Ransomware - and how to deal with it

The Police Service of Northern Ireland (PSNI) has warned that ransomware attacks are on the rise. Businesses are losing revenue and experiencing disruption as a result of attacks which target and hijack their critical data. According to the PSNI, nine out of 10 large organisations have reported suffering a cyber breach in the past year.

This factsheet explains what ransomware is, how it may affect your business and how to defend against it.

What is ransomware?

Ransomware is a type of malware that locks and encrypts your data and computer systems, and prevents you from accessing them. It requires you to pay a ransom in order to regain access to your files.

Ransomware can enter your machine or network by different routes, including:

  • bogus emails
  • compromised web applications
  • drive-by downloads - when software is unintentionally downloaded to your computer from the internet, often without your permission or knowledge

The malware is downloaded to your system after you click on a compromised attachment or link. These usually appear quite legitimate, such as an invoice, electronic fax or, commonly, a shipping delivery notice.

Once downloaded, the file runs the ransomware code and encrypts all the files on your computer, as well as any attached external or network drives. The attackers hold the decryption key to your data and demand a payment, often in a digital currency such as Bitcoin.

In return for the payment, they promise to decrypt your data. However, there are no guarantees that they will actually unlock and restore your files. On the contrary, they often provide files which contain further malware, simply prolonging or diversifying the attack.

Types of ransomware

One of the better-known strains of ransomware is CryptoLocker, discovered in 2013. More recently, ransomware-as-a-service tools such as Shark have become prevalent. The code of such tools is distributed free of charge, but its creators get a percentage of every successful ransom collected.

The average ransom demand appears to be rising, with amounts requested ranging from a few hundred to a few thousand dollars. Research suggests that over half of UK businesses experiencing an attack eventually pay the ransom, in an attempt to resume operations and gain control of their data as quickly as possible.

What can your business do against the ransomware threat?

Email, social posts and even texts are the most common ways ransomware criminals are infiltrating computer networks, so following basic online security practices should give you a certain level of protection. For example:

  • keeping an offsite backup of your key business data so if your computer systems are encrypted or infected you have the key data needed to rebuild your systems and become operational again quickly
  • using integral email security, such as spam filters that catch phishing emails and malicious attachments
  • not clicking on suspicious links or attachments that do come through into the inbox
  • looking after your passwords and changing them regularly to strong, unique combinations
  • regularly checking and applying security updates for the software and operating systems on all your devices

Adding two-factor authentication to your core accounts, such as email or financial services, can boost your defences further. Two-factor authentication requires a second step, such as a text message to a phone or the swipe of a finger, to be used in addition to a password to log on to an account.

While there are no guarantees, keeping anti-malware software up to date and ensuring that your browsers, operating systems and web publishing platforms have all the necessary patches should also help protect your systems against ransomware.

What can you do if you're experiencing a ransomware attack?

If you find that your computer has been infected by ransomware, the first thing you may want to do is alert the PSNI. They may not always be able to assist with the recovery of your files, but they can investigate the attack and attempt to identify and prosecute the offenders. You can report the incident via the PSNI portal.

Secondly, you will want to turn off your computer as soon as possible and disconnect it from the network. This is crucial to preventing the infection spreading to the other machines sharing the same network.

You can then try to identify and remove the ransomware from your computer. However, even if you are able to remove the software, recovering your data is rarely possible without the key to decrypt it – therefore you will most likely have to decide whether or not to pay the ransom. If you decide not to pay the ransom, restoring your backed-up data (provided that you have it) will allow you to make a fresh start.

Back up your data

Best practice against any type of cyber attack, and ransomware especially, is to ensure that you have a robust backup policy in place.

If created and stored securely, regular backups of your business's critical data will allow you to:

  • roll back to a version of your data prior to ransomware encryption
  • recover the majority of your data without the risk of further attacks
  • resume business operations with minimal disruption and costs

Ransomware continues to evolve and cause significant disruption to businesses around the world. If you are affected, or unsure how to protect your systems, you can contact Invest Northern Ireland's ICT advisers on Tel 0800 181 4422.