source link: https://www.nakivo.com/blog/what-is-ransomware-a-full-overview/


What Is Ransomware: A Full Overview


Ransomware is one of the most dangerous types of computer viruses today. Across the globe, organizations and individual users have lost millions of dollars and petabytes of data to ransomware in recent years. No one is safe from a ransomware attack targeting their computer and valuable data. However, it is possible to reduce the risk of data loss, minimize the negative impact of ransomware and be prepared for possible ransomware attacks. This blog post explains what ransomware is, how it works, how to avoid it, how to prevent ransomware attacks and how to recover from them.

This article is written for educational and data protection purposes. At NAKIVO, we do not take any responsibility for any malicious acts carried out by anyone reading this information.

What Is Ransomware?

Ransomware is a type of malware that infects computers and blocks access to files. Once a user’s access to files has been blocked, the victim receives a notification that their files are inaccessible and that they need to pay money to regain access to them. Payment instructions are usually attached to the message about the blocked files. The ransom ranges from hundreds to thousands of US dollars, and there’s no guarantee that the encrypted files will be restored even after paying. Attackers use anonymous payment systems and cryptocurrencies such as Bitcoin, which makes it hard, and often impossible, to trace a payment and identify the attacker.

Note: The term malware is used for all types of malicious software regardless of working principle, distribution method and attacker intentions. The malware category also includes viruses and spyware. A virus is a type of malware that can self-replicate, insert its code into other programs and infect other computers. Viruses can corrupt files, the MBR (Master Boot Record) and the MFT (Master File Table), format partitions, initiate DDoS (distributed denial of service) attacks and so on. Malware can infect a computer without corrupting any files, yet the consequences still range from annoying advertising to data theft and unauthorized access.

Examples of viruses:

  • Infected executable files. After running these files, a virus spreads to all disk drives, network shares and so on. Unpatched vulnerabilities in operating systems and protocols can be used for spreading to other machines and infecting them. Viruses that use software vulnerabilities for spreading in networks are called worms (for example, Conficker.AA in 2009).
  • Macro viruses are a category of viruses that usually arrive in Word and Excel documents with enabled macros. If the victim opens the infected document and enables macros, their computer gets infected. Despite the fact that macro viruses are an old type of malware, they are still used by hackers.
  • Polymorphic viruses are viruses that replicate and encrypt themselves so they can’t be detected by antivirus software.

Other types of malware can:

  • Steal credit card data or other personal data to be used to steal money.
  • Get access to computers in order to control them and add them to a botnet (for example, to launch a brute-force attack to steal user accounts from other devices connected to the network), launch DDoS attacks on other networks and so on.
  • Infect computers to use their hardware to mine cryptocurrencies.
  • Infiltrate a computer, stealing a user or company’s private data. A portion of data is published on the internet. Then the attacker asks the victim to pay a ransom to avoid having all the other sensitive data published online.
  • Trick an unsuspecting user into installing the malware on a computer as a tool to check for issues. The tool emulates finding viruses and system errors and asks the user to pay money to kill the viruses and fix the errors.

History of Ransomware

Today’s ransomware is dangerous. It’s not the ransomware of the late 2000s that blocked Windows and displayed funny screens with a message that you were using illegal software, watching adult videos or performing illegal activities online. Early forms of ransomware spoofed messages from the FBI, Interpol or other law enforcement or government bodies. They asked users to pay money or send an SMS to a specified number or else they would be arrested. Alternative notification messages of this kind demanded that users pay money, otherwise information about the “law violation” would be sent to law enforcement. This kind of ransomware is easy to get around. It usually takes a system administrator about 15 minutes to fix the registry parameters that block the Windows login screen and resolve the issue caused by this type of blocking ransomware.

Now let’s briefly look at the history of ransomware.

The first ransomware was created in 1989 and was known as PC Cyborg or AIDS Trojan. PC Cyborg was simple. It was distributed on floppy disks during a World Health Organization event and was activated after a computer was rebooted 90 times. After activation, PC Cyborg encrypted file names and hid directories on the computers of victims. After that, users were asked to pay $189 for a license update. That version of ransomware was simple and didn’t cause significant damage.

In 2004, ransomware resurfaced after a long hiatus. GPCode ransomware became known in 2004 and used RSA encryption.

In 2004-2006, ransomware creators began to use RSA encryption widely. In 2006, the Archiveus Trojan encrypted files in the My Documents folder and demanded that victims purchase items in an online pharmacy to get a 30-digit unlock code to get files back.

In 2007, WinLock was the ransomware that didn’t encrypt files and only restricted management access to the operating system. Users were asked to send a paid SMS to unlock the desktop and regain full access to the operating system.

From 2012 on, ransomware became more sophisticated and devastating. The number of ransomware families grew significantly, and ransomware harmed hundreds of thousands of computers.

In September 2013, the first version of CryptoLocker, written in C++, was released. Attackers demanded payment via Perfect Money or QIWI Visa Virtual Card. CryptoLocker 2.0, an improved version written in C#, was released in December. This version used 2048-bit encryption to encrypt files, and attackers demanded that the ransom be paid in bitcoins.

In April 2014, CryptoWall was released. This ransomware exploited a Java vulnerability to infect victims and encrypt files. More than 600,000 computers were infected. All Windows versions were attacked. Once a computer became infected, CryptoWall connected to the attacker control center and sent information about the victim, including the external (WAN) IP address. Depending on the IP address, a price associated with the country where the infected computer was located was defined for a victim.

CryptoWall 2.0 emerged in January 2015. The second version of CryptoWall performed anti-VM and anti-emulation checks to make it difficult to identify this ransomware by using sandboxes. Multiple infection methods were used.

TeslaCrypt, a new modification of CryptoWall, was released in February 2015. This ransomware was distributed by using popular computer games.

Cryptowall 3.0 emerged in 2015. This version of ransomware used I2P network communication.

Cerber emerged in 2016. The Cerber ransomware was propagated with email spam. The ransomware-as-a-service (RaaS) model was used to distribute Cerber. It was a worldwide attack and the ransom note was written in multiple languages.

In March 2016, Petya was among the pioneers to use the RaaS model. Petya infected the MBR (Master Boot Record) to execute a payload and start the encryption of data.

In May 2017, WannaCry (WannaCrypt0r) hit more than 230,000 machines in over 140 countries across the globe. Its scope was very broad affecting different categories of users and organizations. The CVE-2017-0144 vulnerability for SMB v.1 (Windows implementation) that allows remote code execution, the Eternal Blue exploit and a backdoor called Double Pulsar were used to spread the ransomware (behavior of a network worm that replicates itself). The WannaCry attack started two months after the security update fixing the CVE-2017-0144 vulnerability was released by Microsoft for all supported Windows versions. This attack was one of the most devastating ransomware attacks in history. The attack was initiated on a Friday before the weekend to cause more data corruption as technical staff were away over the weekend. The situation was so serious that Microsoft released a security update for Windows XP, which it had stopped supporting in 2014, and Windows Server 2003.

NotPetya emerged in 2017 and used the same vulnerability as WannaCry. Its encryption methods differ from those of the original Petya. The NotPetya attack started through an update of an accounting software package and then spread by email. The email address the attackers named for communication was hardcoded and was blocked soon after the attack became known. We can presume that the attackers intended it this way and never planned to send the encryption keys needed to restore data. They only wanted to destroy the data.

In September 2017, Bad Rabbit masqueraded as an update patch for Adobe Flash Player to get installed on computers and infect them. Infected websites displayed a message that the user needed to update Adobe Flash Player.

Netwalker emerged in September 2019 for massive ransomware attacks. The RaaS concept was used. Netwalker was distributed primarily via spam emails with phishing links.

A new wave of Netwalker attacks started in 2020 in parallel with the COVID-19 epidemic. Attackers have been using phishing emails introduced as emails with important information updates about the new coronavirus (SARS-CoV-2) in attachments. Since most users are interested in any information about COVID-19, the probability of users opening the malicious attachments is quite high. Then a VBScript is used to activate the Netwalker ransomware.

Types of Ransomware

There are different types of ransomware, and each type behaves differently. Let’s look at the most common types of ransomware.

Lockers. This malware type locks a computer after a computer has been infected. Symptoms: A user cannot log into Windows by using any existing user account, or, after a successful login, graphical user interface elements are not available and only a notification message of a locker is displayed with a demand to pay money to unlock access to an operating system and files. Lockers usually don’t encrypt files and just modify a user interface.

Crypto malware (cryptoware). This is the most dangerous type of ransomware. After a computer has been infected, ransomware can start encrypting files immediately or start after a delay to do the most damage to a victim. WannaCry, which damaged a large number of files in 2017, is one of the best known and most harmful examples of crypto malware.

Scareware is a type of malware that is installed by a user as a tool to check issues or viruses. This tool emulates scanning a computer to find threats and then notifies a user that the computer has issues such as viruses or missing drivers. Then the tool asks a user to pay money to fix found issues.

Doxware steals files from computers and then demands that victims pay money to keep the stolen data from being leaked. A portion of the stolen data may be published to demonstrate that the threat is not a joke. Personal photos, confidential business information and other sensitive data make users panic when they are notified that this information has been stolen.

Mac ransomware is aimed at macOS users. One of the first well-known cases of a ransomware attack on macOS users was in 2017 when KeRanger infected macOS by using the Transmission app. After launching Transmission, the process of file encryption started.

Ransomware for mobile devices. Modern smartphones allow users to install diverse applications, use mobile internet, connect to Wi-Fi networks and so on. Due to this wide functionality, smartphones can be a target for ransomware. Ransomware for mobile devices began to spread in 2014. After being infected, a smartphone is locked and a message about illegal activity is usually displayed with a demand to pay a ransom.

Ransomware as a service (RaaS) is a new approach to developing and distributing ransomware. There are resources on the dark web that make it possible to develop, sell and buy ransomware that is ready for use to carry out cyberattacks. New versions of customizable ransomware kits are provided, and marketing campaigns on the dark web are used to promote ransomware and attract “clients”. It is possible to buy ransomware on a subscription basis or for a flat fee or use a profit-sharing model and pay a percentage of the profits. Similar to SaaS (software as a service), the appeal of RaaS is ease of use.

Who Is the Target of Ransomware Attacks?

Today everyone can be a target of a ransomware attack. Some ransomware is distributed indiscriminately, without selecting particular categories of potential victims, while other ransomware attacks are aimed at specific categories of users and businesses.

Enterprise users. Some attackers think that large companies can pay more money. As a result, they select large companies in developed countries as targets.

Healthcare organizations. Attacks on healthcare organizations are the most unethical. They interrupt computers that run software for medical equipment and hold data needed for patient care and treatment. Such ransomware attacks can cost lives, which makes them the most damaging.

Strategic/industrial/competitive organizations. Some companies use hackers to initiate attacks on competitors. The objective is to paralyze a victim and gain a better position on the market.

Educational organizations. Schools and universities have a lot of shared resources and small IT teams. The level of security is not always strong enough to prevent a ransomware attack. That’s why educational organizations are an attractive target for ransomware attackers.

Government organizations. Government agencies must always react quickly and have access to all the needed data. In addition, they are entrusted with citizen data and are under obligation to maintain this data confidential. Attackers hope that this aspect will pressure these organizations to pay the ransom.

As you can see, everyone can fall victim to a ransomware attack. Whether it’s a lost database in a company or 10 years of photos of an individual, everyone’s data is valuable for one reason or another. And this is why ransomware protection must be in place.

How Does Ransomware Work?

Let’s explore the working principle of ransomware to understand how to provide successful protection against ransomware attacks and to mitigate the consequences. We will focus on crypto malware because it is the most dangerous type of malware. However, the logic of infecting and spreading may be shared by other types of ransomware and should be known by system administrators and users.

Infecting computers

The first step is infecting computers. Attackers use sophisticated techniques to infect a victim’s computer. The most popular infection vectors are email, messengers, software vulnerabilities and advertising.

Email and messengers

Phishing emails are one of the most popular tactics to infect users and launch a ransomware attack. Opening an infected attachment or a link in an email message will infect the computer. The sender’s email address can be spoofed so the victim trusts the sender and opens the malicious links or attachments. For example, an attacker can use email addresses that are similar to legitimate addresses but with some characters changed:

[email protected]

[email protected]

[email protected]

[email protected]

The same approach can be used for links used to make a victim download malware. Addresses and names of popular persons and companies usually increase the probability of such messages being opened.

Example 1

From: [email protected]

To: [email protected]

Subject: Critical security updates

Body: Hello! You need to install some Windows updates to fix critical vulnerabilities. Updates are available here:

http://windowsudate.com/download/update/software/windows6.1-kb4012512-x86_6da65f3e56286c628a637f90a7361a.exe

An inattentive user may not notice that some characters have been substituted or are missing in the sender name and in the link. Hackers can hack existing websites to host malware on hacked resources and send links to malicious files in email messages.
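The character substitutions in the sender name and link above can be caught mechanically on the mail gateway or in a mailbox rule. The block below is an added example (not code from the NAKIVO article): it maps common look-alike characters back to letters, then compares each sender and link domain against an assumed allow-list of trusted domains by edit distance; the allow-list, the homoglyph table, the distance threshold and the sample message (whose sender address is assumed) are constructed for illustration.

```python
"""Flag sender addresses and links whose domain is a near-miss of a trusted domain.

Added example, not part of the original article. TRUSTED_DOMAINS, HOMOGLYPHS and
the sample message are constructed assumptions for illustration.
"""
import re
from urllib.parse import urlparse

# Assumed allow-list: domains the organization genuinely exchanges mail with.
TRUSTED_DOMAINS = {"microsoft.com", "windowsupdate.com", "dropbox.com", "example-shop.com"}

# Digits commonly swapped in for look-alike letters (subset, constructed).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalize(domain):
    """Lower-case, map digit look-alikes to letters and collapse 'rn' to 'm'."""
    return domain.lower().translate(HOMOGLYPHS).replace("rn", "m")


def levenshtein(a, b):
    """Edit distance with unit cost for insert, delete and substitute."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain):
    """Keep the last two labels (naive; a real tool would use the public suffix list)."""
    return ".".join(domain.lower().split(".")[-2:])


def classify_domain(domain, max_distance=2):
    """Return (verdict, closest trusted domain or None).

    'trusted' for an exact match, 'lookalike' when only homoglyph normalization
    or a small edit distance separates it from a trusted domain, else 'unknown'.
    """
    raw = registrable(domain)
    if raw in TRUSTED_DOMAINS:
        return "trusted", raw
    norm = registrable(normalize(domain))
    if norm in TRUSTED_DOMAINS:
        return "lookalike", norm
    for trusted in sorted(TRUSTED_DOMAINS):
        if 0 < levenshtein(norm, trusted) <= max_distance:
            return "lookalike", trusted
    return "unknown", None


def extract_domains(sender, body):
    """Domain of the From address plus the host of every http(s) link in the body."""
    domains = []
    if "@" in sender:
        domains.append(sender.rsplit("@", 1)[1].strip("<> "))
    for url in re.findall(r"https?://[^\s<>\"']+", body):
        host = urlparse(url).hostname
        if host:
            domains.append(host)
    return domains


def check_message(sender, body):
    """Return (domain, verdict, closest_trusted) for every domain that is not trusted."""
    findings = []
    for dom in extract_domains(sender, body):
        verdict, match = classify_domain(dom)
        if verdict != "trusted":
            findings.append((dom, verdict, match or ""))
    return findings


# Constructed sample modelled on Example 1 above (the sender address is assumed).
SAMPLE_SENDER = "Windows Update <updates@windowsudate.com>"
SAMPLE_BODY = (
    "Hello! You need to install some Windows updates to fix critical vulnerabilities. "
    "Updates are available here: http://windowsudate.com/download/update/software/"
    "windows6.1-kb4012512-x86_6da65f3e56286c628a637f90a7361a.exe"
)

if __name__ == "__main__":
    for dom, verdict, match in check_message(SAMPLE_SENDER, SAMPLE_BODY):
        print(f"{dom}: {verdict} (closest trusted: {match or '-'})")
```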

Before starting a ransomware attack, hackers can gather information about a victim by using social engineering, information in social networks and so on. As a result, email messages sent to a victim may seem legitimate. In the following example, an attacker knows that a user is buying a laptop and sends a message posing as an employee of the online shop with a request to check the configuration and payment documents in the attached file. The attacker disguises the attachment as a file that the user should trust.

Example 2

From: [email protected]

To: you

Subject: Urgent! Payment information.

Body: Hello! Your order cannot be processed due to inconsistency of information. Please check attached configuration of your laptop, and confirm it before you can pay the bill.

Attachment: hws20200922-0021.xlsx

There can be diverse modifications of this message with a request to check an attached document and pay the bill as soon as possible.

Example 3

From: [email protected]

To: you

Subject: Account is blocked

Your DropBox account is blocked due to suspicious activity. Follow the link to unblock your account, otherwise it will be blocked permanently within 24 hours.

Curiosity or greed is another aspect used by attackers to push a victim to open a malicious link or attached file.

Example 4

From: [email protected]

To: you

Subject: Summer photos

Body: Hello Mike! As promised, get my photos from summer vacation: link

See you soon!

Even if your name is not Mike, you may think that the wrong recipient was entered when the email was sent. Curiosity to see the photos may lead many users to open the link. Link-shortening services can be used to hide a real link that would look suspicious.

Example 5

From: [email protected]

To: You

Subject: You are the winner

Body: You have been selected to win 10000 $. Fill the form by going to this link and win the super prize.

Another approach to infecting computers with ransomware is to hack the email account of a user in an organization and send email messages from that account, which is real and trusted by colleagues.

Once a harmful attachment has been opened or a harmful link has been visited, installation of ransomware begins.

Scenarios include:

  • A user executes an exe file
  • A user opens a file with active content (such as JavaScript, ActiveX or Windows Script Host) or a document with macros, and ransomware is installed (a loader can be used in this case).
  • A user opens a harmful link to the loader of malware. A loader is running and loads all needed content to run malware on a computer of a victim.

Vulnerabilities

Exploit kits are used to exploit software vulnerabilities through open ports and the services listening on them. Vulnerabilities in operating systems, web browsers (iframe, XSS and so on), Adobe Flash Player, game servers and other applications are used. Legitimate websites can be hacked and infected.

Advertising

Malicious advertising is used to infect users who visit prepared websites that contain online advertising. This method is also called “malvertising”: it uses invisible elements and infected iframes that redirect to a landing page with an exploit, and then malicious code uses an exploit kit to attack the victim’s system. These actions usually go unnoticed by the user. Banners or splash screens on websites that entice users to click them can be used to infect with ransomware, for example a fake message that Adobe Flash Player must be updated. Malicious banners may not even require user interaction or clicking.

Activating ransomware

Ransomware can be activated immediately or with a delay. In the case of a delay, network connection with an attacker must be established to activate the ransomware or a timer/scheduler is used. Once ransomware is activated and running on the victim’s computer, the following actions may be performed:

  • Disabling firewall in an operating system to allow spreading over the network.
  • Disabling the anti-virus (at least trying to disable the anti-virus).
  • Killing processes that hold files open, so that file locks do not prevent the ransomware from writing changes to those files.
  • Deleting volume shadow copies (in Windows).
  • Changing registry settings (in Windows) to make it difficult to detect that ransomware is running. Symptoms can be inability to run a task manager, manage services and so on. Another objective of changing the registry settings is to display the ransomware GUI instead of Explorer.
  • Scanning a network to find running hosts.
  • If there are unpatched vulnerabilities, trying to infect the vulnerable hosts.
  • Running a brute-force attack to compromise user accounts on other hosts for getting access and further infection. A tiny dictionary that contains popular passwords and standard user names may be included in a ransomware package.
  • If shared resources such as SMB file shares have been found, replicating ransomware files to shared resources (for example, to root directories of file shares).
  • Trying to take control of an Active Directory Server.
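Several of the actions in this list leave a trace in process-creation logs before any file is encrypted, which is exactly what a defender should alert on. The block below is an added example (not from the NAKIVO article): it scores a constructed, pipe-separated process log against a small rule set covering shadow-copy deletion, backup catalog deletion, recovery and firewall tampering, forced process kills and Task Manager blocking, then returns the hosts that should be isolated; the log format, rule weights, threshold and sample lines are assumptions.

```python
"""Score process-creation log lines for pre-encryption actions ransomware performs.

Added example, not from the original article. The log format (pipe-separated
"time|host|user|parent|image|commandline"), the rule weights, the threshold and
SAMPLE_LOG are constructed assumptions.
"""
import re
from collections import defaultdict

# (rule name, pattern matched against the command line, weight)
RULES = [
    ("shadow_copy_deletion",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b|\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I), 5),
    ("backup_catalog_deletion", re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog\b", re.I), 4),
    ("recovery_disabled", re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I), 4),
    ("firewall_disabled", re.compile(r"\bnetsh(\.exe)?\s+advfirewall\s+set\s+\w+\s+state\s+off\b", re.I), 3),
    ("forced_process_kill", re.compile(r"\btaskkill(\.exe)?\b.*\s/f\b.*\s/im\b", re.I), 2),
    ("taskmgr_blocked", re.compile(r"\breg(\.exe)?\s+add\b.*\bDisableTaskMgr\b", re.I), 2),
]
WEIGHTS = {name: weight for name, _, weight in RULES}
ALERT_THRESHOLD = 6   # one destructive action plus one supporting action is enough


def parse_line(line):
    """Split one 'time|host|user|parent|image|commandline' record into a dict."""
    parts = line.rstrip("\n").split("|", 5)
    if len(parts) != 6:
        return None
    return dict(zip(("time", "host", "user", "parent", "image", "cmdline"), parts))


def match_rules(cmdline):
    """Names of every rule whose pattern appears in the command line."""
    return [name for name, pattern, _ in RULES if pattern.search(cmdline)]


def score_host_activity(lines):
    """Aggregate hits per host: {host: (score, [rule names in log order])}."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        names = match_rules(rec["cmdline"])
        if names:                      # hosts with no hits are not reported at all
            hits[rec["host"]].extend(names)
    return {host: (sum(WEIGHTS[n] for n in names), names) for host, names in hits.items()}


def hosts_to_isolate(lines, threshold=ALERT_THRESHOLD):
    """Hosts whose score reaches the threshold: candidates for immediate network isolation."""
    return sorted(host for host, (score, _) in score_host_activity(lines).items() if score >= threshold)


# Constructed sample log: WS-017 shows the pre-encryption sequence, WS-042 is benign admin work.
SAMPLE_LOG = [
    "2024-05-03T09:12:01|WS-017|corp\\jsmith|winword.exe|cmd.exe|cmd.exe /c vssadmin delete shadows /all /quiet",
    "2024-05-03T09:12:02|WS-017|corp\\jsmith|cmd.exe|netsh.exe|netsh advfirewall set allprofiles state off",
    "2024-05-03T09:12:05|WS-017|corp\\jsmith|cmd.exe|bcdedit.exe|bcdedit /set {default} recoveryenabled no",
    "2024-05-03T09:15:44|WS-042|corp\\admin|explorer.exe|cmd.exe|cmd.exe /c vssadmin list shadows",
    "2024-05-03T09:16:10|WS-042|corp\\admin|explorer.exe|notepad.exe|notepad.exe C:\\Users\\admin\\notes.txt",
]

if __name__ == "__main__":
    for host, (score, names) in score_host_activity(SAMPLE_LOG).items():
        print(f"{host}: score={score} rules={names}")
    print("isolate:", hosts_to_isolate(SAMPLE_LOG))
```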

Why do anti-viruses fail to detect many ransomware modifications?

Before launching attacks, attackers test their malware and check how anti-viruses perform against it. Malware is packed with custom packers and uses protectors. Packers are used to pack files into a single file and reduce their size. Protectors are used to make reverse engineering of a program difficult: they can prevent taking a memory dump, use anti-debug techniques, detect that the program is running in a virtual environment, etc. Packers and protectors are used not only for malware but also for licensed software.

File Encryption

Possible scenarios and aspects of file encryption are explained below.

Connecting to the control center of an attacker for key exchange. Some versions of ransomware may not perform this step and will use predefined encryption keys. Absence of functionality to exchange keys with attackers is a common case. This means that the attacker never intended to decrypt the files, even after the victim pays the ransom. The Tor network can be used to make it difficult to trace the attacker.

Using symmetric-key encryption. Ransomware can use different encryption keys and encryption algorithms. There are symmetric encryption algorithms and asymmetric ones. When a symmetric-key encryption algorithm is used, the same key (the encryption key) is used both to encrypt and to decrypt files. AES, DES, Blowfish, Twofish and IDEA are symmetric encryption algorithms.

Ransomware using asymmetric-key encryption algorithms is much more dangerous. Asymmetric algorithms use two keys – an encryption key (private) and decryption key (public). RSA and RC4 are asymmetric encryption algorithms.

If the RSA-2048-bit key pair is used, it would require some 300 trillion years to crack the key by using the brute-force method based on the performance of modern supercomputers.

If AES-128 bit is used, it would require some 1 billion billion years (1 × 10^18) to crack the key. This is greater than the age of our universe.

Thus, we can safely say that nowadays there’s no way to crack the key by using brute force and decrypt files encrypted by ransomware. Quantum computers are yet to take a crack at it.

A combination of encryption algorithms is often used (for example, server and client asymmetric encryption + symmetric encryption). The generated encryption key is often itself encrypted to make it difficult to extract. Once file encryption has been completed, the key is usually deleted from memory to make decryption impossible without the key provided by the attacker. Some ransomware versions use their own encryption algorithms that are difficult to research.

Note: During the WannaCry attacks of 2017, security researchers found that the key needed for file decryption could be extracted from the RAM (Random Access Memory) of an infected computer if it was running Windows XP. This was probably a Windows XP bug that had not been fixed and was unknown to the WannaCry creators. The public key is usually stored encrypted, and the unencrypted public key (which is needed to decrypt files) is deleted after encryption. In the case of WannaCry on Windows XP, some conditions had to be met for this recovery to work: the computer must not have been rebooted or powered off after files were encrypted (because RAM contents are lost on power loss), and the public key stored in memory must not have been overwritten by other processes running in the operating system.

WannaCry also had a kill switch that was a hard-coded URL. If this URL was not reachable, the encryption process was started. Security researchers found this issue, registered the needed domain, and created the appropriate URL to defeat WannaCry ransomware attacks worldwide.

Selecting file types to encrypt. Ransomware may be developed to encrypt custom file types (jpg, jpeg, doc, xls, mov, mp4, mpg, avi, and other popular file extensions) or all file types except system files of an operating system (because attackers want ransomware to display a notification message with a demand to pay money on an infected machine). If ransomware targets custom file extensions, it takes less time to finish encryption.

Some types of malware (for example, Petya) encrypt MBR or MFT.

Overwriting all remaining (free) disk space with zeroes or random bits to make undelete recovery impossible.

Blocking network access once file encryption is finished is possible for some versions of ransomware.

Ransomware Recovery

How to detect ransomware? What to do if you get ransomware? In this section, we explain how to perform ransomware recovery when a computer has been already infected.

You have detected suspicious activity on your computer

If you detect suspicious activity on a computer, such as abnormal activity of your disk drives (disks are highly loaded) or changing file names without your interference, file encryption by ransomware may have started. Consider performing the actions listed below in this situation.

  • Check running processes and applications.
  • If you cannot see suspicious processes, running applications or files, it means that ransomware is well-hidden or high disk activity is not caused by ransomware.
  • Power off your computer. Power off other computers in your network.
  • Boot from a live DVD or an SD flash card (set the write-protect switch on the card to the read-only position). Using read-only media helps you avoid infecting the medium with ransomware and other viruses when you plug it into an infected computer.
  • Run anti-virus with an updated anti-virus signature database, and scan all drives.
  • If ransomware is detected by the anti-virus, delete the infected files. Before deleting infected files, you can pack infected files into an archive protected by a password and then send them for analysis and security research.
  • If you have detected that some files have been encrypted, see the next section.

Files are encrypted and the computer is locked

If you see the splash (lock) screen with a notification that files have been encrypted and a demand to pay a ransom, follow these recommendations:

  • Never pay a ransom! If you pay a ransom, you incentivize hackers to launch more ransomware attacks. Paying a ransom reinforces using this type of attack and modifications of this attack in future. There is no guarantee that you will get unencrypted files back after paying. There are a lot of cases when nothing happened after paying money to attackers. Attackers use psychological tricks to make a victim panic and inspire fear. A message that files will be deleted irreversibly is usually displayed with a countdown to rush victims and push them to make mistakes (such as paying a ransom).
  • Unplug all network cables from a computer infected by ransomware. If a computer was connected to Wi-Fi, power off the access point. If multiple computers are infected, do these actions for all infected computers.
  • Take a photo of the monitor with the lock screen displayed. This image may be needed for ransomware identification and searching for a tool to cure an infected computer and recover files.
  • Don’t delete the encrypted files. Maybe you will find the recovery tool later. Create a sector-by-sector image of each disk and store this image on external media. This may be needed for further analysis.
  • If any external drives such as USB HDDs, USB flash drives, flash cards, etc. are connected to the infected computer, don’t connect them to healthy computers. This way you avoid infecting other computers.
  • Prepare a live DVD with an anti-virus that has fresh antivirus databases. An SD flash card can be used instead and must be switched to read-only mode after the bootable image has been written to it. Using read-only media prevents viruses from being written to them and spread further.
  • Boot from the prepared rescue medium; scan all disks to find malware/viruses, and remove them.
  • Once viruses have been removed, connect disks that contain encrypted files to a healthy machine where software to recover deleted files is installed. You can use a Linux machine if you have a Linux version of the appropriate file recovery software. The alternative approach is to use another isolated computer and attach disks with encrypted files to this computer.

You can also prepare a hard disk with working operating system, anti-virus and recovery software. Connect this hard disk to the isolated computer that was infected (after deleting viruses). Boot from this hard disk and launch recovery software to find deleted files by signatures (or select to find all possible files). Some versions of ransomware encrypt a copy of an original file and then delete the original file, leaving only an encrypted file on the disk. If you have a version of ransomware that doesn’t wipe out all free disk space after finishing file encryption, you can restore some lost files by using the recovery software.

  • Try to find decryption tools on the internet. It could be that a version of ransomware that encrypted your files has been researched by security experts, and a remedy has been found for it.
  • Send samples of ransomware, encrypted files and a screenshot of the locked screen to special resources for analysis.
  • If the previous method didn’t help, try to recover lost files from a backup (if you have a backup). Format disk drives of infected computers before starting recovery from a backup to avoid infecting again if some malicious files are left on disks containing encrypted files.
  • Report the ransomware attack to authorities.
  • Whatever the result of data recovery, you have to install all available security patches for operating systems and other software on all machines. Check whether anti-viruses are up to date.
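Once the viruses have been removed and the disks (or the sector-by-sector images made earlier) are attached to a clean machine, the first question is which files were actually encrypted and which are still intact, so that recovery effort and decryption-tool searches go to the right files. The block below is an added example (not from the NAKIVO article): it classifies each file by whether its content still starts with the magic bytes expected for its extension (including the original extension when ransomware has appended its own) and by byte entropy; the magic table, the entropy threshold and the sample files are constructed assumptions.

```python
"""Triage which files on a recovered disk are likely ransomware-encrypted.

Added example, not from the original article. It operates on (path, bytes) pairs
so it runs offline; the MAGIC table, the entropy threshold and SAMPLE_FILES are
constructed assumptions. On a real case, feed it contents read from the image.
"""
import math
from collections import Counter

# Leading bytes expected for common extensions (subset, constructed for the example).
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "pdf": (b"%PDF",),
    "docx": (b"PK\x03\x04",),
    "xlsx": (b"PK\x03\x04",),
    "zip": (b"PK\x03\x04",),
}
ENTROPY_SUSPECT = 7.5   # bits per byte; text and office XML sit well below this
SAMPLE_BYTES = 65536    # only the start of each file is examined


def shannon_entropy(data):
    """Shannon entropy in bits per byte (0.0 for empty input; 8.0 is the maximum)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def header_matches(ext, data):
    """True when data starts with a known magic for ext, or when ext is not in MAGIC."""
    sigs = MAGIC.get(ext)
    return True if sigs is None else any(data.startswith(s) for s in sigs)


def classify_file(path, data):
    """Return 'encrypted', 'intact' or 'unknown' for one file."""
    parts = path.rsplit("/", 1)[-1].lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    # Ransomware often appends its own extension: photo.jpg -> photo.jpg.locked
    inner = parts[-2] if len(parts) > 2 else ""
    ent = shannon_entropy(data[:SAMPLE_BYTES])
    for candidate in (inner, ext):
        if candidate in MAGIC and not header_matches(candidate, data) and ent >= ENTROPY_SUSPECT:
            return "encrypted"
    if ext in MAGIC and header_matches(ext, data):
        return "intact"
    return "unknown"


def triage(files):
    """Map verdict -> sorted paths for an iterable of (path, bytes)."""
    out = {"encrypted": [], "intact": [], "unknown": []}
    for path, data in files:
        out[classify_file(path, data)].append(path)
    return {k: sorted(v) for k, v in out.items()}


# Constructed sample "disk": two intact files, two encrypted ones, one ransom note.
PSEUDO_CIPHERTEXT = bytes(range(256)) * 16   # uniform bytes, entropy exactly 8.0
SAMPLE_FILES = [
    ("/mnt/img/Users/mike/photo1.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 1000),
    ("/mnt/img/Users/mike/report.docx", b"PK\x03\x04" + b"[Content_Types].xml" * 20),
    ("/mnt/img/Users/mike/photo2.jpg.locked", PSEUDO_CIPHERTEXT),
    ("/mnt/img/Users/mike/budget.xlsx", PSEUDO_CIPHERTEXT),   # extension kept, content replaced
    ("/mnt/img/Users/mike/README.txt", b"Your files are encrypted. Pay to recover them.\n"),
]

if __name__ == "__main__":
    for verdict, paths in triage(SAMPLE_FILES).items():
        print(f"{verdict}: {paths}")
```

Files that land in "intact" are the ones worth copying off first; the "encrypted" list is what to hand to decryption-tool searches and analysis services.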

How to Protect Against Ransomware

Now that we’ve covered what ransomware is and how it works, let’s get down to business. So what do you do about it? What’s important now is to understand how to prevent ransomware attacks. Here are some tips and recommendations from system administrators and experts.

  • Don’t open suspicious email messages, their attachments or any links they contain. Email is one of the most common ways ransomware is distributed.
  • Configure filters on email servers to reject suspicious email messages that may be malicious. The surest way to keep users from opening malicious email is to reject it on the email server. Leading SaaS (software as a service) providers such as Google and Microsoft provide email filters for their email services to protect users. You can read more about Exchange Online Protection in our dedicated post.
  • Train users to recognize suspicious messages and make sure they are familiar with social engineering methods. The more skilled users are, the less likely it is that their computers will be infected with ransomware.
  • Don’t provide any personal information to unknown users even if they introduce themselves as partners, bank workers, social agencies, etc. via email, messengers, phone calls, social media or other communication tools.
  • Install antivirus/antimalware software on all computers. Antivirus must always be up to date.
  • Install all available updates and security patches on operating systems and other software installed on all computers.
  • Configure a router and firewall in your network properly. Close unused ports, allow access from trusted networks and IP addresses if possible. You can change standard port numbers to custom port numbers for some protocols (SIP, RDP, SSH etc.). Often attackers scan standard ports to detect which of them are open. Consider configuring a firewall on user computers.
  • If you find a USB flash drive, flash card or other medium near your office or home, don’t rush to plug it into a computer. An attacker can drop an infected flash drive near your home or office to distribute ransomware. Notify users about this threat and tell them that they should report such cases to the system administrator. If you need to check the content on the found device, use an isolated computer, boot Linux and check it. You can use a VMware Workstation VM or VirtualBox VM with disabled networking and attach the medium to the virtual machine (the USB pass-through feature is used in this case).
  • Configure an operating system on each computer to show hidden files, system files and extensions for all file types. Use strong and unique passwords for different accounts.
  • Choose a wired network over Wi-Fi. When using wired networks, physical access is required for connecting to a network. Attackers can crack the password to your wireless network. If you opt for a wireless network, make sure to set a strong password. Keep in mind that attackers can steal a saved password from computers or mobile devices. If any user loses a computer or any other mobile device that was used for connecting to a Wi-Fi network, the user must notify the system administrator. It is highly recommended to change the Wi-Fi password in this case.
  • When on a business trip, try not to connect to public and untrusted Wi-Fi networks.
  • Restrict permissions for users on their work computers if it is possible and doesn’t prevent users from doing their work.
  • Create regular backups of important data. Backups are the most effective protection against ransomware attacks. However, backing up files from internal disk drives to USB drives that stay plugged into the computer is not effective: once the computer is infected, the ransomware encrypts files on all attached disks, including the USB drives. Writing backed-up data to DVD discs, Blu-ray discs or tape is a reliable option because ransomware cannot rewrite data on these types of media. Follow the 3-2-1 backup rule: keep at least three copies of the data, store the copies on two different types of media, and keep at least one copy offsite.
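The email filtering and file-extension advice above can be made concrete with a small attachment policy check. The following is an added example, not code from NAKIVO or from any mail server product: it parses an inbound MIME message with Python's standard `email` module and flags attachments whose names carry an executable extension, a macro-enabled document type, an archive that needs a content scan, a decoy double extension such as `invoice.pdf.exe` (the kind that Windows hides when extensions are not shown), or a right-to-left override character. The extension lists and the sample message are constructed for the example and stand in for whatever policy a given organization applies.

```python
"""Attachment policy check for inbound mail (added example, assumed policy lists)."""
from __future__ import annotations

import email
from email import policy
from email.message import EmailMessage

# Assumed policy: extensions commonly rejected outright on mail servers.
BLOCKED_EXTENSIONS = {"exe", "scr", "js", "jse", "vbs", "vbe", "wsf", "hta",
                      "bat", "cmd", "ps1", "lnk", "iso", "img"}
# Office documents that can carry macros; flagged for extra scrutiny.
MACRO_EXTENSIONS = {"docm", "xlsm", "pptm"}
# Archives can wrap any of the above and need a content scan.
ARCHIVE_EXTENSIONS = {"zip", "rar", "7z"}
# Harmless-looking extensions used as the visible part of a double extension.
DECOY_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}


def classify_filename(name: str) -> list[str]:
    """Return the reasons an attachment name is suspicious (empty list = clean)."""
    reasons: list[str] = []
    if "\u202e" in name:  # right-to-left override reverses the visible name
        reasons.append("right-to-left override character in name")
    parts = name.lower().strip().split(".")
    if len(parts) < 2:
        return reasons
    ext = parts[-1]
    if ext in BLOCKED_EXTENSIONS:
        reasons.append(f"blocked extension .{ext}")
    if ext in MACRO_EXTENSIONS:
        reasons.append(f"macro-enabled document .{ext}")
    if ext in ARCHIVE_EXTENSIONS:
        reasons.append(f"archive .{ext} needs content scan")
    # "invoice.pdf.exe": a decoy document extension in front of a dangerous one.
    if len(parts) >= 3 and parts[-2] in DECOY_EXTENSIONS \
            and ext in BLOCKED_EXTENSIONS | MACRO_EXTENSIONS:
        reasons.append(f"double extension (decoy .{parts[-2]})")
    return reasons


def scan_message(raw: bytes) -> dict[str, list[str]]:
    """Map each suspicious attachment filename in a raw RFC 5322 message to its reasons."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings: dict[str, list[str]] = {}
    for part in msg.iter_attachments():
        name = part.get_filename()
        if not name:
            continue
        reasons = classify_filename(name)
        if reasons:
            findings[name] = reasons
    return findings


def should_reject(raw: bytes) -> bool:
    """Server-side decision: reject the message if any attachment is flagged."""
    return bool(scan_message(raw))


def build_sample_message(include_suspicious: bool = True) -> bytes:
    """Constructed inbound message: one clean PDF and optionally a decoy .exe."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached documents.")
    msg.add_attachment(b"%PDF-1.4 constructed sample", maintype="application",
                       subtype="pdf", filename="report.pdf")
    if include_suspicious:
        msg.add_attachment(b"MZ constructed sample", maintype="application",
                           subtype="octet-stream", filename="invoice.pdf.exe")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reasons in scan_message(build_sample_message()).items():
        print(f"{name}: {', '.join(reasons)}")
    print("reject:", should_reject(build_sample_message()))
```

Running the block prints the flagged attachment and the reject decision for the constructed message. In production the same check would sit in a milter or transport rule in front of the mailbox, and the filename check would be paired with an actual content scan, since a name-based policy alone can be evaded by renaming.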

A backup repository should not be shared with users, so that ransomware cannot encrypt the backups in case of an attack. Consider backing up to the cloud by using services such as Google Drive, Google Cloud Platform, Google Cloud Storage, Amazon S3, Amazon EBS for EC2, Microsoft OneDrive, and others. If cloud object storage is used to store backups, versioning is a useful feature: it lets you restore previous versions of files even if the latest versions have been encrypted by ransomware.
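To show why versioning on the backup repository matters, here is an added example that is not NAKIVO's code and does not talk to any real cloud service: a small append-only repository model in Python that behaves like a versioned object storage bucket (every write creates a new version and nothing is overwritten), plus a Shannon entropy check that finds the newest version whose content does not look encrypted. The sample file contents, the `pseudo_ciphertext` stand-in for an encrypted file and the entropy threshold of 7.0 bits per byte are all constructed for the example.

```python
"""Versioned backup repository model with entropy-based clean-version lookup (added example)."""
from __future__ import annotations

import hashlib
import math
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Version:
    version_id: str
    data: bytes


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: text sits around 4 to 5, encrypted or compressed data near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


class VersionedRepository:
    """Append-only store modelling a versioned bucket.

    put() always adds a version; nothing is overwritten or deleted, so a
    backup client that can write to the repository still cannot destroy
    the copies it wrote earlier.
    """

    def __init__(self) -> None:
        self._objects: dict[str, list[Version]] = {}

    def put(self, key: str, data: bytes) -> str:
        versions = self._objects.setdefault(key, [])
        digest = hashlib.sha256(data).hexdigest()[:12]
        version_id = f"v{len(versions) + 1}-{digest}"
        versions.append(Version(version_id, data))
        return version_id

    def versions(self, key: str) -> list[Version]:
        return list(self._objects.get(key, []))

    def latest(self, key: str) -> Version:
        return self._objects[key][-1]

    def last_clean_version(self, key: str, threshold: float = 7.0) -> Version | None:
        """Newest version whose content does not look encrypted (assumed threshold)."""
        for version in reversed(self._objects.get(key, [])):
            if shannon_entropy(version.data) < threshold:
                return version
        return None

    def restore(self, key: str, version_id: str) -> bytes:
        """Make an older version current again by re-putting it (as a copy-object would)."""
        for version in self._objects.get(key, []):
            if version.version_id == version_id:
                self.put(key, version.data)
                return version.data
        raise KeyError(version_id)


def pseudo_ciphertext(seed: bytes, length: int) -> bytes:
    """Deterministic high-entropy bytes standing in for an encrypted file (constructed)."""
    out = bytearray()
    block = seed
    while len(out) < length:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:length])


def simulate_attack_and_recovery() -> tuple[bytes, bytes]:
    """Back up two good versions, then one that was encrypted on the client, then recover."""
    repo = VersionedRepository()
    key = "finance/report.txt"
    repo.put(key, b"Quarterly report, draft 1.\n" * 40)
    good_id = repo.put(key, b"Quarterly report, final.\n" * 40)
    # The backup job runs again after ransomware has rewritten the file on the client.
    repo.put(key, pseudo_ciphertext(b"constructed seed", 4096))
    clean = repo.last_clean_version(key)
    assert clean is not None and clean.version_id == good_id
    restored = repo.restore(key, clean.version_id)
    return restored, repo.latest(key).data


if __name__ == "__main__":
    restored, current = simulate_attack_and_recovery()
    print("restored bytes:", len(restored), "entropy:", round(shannon_entropy(restored), 2))
    print("latest equals restored:", current == restored)
```

The point the model makes is that the encrypted copy lands in the repository as one more version rather than replacing the good one, so recovery is a matter of locating the last clean version. A real bucket gives the same guarantee only if versioning is enabled and the backup client's credentials cannot delete versions or suspend versioning; those permissions are the equivalent of the "don't share the repository with users" rule above.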

NAKIVO Backup & Replication is a universal data protection solution that can back up VMware VMs, Hyper-V VMs, Amazon EC2 instances, Oracle databases, physical machines running Linux, Windows Server 2016, 2019, and Windows 10.

NAKIVO Backup & Replication can be installed on Linux, Windows Server, supported NAS devices, and can be deployed as a virtual appliance on a VMware ESXi host. The backup destination can be a local directory on a machine running the Transporter of NAKIVO Backup & Replication, an SMB (CIFS) share on a remote host, Amazon S3, tape cartridges (by using tape drives and tape libraries).

NAKIVO Backup & Replication supports incremental backup (forever-incremental backup and incremental backup with periodic fulls) and multiple recovery points. Flexible retention settings and the GFS retention policy let you recover data even when the corruption is noticed some time after it occurred.

NAKIVO Backup & Replication can be installed on Raspberry Pi to build a ransomware-proof backup appliance.

Conclusion

This blog post has explained what ransomware is, how ransomware works, how to protect against it, and how to recover from an attack. Ransomware is the most devastating type of malware nowadays. A ransomware attack can infect multiple computers on a network and irreversibly corrupt terabytes of files. Cybercriminals keep coming up with new and more dangerous versions of ransomware, and attacks are becoming more sophisticated. A set of protection measures must be implemented: proper firewall configuration, installing security patches, educating users, using an up-to-date antivirus, and regular data backup. Regularly backing up data is one of the most effective ways to prevent data loss after a ransomware attack.

