Held at Ransom–Can You Get Your Data Back?

You didn’t mean to click that link or open that attachment. It happened so fast. You were distracted. You’re not a morning person. Whatever the case may be, ransomware has taken over your PC or files. Your screen is either locked or your files are now encrypted. The attacker is now demanding a ransom in bitcoin funds to unlock your files.

This is generally what you will experience when hit by ransomware. This is becoming the fastest growing cyber crime and attackers are setting larger targets, not just home PCs but networks. In February, an LA hospital paid $17,000 in bitcoin to an attacker to release files they desperately needed.

Microsoft’s Windows operating systems have been the primary target of ransomware but the first attack against Apple’s Mac users was logged March 4^th with the KeRanger malware. Attacks on mobile phones (mostly Android) do occasionally occur but the main target has been Windows.

Baring Its Teeth

Ransomware is getting more vicious and tougher to crack. Attackers are learning from their mistakes and patching their code. Is it realistic to think that you can get your data back? It depends. Some ransomware just displays a fake message in your browser where all you need to do is close the warning message from Task Manager.

Some ransomware locks your files using tools like TeslaCrypt which is impossible to decrypt. After the victim’s data is locked, the private key is transferred to the attacker’s server, and then the key is deleted from the victim’s machine. Every victim has a different key to unlock their files.

Beating Ransomware

The best defense is to have your files backed up but where? USB stick? DVD? external hard drive? cloud? Using a USB stick, DVD or external hard drive can make scheduling and managing backups difficult. In addition, an external backup device is vulnerable to files getting encrypted and locked.

Cloud backup services can be an option but you can’t assume vendors like Dropbox or Google Drive will save you. Small businesses often rely on these cloud services to meet their needs.  These backup systems synchronize to your files. What will happen is that the encrypted files on your computer will get copied to the clouds services.

Another issue to address and think about are shared documents. If one user is infected, then the shared document is locked inhibiting other users from accessing the file. Work is disrupted not just for one team member but potentially for the entire team.

There are full backup cloud services available used by larger organizations that will quickly restore all your files.

It’s important to ensure that your network follows best practices to protect against security threats and an up-to-date anti-virus program runs in real-time on all users’ PCs.

What to do?

The general recommendation is not to pay the ransom. There are no guarantees that paying it will ensure you get your files back. In addition, paying the pirates may only serve to  mark you as a target for further attacks.

Before removing ransomware, record the Bitcoin wallet and file list of the encrypted data. It can be used If the private key to your files is ever retrieved by researchers in the future.

1. Isolate any infected machines: The first thing to do is to remove the infected computer from the network to prevent the spread of ransomware.
2. Contact your security vendor: Refer the issue to your security vendor for detailed instructions. As there are many variations of ransomware in the wild, it’s important to make sure any removal attempts don’t wreak further havoc. Most likely the recommendation will be to re-image your PC to ensure you have a clean system.
3. Restore your backup files: Once your machine is disinfected, run a full restore from your backup to get yourself up and running as quickly as possible.

Summary

Prevention is always your first and best defense against ransomware. Ensure that your network is protected and secured and an anti-virus is installed and running on all PCs. If you are suspicious that a PC is infected, remove it immediately from the network to prevent infecting other files. If possible, follow a security provider’s instructions to unlock the PC.

Don’t count on getting your files back. Have a backup offline and offsite. You are better off reinstalling your backup files on a re-imaged PC to ensure that any remnants of the ransomware are gone.