Ransomware: Anatomy of an Attack
- Published: Wednesday, Sept. 11, 2019
Ransomware is on the rise. This malicious software is designed to block access to a computer system and its files unless a ransom is paid to the criminals. Ransomware is most commonly spread through phishing emails with malicious attachments or links, but it can also be delivered through a drive-by download on a compromised website. The impact of ransomware can include temporary or permanent destruction of data, release of sensitive information, general disruption of business, financial loss, and harm to an organization's reputation.
Understanding how ransomware works helps in taking measures to safeguard against the possibility of an attack.
- The attacker sends out a phishing email
- The email bypasses the spam filter and lands in the user’s inbox
- Anti-virus does not detect any problems with this email
- The user interacts with the malicious link or attachment
- A copy of the malware is installed to the root drive, AppData or Startup folders
- Changes are made to the registry to run the executable
- The malware connects with the Command and Control server
- The executable runs and begins to encrypt data on the user’s drive and shared drives
- A ransom note is now delivered to the victim
- The malware continues to spread across the network
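Two of the steps above leave telemetry a defender can alert on: the executable dropped into a user-writable folder that is then registered in a registry Run key (persistence), and the burst of file renames as the encryptor works through local and shared drives. The following is an added example, not code from the original article: it runs simple detection logic over constructed, Sysmon-style event records. The event field names, the paths, the host names and the burst thresholds are all assumptions chosen for illustration.

```python
"""Detect two ransomware behaviours from the attack chain in endpoint events:
(1) an .exe dropped under AppData/Startup and then registered in a Run key,
(2) a host renaming many files within a short window (encryption burst).

Added example; the events below are constructed to resemble Sysmon-style
telemetry and are not real data. Field names and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (times are ISO-8601, host names are made up).
EVENTS = [
    {"time": "2019-09-11T09:00:01", "type": "file_create", "host": "ws01",
     "path": r"C:\Users\alice\AppData\Roaming\svchost.exe"},
    {"time": "2019-09-11T09:00:02", "type": "registry_set", "host": "ws01",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "value": r"C:\Users\alice\AppData\Roaming\svchost.exe"},
] + [
    # 60 renames on a share in under a minute: doc0.docx -> doc0.docx.locked ...
    {"time": f"2019-09-11T09:00:{10 + i % 50:02d}", "type": "file_rename",
     "host": "ws01",
     "old": f"\\\\fileserver\\share\\doc{i}.docx",
     "new": f"\\\\fileserver\\share\\doc{i}.docx.locked"}
    for i in range(60)
] + [
    # Benign: a vendor installer writing under Program Files on another host.
    {"time": "2019-09-11T09:05:00", "type": "file_create", "host": "ws02",
     "path": r"C:\Program Files\Vendor\app.exe"},
]

# User-writable drop locations and autorun keys to watch (assumed markers).
SUSPICIOUS_DROP_DIRS = ("\\appdata\\", "\\start menu\\programs\\startup\\")
RUN_KEY_MARKERS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")
RENAME_BURST_THRESHOLD = 50            # renames ...
RENAME_BURST_WINDOW = timedelta(seconds=60)  # ... within this window


def parse_time(stamp: str) -> datetime:
    return datetime.fromisoformat(stamp)


def find_persistence(events):
    """Flag an executable dropped in a user-writable folder that is later
    referenced from a Run/RunOnce key on the same host."""
    dropped = set()      # (host, lowercased path) of suspicious executables
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["type"] == "file_create":
            path = ev["path"].lower()
            if path.endswith(".exe") and any(d in path for d in SUSPICIOUS_DROP_DIRS):
                dropped.add((ev["host"], path))
        elif ev["type"] == "registry_set":
            key, value = ev["key"].lower(), ev["value"].lower()
            if any(m in key for m in RUN_KEY_MARKERS) and (ev["host"], value) in dropped:
                findings.append((ev["host"], "persistence", ev["value"]))
    return findings


def find_encryption_bursts(events):
    """Flag any host with >= RENAME_BURST_THRESHOLD renames inside a sliding
    RENAME_BURST_WINDOW; report the count at the moment the threshold is hit."""
    by_host = defaultdict(list)
    for ev in events:
        if ev["type"] == "file_rename":
            by_host[ev["host"]].append(parse_time(ev["time"]))
    findings = []
    for host, times in by_host.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > RENAME_BURST_WINDOW:
                start += 1
            if end - start + 1 >= RENAME_BURST_THRESHOLD:
                findings.append((host, "encryption_burst", end - start + 1))
                break
    return findings


def triage(events):
    """Hosts that should be isolated from the network first."""
    findings = find_persistence(events) + find_encryption_bursts(events)
    return sorted({host for host, _, _ in findings})


if __name__ == "__main__":
    for finding in find_persistence(EVENTS) + find_encryption_bursts(EVENTS):
        print(finding)
    print("isolate:", triage(EVENTS))
```

The persistence rule deliberately requires both halves of the chain (drop plus Run key pointing at the dropped file) to keep false positives low; the rename rule is extension-agnostic because the renamed extension varies by family, so it keys on rate rather than on a specific suffix.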
How can you prevent it?
Taking preventive measures to protect your network should include the following:
- Install and maintain antivirus software on all endpoints
- Educate users on phishing and other security best practices while using the Internet
- Employ a backup plan: perform regular backups of critical information and regularly test the restore process
- Keep operating systems and software patched with the latest updates
- Disable automatic opening of macros or executables
- Restrict permissions for installing and running applications
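A backup that has never been restored is not yet a backup. The following added example (not code from the original article) shows one way to make the restore test objective: record a SHA-256 manifest of every file at backup time, then compare a restored copy against that manifest and report anything missing, modified or unexpected. The directory layout and file contents are constructed for illustration.

```python
"""Integrity-checked backup and restore test.

Added example, not part of the original article. Builds a SHA-256 manifest of
a (constructed) source tree at backup time and verifies a restored copy
against it, so a restore that is incomplete or has been tampered with fails
the test instead of being discovered during a real incident.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path


def file_sha256(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path relative to root (forward slashes) to its SHA-256."""
    return {str(p.relative_to(root)).replace("\\", "/"): file_sha256(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def backup(source: Path, dest: Path) -> dict:
    """Copy the source tree to dest and return the manifest taken at backup time.
    Store the manifest somewhere the ransomware cannot reach (offline/immutable)."""
    shutil.copytree(source, dest)
    return build_manifest(source)


def verify_restore(restored: Path, manifest: dict) -> list:
    """Return sorted problem strings; an empty list means the restore matches."""
    actual = build_manifest(restored)
    problems = []
    for rel, digest in manifest.items():
        if rel not in actual:
            problems.append(f"missing: {rel}")
        elif actual[rel] != digest:
            problems.append(f"modified: {rel}")
    for rel in actual.keys() - manifest.keys():
        problems.append(f"unexpected: {rel}")
    return sorted(problems)


def demo() -> tuple:
    """Back up a constructed tree, restore it, verify, then show that a
    damaged restore (one file renamed with a .locked suffix) is reported."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "data"
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "q3.xlsx").write_bytes(b"constructed spreadsheet bytes")
        (src / "notes.txt").write_text("constructed notes")

        manifest = backup(src, tmp / "backup")

        # Restore into a fresh location and check it against the manifest.
        shutil.copytree(tmp / "backup", tmp / "restored")
        clean = verify_restore(tmp / "restored", manifest)

        # Simulate a damaged restore target: one file replaced by a .locked copy.
        (tmp / "restored" / "notes.txt").rename(tmp / "restored" / "notes.txt.locked")
        damaged = verify_restore(tmp / "restored", manifest)
        return clean, damaged


if __name__ == "__main__":
    ok, bad = demo()
    print("clean restore problems:", ok)
    print("damaged restore problems:", bad)
```

In practice the manifest should be written alongside the backup but also kept on media the infected host cannot write to; otherwise an attacker who can encrypt the backup can just as easily rewrite the manifest to match.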
What to do if you have been infected with ransomware
- Unplug the infected system(s) from the network
- Run antivirus software to detect and remove the infection
- The surest way to ensure a system is clean is to reinstall the operating system and software (reimage)
- Restore affected files from backups
Paying the ransom does not guarantee the files will be released or decrypted. There may be free decryption tools for certain ransomware variants at No More Ransom!