What is ransomware?
Ransomware is a cyber attack that encrypts your files until you pay.
Ransomware such as CryptoLocker, CryptoWall, and Locky targets your business with cyber attacks that leverage both email and the web to fool your employees and penetrate your defenses.
These attacks encrypt all the files on a victim's computer and connected network drives.
Once infected, you can either pay the ransom to regain access to your files, or give up all your precious data.
How does ransomware work?
Ransomware can encrypt your files in less than 60 seconds. Decrypting the files without the key is virtually impossible.
The evolving ransomware threat
New families and variants of ransomware are emerging all the time.
Cyren on Locky
Learn more about the evolution of Locky ransomware on Cyren's blog
- April 1 - Locky's explosive start
- May 12 - Protect yourself or pay
- June 16 - Locky shuts down business
- June 27 - Locky returns with sandbox evasion
- July 4 - Locky enhanced with new decryption
- July 14 - Locky switches attachment type
- August 25 - Locky morphs again
- September 1 - Locky attacks the UK
"The criminal syndicate behind Locky is evidently quite busy, and quite resourceful."
Lior Kohavi, CSO, Cyren
What does ransomware look like?
An example of Locky ransomware
LOCKY EMAIL: Sample email from an invoice-themed Locky ransomware campaign. The goal is to get the victim to download and open the attachment.
LOCKY RANSOM MESSAGE: Once executed, Locky encrypts the files on the victim's computer, renaming them with the extension ".locky". It then changes the victim's Windows wallpaper, posting a ransom note with instructions to pay and decrypt the victim's files.
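The mass rename to ".locky" described above is a detectable signature on a file server. As an added example (not code from Cyren or this page), here is a small Python detector that scans file-server audit events for a burst of renames to that extension; the audit-log format and the sample events are constructed for illustration, not taken from any real product.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed audit-log format (an assumption, not a real product's format):
# "<ISO timestamp> <EVENT> <path> [-> <new path>]"
RENAME_RE = re.compile(r"^(\S+)\s+RENAME\s+(\S+)\s+->\s+(\S+)$")
LOCKY_EXT = ".locky"

# Constructed sample: three renames within one minute on a finance share, plus benign
# activity and one isolated .locky rename that stays below the alert threshold.
SAMPLE_EVENTS = """\
2016-02-05T09:14:02 RENAME /shares/finance/Q1-report.xlsx -> /shares/finance/A1B2C3D4E5F6.locky
2016-02-05T09:14:02 WRITE /shares/hr/handbook.docx
2016-02-05T09:14:03 RENAME /shares/finance/budget.docx -> /shares/finance/0123456789AB.locky
2016-02-05T09:14:05 RENAME /shares/finance/invoices.pdf -> /shares/finance/FEDCBA987654.locky
2016-02-05T09:30:11 RENAME /shares/hr/draft.docx -> /shares/hr/handbook-v2.docx
2016-02-05T10:05:40 RENAME /shares/it/notes.txt -> /shares/it/1122334455AA.locky
"""

def parse_renames(log_text):
    """Yield (timestamp, old_path, new_path) for every RENAME line; other events are skipped."""
    for line in log_text.splitlines():
        m = RENAME_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)

def find_locky_bursts(log_text, threshold=3):
    """Return [(minute, [original paths])] for each calendar minute in which at least
    `threshold` files were renamed to the .locky extension. The original paths are
    exactly the files that now need restoring from backup."""
    per_minute = defaultdict(list)
    for ts, old_path, new_path in parse_renames(log_text):
        if new_path.lower().endswith(LOCKY_EXT):
            per_minute[ts.replace(second=0, microsecond=0)].append(old_path)
    return [(minute, paths) for minute, paths in sorted(per_minute.items())
            if len(paths) >= threshold]

if __name__ == "__main__":
    for minute, paths in find_locky_bursts(SAMPLE_EVENTS):
        print(f"{minute:%Y-%m-%d %H:%M}: {len(paths)} files renamed to .locky -> {paths}")
```

The threshold is deliberately low for the demo; on a real share it should be tuned against normal rename volume so that a single user renaming a file does not page anyone.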
Ransomware case study: Hollywood Presbyterian Medical Center
Hollywood Presbyterian Medical Center (HPMC) is a general medical and surgical hospital in Los Angeles. On February 5, 2016, the hospital was hit by a Locky ransomware attack that locked access to certain computer systems and patient files. Although patient care was not compromised, patients were diverted to other hospitals and the hospital's network was down for over a week. Ultimately, the hospital paid 40 Bitcoin (about $17,000) to get the decryption keys and regain access to their files.
Ransomware case study: The cost of CryptoLocker ransomware
Here's what happened at one company when it was hit with a CryptoLocker attack.
FIRST 6 HOURS
- 1,487 CryptoLocker attack emails received
- 125 CryptoLocker emails evade security, received by employees
- 10 Employees open email and download CryptoLocker
THROUGH DAY 5
- 10 Employee accounts locked, computers re-imaged
- 7,446 Files restored from backup
- 22 IT staff engaged (252 hours)
- 4 Executive briefings (50 management hours)
Nine tips to avoid being a ransomware victim
By the time you receive an alert that a ransomware infection has occurred, it is already too late. The only way to stop a potential ransomware infection is to prevent it from ever happening in the first place.
IMPROVE YOUR SECURITY
- #1 Email security gateway
  - Majority of cyber attacks start in email
  - Stop malware before it reaches your users
- #2 Web security gateway
  - Stop malware downloads, malicious URLs
  - Stop C&C communications, data exfiltration
- #3 Cloud sandboxing
  - Identify and stop never-before-seen malware
- #4 Endpoint security with active/behavioral monitoring
  - Ransomware evolves quickly
  - Augment traditional AV with next-generation detection
IMPROVE YOUR HYGIENE
- #5 Backup regularly and keep a copy off-site
  - Test that your backups can be restored
- #6 Train your users
  - Social engineering training - don't click that suspicious link!
- #7 Turn off network shares
  - Avoid mapping network drives with large file repositories
- #8 Patch early, patch often
  - Outdated operating systems, browsers, and plugins are major vectors for malware infections
- #9 Turn off admin rights for your users
  - Some ransomware leverages admin privileges
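Tip #5 says to test that backups can actually be restored. As an added example (not Cyren's tooling or code from this page), here is a Python restore check that records a SHA-256 manifest of the live tree at backup time and compares a restored copy against it. The file tree, the "backup" step (a plain directory copy) and the simulated bad restore are all constructed for the demo.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

def build_manifest(root):
    """Map each file under root (path relative to root) to its SHA-256 hex digest."""
    root = Path(root)
    files = sorted(p for p in root.rglob("*") if p.is_file())
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in files}

def verify_restore(manifest, restored_root):
    """Compare a restored tree with the manifest taken at backup time.
    Returns {"missing": [...], "corrupt": [...]}; both empty means the restore is good."""
    restored = build_manifest(restored_root)
    missing = sorted(p for p in manifest if p not in restored)
    corrupt = sorted(p for p in manifest if p in restored and restored[p] != manifest[p])
    return {"missing": missing, "corrupt": corrupt}

def demo_restore_test():
    """Constructed scenario: back up a tiny tree, verify a clean restore, then verify a
    restore that lost one file and damaged another. Returns (clean_result, bad_result)."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp, "live")
        (live / "finance").mkdir(parents=True)
        (live / "finance" / "q1.xlsx").write_bytes(b"quarterly numbers")
        (live / "readme.txt").write_bytes(b"hello")
        manifest = build_manifest(live)          # keep this with the off-site copy

        restored = Path(tmp, "restored")
        shutil.copytree(live, restored)          # stands in for the real backup/restore job
        clean = verify_restore(manifest, restored)

        (restored / "readme.txt").unlink()       # simulate an incomplete restore
        (restored / "finance" / "q1.xlsx").write_bytes(b"garbage")  # and a damaged file
        bad = verify_restore(manifest, restored)
        return clean, bad

if __name__ == "__main__":
    clean, bad = demo_restore_test()
    print("clean restore:", clean)
    print("bad restore:  ", bad)
```

Run the same check on a scheduled basis against a real restore into a scratch location; a manifest that only ever matches the live tree proves nothing about the copy you would depend on after an infection.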
What to do with a ransomware infection and no data backup
If your data is backed up, simply re-image your computer and restore from your backup data. But if you don't have a backup...
Remove the ransomware
Make sure you remove the malware from your system first; otherwise, it will repeatedly lock your system or re-encrypt your files even after you've paid the ransom. Check out well-known endpoint security solutions for removal tools.
Try to decrypt
Cracking ransomware file encryption is a long shot. The most sophisticated ransomware uses state-of-the-art 2048-bit RSA keys to encrypt your files, which are virtually uncrackable. However, older ransomware variants may not have the same bulletproof protection, and researchers have cracked a number of these - search for "ransomware decryption".
Pay the ransom
If you can't decrypt your files, the only way to get your data back is to pay the ransom. And even if you pay, there's no guarantee that you'll get your data back. Follow the directions provided by the ransom note directing you how to pay. Some hackers even provide technical support for this step.
Say goodbye to your data
If you have not been able to retrieve your data by decryption or paying the ransom, then your data is permanently gone. You should re-image your computer so that you can use it going forward.
And make sure to backup your computer regularly once you start to use it again.