Ransomware removal and protection guide

Businesses are being held to ransom. 

Cyber criminals are attacking with increasing frequency and effectiveness, and your business is on a target list.  Are you prepared?

With malware attacks and cyber ransom demands increasing at a frightening pace, it’s important to know the risks you face, how best to prepare for an attack, and what to do when one happens.

What exactly are ransomware and CryptoLocker?

Ransomware is a type of malware that restricts access to the infected computer system in some way and demands that the user pay a ransom to the malware operators to remove the restriction. Some forms systematically encrypt files on the system’s drives; when the encryption is implemented properly, those files cannot be recovered without the decryption key, which only the operators hold. Others simply lock the system and display messages intended to coax the user into paying. Ransomware typically propagates as a Trojan, disguised as a seemingly legitimate file.

Ransomware scams are growing at an alarming rate.  In the first quarter of 2016, Kaspersky Lab security solutions saved 372,602 users from ransomware attacks, a 30 percent increase in attacked users compared with Q4 2015 (1).  Additionally, figures reported by CNN put the amount paid to ransomware criminals in Q1 2016 at $209 million (2).

CryptoLocker was a ransomware Trojan that targeted computers running Microsoft Windows. It propagated via infected email attachments and via an existing botnet. When activated, the malware encrypted certain types of files, with the private key needed to decrypt them stored only on the malware’s control servers. It then displayed a message offering to decrypt the data if a payment (in bitcoin or via a pre-paid cash voucher) was made by a stated deadline, and threatened to delete the private key if the deadline passed. Once the deadline had passed, the operators still offered decryption through an online service of their own, but at a significantly higher price in bitcoin.

How do I know if I’ve been affected by a ransomware virus?

It’s usually quite easy to tell, although by the time you notice, the encryption has usually already finished. The symptoms include:

  • You suddenly cannot open ordinary files, or get errors saying the file is corrupted or has the wrong extension (many strains append a new extension to every file they encrypt)
  • An alarming message has been set as your desktop background with instructions on how to pay to unlock your files
  • A ransom note warns you of a countdown after which the price rises or your files can no longer be decrypted
  • A ransomware window has opened and you cannot close it
  • Files with names such as HOW TO DECRYPT FILES.TXT or DECRYPT_INSTRUCTIONS.HTML have appeared in every directory

How did this happen? 

By far the most common scenario involves an email attachment disguised as an innocuous file.  If you receive an email with an attachment or even a link to a software download, and install or open that attachment without verifying its authenticity and the sender’s intention, this can lead directly to a ransomware infection.

Increasingly, infections happen through drive-by downloads, where merely visiting a compromised website with an outdated browser, an old browser plug-in or another unpatched third-party application is enough to infect the machine.

Another common way to infect a user’s machine is to offer a free version of a piece of software. This can come in many flavours such as “cracked” versions of expensive games or software, free games, game “mods”, adult content, screensavers or bogus software advertised as a way to cheat in online games or get around a website’s paywall.

I’m infected, now what?

It’s imperative that you take action immediately.  At a high level, follow these four steps to minimise your exposure:

  • Disconnect immediately: unplug the network cable, turn off wireless, and detach any USB drives or mapped storage so the infection cannot spread to shares and backups. Do not wipe or reimage the machine yet; the ransom note and the encrypted files are the evidence you need for the next two steps
  • Determine the scope: work out exactly how much of your file infrastructure (local drives, network shares, synced folders, connected backups) is compromised or encrypted
  • Determine the strain: the text of the ransom note and the extension appended to encrypted files identify which ransomware family you’re dealing with, and therefore whether a decryptor exists for it
  • Evaluate your response: essentially you have four options: restore from a recent backup, decrypt your files using a third-party decryptor (available only for some strains), do nothing, or negotiate/pay the ransom, bearing in mind that paying does not guarantee the operators will hand over a working key
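The symptom list and the “determine the scope” and “determine the strain” steps above can be partly automated. The following Python script is an added example written for this page (it is not OneNet’s code or any product’s) that walks a directory tree, picks out ransom notes by their file names, flags files whose contents look random (encrypted data has a Shannon entropy close to 8 bits per byte, whereas documents and source text sit far lower), and summarises which directories were hit and which extension the encrypted files carry. The note-name pattern, the 7.5 bits/byte threshold and the list of “dense” formats exempted from the entropy check are assumptions to be tuned per environment, and the sample tree it scans is constructed inside the script.

```python
"""Ransomware triage: locate ransom notes and likely-encrypted files in a tree.

Added example, not OneNet's code. Heuristics (all assumptions, tune per site):
ransom-note file names such as HOW TO DECRYPT FILES.TXT / DECRYPT_INSTRUCTIONS.HTML,
and file contents whose Shannon entropy is near 8 bits/byte. Compressed or
already-dense formats (.zip, .jpg, ...) are exempt from the entropy check to
limit false positives. The sample tree below is constructed, not real data.
"""
import math
import random
import re
import tempfile
from collections import Counter
from pathlib import Path

# Words typical of ransom-note names; real names vary by family (assumption).
NOTE_NAME = re.compile(r"decrypt|recover|restore|readme|how.?to|ransom", re.I)
NOTE_EXTS = {".txt", ".html", ".htm", ".hta"}
# Formats that are high-entropy even when not encrypted.
DENSE_EXTS = {".zip", ".7z", ".gz", ".rar", ".jpg", ".jpeg", ".png", ".mp4",
              ".pdf", ".docx", ".xlsx", ".pptx"}
ENTROPY_THRESHOLD = 7.5   # bits per byte; uniform random data is ~8.0
MIN_SIZE = 256            # entropy estimates on tiny files are meaningless
MAX_NOTE_SIZE = 64 * 1024


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, from 0.0 (constant) to 8.0 (uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def is_ransom_note(path: Path) -> bool:
    return (path.suffix.lower() in NOTE_EXTS
            and NOTE_NAME.search(path.stem) is not None
            and path.stat().st_size <= MAX_NOTE_SIZE)


def looks_encrypted(path: Path, data: bytes) -> bool:
    if len(data) < MIN_SIZE or path.suffix.lower() in DENSE_EXTS:
        return False
    return shannon_entropy(data) >= ENTROPY_THRESHOLD


def triage(root: Path) -> dict:
    """Walk the tree and summarise the scope of a suspected infection."""
    root = Path(root)
    notes, encrypted, scanned = [], [], 0
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        scanned += 1
        rel = path.relative_to(root).as_posix()
        if is_ransom_note(path):
            notes.append(rel)
        elif looks_encrypted(path, path.read_bytes()):
            encrypted.append(rel)
    # Per-directory counts show how far the encryption spread; the appended
    # extension (e.g. .locked) plus the note text are clues to the strain.
    dirs_hit = Counter(str(Path(p).parent) for p in encrypted)
    ext_counts = Counter(Path(p).suffix.lower() for p in encrypted)
    return {"scanned": scanned, "notes": sorted(notes),
            "encrypted": sorted(encrypted),
            "dirs_hit": dict(dirs_hit), "ext_counts": dict(ext_counts)}


def build_sample_tree(root: Path) -> None:
    """Constructed sample: two directories hit by ransomware, one clean."""
    rng = random.Random(1234)   # deterministic stand-in for ciphertext

    def junk(n: int) -> bytes:
        return bytes(rng.getrandbits(8) for _ in range(n))

    prose = ("Quarterly report. Revenue grew and costs fell. " * 50).encode()
    note = b"Your files are encrypted. Pay 1 BTC to get the key.\n"
    files = {
        "docs/report.txt": prose,
        "docs/budget.xlsx.locked": junk(4096),
        "docs/HOW TO DECRYPT FILES.TXT": note,
        "photos/holiday.jpg.locked": junk(4096),
        "photos/DECRYPT_INSTRUCTIONS.HTML": b"<html>" + note + b"</html>",
        "clean/notes.txt": prose,
        "clean/archive.zip": junk(4096),   # dense format: must not be flagged
        "clean/tiny.locked": junk(32),     # below MIN_SIZE: must not be flagged
    }
    for rel, data in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)


def demo() -> dict:
    """Build the sample tree in a temp directory, triage it, clean up."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return triage(root)


if __name__ == "__main__":
    result = demo()
    print(f"scanned {result['scanned']} files")
    print("ransom notes:", result["notes"])
    print("likely encrypted:", result["encrypted"])
    print("hit directories:", result["dirs_hit"])
    print("extensions on encrypted files:", result["ext_counts"])
```

Run it against a mounted copy of the affected volume or a read-only view of the share, not from the infected host over the network, since the first step is to keep that host disconnected. The entropy check is a heuristic: it will miss strains that encrypt only part of each file, and it will produce false positives on any dense format you forgot to exempt, so treat the output as a starting point for scoping, and use the recorded note text and extension to look up the strain and whether a decryptor exists.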

Have a plan in place to deal with an outbreak of ransomware

A Disaster Recovery Plan (DRP) is a documented set of procedures for recovering and protecting a business’ IT infrastructure in the event of a disaster.  Given organisations’ increasing dependency on information technology to run their operations, a DRP is essential and should be developed and tested in advance, including regular test restores, so that it genuinely facilitates the recovery of data, assets and facilities.  For ransomware in particular, the backups the plan relies on must be kept offline or otherwise out of reach of an infected machine, because file-encrypting ransomware will encrypt any backup volume it can write to.

OneNet can provide an availability assessment to review your availability requirements and assess your preparedness to deal with an unforeseen issue or outage. OneNet’s consultants can discuss this with you in confidence so that you can make an informed decision. As a NZ-based technology solution provider we are on the ground and here to help.

(1) Source: Securelist.com
(2) Source: CNN
