Sunday, August 24, 2014

How to prevent and recover from Ransomware Attacks

The desktop freezes with a warning message from the local police that the user has violated the law by visiting pornographic sites and has been fined 300 dollars or the local equivalent. Until the fine is paid, either all critical files on the desktop are encrypted or access to the system is barred by a locked screen. Victims promptly pay up, frightened by the threat of legal action and the public humiliation of having been caught viewing porn. The victim does not realize that he has been set up by a small group of cyber criminals who specialize in building malicious sites that, when visited, infect desktops with a malicious piece of software known as ransomware. Faced with no option but to pay, since the encryption is very hard to crack and the embarrassment that could follow is hard to avoid, victims pay – thereby making the crime profitable.
Ransomware, as the name suggests, is malicious software that either encrypts files on, or locks the screen of, a desktop, tablet or mobile phone until a ransom is paid for the secret key needed to decrypt the files or unlock the device.
In the case of desktops, the malicious software is usually downloaded and installed surreptitiously from a malicious website, or from a legitimate website that has been infected with malicious code. The user is unaware that the system has been infected until the files have been encrypted and the malware pops up messages demanding a ransom. Surreptitious download and installation without the user's consent is possible because of vulnerabilities in browsers, and is made easier if the user has administrative rights to install applications. Because of the design of the operating systems used on mobiles and tablets, malware, once downloaded, requires user intervention to install. Cybercriminals disguise these applications as system updates or as fake versions of popular applications, which users believe are genuine and therefore allow to install.

How to prevent Ransomware infections
Recovering from a ransomware attack is very difficult because the encryption is hard to crack. Prevention and regular offline backups remain the best defense. Antivirus software alone will not be effective, because new variants of ransomware and new attack methods emerge rapidly. A few useful tips to help prevention are:

1. Restrict administrative rights.

2. Restrict the use of Java, Flash and other such plug-ins to trusted sites. This can be done through the browser settings.

3. Check whether pop-ups are genuine. Updates should come from vendor sites.

4. Download apps only from genuine app stores.

5. Keep an offline backup of your data (an online backup can be encrypted by the malware, particularly if it is automated).

6. Keep your system patch levels up to date.

7. Use antivirus software, which will help control access to malicious sites and delete known instances of ransomware.
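As an added illustration of tip 5, and of why a signature-based antivirus alone is not enough, here is a small Python model written for this page (it is not code from any vendor tool or from the original post) of what happens to two kinds of backup when the files on a desktop are replaced by encrypted versions. The file names and contents, the two backup classes, and the 7.5-bits-per-byte entropy threshold are all constructed assumptions; the "encryption" is simulated in memory by overwriting each file with random bytes, which is enough to show the property that matters: an automated mirror faithfully copies the damage, while a retained snapshot the malware cannot reach still holds the originals.

```python
import math
import os
from copy import deepcopy

# Constructed stand-ins for a user's documents (not real data).
SAMPLE_FILES = {
    "report.docx": b"Quarterly report: revenue up 4%, costs flat. " * 40,
    "photo.jpg": b"\xff\xd8\xff\xe0" + b"JFIF header then repetitive pixel data " * 30,
    "notes.txt": b"todo: renew insurance, call dentist, backup laptop\n" * 20,
}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte. Plain documents sit well below 6; ciphertext
    (and compressed data) sits close to the maximum of 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_encrypted(data: bytes, threshold: float = 7.5) -> bool:
    """Behavioural heuristic (assumed threshold): near-random content of
    non-trivial size suggests the file has been encrypted. Unlike a signature,
    this does not depend on recognising a particular ransomware family."""
    return len(data) >= 256 and shannon_entropy(data) > threshold


def simulate_encryption_damage(files: dict) -> dict:
    """Models the malware's effect on the desktop: every file is renamed and its
    content replaced by random bytes, so the original is unrecoverable from the
    desktop itself. Purely an in-memory simulation."""
    return {name + ".locked": os.urandom(len(data)) for name, data in files.items()}


class MirrorBackup:
    """Automated sync that keeps only the latest copy (a folder mirrored to
    cloud storage, for example). Whatever is on the desktop, good or bad,
    overwrites the backup on the next run."""

    def __init__(self):
        self.copy = {}

    def sync(self, files: dict) -> None:
        self.copy = deepcopy(files)

    def restore(self) -> dict:
        return deepcopy(self.copy)


class SnapshotBackup:
    """Offline / versioned backup: each run appends an immutable snapshot that
    the malware cannot reach, so earlier clean states survive."""

    def __init__(self):
        self.snapshots = []

    def snapshot(self, files: dict) -> None:
        self.snapshots.append(deepcopy(files))

    def restore_last_clean(self):
        """Walk back from the newest snapshot to the most recent one in which
        no file looks encrypted; None if every snapshot is damaged."""
        for snap in reversed(self.snapshots):
            if not any(looks_encrypted(d) for d in snap.values()):
                return deepcopy(snap)
        return None


def run_scenario() -> dict:
    """Day 1: both backups run against clean files. Then the infection hits and
    the nightly jobs run again. Returns what each backup can give back."""
    desktop = deepcopy(SAMPLE_FILES)
    mirror, snaps = MirrorBackup(), SnapshotBackup()
    mirror.sync(desktop)
    snaps.snapshot(desktop)
    desktop = simulate_encryption_damage(desktop)
    mirror.sync(desktop)
    snaps.snapshot(desktop)
    return {"mirror": mirror.restore(), "snapshot": snaps.restore_last_clean()}


if __name__ == "__main__":
    result = run_scenario()
    print("mirror restore  :", sorted(result["mirror"]))
    print("snapshot restore:", sorted(result["snapshot"]))
```

The mirror restore yields only the `.locked` random-byte files, while the snapshot restore returns the original three documents. The same entropy check that picks the clean snapshot could also run over recently modified files to raise an alarm when many of them turn near-random in a short time, which is the kind of behavioural signal that catches a brand-new variant no signature yet covers.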

How to Recover from Ransomware infections
A typical ransom demand is below $500, payable in vouchers that can be used to buy goods and services online, and even if it is paid there is a good chance that the system will not be unlocked. It is therefore best to be prepared to lose the data on the device. The two articles (links below) are excellent resources for recovering from ransomware attacks.

Decrypting the CryptoLocker – a tool from FireEye and Fox-IT to decrypt files encrypted by CryptoLocker, a dangerous strain of ransomware

One frequently used recovery method is paying the ransom. If the user's files are successfully decrypted that way, it is best to save the critical data, wipe the disk clean and reinstall a fresh copy of the operating system and the other applications, as residual malware of a different type may remain. And then there obviously remains the task of preventing further infections.
