Defensive Computing: Protecting Your Data Against Ransomware

Ransomware is a type of malicious software (malware) that encrypts the data files on a computer. To get the data back, the victim is told to pay a ransom within a given period, typically one to two weeks. If the ransom is not paid in time, the attackers claim to destroy the decryption keys, leaving the data permanently inaccessible.

The most infamous ransomware family is Cryptowall, and its latest variant is particularly pernicious. The encryption, already strong enough that the files cannot be recovered without the attacker's key, has been hardened further, and attackers now have powerful new ways to deliver the malware and extort a ransom for the decryption keys. Worst of all, ransomware is now sold as a service: a simple package that lets criminals with no technical skill run their own campaigns and profit from them. This article from Ars Technica has the details:

Researchers uncover JavaScript-based ransomware-as-service

What can be done to protect against ransomware?

Step 1: Do not open suspicious email!

By far the most common route of ransomware infection is an infected email attachment. The best defense is making sure every user on the network understands the risk and exercises good judgment: always use caution when opening an attachment, and whenever there is any doubt about an email or its attachment, check with the sender (by phone or a separate message, not by replying to the suspicious email) before opening it. Good antivirus software is highly recommended; it can detect many ransomware samples, but it is not 100% reliable and must not be the only line of defense.

Step 2: Turn off computers if an infection is suspected.

Ransomware does not stop at the data files on the infected computer: it goes after every file it can reach in networked folders, on USB hard drives and on flash drives. If you suspect a computer is infected, disconnect it from the network immediately (unplug the cable, turn off Wi-Fi) and power it off; this stops further encryption of local files and of files on networked or attached devices. Be aware that powering off also wipes the computer's memory, which an incident responder may want to capture first, since it can hold evidence of the running malware and in some cases the encryption key; if such help is available, disconnect the machine from the network and leave it running for them. It is best to shut down all computers and NAS devices on the network until each one can be isolated, checked and, if necessary, cleaned before being reconnected.

Step 3: Backup, backup, backup!

When ransomware infects a machine, it runs silently in the background, encrypting files one by one and overwriting the originals. That overwriting is what defeats many backups: a backup system that simply mirrors the current state of each file will copy the encrypted version over the good one, so the backup becomes just as useless as the primary files. Many ransomware families also delete local shadow copies and any backup files they can reach.

Data should be backed up regularly and frequently. Backups should go to a machine or medium that the source machine cannot write to: offline media that is disconnected after each run, or a backup server that pulls from the workstation and never exposes its store as a writable share (a mapped backup drive is just another folder for ransomware to encrypt). Backups should be versioned, with enough retention that a clean copy of each file still exists when the infection is discovered, and they should be tested by actually restoring files.

A note about sharing services like Dropbox, OneDrive and Box: these services are great for collaboration and easy file sharing. They work by propagating the latest version of a file to every machine subscribed to it, so a file ruined by ransomware on one machine is pushed to all the others, and in the end everyone gets the ruined copy. Some of these services keep earlier versions for a limited time, which can help, but they are not a substitute for a proper backup.
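As an added example (not code from the original article or from any backup product), the following Python script shows what "versioned" means in practice and why it beats a mirror or a sync folder: each run copies the source tree into a new, dated snapshot directory that is never overwritten; a mass-change check compares the newest snapshot with the one before it and, if nearly every file changed (the signature of an encryption run rather than a day's work), holds retention so older snapshots are not pruned; and a restore pulls a clean file from a pre-infection snapshot. A sync service behaves like the mirror: it keeps only the latest version, which after an attack is the encrypted one. The demo scenario, file names, dates and the 50% alarm threshold are constructed for illustration; in a real deployment the script runs on the backup host, pulling from the workstation, so the workstation has no write access to the snapshot store.

```python
"""Versioned, pull-style backups with a mass-change alarm.

Added example, not code from the original article. The snapshot layout
(one directory per run) and the alarm threshold are illustrative choices;
real tools (restic, Borg, ZFS snapshots, Time Machine) apply the same ideas.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path


def _file_hashes(root: Path) -> dict:
    """Map relative path -> SHA-256 of contents for every file under root."""
    hashes = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            hashes[str(p.relative_to(root))] = hashlib.sha256(p.read_bytes()).hexdigest()
    return hashes


def snapshot(source: Path, repo: Path, label: str) -> Path:
    """Copy the whole source tree into repo/<label>/. A snapshot is never
    overwritten, so a later (possibly encrypted) run cannot clobber it."""
    dest = repo / label
    if dest.exists():
        raise FileExistsError(f"snapshot {label} already exists; snapshots are immutable")
    shutil.copytree(source, dest)
    return dest


def changed_fraction(old: Path, new: Path) -> float:
    """Fraction of files that differ (changed, added or removed) between two
    snapshots. Normal work changes a few percent; ransomware rewrites nearly
    everything, so a value close to 1.0 is a strong signal."""
    a, b = _file_hashes(old), _file_hashes(new)
    paths = set(a) | set(b)
    if not paths:
        return 0.0
    differing = sum(1 for p in paths if a.get(p) != b.get(p))
    return differing / len(paths)


def prune(repo: Path, keep: int, alarm_threshold: float = 0.5) -> list:
    """Delete the oldest snapshots beyond `keep`, unless the newest snapshot
    shows a mass change; then refuse, because the older snapshots may be the
    only clean copies left. Returns the labels actually deleted."""
    labels = sorted(p.name for p in repo.iterdir() if p.is_dir())
    if len(labels) >= 2 and changed_fraction(repo / labels[-2], repo / labels[-1]) >= alarm_threshold:
        return []  # mass change detected: hold all retention until a human looks
    doomed = labels[:-keep] if keep < len(labels) else []
    for label in doomed:
        shutil.rmtree(repo / label)
    return doomed


def restore(repo: Path, label: str, relpath: str) -> bytes:
    """Read one file back from a named snapshot."""
    return (repo / label / relpath).read_bytes()


def demo() -> dict:
    """Constructed scenario: three nightly snapshots, the third taken after
    a simulated ransomware run that overwrote every file with junk."""
    work = Path(tempfile.mkdtemp())
    src, repo = work / "docs", work / "backups"
    src.mkdir()
    for i in range(20):
        (src / f"report{i}.txt").write_text(f"quarterly figures {i}\n")

    snapshot(src, repo, "2016-01-10")
    (src / "report3.txt").write_text("quarterly figures 3, revised\n")  # an ordinary edit
    snapshot(src, repo, "2016-01-11")
    normal = changed_fraction(repo / "2016-01-10", repo / "2016-01-11")

    for p in src.iterdir():  # simulated ransomware: every file replaced in place
        p.write_bytes(hashlib.sha256(p.name.encode()).digest() * 4)
    snapshot(src, repo, "2016-01-12")
    after_attack = changed_fraction(repo / "2016-01-11", repo / "2016-01-12")

    deleted = prune(repo, keep=1)  # without the alarm this would leave only the bad snapshot
    recovered = restore(repo, "2016-01-11", "report3.txt")
    shutil.rmtree(work)
    return {
        "normal_change": normal,
        "attack_change": after_attack,
        "pruned": deleted,
        "recovered": recovered.decode(),
    }


if __name__ == "__main__":
    print(demo())
```

Running the script prints a normal day's change fraction of 0.05, a post-attack fraction of 1.0, an empty prune list (retention was held) and the clean contents of report3.txt recovered from the day-before snapshot. The threshold is deliberately crude; production backup software refines the same idea with per-file entropy checks and known ransomware extensions, but the principle that old snapshots must survive a suspicious run is the part that matters.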

Backing up is easy! For further information, see: Backups Made Easy.