Ransomware is a type of malicious software that allows cyber criminals to take control of your business data or computer systems. It locks or encrypts your files, making them inaccessible, and typically requires you to pay a ransom to regain access to your system.
The National Cyber Security Centre is investigating current Ryuk ransomware campaigns targeting organisations globally, including in the UK. Read their advisory note on how to mitigate the threat posed by this particular type of ransomware.
How does ransomware get on your computer
Ransomware can enter your machine or network in many ways. Most commonly, this happens through:
- Spam email (phishing) - where the email is designed to look 'legitimate' but typically contains a malicious link or an attachment. Once you access this link or download the file, the ransomware installs on your device.
- Drive-by download - where the malware is installed onto your device without your knowledge or permission. You don't have to click anything to initiate the download. It activates automatically when you visit an infected website or view a malicious advertisement.
Drive-by downloads rely on exploit kits, i.e. pieces of malicious code embedded in a website. This can be a legitimate website that has been compromised or a malicious site designed to look authentic and genuine.
When you visit a website that hosts an exploit kit, the kit probes your device or web browser for software vulnerabilities. If it finds a weak spot, it uses that weakness to install the malware.
Types of ransomware and examples
Two main forms of ransomware currently in circulation are:
- Screen lockers - these freeze you out of your device by locking your screen and denying you access until you pay a fee. They don't typically interfere with the underlying system and files. Often, they come disguised as an official-looking warning message from law enforcement imposing a fine for supposed online indiscretions or activities.
- Crypto ransomware - these infect your devices and, once installed, begin encrypting your files, rendering your data unreadable. When this process concludes, the malware displays a message demanding payment, often in Bitcoin, for a private decryption key that would allow you to regain access to your data. If you refuse to pay the ransom, the criminals threaten to destroy the key and leave your data encrypted.
CryptoLocker and WannaCry are two notorious examples of crypto ransomware. Hybrids like Petya have cropped up in recent times, combining features of both screen lockers and encryptors.
More recently, ransomware-as-a-service tools such as Shark have become prevalent. The code of such tools is distributed free of charge, but its creators get a percentage of every successful ransom collected.
How to respond to a ransomware infection
If ransomware infects your device, you should follow these steps:
- Turn off your computer as soon as possible and disconnect it from the network. This can help prevent the infection from spreading to other devices on the network.
- If you can, reboot your device to safe mode and try to identify the specific strain or type of ransomware. This information may help you find the right decryptor or find out what damage the malware has done to your systems.
- Use anti-malware software to try to remove the ransomware from your device. This may not always be possible. Even if you can remove the malware, you may not be able to recover your data without the key to decrypt it.
- You may have to decide whether you wish to pay the ransom. Security and law enforcement agencies recommend that you do not pay the ransom demand. There is no guarantee that the criminals will provide you with a key upon payment, or that the key will even give you access to your files. Instead, criminals may release files that contain further malware, simply prolonging or diversifying the attack.
- If you decide not to pay the ransom, restoring your backed-up data (provided that you have it) will allow you to make a fresh start. Make sure that you restore your device to a previous, clean state before reconnecting it to your network.
See how to develop a cyber security incident response plan for your business.
If you experience a ransomware attack, you should report it to the Police Service of Northern Ireland (PSNI).
How to prevent ransomware attacks
Criminals often use email, social posts and even texts to infiltrate computer networks. To protect your business from ransomware, you should:
- use built-in email security controls, such as spam filters, that catch phishing emails and malicious attachments
- advise staff not to open suspicious links or attachments, even if emails appear legitimate
- regularly change passwords to strong, unique combinations
- apply updates and security patches regularly to keep the software, browsers and operating systems current on all your devices
Most importantly, you should back up your key business data. The backup will allow you to:
- recover your key data if your system is compromised
- roll back or rebuild your system to a previous, safe version
- resume business operations with minimal disruption and costs
Two-factor authentication for your core accounts, such as email or financial services, can boost your defences further. It requires a second step, such as a text message to a phone or the swipe of a finger, to be used in addition to a password to log on to an account.
How does ransomware affect businesses
Ransomware is potentially a serious threat to business. Attacks are largely indiscriminate and usually very disruptive, and recovery can be slow and costly. As well as financial losses, your business may suffer:
- loss of data
- loss of productivity
- reputational damage
- potential legal penalties for breach of data security or data theft
Read more about the impact of cyber attack on your business.
If you are affected by ransomware, or unsure how to protect your business's IT systems, you can contact Invest Northern Ireland's ICT advisers on Tel 0800 181 4422.