Where IT teams were once concerned with attacks from viruses and trojans, the focus today has shifted to ransomware. Ransomware is defined by TechTarget as:
“...a subset of malware in which the data on a victim's computer is locked, typically by encryption, and payment is demanded before the ransomed data is decrypted and access returned to the victim.”
Ransomware has existed in various forms over the years, but really exploded into the mainstream with WannaCry: a ransomware attack that affected more than 230 000 computers and caused up to $4 billion in damage. This attack worked by exploiting a flaw in the way Windows handled the Server Message Block (SMB) protocol, which allowed attackers to run code on the affected computer and install the WannaCry ransomware. Once installed, your computer would be locked down and your data encrypted. The attackers demanded a ransom in bitcoin to restore the files affected by WannaCry.
[Image of WannaCry ransomware lock screen]
As a private individual, you would undoubtedly mourn the loss of your holiday snaps if you could not afford the ransom; but as a business or organisation, the damage could be catastrophic. Here’s how you can identify if you have fallen victim to a ransomware attack.
How to recognise a ransomware attack
The two main types of ransomware work by locking you out of Windows or encrypting your data. Screen locking ransomware will prevent you from accessing your system, instead displaying the ransom note on your screen and preventing you from doing anything else. This type of ransomware will be easily identifiable by the lock screen that prevents you from accessing your operating system.
[Image of a ransomware screen lock]
The second type of ransomware is data encryption ransomware. Data encryption ransomware lets you navigate your operating system normally, but prevents you from opening specific file types, such as documents, images or spreadsheets. This type of ransomware can be identified by navigating through your file system and attempting to open any of these file types. Usually these files will have changed to a generic file icon with a new filename, or a new file extension.
[Image of ransomware encrypted files]
Included in the folder with the encrypted files is the “ransom note”. This provides the victim with instructions on how to pay the ransom, after which they will be provided with the information and tools they need to remove the encryption. The ransom note sits in the same folders as the encrypted files, usually in the form of an HTML, text or image file.
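The two traits described above (files with unfamiliar new extensions, and the same note file dropped in each affected folder) can be checked across a whole directory tree. The script below is an added example, not part of the original article; the extension lists, the thresholds and the function names are assumptions to tune for your environment.

```python
import math
import os
import sys
from collections import Counter, defaultdict

# Assumption: extensions considered normal on this machine; tune per environment.
KNOWN_EXT = {".docx", ".xlsx", ".pdf", ".jpg", ".png", ".txt", ".html", ".csv"}
# Note formats named in the text: HTML, text or image files.
NOTE_EXT = {".html", ".htm", ".txt", ".png", ".jpg", ".bmp"}

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; encrypted data sits close to 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def triage(root, min_folders=2, entropy_floor=7.0, sample=4096):
    """Return (suspect_files, note_names) for the directory tree under root."""
    suspects, flagged_dirs = [], set()
    note_dirs = defaultdict(set)  # note-like file name -> folders holding it
    for folder, _dirs, files in os.walk(root):
        for name in files:
            ext = os.path.splitext(name)[1].lower()
            if ext in NOTE_EXT:
                note_dirs[name.lower()].add(folder)
            if ext in KNOWN_EXT:
                continue
            try:
                with open(os.path.join(folder, name), "rb") as fh:
                    head = fh.read(sample)
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            # Unfamiliar extension plus near-random content: likely encrypted.
            if entropy(head) >= entropy_floor:
                suspects.append(os.path.join(folder, name))
                flagged_dirs.add(folder)
    # A ransom note repeats under one name in every folder that was encrypted.
    notes = sorted(n for n, dirs in note_dirs.items()
                   if len(dirs & flagged_dirs) >= min_folders)
    return sorted(suspects), notes

if __name__ == "__main__":
    found, notes = triage(sys.argv[1] if len(sys.argv) > 1 else ".")
    for path in found:
        print("suspect:", path)
    print("possible ransom notes:", notes)
```

Compressed archives and some media formats with unfamiliar extensions also score near 8 bits per byte, so treat the output as leads to inspect rather than a verdict.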
A third type of ransomware attempts to lock your screen and encrypt your files, but this is far less common. Look for a combination of the traits above to identify if you’ve been hit by one of these attacks.
There are also some more subtle signs that your computer could be infected with ransomware. For example, if the performance of your PC is slow, the ransomware could be encrypting your files, or possibly have connected it to a botnet. Another less obvious clue that your computer might be infected by ransomware is if another computer (or computers) on your network has become infected by ransomware, since many of these attacks can spread via a network.
Prevention is better than cure, but there are times when you need both
This advice begins the process of managing the consequences of a ransomware attack, but what if you lack the expertise to deal with the fallout or prevent an attack in the future?
To achieve this, we advise Disaster Recovery as a Service (DRaaS). DRaaS duplicates your entire IT system in the cloud, ensuring that you experience minimal downtime should you fall victim to ransomware or some other crippling cyberattack.