Advanced Threat Protection

Ransomware Removal, Protection, and Prevention

Ransomware is malware that encrypts the data of a user. The data is rendered unusable and the victim is ordered to pay a ransom fee to decrypt the data. Ransomware has increased in sophistication in recent years.

In this article, we’ll cover targets and types of ransomware attacks and some immediate steps you can take if you have been a victim of a ransomware attack. Read on to learn about ransomware threat protection and prevention, including pre-execution, pre-damage, and post-damage.

In this article you will learn about:

• The concept of ransomware
• Targets of ransomware attacks
• Types of ransomware
• How ransomware can be removed
• Ransomware removal: immediate steps
• Ransomware protection and prevention
• All-in-one ransomware protection with Cynet

What is Ransomware?

Ransomware is malware that encrypts user data, making it useless to the victim. The attacker demands a ransom free in exchange for decrypting the data. Payment is typically demanded in cryptocurrency, and the costs can range between hundreds and thousands of dollars. Even if the ransom is paid, there is no guarantee that the data will be restored.

In 2018 there were an estimated 204 million ransomware attacks—a staggering number, but down significantly from 638 million in 2016, when the threat was still new and most organizations were unprepared.

Ransomware has become more sophisticated over time. While the original ransomware was limited to encrypting a single endpoint, current variants have advanced distribution mechanisms allowing them to spread to multiple endpoints and evade detection. Modern ransomware encrypts its own code to make reverse engineering difficult and can use offline encryption methods such as the Windows CryptoAPI, eliminating the need for communication with a command and control center.

Targets of Ransomware Attacks

Organizations of all sizes, as well as smaller businesses and home users, can be the target of a ransomware attack. The following are especially attractive targets for ransomware attackers:

• Academic organizations— typically have smaller IT teams, a high rate of network file sharing, and sensitive data including research, financial and HR data
• Government agencies— may hold a vast amount of private citizen data, and attackers know they need to respond quickly, making agencies more likely to pay a ransom
• Healthcare institutions— have an urgent need for patient data, and lack of access to data may be life threatening
• HR departments— hold personal data and financial information that is critical for organizations, and also maintain contact with external parties (job applicants), making it easier for attackers to penetrate

Types of Ransomware

There are several variations on the ransomware model. The classic type is encrypting ransomware that locks access to files on an endpoint.

Other types include screen-locking ransomware that locks users out of a computer, sometimes claiming that the computer was locked by the authorities and doxware which threatens to share a user’s public information publicly if a ransom is not paid.

The following are common malware kits used to conduct ransomware attacks:

• Cerber— a “ransomware as a service” platform, which attackers can use to carry out attacks, splitting the ransom with the creator. It is relatively new but has already affected millions of users. It targets cloud-based Office 365 users through phishing techniques.
• Locky— a ransomware that spreads via email messages, typically disguised as an invoice. The user is instructed to enable macros, and if they comply, the ransomware starts encrypting files.
• WannaCry— the first ransomware to come with a propagation mechanism based on EternalBlue, an exploit of a Windows file protocol. It infected over 230,000 computers in one day, including major organizations such as the UK National Health Service, FedEx and Deutsche Bahn.
• CryptoLocker— distributed as an attachment to an email, supposedly sent by a reputable company, containing an executable disguised as a PDF file. CryptoLocker was also spread using the Gameover ZeuS Trojan.

There are many more ransomware kits including CryptoWall, the FBI Virus and TeslaCrypt. Each of these has spun off thousands of variants.

Can You Remove Ransomware?

Whether you can remove ransomware depends on the type you are infected with. Most ransomware can be defeated with one of the three following approaches:

• Wipe and restore—the most effective way to remove ransomware from your system is to simply replace your data with a clean backup. This requires formatting your hard drives or deleting your storage instances if you’re in the cloud. Once you have ensured that all data, and traces of ransomware are gone, you can restore your systems from backup.
• Decrypt your data—decryption does not remove ransomware but it does negate its effects. Decryption tools restore access and useability to your data and systems and eliminate the leverage that ransomware requires to be successful. Unfortunately, not all ransomware encryption algorithms can be decrypted with available tools. These tools also don’t prevent ransomware from activating secondary malware or from deleting data.
• Negotiate—negotiation is typically a last option for businesses who have no other way of restoring lost access. Negotiation generally involves paying a fee to ransomware attackers in exchange for an encryption key. After a fee is paid, there is no guarantee that a provided key will work or that attackers will not re-encrypt your data using another algorithm.

Ransomware Removal: Immediate Steps

If you’ve been infected by malware, here are some quick steps you can take to remove the malware and prevent further damage:

• Isolate affected systems — immediately disconnect any machines showing signs of infection from wifi and wired networks, to prevent malware from spreading on the network or communicating with command and control systems.
• Identify the infection — you can use a free tool like Cyber Sheriff, provided by Europol and McAfee, to identify the type of malware you are infected with.
• Report to the authorities — it is important to report your ransomware attack to the authorities, to provide law enforcement agencies with more information about attacks and to help them act against attackers. In the USA you can report via the FBI Internet Crime Complaint Center.
• Determine your options — depending on the strain of malware you are infected with, there may be decryptors or tools available to remove the infection. Determine if you have a working backup of your data and how recent it is. The last resort is to pay the ransom – this is not recommended by most security experts, as it encourages future attacks and in many cases, the data will not actually be restored.
• Restore systems — consider whether to remove the ransomware, if this is possible, or wipe systems and restore from backup, safe images, or completely reinstall operating systems and applications. Newer strains of ransomware are good at evading antivirus and other security measures, so the safest route will be to wipe and restart.

Ransomware Protection and Prevention

The best way to deal with ransomware is to prevent it from infecting your systems and preparing measures to prevent damage if you are infected. Here are preventive measures you can take to help at each stage of a ransomware attack: pre-execution, post-execution but pre-damage, damage, and post-damage.

Pre Execution – How to Prevent Ransomware

To prevent ransomware completely, follow these best practices:

• Deploy gateway defenses — firewall or Web Application Firewall (WAF), email protection and spam filtering, and Intrusion Prevention / Intrusion Detection Systems (IPS/IDS).
• Employee education and anti-phishing tests — train employees on the dangers of phishing and conduct regular drills to test if employees are alert and able to identify and avoid phishing attacks.
• Use next-generation antivirus (NGAV) — legacy antivirus software is a bare minimum. Leverage next-generation antivirus, which are capable of detecting and blocking malware even if it does not match a known signature.

Pre Damage – Stopping Attacks at Runtime

To isolate a ransomware attack once it has already begun, prevent it from spreading and encrypting additional files, follow these best practices:

• Segment network access — ensure that your entire network is not compromised in a single attack.
• Use Endpoint Detection and Response (EDR) — EDR tools can detect anomalous behavior on an endpoint indicating a ransomware attack, quarantine the endpoint and lock down network access, and automatically stop malicious processes.
• Create an incident response plan — prepare an incident response plan specific to a ransomware attack scenario. Define who is responsible and what needs to be done in the first few minutes, hours and days after an attack. Train staff on the plan and ensure everyone knows what to do to minimize damage from an attack.

Post Damage – Recover Quickly Without Paying Ransom

To enable speedy recovery from future ransomware attacks, do the following:

• Ensure backup is working and operational — every organization should have a backup system, test yours and ensure it is working and backing up essential data at regular intervals.
• Set up a robust disaster recovery system — beyond backup, it is highly recommended to have a complete replica of your production environment in the cloud or in a geographically remote data center. This will allow you to fully recover production systems by discarding infected machines and switching operations to the replica.
• Decryptor and malware removal tools — prepare tools in advance that will help you remove ransomware from affected computers. There are decryptors available for many ransomware strains. Select a ransomware removal solution and practice, to ensure you can use it quickly and effectively if an attack strikes.

All-in-One Ransomware Protection with Cynet

Cynet 360 is an Advanced Threat Detection and Response platform that provides protection against threats, including ransomware, zero-day attacks, advanced persistent threats (APT), and trojans that can evade signature-based security measures.

Cynet provides a multi-layered approach to stop ransomware from executing and encrypting your data:

• Pre-download—applies multiple mechanisms against exploits and fileless malware, which typically serves as a delivery method for the ransomware payload, preventing it from getting to the endpoint in the first place.
• Pre-execution prevention—applies machine-learning-based static analysis to identify ransomware patterns in binary files before they are executed.
• In runtime—employs behavioral analysis to identify ransomware-like behavior, and kill a process if it exhibits such behavior.
• Threat intelligence—uses a live feed comprising over 30 threat intelligence feeds to identify known ransomware.
• Fuzzy detection—employs a fuzzy hashing detection mechanism to detect automated variants of known ransomware.
• Sandbox—runs any loaded file in a sandbox and blocks execution upon identification of ransomware-like behavior.
• Decoy files—plants decoy data files on the hosts and applies a mechanism to ensure these are the first to be encrypted in a case of ransomware. Once Cynet detects that these files are going through encryption it kills the ransomware process.
• Propagation blocking—identifies the networking activity signature generated by hosts when ransomware is auto-propagating, and isolates the hosts from the network.

Learn more about how Cynet 360 can protect your organization against ransomware and other advanced threats.