Ransomware protection includes technologies, strategies, and tools that can prevent cybercriminals from performing successful ransomware attacks. Ransomware attackers encrypt sensitive data and require organizations to pay a fee to regain access to their information assets.
Modern approaches to ransomware protection are very effective and straightforward to deploy. Sufficient ransomware protection starts with implementing basic security best practices such as strong authentication, malware protection, and network security measures. Organizations can build on this strong security posture by adding dedicated solutions to deter, prevent, and recover from ransomware attacks.
There are three types of solutions that can help protect against ransomware:
In this article:
Image source: Wikimedia Commons
A ransomware infection usually occurs in two phases:
As long as the device is infected with ransomware, attempts to open the encrypted files might result in an error message informing you that the files are invalid, corrupt, or cannot be located.
Related content: Read our guide to ransomware detection.
Ransomware is a global menace, threatening organizations of all sizes, and growing in scope and severity. Here are a few statistics that show the magnitude of the threat:
A dedicated security tool can provide holistic protection against ransomware, both at the network, file system, and application layer. One such solution is Cynet 360, an advanced threat detection and response platform that provides protection against threats, including ransomware, zero-day attacks, advanced persistent threats (APT), and trojans that can evade signature-based security measures.
Cynet provides a multi-layered approach to stop ransomware from executing and encrypting your data:
Cynet 360 provides all these anti-ransomware capabilities and more.
The Windows operating system now has built-in ransomware protection, as part of Windows Security. This was introduced by Microsoft in Windows 10.
Windows 10 ransomware protection works by only allowing approved applications to make changes to the file system. This can prevent ransomware from encrypting files, but can also interfere with the operation of legitimate applications.
This is why ransomware protection is not enabled by default. To use it, you’ll need to enable it and configure it properly so that existing applications can continue functioning.
To enable Windows 10 ransomware protection:
If a computing system is already infected by ransomware, files have been encrypted, and there are no backups, a last resort is to use decryptors.
There are a range of free decryption tools that are able to reverse the encryption by some types of ransomware. Be sure to use a legitimate descriptor from a source like the No More Ransom Project.
If there is a working decryptor for your ransomware, run it, obtain the key, and use it to decrypt the files. Note that depending on the type of ransomware and available system resources, this can take several hours.
A few important notes about using decryptors:
Ryuk ransomware targets large, public-entity Windows systems. It works by encrypting data on an infected system and demanding ransom in Bitcoin. This ransomware appeared in 2018, initially believed to be of North Korean origin, but it is now suspected to be used by Russian criminal groups targeting organizations.
REvil/Sodinokibi ransomware encrypts files upon deployment and deletes the ransom request message after infection. The message demands bitcoin, notifying the victim that the demand will double if they do not pay the ransom on time.
REvil is delivered as Ransomware as a Service (RaaS), a model in which code authors develop the ransomware and affiliates spread it to collect the ransom. It was discovered in 2019 and has since become the 4th most distributed ransomware globally, targeting mostly European and American companies.
Netwalker ransomware holds its victim’s data hostage and leaks a sample of the stolen data online, threatening to release all the data to the dark web if the victim does not pay the ransom on time. It was created in 2019 by Circus Spider, a cybercrime group, and later shifted to a RaaS model to operate on a larger scale. It often spreads through phishing emails.
Maze is a Windows ransomware developed as a variant of ChaCha ransomware. It targets organizations worldwide, demanding a cryptocurrency payment in exchange for the encrypted data, threatening to leak the victim’s confidential data if they refuse to pay.
Maze was discovered in 2019. It is usually distributed through:
CryptoWall ransomware encrypts files and their names and demands a ransom for a decryption key. It typically spreads by phishing and spam emails, hacked websites, malicious ads, or other malware. Cryptowall uses a Trojan horse to deliver malicious payloads. By encrypting file names, CryptoWall increases the pressure on victims, who consequently pay the ransom to get their data back.
Locky ransomware encrypts important files on an infected computer, holding them hostage, delivering a ransom note that demands payment in exchange for the encrypted files. It typically arrived as an email including a Word doc attachment containing the code. Locky was discovered in 2016 and became a significant threat. While Locky is currently out of commission, other variants have emerged.
Cerber is delivered as RaaS providing attacker licenses that split the ransom between the developer and affiliates. Cerber affiliates can deliver Cerber ransomware to various targets in return for providing the author with 40% of the ransom. The author creates the ransomware in this exchange, and affiliates find targets to distribute it.
Here are several ways you can prevent ransomware from striking your organization.
Ransomware Removal: Recovering Your Files and Cleaning Up Infected Systems
Ransomware is malware that encrypts user data and makes it inaccessible to the victim. The attacker demands a ransom in exchange for decrypting the data. Payment is typically demanded in cryptocurrency and the costs can range between hundreds and thousands of dollars. Even if the ransom is paid, there is no guarantee that the data will be restored.
Discover targets and types of ransomware attacks and some steps you can take if you are a victim of an attack. Learn about ransomware protection and prevention.
Ransomware Prevention: 4-Step Plan to Stop Ransomware Attacks in their Tracks
Ransomware is a severe, growing threat facing organizations of all sizes. More so than in other attacks, preparing for ransomware attacks in advance can dramatically reduce the damage done. Read on to understand the ransomware threat, and discover a four-step plan to comprehensively protect your organization against ransomware.
Understand the ransomware threat and learn simple steps that can help you prevent ransomware in your organization
FTCode Ransomware: Distribution, Anatomy and Protection
FTCode is a type of ransomware that spreads itself via spam emails, and is able to execute its PowerShell-based malicious payload in memory only, without downloading any files to disk. It was first seen in the wild in 2013, but is now a much more serious network threat because most current Windows workstations have PowerShell installed by default.
Learn about FTCode, a pure PowerShell-based ransomware that executes without downloading any files, encrypts files and demands a ransom.
Ransomware Detection: Common Signs and 3 Detection Techniques
Ransomware is malware that infects a computer, encrypts files and blocks access to them until the user makes a digital payment. Ransomware detection is the process of notifying users when ransomware is present on their system, or their files are already being encrypted, blocking ransomware if possible, and guiding users through recovery steps.
Learn about the importance of early ransomware detection and the common ways to detect ransomware before it can do massive damage.