How to get rid of Ransomware attack?


Have you ever witnessed Ransomware attack on your PC? Did you faced a situation that your files are locked or encrypted and somebody asked you to pay them money (ransom) to decrypt or unlock it? Did you pay them to get back access on your files? Do you want to get rid of these ransomware attacks without paying money? Here you can find what ransom ware attack is and how to protect your PC or Server infrastructure from Ransomware attack such as WannaCry or .locky etc...

Table of Contents



The recent major attack that startled the Information Technology World (IT World) is a ransomware attack specifically caused by a bug named Wannacryptor 2.0 or Wanna Cry. This massive ransomware infection spread across the globe recently and affected more than 100 countries worldwide. As per researchers, the attackers exploited the weakness in Microsoft system identified by NSA named as Eternal Blue. NSA utilized this loophole for their secret intelligence activity instead of informing Microsoft about the same which was later used by the WannaCry attackers as well.

In last two, three days online and offline worlds are discussing the word ransomware extensively and are scared about its effects. But what is it actually? Do you want to know what Ransomware attack is and how it affects you? From the time that computer systems came into being, many people were aware of its weakness and tried to exploit it. Such attacks are also growing along with evolution in the IT industry. As we are here discussing ransomware, first we need to understand what Ransom is? Ransom means holding something to extort money. The first known ransomware attack was AIDS Trojan written by Joseph Popp in 1989. He had given a floppy disk to people who attended a seminar of WHO (World health organization) and the program penetrated into the PCs of the users who used it. After a certain period of booting, data was encrypted and displayed a message to pay ransomware to the address in the message. This is the first time such opportunities were opened to the world. Now, with the revolution of IT industry such programs are spreading over through the internet to penetrate the user PCs in order to take control and ask ransomware to release it. Now, the latest such incident is "WannaCry" ransomware which has affected more than 100 countries.

What is Ransomware attack?


Ransomware is a kind of cyber attack that involves hackers or cyber attackers taking control of your computer system and blocking you from accessing it usually until you pay ransom to them. Ransomware malware or trojan stops you from accessing your computer normally by holding your PC files for ransom by means of digital blackmailing. There are different types of ransomware and malware that exist, however, all of it works as to stop you from using your computer normally. This kind of malware/ spyware can target any computer, whether it's a home computer or servers in an enterprise network. Ransomware programs can prevent you from accessing your operating system such as Windows by locking your screen, or by means of encrypting your files so you can't open and use them or stop certain applications from running (like your web browser). They will demand money to give back access to your PC or files, but there is no guarantee that you will get back access once you pay them the "Ransom".

What is Wanna Cry ?


Wanna Cry is a specific type of ransomware program that locks all the data on your computer system. You will get two files with instructions to what to do next and Wanna Decryptor program itself. When you open the software it will demand you to pay them ransom as bitcoin to get the key to decrypt the files.

Ransomware works by sending you an unsolicited email typically designed to trick the victim to click on an attachment or visit the web page. Once the victim does either of these actions, the attacker leverages your operating system to run the ransomware code. Then this ransomware program encrypts data and demands you to pay them. Here, Wanna cry exploits a weakness in Microsoft SMB and replicates itself and spread around the network. Microsoft has already announced the patches (MS17-010) for it. But these patches will not be available for the PCs running Windows XP and older and Servers running Windows Server 2003 and older as Microsoft has already stopped support for these operating systems. So, it's a mandatory time for updating these Operating system to a newer version as you are less vulnerable from these kinds of ransomware attack. Also, organizations which use an unlicensed version of OS are also vulnerable from these kinds of Ransomware attacks.

How Ransomware programs works?


Encryption is a technique which allows you to keep your files safely or prohibit others from accessing your secret files by putting an encryption key to open a file. If you are encrypting a file, you are the responsible person who knows the key to open it. It's a good technology to save our data and it's quite safe as you know the key to open it. But suppose, if your computer is locking your file without your awareness. Suppose these files are encrypted by a program which has been sent to your computer by a hacker and the encryption key is automatically sent to the attacker through the network. Then your information is inaccessible to you as the decryption key is with the attacker and difficult to get back. Here the attackers demand money or ransom to give back access to your files. So, it compels users to pay them money.

In past, these kinds of virus or malware were spreading through a floppy disk, CD, or through USB, but now with the easy access to the internet across the globe, it makes you more vulnerable to these attacks. You may get these ransomware programs as an attachment to your mail. Once you open the attachment in your PC, it spreads not only in your PC but also to entire network. Likewise, the virus/ malware can spread to your PC by being downloaded from infected websites as well.

What to do when you are a victim of Ransomware attack?


What to do when you are a victim of ransomware attack? Now, it is has become a sensational news and people around the globe wants to hear the solutions for this attack. Is it wise to give them money to get back access to our file? My answer is absolute no because paying money to them will not guarantee that they will give you access to your file but will encourage them to demand more from you. Purely speaking it's much difficult to get back the data that are encrypted unless we get the key to decrypt it. There are a lot of paid applications that are there to decrypt data for you. But as I don't have personal experience with those I can't guarantee that they will decrypt your files. But you can remove the ransomware programs which cause the files to become encrypted. There are enormous enterprise antivirus solution companies available for to help us in this regards like Trendmicro, McAfee, Kaspersky, F Secure, Avast, Symantec, Nod 32, etc… These enterprise antivirus solutions teams are updating their patches regularly to find and block the major Trojans, viruses, malware, spyware from the affected systems.

Once you are a victim of ransomware attack, the first thing you need to do is terminating the systems which are affected by the virus immediately from the network. Because if it's connected to a network there is more possibility of it spreading over your network. I have faced a ransomware attack in 2016 and the file named with .locky extension caused all our files in the file server to get locked. As we were analyzing the root cause, we came to know that the file with .lockey extension came to our network through an email attachment and the email was sent from our own domain. The user had opened the file and he was connected to the file server. All the files in the folders he had access to were encrypted and we were asked to give them money as bitcoin. But luckily we overcome the situation as we had all the files backed up. First, we removed the file server from the network and shut down the file server in order to stop the spread of this malware over the network. Then we used trend micro anti ransomware tool to remove the virus programs from the all affected PCs. But to ensure we are more secure, we have formatted the PCs affected and run the anti ransomware utility in all PCs in our office. You can use other antivirus solution as well for this practice.

How to protect your data from Ransomware attack?


We will not able to stop the attacker from creating the Ransomware or Trojans. They always try to penetrate system of others to make money out of it. Most of the operating system or software makers are keen to develop well maintained secured applications for end users. However, as they are created by humans there is a possibility for some loophole. The application programmers are always there to figure it out and update the patches to resolve the weakness. But here the hackers or cyber attackers try to exploit this weakness to extort money. But for a user data is more important and we need to take precautionary action before something happens to our IT infrastructure.

  1. Backup: Always take backup of all your important data and files. Enterprise users can utilize enterprise backup application such as Veritas Backup, Symantec Backup, Commvault backup, Netapp backup, CA Arc Serve backup, HP Data Protector etc. One more thing to do additionally is to keep a copy of the backup outside your network. You can use either through tape backup or external hard disk. If you store the backup in a network location, once the virus spreads through the network, there are chances it will affect your backup as well.
  2. Antivirus Solution: Use licensed enterprise antivirus application in order to scan and block any virus or malware to run on your system. There are lots of enterprise class antivirus solutions available now such as Mcafee, Kaspersky, TrendMicro, Nod 32, and Symantec, Avast etc…You can use an anti-spam filter as well for email scan. All these antivirus applications provide latest products with spyware, malware, ransomware and Trojans protection. Schedule a scan daily in your entire organization.
  3. Update the Operating System and Software with latest patches: Microsoft and all other operating system vendors are trying to give the best and secured operating system for their customers. But sometimes, there is a possibility to have some flaw in their design. They always test and experiment to detect such flow and resolve these by providing patches. Always updates the OS and software patches, in order to ensure all the security related flaws are overcome. You can use WSUS server or SCCM for updating these Microsoft OS Patches to your entire organization altogether. Always updates the patches in antivirus solution as well and update these packages in client PC as well. Always ensure Software and OS in your IT infrastructure are up to date with latest patches and distribute these to the entire client PCs in your network.
  4. Use Licensed Operating System and application: Always use the licensed applications. As most of the operating system and software vendors will provide their updates to the licensed version only. Also, keep in mind that try to avoid operating systems such as Windows XP and older Server 2003 and older as Microsoft has stopped support to these OS. So, it's time for all the customers to update their old OS to new operating systems.
  5. Give awareness to users about security policy: Create and maintain well IT security policy in an organization. Ask your users to not to open any suspicious email and attachment in it. Do not open any email from unknown centers. Do not download any file from unknown sources. Avoid browsing unknown and suspicious websites.
  6. Use IOC scanners and search or block IOCs with available network and endpoint security solutions. Use the application whitelisting feature to allow known files only run on the critical system such as operational technology devices.



Comments



  • Do not include your name, "with regards" etc in the comment. Write detailed comment, relevant to the topic.
  • No HTML formatting and links to other web sites are allowed.
  • This is a strictly moderated site. Absolutely no spam allowed.
  • Name:
    Email: