[Ransomware] 7 Points to Keep in Mind to Understand It Correctly

In this blog as well, I will keep you posted on ransomware-related information.

This time, I will describe the basics of ransomware.


1. What is ransomware?

Ransomware is a cyberattack that takes data and devices "hostage" and demands a ransom for their release.

Since 2015, it has become very active all over the world, especially in the United States.


2. How do you get infected?

There are two main infection routes:

  • Email attachment
  • Access to malicious websites

The technique of hiding a virus in an email attachment has been around for a long time, but it is becoming more sophisticated day by day.

Attackers try to win the recipient's trust by impersonating well-known services, brands, or government agencies.

Also, in the case of websites, you cannot relax just because it is a site you visit regularly.

Attackers hide in the advertisements displayed on those sites and exploit vulnerabilities such as outdated WordPress installations.

Without anyone noticing, a site you usually visit may become a source of ransomware and other malware.


3. What does it mean to be taken hostage?

When a device is infected with ransomware, one of the following two events occurs.

(Some ransomware causes both of these.)

  • The contents, names, and extensions of files on the device are encrypted.
  • The device does not start up.

Once the file is encrypted, it is almost impossible to decrypt it on your own.

Depending on the type and version of ransomware, researchers and security companies may develop decryption keys.

However, phishing attempts that pose as offers of "decryption keys" are frequent, so careful judgment is required.

At the end of last month, the keys for the ransomware called Chimera were leaked by the creators of another ransomware family (Petya and Mischa).

This is a very rare case, but it does happen.


4. Will the data be returned if I pay the ransom?

Paying the ransom is not recommended for the following reasons:

  • There is no guarantee that the data will come back
  • Paying "helps" the ransomware operators and encourages further criminal activity
  • The ransomware market grows and invites new entrants

In the case of the ransomware called Ranscam, 100% of the data will not be returned even if you pay the ransom.

This ransomware pretends to have encrypted the files and actually deletes them altogether.

There is no guarantee that similar ransomware will not appear in the future.


5. What can I do to prevent ransomware infection?

At least the following three measures are indispensable.

  • Thorough employee education
  • Block ransomware intrusion with a UTM appliance or similar
  • Keep your OS and comprehensive security software up to date

Thorough employee education is essential.

Even if a UTM or security software detects suspicious behavior, it is meaningless if the user goes ahead and allows the attached file to execute.

However, the larger the company, the more difficult it is to educate all employees.

In addition, small and medium-sized enterprises often cannot spare the resources for such education.

Ransomware may still sneak in even if your environment is hardened with a UTM or security software.

Ransomware is a very profitable "business", so new entrants keep appearing. New ransomware is appearing every day.

Some variants have the ability to evade sandboxes.

It is important to think that ransomware cannot be prevented 100%, and also consider measures after infection.


6. What are the measures after infection?

If you back up the files that are essential to your business, having all of your files encrypted or erased will not stop your business.

You can resume normal business without paying the ransom.


7. Is it enough to just make a backup?

In order to overcome ransomware, the following elements are indispensable.

  • The backup media (external HDD, USB drive, etc.) is not directly connected to the PC
  • The backup is not on the same network as a potentially infected device (such as a PC)
  • Multiple generations are saved
  • Quick restoration is possible

Ransomware runs with the infected user's privileges and encrypts files.

In other words, every file that the user can access is "encrypted" by the ransomware.

Physically connected devices such as external HDDs, and file servers on the same network, may be encrypted as well.

Also, if you keep only one generation, you will not be able to recover your business if the backup job overwrites it with files that the ransomware has already encrypted.

In addition, the ransomware executable may be hidden in the backed-up data.

In that case, if you restore the data to a new device, all the data on that device will be encrypted again. You must always keep multiple generations.

Furthermore, if data restoration is not realistic, for example because it would take dozens of hours, you may end up deciding that you should pay the ransom.

However, if you pay the ransom, the attackers may conclude that "this company will pay," and you may be exposed to further attacks.

It is desirable to be able to restore quickly and easily.


8. In other words, what kind of backup is good?

  • Back up to the cloud or to a backup appliance server
  • Save multiple generations
  • Make restoration easy

A backup with the above elements is desirable.

In particular, the third element, "restoration", is an important factor that is often overlooked.
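The two backup requirements from sections 7 and 8 that are easiest to get wrong in practice are "save multiple generations" and "make restoration easy": a backup that is overwritten with already-encrypted files, or that cannot be checked before restoring, does not help. The following script is an added example (not code from this blog or from any backup product) of a small generational backup repository: each generation carries a SHA-256 manifest, old generations are pruned beyond a retention count, a generation is verified against its manifest before restore, and a generation in which most of the predecessor's files have vanished or changed (the mass rename-and-rewrite pattern the post describes) is skipped in favour of an older clean one. The retention count, the 50% change threshold, the directory layout and the scenario in `demo()` are all assumptions constructed for this example.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

MAX_GENERATIONS = 3          # assumption: generations to retain (the blog gives no number)
MASS_CHANGE_THRESHOLD = 0.5  # assumption: fraction of files replaced that marks a generation suspect


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(src: Path, repo: Path, label: str) -> dict:
    """Copy src into repo/<label>/data and write manifest.json with a SHA-256 per file."""
    data = repo / label / "data"
    shutil.copytree(src, data)
    manifest = {str(p.relative_to(data)): sha256_file(p)
                for p in data.rglob("*") if p.is_file()}
    (repo / label / "manifest.json").write_text(json.dumps(manifest, sort_keys=True))
    return manifest


def load_manifest(repo: Path, label: str) -> dict:
    return json.loads((repo / label / "manifest.json").read_text())


def generations(repo: Path) -> list:
    """Generation labels sorted oldest-first (labels are chosen to sort lexically, e.g. gen01)."""
    return sorted(p.name for p in repo.iterdir() if (p / "manifest.json").exists())


def prune(repo: Path, keep: int = MAX_GENERATIONS) -> list:
    """Delete only the oldest generations beyond 'keep'; the newest ones are never touched."""
    gens = generations(repo)
    for old in gens[:max(0, len(gens) - keep)]:
        shutil.rmtree(repo / old)
    return generations(repo)


def verify(repo: Path, label: str) -> list:
    """Re-hash a stored generation against its manifest.

    Returns the relative paths that are missing or whose hash differs, plus any file
    present on disk but absent from the manifest (a planted executable would show up here).
    """
    data = repo / label / "data"
    manifest = load_manifest(repo, label)
    bad = [name for name, digest in manifest.items()
           if not (data / name).is_file() or sha256_file(data / name) != digest]
    bad += [str(p.relative_to(data)) for p in data.rglob("*")
            if p.is_file() and str(p.relative_to(data)) not in manifest]
    return bad


def change_ratio(repo: Path, older: str, newer: str) -> float:
    """Fraction of files in 'older' that are gone or carry a different hash in 'newer'."""
    old, new = load_manifest(repo, older), load_manifest(repo, newer)
    if not old:
        return 0.0
    changed = sum(1 for name, digest in old.items() if new.get(name) != digest)
    return changed / len(old)


def pick_restore_candidate(repo: Path, threshold: float = MASS_CHANGE_THRESHOLD):
    """Newest generation that verifies cleanly and did not replace most of its predecessor's files."""
    gens = generations(repo)
    for i in range(len(gens) - 1, -1, -1):
        if verify(repo, gens[i]):            # integrity failure: skip this generation
            continue
        if i > 0 and change_ratio(repo, gens[i - 1], gens[i]) > threshold:
            continue                         # looks like a mass rewrite: fall back to an older one
        return gens[i]
    return None


def demo() -> dict:
    """Constructed scenario: three ordinary generations, then one taken after every source file
    had its name, extension and contents replaced (the condition the post describes)."""
    work = Path(tempfile.mkdtemp())
    src, repo = work / "src", work / "repo"
    src.mkdir()
    repo.mkdir()
    for name in ("invoice.txt", "contract.txt", "ledger.txt"):
        (src / name).write_text(f"original {name}\n")
    snapshot(src, repo, "gen01")
    (src / "invoice.txt").write_text("invoice revised\n")     # ordinary edit, 1 of 3 files
    snapshot(src, repo, "gen02")
    (src / "contract.txt").write_text("contract revised\n")   # ordinary edit, 1 of 3 files
    snapshot(src, repo, "gen03")
    for p in list(src.iterdir()):                             # constructed fixture, not malware
        p.with_suffix(".locked").write_bytes(b"\x00" * 16)
        p.unlink()
    snapshot(src, repo, "gen04")
    kept = prune(repo)
    chosen = pick_restore_candidate(repo)
    result = {"kept": kept, "chosen": chosen, "mismatches": verify(repo, chosen)}
    shutil.rmtree(work)
    return result


if __name__ == "__main__":
    print(demo())
```

In the constructed run, `prune` drops gen01 and keeps gen02 to gen04; gen04 verifies against its own manifest (the backup job faithfully copied the rewritten files), which is exactly why a hash check alone is not enough: the comparison with the previous generation flags that all of gen03's files are gone, so the restore candidate is gen03. The same logic applies to an untouched generation in a real repository only if the media holding it is not writable from the infected machine, which is the first requirement in section 7.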
