Ransomware: protect yourself or pay

Ransomware has surged into the awareness of today’s security professional, threatening to encrypt your company’s files and shut down your business. Cyren offers ransomware protection from cyber attacks through powerful cloud-based web and email security services.

What is ransomware?

Ransomware is a cyber attack that encrypts your files until you pay.

CYBER ATTACK

Ransomware such as CryptoLocker, CryptoWall, and Locky targets your business with cyber attacks that leverage both email and the web to fool your employees and penetrate your defenses.

ENCRYPTION

These attacks encrypt all the files on a victim's computer and connected network drives.

RANSOM

Once infected, you can either pay the ransom to regain access to your files, or give up all your precious data.

Stay up to date with the latest resources from Cyren

Threat report

"Drowning In Ransomware: An In-depth Look at the Ransomware Phenomenon" – Gain insights on the rise of ransomware over the past 18 months with Cyren's special report, including an overview of how ransomware works and a detailed look at Locky, WannaCry, and more.


On-demand webinar

"Best Practices to Combat Ransomware: Petya, WannaCry and Future Attacks" – Learn how ransomware such as Petya and WannaCry is targeting businesses with massive hybrid cyber attacks, and what you can do to protect your business.


Blog article

"Breaking Down Today’s Petya Ransomware Attack" – Cyren ransomware expert Magni Reynir Sigurðsson analyzes the Petya variant which crippled European transportation infrastructure and compromised business networks in 2017.


How does ransomware work?

Malware delivery

You download malware from a spam email or a malicious URL.

Ransomware download

The malware downloads a ransomware executable to your computer.

Encryption

The ransomware encrypts your files.

Ransom notice

You are given a ransom notice with a deadline.

Payment

You are required to pay with Bitcoin.

Decryption

The attacker provides a decryption key.

Ransomware can encrypt your files in less than 60 seconds. Decrypting the files without the key is virtually impossible.

The evolving ransomware threat

New families and variants of ransomware are emerging all the time.

How can you prepare for ransomware? Get insights from Cyren's cyber threat report.

What does ransomware look like?

An example of Locky ransomware

LOCKY EMAIL

Sample email from an invoice-themed Locky ransomware campaign. The goal is to get the victim to download and open the attachment.

LOCKY RANSOM MESSAGE

Once executed, Locky encrypts the files on the victim's computer, renaming them with the extension ".locky". It then changes the victim's Windows wallpaper, posting a ransom note with instructions to pay and decrypt the victim's files.
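
The rename behaviour described above gives defenders a simple signal to watch for. The following is an added example, not Cyren's code: it scans file-audit lines for a burst of renames to ".locky" from one host inside a 60-second window. The log format, host names, file names and the threshold of 5 renames are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed file-audit lines (hypothetical format): timestamp host RENAME old -> new
SAMPLE_LOG = r"""
2024-01-15T09:14:02 WS-017 RENAME C:\Users\ann\Docs\budget.xlsx -> C:\Users\ann\Docs\budget.bak
2024-01-15T09:20:10 WS-042 RENAME C:\Users\bob\Docs\q1.docx -> C:\Users\bob\Docs\8F3A11C2.locky
2024-01-15T09:20:11 WS-042 RENAME C:\Users\bob\Docs\q2.docx -> C:\Users\bob\Docs\8F3A11C3.locky
2024-01-15T09:20:13 WS-042 RENAME C:\Users\bob\Pics\a.jpg -> C:\Users\bob\Pics\8F3A11C4.locky
2024-01-15T09:20:15 WS-042 RENAME S:\Shared\plan.pdf -> S:\Shared\8F3A11C5.locky
2024-01-15T09:20:18 WS-042 RENAME S:\Shared\hr.xlsx -> S:\Shared\8F3A11C6.locky
2024-01-15T11:02:00 WS-017 RENAME C:\Users\ann\notes.txt -> C:\Users\ann\notes.locky
"""

LINE_RE = re.compile(r"^(\S+) (\S+) RENAME (.+) -> (.+)$")

def detect_rename_bursts(log_text, suffix=".locky", window_s=60, threshold=5):
    """Return [(host, burst_start, count)] for each host that renamed at least
    `threshold` files to `suffix` within `window_s` seconds (one alert per host)."""
    window = timedelta(seconds=window_s)
    recent = defaultdict(deque)  # host -> timestamps of matching renames still in window
    alerted = set()
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank or unparseable line
        ts, host, _old, new = m.groups()
        if not new.lower().endswith(suffix):
            continue  # ordinary rename, not the extension we are watching
        t = datetime.fromisoformat(ts)
        q = recent[host]
        q.append(t)
        while t - q[0] > window:  # drop renames that fell out of the window
            q.popleft()
        if len(q) >= threshold and host not in alerted:
            alerted.add(host)
            alerts.append((host, q[0].isoformat(), len(q)))
    return alerts

if __name__ == "__main__":
    for host, start, count in detect_rename_bursts(SAMPLE_LOG):
        print(f"ALERT {host}: {count} renames to .locky starting {start}")
```

A single stray ".locky" rename (WS-017 in the sample) does not alert; the burst across local and mapped drives on WS-042 does, which is the point at which a host should be isolated from network shares.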

Ransomware case study: Hollywood Presbyterian Medical Center

Hollywood Presbyterian Medical Center (HPMC) is a general medical and surgical hospital in Los Angeles. On February 5, 2016, the hospital was hit by a Locky ransomware attack that locked access to certain computer systems and patient files. Although patient care was not compromised, patients were diverted to other hospitals and the hospital's network was down for over a week. Ultimately, the hospital paid 40 Bitcoin (about $17,000) to get the decryption keys and regain access to their files.


Ransomware case study: The cost of CryptoLocker ransomware

Here's what happened at one company when it was hit with a CryptoLocker attack.

FIRST 6 HOURS

  • 1,487 CryptoLocker attack emails received
  • 125 CryptoLocker emails evade security, received by employees
  • 10 Employees open email and download CryptoLocker

THROUGH DAY 5

  • 10 Employee accounts locked, computers re-imaged
  • 7,446 Files restored from backup
  • 22 IT staff engaged (252 hours)
  • 4 Executive briefings (50 management hours)

TOTAL COST

$41,990

Nine tips to avoid being a ransomware victim

By the time you receive an alert that a ransomware infection has occurred, it is already too late. The only way to stop a potential ransomware infection is to prevent it from ever happening in the first place.

IMPROVE YOUR SECURITY

  • #1 Email security gateway
    • Majority of cyber attacks start in email
    • Stop malware before it reaches your users
  • #2 Web security gateway
    • Stop malware downloads, malicious URLs
    • Stop C&C communications, data exfiltration
  • #3 Cloud sandboxing
    • Identify and stop never-before-seen malware
  • #4 Endpoint security with active/behavioral monitoring
    • Ransomware evolves quickly
    • Augment traditional AV with next-generation detection

IMPROVE YOUR HYGIENE

  • #5 Back up regularly and keep a copy off-site
    • Test that your backups can be restored
  • #6 Train your users
    • Social engineering training - don't click that suspicious link!
  • #7 Turn off network shares
    • Avoid mapping network drives with large file repositories.
  • #8 Patch early, patch often
    • Outdated operating systems, browsers, and plugins are major vectors for malware infections
  • #9 Turn off admin rights for your users
    • Some ransomware leverages admin privileges

What to do with a ransomware infection and no data backup

If your data is backed up, simply reimage your computer from your backup data. But if you don't have a backup...

Remove the ransomware

Make sure you remove the malware from your system first; otherwise, it will repeatedly lock your system or re-encrypt your files even after you've paid the ransom. Check out well-known endpoint security solutions for removal tools.

Try to decrypt

Cracking ransomware file encryption is a long shot. The most sophisticated ransomware uses state-of-the-art 2048-bit RSA keys to encrypt your files, which are virtually uncrackable. However, older ransomware variants may not have the same bulletproof protection, and researchers have cracked a number of these - google "ransomware decryption".

Pay the ransom

If you can't decrypt your files, the only way to get your data back is to pay the ransom. And even if you pay, there's no guarantee that you'll get your data back. Follow the payment directions provided in the ransom note. Some hackers even provide technical support for this step.

Say goodbye to your data

If you have not been able to retrieve your data by decryption or paying the ransom, then your data is permanently gone. You should re-image your computer so that you can use it going forward.

And make sure to back up your computer regularly once you start to use it again.