Ransomware: Anatomy of an Attack


Ransomware is on the rise. This malicious software is designed to block access to a computer system and its files unless a ransom is paid to the criminals. Ransomware is most commonly spread through phishing emails with malicious attachments or links, but it can also be delivered through a drive-by download on a compromised website. The impact of ransomware can include temporary or permanent destruction of data, release of sensitive information, general disruption of business, financial loss, and harm to an organization's reputation.

Understanding how ransomware works helps you take measures to safeguard against an attack.

Level 1

  • The attacker sends out a phishing email
  • Bypassing the email spam filter, it lands in the user’s inbox

Level 2

  • Anti-virus does not detect any problems with this email
  • The user interacts with the malicious link or attachment
  • A copy of the malware is installed to the root drive, AppData or StartUp folders
  • Changes are made to the registry to run the executable
  • The malware connects with the Command and Control server
  • The executable runs and begins to encrypt data on the user’s drive and shared drives
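
The last step above, the executable rewriting files on local and shared drives, is the point where behaviour-based monitoring can still catch an infection before everything is encrypted. As an added example (not code from MOREnet or this article), the Python heuristic below flags any process that rewrites many files with high-entropy, encrypted-looking contents inside a short time window; the WriteEvent record, the process names and the file paths are all constructed assumptions.

```python
import math
import random
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class WriteEvent:
    ts: float      # seconds since epoch
    process: str   # image name of the process that wrote the file
    path: str      # file written (local or shared drive)
    data: bytes    # file contents after the write

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8.0 for encrypted or compressed data, roughly 4-5 for text."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def detect_encryption_bursts(events, window=10.0, threshold=5, entropy_min=7.0):
    """Map process name -> most distinct high-entropy files it rewrote within any
    `window` seconds, for processes reaching `threshold`. One archive or encrypted
    document is normal; dozens of them within seconds is ransomware-like."""
    hits = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        if shannon_entropy(ev.data) >= entropy_min:
            hits[ev.process].append((ev.ts, ev.path))
    flagged = {}
    for proc, rows in hits.items():
        start = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:   # slide the window forward
                start += 1
            distinct = {path for _, path in rows[start:end + 1]}
            if len(distinct) >= threshold:
                flagged[proc] = max(flagged.get(proc, 0), len(distinct))
    return flagged

def sample_events():
    """Constructed sample: a user editing documents, a backup tool writing a few
    archives slowly, and one process rewriting many files as '.locked' at once."""
    rng = random.Random(7)
    noise = lambda: bytes(rng.getrandbits(8) for _ in range(4096))  # stands in for ciphertext
    text = b"Quarterly budget notes for the board meeting. " * 90
    events = [WriteEvent(0.0, "winword.exe", r"C:\Users\jo\Documents\budget.docx", text),
              WriteEvent(30.0, "winword.exe", r"C:\Users\jo\Documents\agenda.docx", text)]
    for i in range(3):   # high entropy, but only three files spread over 80 seconds
        events.append(WriteEvent(100.0 + 40 * i, "backup.exe", rf"\\nas\backups\set{i}.zip", noise()))
    for i in range(6):   # six files on a shared drive rewritten in under three seconds
        events.append(WriteEvent(200.0 + 0.5 * i, "invoice_viewer.exe", rf"\\fileserver\shared\doc{i}.xlsx.locked", noise()))
    return events
```

The backup tool is deliberately not flagged: high entropy alone is not evidence, the rate of distinct files per process is what separates a nightly archive job from an encryptor.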

Level 3

  • A ransom note is now delivered to the victim
  • The malware continues to spread across the network

How can you prevent it?

Taking preventive measures to protect your network should include the following:

  • Install and maintain antivirus software on all endpoints
  • Educate users on phishing and other security best practices while using the Internet
  • Employ a backup plan: perform regular backups of critical information and regularly test the restore process
  • Keep operating systems and software patched with the latest updates
  • Disable automatic opening of macros or executables
  • Restrict permissions for installing and running applications

What to do if you have become infected with ransomware

  • Unplug the infected system(s) from the network.
  • Run antivirus software to detect and remove the infection.
  • The best way to ensure that a system is clean is to reinstall the operating system and software (reimage).
  • Restore affected files from backups.

Paying the ransom does not guarantee the files will be released or decrypted. Free decryption tools may be available for certain ransomware variants at No More Ransom!
