Ransomware 101: What your business needs to know about ransomware attacks
This blog post is part of Intermedia’s 2016 Crypto-Ransomware Report.
It’s a typical work day. You’re going to meetings, getting things done, feeling productive. Then you notice something weird. A pop-up appears. It’s a ransom note. It says that your files have been encrypted and that the “kidnapper” wants $500 in bitcoins to free them up.
Ransomware is one of the fastest-growing trends in cybercrime. A clicked URL here, an opened file there, and suddenly your computer is infected with malware that either prevents you from accessing your machine or, worse, encrypts your work documents so you can’t access them. By the time you recognize something is wrong, it’s too late. Cybercriminals have kidnapped your data and want you to pay up to get it back.
How a ransomware infection happens
How does a laptop get infected with ransomware? Typically, it starts with a malicious email that contains an infected attachment or tricks you into downloading the virus from the web.
One example, pictured below, is a Word document that tricks you into executing the malware when you open it.
Fig 1: Example of a document with instructions that cause you to inadvertently install malware
There are many other ways you might get tricked into installing ransomware, including opening an infected file on a thumb drive or downloading one from a malicious website. These files might look like innocent documents, but are, in reality, carriers of embedded malware.
How crypto-ransomware encrypts your files
Once a laptop is infected, crypto-ransomware acts quietly in the background. It searches for documents, spreadsheets, presentations, images, text files, video, music and other kinds of files that contain information you might be willing to pay to retrieve. It searches My Documents, your desktop, the shared files you sync with cloud- or network-based file servers, and so on. Then it individually encrypts each file.
Once it has completed encrypting your files, a ransom note appears on your screen:
Fig 2: Ransom note with instructions for using a TOR browser to make the payment
You may not believe it. You may try to open your files anyway. At that point, you may notice that some of them now have weird extensions; others may have weird icons. When you try to open them, you’ll get an error message or a bunch of gobbledygook. No matter what you try, you won’t be able to get the file to open.
If it’s a shared file, the problem is even worse: anyone else who needs access to that file won’t be able to get their work done, either.
Should you pay the ransom?
The ransom amount varies. These days, it’s a few hundred dollars per user. The FBI reports that it’s seen ransoms as high as $5,000 per user. However, as criminals get more savvy in targeting business users, you can expect the ransom amounts to go much higher.
Unfortunately, you’re extremely unlikely to be able to crack the encryption. So the decision to pay often comes down to whether or not you have another option.
- No backup? Pay the ransom. If you lack any form of file backup, you have no choice but to pay the ransom and hope you get your files back. (According to our survey of 300 experts, 19% of victims that paid the ransom still didn’t get their files back.)
- Try restoring from backup. If you have a backup, you can try restoring clean versions, though your users will be down during the hours or days it takes to restore their files.
The third option: business continuity for ransomware attacks
“Business continuity” is the ability for the business to continue operations even while a disaster is ongoing.
Many businesses have plans in place for natural disasters, power outages or other disruptions. Fewer have “e-crisis” response plans for cyber threats such as ransomware. That’s one of the reasons ransomware has been so disruptive to businesses and so profitable for criminals: business continuity solutions have not previously existed.
(Learn more about how SecuriSync from Intermedia enables business continuity in the event of a ransomware attack.)