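A backup is only insurance if you can prove it matches the originals and can actually restore from it. The script below is an added example, not code from the original post: it records a SHA-256 manifest of a document tree at backup time, checks the backup copy against that manifest before trusting it, and later uses the manifest to find files whose content has changed or disappeared (exactly what an encrypting strain leaves behind) and restores only those from the backup. The directories, file names and the simulated tampering in `demo()` are constructed for the demonstration; in production the backup location must not be writable from the user’s machine, or the same strain will encrypt the backup too.

```python
"""Backup manifest, verification and selective restore.

Added example, not from the original post. All paths and data are
constructed for the demo.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map relative path -> sha256 for every file under root."""
    return {str(p.relative_to(root)): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def backup_tree(src: Path, dst: Path) -> dict:
    """Copy src to dst and return the manifest recorded at backup time.

    The backup copy is hashed independently and compared with the source
    manifest: a backup you have not verified is not a backup.
    """
    shutil.copytree(src, dst, dirs_exist_ok=True)
    manifest = build_manifest(src)
    if build_manifest(dst) != manifest:
        raise RuntimeError("backup copy does not match source manifest")
    return manifest


def verify_tree(root: Path, manifest: dict) -> dict:
    """Report files that changed, went missing, or appeared since backup."""
    current = build_manifest(root)
    return {
        "changed": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "extra": sorted(k for k in current if k not in manifest),
    }


def restore_from_backup(src: Path, backup: Path, manifest: dict) -> list:
    """Restore every changed or missing file from backup; return what was restored.

    Extra files (such as a dropped ransom note) are deliberately left in
    place so IT can photograph and preserve them for the police report.
    """
    report = verify_tree(src, manifest)
    restored = []
    for rel in report["changed"] + report["missing"]:
        target = src / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(backup / rel, target)
        if sha256_of(target) == manifest[rel]:   # confirm the restore is good
            restored.append(rel)
    return restored


def demo() -> dict:
    """Constructed scenario: back up, simulate an encrypting infection, restore."""
    work = Path(tempfile.mkdtemp(prefix="backup_demo_"))
    src, bak = work / "documents", work / "backup"
    src.mkdir()
    (src / "report.docx").write_bytes(b"Q3 report body")
    (src / "notes.txt").write_text("meeting notes")
    manifest = backup_tree(src, bak)
    # Simulated damage on our own temp files: content overwritten, one file
    # gone, and a note dropped. (Constructed; no real malware involved.)
    (src / "report.docx").write_bytes(b"\x9f\x12\x77\x03 unreadable")
    (src / "notes.txt").unlink()
    (src / "HOW_TO_DECRYPT.txt").write_text("ransom note placeholder")
    before = verify_tree(src, manifest)
    restored = restore_from_backup(src, bak, manifest)
    after = verify_tree(src, manifest)
    return {"before": before, "restored": restored, "after": after}


if __name__ == "__main__":
    print(demo())
```

The manifest itself should be stored with the backup, not on the machine being protected, so that a successful verification means something. Running `demo()` shows `report.docx` as changed and `notes.txt` as missing before the restore, both restored, and only the dropped note remaining as an "extra" afterwards.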
Prevent ransomware from being installed on user machines by practicing good access management controls. This means significantly limiting admin privileges on user machines, and only granting the ability to install software or apps on company-owned devices where absolutely necessary. This type of access hygiene means that even if a user purposefully clicks on malicious links, the malware can’t install itself on the end user’s machine. Note that some ransomware runs entirely with the user’s own permissions and can still encrypt the files that user can reach, so this control reduces exposure rather than eliminating it.
Administrative credentials can be stolen, however, and while you’d hope your IT admins would never fall victim to ransomware, they may end up the target of an attack in spite of themselves.
Where it’s necessary for users to have administrative privileges on their work machines (or to guard against credential theft), you can add a layer of security by requiring an extra step of authentication before anything can be installed. Using GoVerifyID, for example, means that where a user installing a new piece of software would normally enter the admin username/password, a more precise authentication takes place instead: the admin gets a push notification that an install has been requested and can then accept and verify, or reject. This prevents unauthorized software installations on company machines, because the system knows precisely who approved the access.
Or, simply go passwordless for access to company systems, such as servers or integral software. The most serious types of ransomware are often the human-operated efforts, which are targeted at specific organizations. In these human-operated ransomware attacks, the bad actor gains a foothold through credential theft, lateral movement, and knowledge of the infrastructure, eventually reaching key systems without alerting the security operations center.
These attacks became particularly prevalent in recent months, with COVID-19 driving poor security choices made to adapt to working remotely. Anywhere you have a risky endpoint that may grant overly privileged access to systems, guard it with a second factor of authentication at least, or leverage biometrics to log in.
Easily increase your security, while also drastically reducing your risk of ransomware crippling your organization. Deploy passwordless biometric MFA in your organization in a day using GoVerifyID - learn more about the solution here.