Ransomware is a type of malicious software that allows cyber criminals to take control of your business data or computer systems. It locks or encrypts your files, making them inaccessible, and typically requires you to pay a ransom to regain access to your system.
Ransomware is potentially a serious threat to business. Attacks are largely indiscriminate, usually very disruptive and recovery can be slow and costly. As well as financial losses, your business may suffer:
- loss of data
- loss of productivity
- reputational damage
- potential legal penalties for breach of data security or data theft
Read more about the impact of cyber attack on your business.
How does ransomware get on your computer
Most commonly, ransomware enters machines or networks through:
- Spam email (phishing) - where the email is designed to look 'legitimate' but typically contains a malicious link or an attachment. Once you access this link or download the file, the ransomware installs on your device.
- Drive-by download - where the malware is installed onto your device without your knowledge and permission. You don't have to click anything to initiate the download. It automatically activates when you visit an infected website or a malicious advertisement.
Drive-by downloads rely on using exploit kits, ie pieces of malicious code embedded in a website. This can be a legitimate website that has been compromised or a malicious site designed to look authentic and genuine.
When you visit a website that hosts an exploit kit, it looks for software vulnerabilities in your device or web browser. If it finds a weak spot, it injects malware into it.
Types of ransomware and examples
Two main forms of ransomware are:
- Screen lockers - these freeze you out of your device by locking your screen and denying you access until you pay a fee. They don't typically interfere with the underlying system and files. Often, they come disguised as an official-looking warning message from law enforcement imposing a fine for supposed online indiscretions or activities.
- Crypto ransomware- these infect your devices and, when installed, begin hijacking your files, turning your data unreadable. When this process concludes, the malware brings up a message demanding payment, often in BitCoin, for a private decryption key that would allow you to regain access to your data. If you refuse to pay the ransom, the criminals threaten to destroy the key and keep your data encrypted.
Cryptolocker and WannaCry are two notorious examples of crypto malware. Hybrids like Petya combine features of both screen lockers and encryptors.
More recently, ransomware-as-a-service tools such as Shark have become prevalent. The code of such tools is distributed free of charge, but its creators get a percentage of every successful ransom collected.
How to respond to a ransomware infection
If ransomware infects your device, you should follow these steps:
- Turn off your computer as soon as possible and disconnect it from the network. This can help prevent the infection from spreading to other devices on the network.
- If you can, reboot your device to safe mode and try to identify the specific strain or type of ransomware. This information may help you find the right decryptor or find out what damage the malware has done to your systems.
- Use anti-malware software to try to remove the ransomware from your device. This may not always be possible. Even if you can remove the malware, you may not be able to recover your data without the key to decrypt it.
- If necessary, decide if you wish to pay the ransom. Security and law enforcement agencies recommend that you do not pay the ransomware demand. There is no guarantee that the criminals will give you a key upon payment, or that the key will even unlock your files. Instead, criminals may release files that contain further malware, simply prolonging or diversifying the attack.
- If you decide not to pay the ransom, restoring your backed up data (provided that you have it) will allow you to make a fresh start. Make sure that you recover your device back to a previous, clean state before reconnecting to your network.
See how to develop a cyber security incident response plan for your business.
If you experience a ransomware attack, you should report it to the Police Service of Northern Ireland (PSNI).
How to prevent ransomware attacks
Criminals often use email, social posts and even texts to infiltrate computer networks. To protect your business from ransomware, you should:
- use integral email security, such as spam filters, that catch phishing emails and malicious attachments
- advise staff not to open suspicious links or attachments, even if emails appear legitimate
- regularly change passwords to strong, unique combinations
- apply updates and security patches regularly to keep the software, browsers and operating systems current on all your devices
Most importantly, you should back up your key business data. The backup will allow you to:
- recover your key data if your system is compromised
- rollback or rebuild your system to a previous, safe version
- resume business operations with minimal disruption and costs
It's important to realise that ransomware can affect connected USB and network storage devices holding data backups, as well as the original data on-disk. It can also compromise connected cloud storage locations containing backups. With that in mind, offline backups are probably the best safety net against ransomware.
Read more about backing up your data.
Two-factor authentication for your core accounts, such as email or financial services, can boost your defences further. It requires a second step, such as a text message to a phone or the swipe of a finger, to be used in addition to a password to log on to an account.
Find detail guidance on mitigating malware and ransomware attacks.
For advice on protecting your business’ IT systems, contact Invest Northern Ireland's ICT advisers on Tel 0800 181 4422.