What is Ransomware?
Ransomware Definition

Ransomware is a type of malicious software (malware) that prevents access to your device, or encrypts your data and threatens to expose it, until a ransom is paid. Ransomware allows hackers to commit cyber blackmail and is currently one of the most damaging forms of malware around. Ransomware delivery methods are constantly evolving and spreading rapidly all over the world.

The difference between phishing and ransomware is clear. Phishing uses deception to extract sensitive and personal information, while the purpose of ransomware is to extract money from a victim by denying access to their computers and devices. What is even more troubling is that an organization will fall victim to a ransomware attack every 11 seconds.

How Ransomware Works

Ransomware is commonly delivered through social engineering, in which cybercriminals lure unsuspecting victims into downloading malicious files.
Once the user clicks on the malicious link, they have unknowingly introduced the malware into their computer system. That is how ransomware works.

How Do Ransomware Attacks Happen?

Ransomware attacks occur once a malicious file has been downloaded and run. Once a system has been infected, personal information such as passwords and credit card details can become easily accessible to entrepreneurial cybercriminals. By the way, a stolen credit card can be purchased for as little as $1 on the black market.

How Does Ransomware Spread?

Malware spreads through spam emails, fake software updates, and misleading links, as well as by exploiting vulnerabilities in web browsers and common software. Certain ransomware can spread through a network of computers, causing serious financial consequences.

History of Ransomware Attacks

AIDS Trojan & Cyborg Virus (1989)

The origin of ransomware lies close to the dawn of the internet, as it has been around since the 1980s. The world became aware of ransomware via the AIDS Trojan, the PC Cyborg Virus, which spread onto computers through floppy disks. Back then, those whose systems were infected had to pay a $189 ransom fee (very cheap compared to today's fees, which reached a jaw-dropping $570,000 as of 2021).

Trojan Crysis (2005)

In 2005, black hat hackers from Russia made the first ransomware detected as Trojan Crysis. This parasite zipped and password-protected the victim's personal documents. The victim would become aware of this ransomware when they found a ransom note on their desktop.

Reveton (2012)

In 2012, ransomware spread across the continents of Europe and North America. It posed as law enforcement alerts which accused victims of piracy, terrorism, and child pornography. These victims were asked to pay a $200 "fine" or otherwise face criminal charges.
CryptoLocker (2013)

In 2013, hackers who specialized in ransomware were extracting over $3 million per year from the victims they targeted. In September 2013, CryptoLocker was released: a new form of malware that encrypts the victim's photographs, personal documents, and other personal files with a uniquely generated secret key. Victims had to pay the ransom to gain access to the secret key.

CryptoWall (2015)

On January 10th, 2015, the FBI warned the public that ransomware was spreading fast, and that a new variant called CryptoWall was encrypting victims' files and demanding $200-$5,000 in Bitcoin to restore them.

Jigsaw, Petya and Mischa (2016)

In 2016, over $15 million was extorted from targeted victims. Infamous ransomware attacks of that year included Jigsaw, Petya and Mischa.

Ryuk (2020)

On September 28th, 2020, Universal Health Services' computer systems were attacked with Ryuk ransomware, which entered their systems via phishing emails and cost them over $67 million in damages.

Ryuk, SamSam, and Cerber (2021)

Ransomware attacks reached 304.7 million cases worldwide during 2021, an increase of 93% year over year. Of these attacks, those that stood out were Ryuk, SamSam, and Cerber, and the top 5 countries most affected were the United States, Germany, the UK, Brazil, and South Africa. The US state hit hardest was Florida with 111.1 million attacks.

Ransomware Facts and Figures

Ransomware Statistics

Malicious emails are on the rise: they have increased by 600% due to COVID-19. The typical ransom fee has increased by $195,000, from $5,000 (2018) to $200,000 (2020). Cybercrime experts predict that ransomware attacks will happen every 11 seconds in 2021. 65% of employers give their employees access to company apps from unmanaged, personal devices.
That is why cloud security is so important, especially since working from home and remote work became the norm. 29% of respondents admitted their businesses were forced to dismiss employees after being attacked by ransomware.

Malvertising Statistics

- The biggest surges in malvertising attacks are around holidays such as Labor Day and the 4th of July.
- More SSPs (Supply Side Platforms) dominate threats on desktop as opposed to mobile.
- The biggest attack vectors are redirects or clickjacking.
- Client-side injections occur more on desktops than on mobile devices.
- Attack types vary vastly between desktop and mobile web.

Mobile Ransomware Statistics

- More than 4.2 million U.S. mobile users have fallen victim to ransomware attacks.
- Almost 1 million Android mobile phones were attacked by ScarePackage ransomware in the space of a single month.
- Less than 20% of malware is delivered through a browser.
- McAfee's sample database has over 4,000 mobile threat variants and families.
- In 2018, 60,176 ransomware Trojans for mobile devices were picked up by 80,638 users spread over 150 countries.

Ransomware Legal Issues

Certain legal issues accompany ransomware:

- Payment does not always guarantee full data recovery.
- Cyber-insurance coverage can be complicated.
- Double extortion is occurring: not only do you pay a ransom for locked data, but you are often threatened with online "shaming" as well.
- In certain instances, it is unlawful to pay the ransom (especially with respect to OFAC's (Office of Foreign Assets Control) Specially Designated Nationals (SDN) and Blocked Persons List).
- American law enforcement is joining forces with other bodies and sharing information to capture cybercriminals.
- Federal agencies and government contractors may need to share threat intelligence and inform CISA (the Cybersecurity and Infrastructure Security Agency) of any data breaches. This is due to the Executive Order released by the Biden Administration on the 12th of May, 2021.
- There is increasing guidance on ransomware attacks from the U.S. Secret Service, the R-SAT (Ransomware Self-Assessment Tool), and other authoritative bodies in the field of cybercrime.

What To Do If You Get a Ransomware Email

How to Stop Ransomware Emails

The best way to prevent ransomware from attacking your device and PC is not to click on unfamiliar links or open attachments delivered by a suspicious email. Be aware of "ransomware warning" emails that promise protection from an attack but are actually malware in disguise.

Ransomware Email Examples

Here are several ransomware email examples that should raise red flags:

- The sender's address looks odd or out of place.
- The email promises monetary rewards.
- You are required to verify personal account details.
- The email includes fake financial attachments in the form of documents.
- The email "appears" to be sent from one of your colleagues.
- The email requires confirmation of payment.

All of the above emails contain links and/or attachments that, once clicked, will download ransomware onto your device.
List of Known Ransomware File Extensions

The following is a list of common ransomware file extensions:

Extension | File Type Description
--- | ---
.cryptolocker | CryptoLocker encrypted file
.thor | Locky ransomware affected file
.aaa | TeslaCrypt 3.0 ransomware encrypted data
.RMCM1 | Merry X-Mas ransomware affected file
.crypte | Jigsaw (variant) ransomware affected file
.covid19 | Phishing/ransomware file
.SecureCrypted | Apocalypse ransomware affected file
.edgel | EdgeLocker ransomware affected file
.info | PizzaCrypts ransomware affected data
.braincrypt | Braincrypt ransomware affected file
.alcatraz | Alcatraz Locker ransomware affected file
.fun | Jigsaw ransomware affected file
.encrypted | Donald Trump ransomware affected file
.stn | Satan ransomware affected file
.lesli | CryptoMix ransomware affected file
.venusf | Venus Locker ransomware affected file
.mp3 | TeslaCrypt 3.0 ransomware encrypted data
.potato | Potato ransomware affected file
.windows10 | Shade ransomware affected data
.angelamerkel | Angela Merkel ransomware affected file

Does Ransomware Infect External Drives?

Ransomware can infect external drives. That is why it is so important to disconnect all drives if you see any signs of ransomware on your device. If you have ransomware, formatting the hard drives and performing a clean install removes it.

What Process Does a Ransomware Perform on a User's System?

Once ransomware is downloaded onto the user's system, the malware encrypts the user's files. The user then receives a note from the attacker demanding a ransom to regain access to their data. The victims are given instructions on how to pay in order to retrieve the decryption key.
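As an added example that is not from the original article, the following PowerShell triage script turns the extension table above and the description of what ransomware does to a system into a first damage-analysis pass: it walks the given paths, flags files carrying the listed extensions or the Evil Locker ransom-note name given later on this page, and groups the hits by file owner and earliest write time, which is the starting point for the damage analysis and Patient Zero steps in the response section. It assumes an elevated PowerShell 5.1 or later session on a Windows host you are authorized to examine; the paths in the usage lines are placeholders.

```powershell
# Added example, not part of the original article. Extensions come from the table above
# (lower-case, no leading dot); "!_HOW_RECOVERY_FILES_!.txt" is the Evil Locker note named on this page.
$KnownRansomwareExtensions = @(
    'cryptolocker', 'thor', 'aaa', 'rmcm1', 'crypte', 'covid19', 'securecrypted',
    'edgel', 'info', 'braincrypt', 'alcatraz', 'fun', 'encrypted', 'stn', 'lesli',
    'venusf', 'mp3', 'potato', 'windows10', 'angelamerkel'
)
# These also occur as ordinary file types, so they only count when appended to a name that
# already had an extension (e.g. "report.docx.mp3"), which is how those families rename files.
$AmbiguousExtensions = @('aaa', 'info', 'fun', 'encrypted', 'mp3')
$RansomNoteNames     = @('!_how_recovery_files_!.txt')

function Test-RansomwareArtifact {
    # Returns a short reason string when the file looks like a ransomware artifact, otherwise $null.
    param([Parameter(Mandatory)][System.IO.FileInfo]$File)
    $name = $File.Name.ToLowerInvariant()
    $ext  = $File.Extension.TrimStart('.').ToLowerInvariant()
    if ($RansomNoteNames -contains $name) { return 'ransom note' }
    # Evil Locker renames files to "<name>.[<contact address>].EVIL".
    if ($ext -eq 'evil' -and $File.BaseName -match '\.\[.+\]$') { return 'Evil Locker rename' }
    if ($KnownRansomwareExtensions -notcontains $ext) { return $null }
    if ($AmbiguousExtensions -contains $ext) {
        # BaseName of "report.docx.mp3" is "report.docx"; a plain "song.mp3" has no inner extension.
        if ([System.IO.Path]::GetExtension($File.BaseName)) { return "appended .$ext" }
        return $null
    }
    return "known extension .$ext"
}

function Find-RansomwareArtifacts {
    # Scans the given paths and returns one object per suspicious file.
    [CmdletBinding()]
    param([Parameter(Mandatory)][string[]]$Paths)
    foreach ($path in $Paths) {
        Get-ChildItem -LiteralPath $path -File -Recurse -Force -ErrorAction SilentlyContinue |
            ForEach-Object {
                $reason = Test-RansomwareArtifact -File $_
                if ($reason) {
                    # The owner of a freshly written encrypted file is usually the account that ran the malware.
                    $owner = 'unknown'
                    try { $owner = (Get-Acl -LiteralPath $_.FullName -ErrorAction Stop).Owner } catch { }
                    [pscustomobject]@{
                        Path          = $_.FullName
                        Reason        = $reason
                        Owner         = $owner
                        LastWriteTime = $_.LastWriteTime
                    }
                }
            }
    }
}

function Get-PatientZeroCandidates {
    # Groups the hits by owner: the account with the earliest write time is the first place to look
    # for Patient Zero, and the per-owner counts size the damage.
    param([Parameter(ValueFromPipeline)][object[]]$Hits)
    begin { $all = @() }
    process { $all += $Hits }
    end {
        $all | Group-Object Owner | ForEach-Object {
            $sorted = @($_.Group | Sort-Object LastWriteTime)
            [pscustomobject]@{
                Owner     = $_.Name
                Hits      = $_.Count
                FirstSeen = $sorted[0].LastWriteTime
                LastSeen  = $sorted[-1].LastWriteTime
                Example   = $sorted[0].Path
            }
        } | Sort-Object FirstSeen
    }
}

# Usage (placeholder paths): scan two shares and list the earliest-touched owners first.
# Find-RansomwareArtifacts -Paths 'D:\Shares\Finance', '\\fileserver\Users' |
#     Get-PatientZeroCandidates | Format-Table -AutoSize
```

Run it against a read-only copy or a share snapshot where possible, since walking a live share with Get-Acl on every hit is slow and touches access times.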
Ransomware Examples

Example of a Ransomware Attack

CryptoLocker is one of the types of ransomware discussed below. It encrypts the victim's files and demands payment in order to unlock them. The following describes many different ransomware examples.

AIDS Trojan

The AIDS Trojan is thought to be the first ransomware, introduced in 1989 via floppy disk and created by Dr. Joseph Popp, a biologist who studied at Harvard. This ransomware hid directories and encrypted all the file names on the C drive (C:) after the boot count reached 90. The victim would be sent a note asking them to renew their license by sending $189 to a P.O. Box in Panama.

WannaCry Ransomware

WannaCry ransomware encrypts data on an infected device, tells the user that their files are locked, and displays the information the user needs: the amount to be paid in Bitcoin and the date by which payment must be made.

The WannaCry Ransom Note

As the image above shows, the WannaCry ransom note indicates what has happened to your computer, when payment must occur (and the fact that the ransom is doubled if not paid in time), how to pay, the time left to pay, and the time when the price will be raised.

How Does WannaCry Encrypt Files?

Once WannaCry is loaded on your computer, it extracts its components from a ZIP archive, and the extracted components then begin encrypting data.

How to Fix WannaCry, Clean WannaCry & Decrypt WannaCry Encrypted Files

There is a decryptor called Wanakiwi, made specifically for WannaCry, WannaCrypt, and WCrypt, that works on the following operating systems: Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows Server 2008 R2, and Windows 7. However, it only works if the infected system has not been restarted and the ransomware process has not been killed.
WannaCry Ransomware Symptoms

- You cannot open files stored on your PC.
- Files suddenly have different extensions.
- A ransom note appears.
- Payment of the ransom in Bitcoin is demanded.

WannaCry Ransomware and Windows 10

Microsoft released a patch for the Server Message Block (SMB) vulnerability exploited by WannaCry before this specific ransomware attack began. Unpatched Windows 10 systems remained vulnerable; however, the automatic update feature integrated into the operating system meant that most Windows 10 systems were safe as of May 2017.

CryptoLocker

Where Does CryptoLocker Come From?

CryptoLocker first appeared in September 2013 and kept attacking until May of the following year. This particular type of ransomware tricked its victims into downloading malicious attachments sent through emails. Once opened, these Trojan horse attachments would release the hidden malware.

How Does CryptoLocker Spread?

CryptoLocker cannot duplicate itself, so in order to spread, the hackers using it relied on the Gameover Zeus botnet instead. This was an entire network of malware-infected computers controlled remotely by the botnet's operator, without the consent or knowledge of their owners.

CryptoLocker Infection Statistics

- By December 2013, the hackers behind CryptoLocker had been paid around $27 million.
- 41% of victims paid the ransom.
- Globally, the population hit hardest by CryptoLocker was the United States at an infection rate of 70.2%, followed by Great Britain at 5.5%, India at 2.6%, Thailand at 2.2%, Peru at 2.2%, Canada at 2.1%, the Philippines at 2.0%, Indonesia at 1.3%, Iran at 1.0%, and Ecuador at 0.8%.

How to Stop CryptoLocker Ransomware

- Don't open suspicious emails and attachments, or click on unknown links.
- Run Windows updates.
- Only install software from sources you trust.
- Use anti-malware software to scan your computer.
- Make backups continually.

How to Find and Detect CryptoLocker on a Network

If you identify CryptoLocker and need to remove it, all you need to do is use an anti-malware and/or antivirus program that will delete it from your device. However, you will still not be able to access your encrypted files. To remove CryptoLocker encryption, there is a free decryptor online that decrypts CryptoLocker file types; however, it does not work on all CryptoLocker variants.

The Best Ways to Stop CryptoLocker from Encrypting

- Use a cloud cybersecurity tool with a secured VPN so you do not become a target on public networks.
- Back up all data.
- Don't download attachments from unknown senders.
- Never click on suspicious or unknown links.
- Only download programs, content, and apps from verified sources.
- Constantly update the software for your OS.
- Don't share too much personal information online.

BlackMamba Ransomware

BlackMamba ransomware is a crypto virus that encrypts banking data, videos, backups, audio files, and additional personal user files. For Mamba ransomware removal, it is best to use anti-malware software.

Locky Spyware

Locky spyware was released in 2016 in the form of an email posing as an invoice requiring payment. It came with an attached MS Word document containing malicious macros. The document displays the phrase "Enable macro if data encoding is incorrect"; if the user enables macros, the encryption Trojan is downloaded and encrypts all files in its path that match specific extensions.

Petya

Petya ransomware came out in 2016 and belongs to a family of encrypting malware. It targets MS Windows-based systems: it infects the master boot record, encrypts the file system table of the hard drive, and stops Windows from booting. It demands that the victim pay an amount in Bitcoin in order to regain access to their OS.
This particular ransomware infected millions of devices during 2016, and variants were discovered for years afterwards.

Ryuk

Ryuk is an extremely sophisticated type of ransomware, almost exclusively distributed via the malware known as TrickBot. It was first seen in the wild in 2018 and targets big, public-entity MS Windows systems. It encrypts information and data, making it inaccessible to the user, whose only choice is to pay a ransom via untraceable Bitcoin, typically between 15 and 50 Bitcoins depending on the attack.

Filecoder Ryuk

Also referred to as Win32/Filecoder.Ryuk.L, the Ryuk ransomware is known by many other names in antivirus products such as K7AntiVirus and MicroWorld-eScan. Ryuk is a strong threat because it is able to infect systems through many attack vectors.

Evil Locker

Once the Evil Locker virus enters the system, it encrypts most of the stored files and appends the ".[[email protected]].EVIL" extension to their names. Once it has encrypted the data, it creates a text file ("!_HOW_RECOVERY_FILES_!.txt") and places a copy in every folder on the system. The text file states that the data has been encrypted and that a specific decryption tool is required to restore it. Users who have fallen prey to the attack must contact the developers behind Evil Locker via the email address provided in order to receive the decryption key after payment (between $500 and $1,500) has been made. A few helpful Evil Locker removal tips: isolate the infected device, identify the ransomware, search for ransomware decryption tools, restore files with data recovery tools, and create data backups.

GandCrab (2018)

GandCrab first appeared at the end of January 2018 as part of a RaaS (Ransomware-as-a-Service) operation and became the most popular ransomware of the year. There are currently 5 versions of this particular ransomware, which was the first of its kind to demand payment in DASH cryptocurrency, using the ".bit" top-level domain (TLD).
Version 4.2.1 gave a link to the GandCrab source code.

SamSam (2016)

SamSam appeared in 2016 and targeted JBoss servers, exploiting vulnerabilities on weakly secured servers. This ransomware attacks desktops remotely by guessing weak passwords. It has caused in excess of $30 million in damages, attacking the healthcare and government sectors and breaching Atlanta's infrastructure security, among other targets.

Bad Rabbit (2017)

Bad Rabbit ransomware, or the Bad Rabbit virus, appeared in 2017. It was similar to Petya and WannaCry in that it encrypted the user's file tables and demanded a ransom in Bitcoin to decrypt them. The attacks gave victims up to 40 hours to pay the initial ransom fee before the price went up. Bad Rabbit spread and infiltrated systems through a fake Adobe Flash software update, and infected several major Russian media outlets as well.

TeslaCrypt (2015)

TeslaCrypt appeared in 2015 as Trojan ransomware. Originally, it targeted game-play data for certain PC games; additional variants affected other file types. It infected PCs through the Angler exploit kit's Adobe Flash exploit. It attacked the file extensions of very popular games such as World of Tanks, Minecraft, Call of Duty, and World of Warcraft. Newer variants encrypted PDF, JPEG, Word, and other files. The ransom was $500 in Bitcoin.

FBI Ransomware – How It Works

FBI ransomware, or FBI MoneyPak Ransomware, also known as Reveton ransomware, is fake "FBI" ransomware that locks a PC or mobile device. It then shows the victim an FBI-branded warning stating that "illegal activities" have occurred on the device and that the device has been locked as a result. It demands a ransom through GreenDot MoneyPak cards in exchange for the device's release.
FBI Ransomware iPhone

The FBI MoneyPak virus is one of the most common forms of malware and ransomware found on iPads and iPhones today, with people complaining that the "FBI locked my cell phone." It can lock the device entirely or even block internet access. The following explains how to get the fake FBI virus off phones and other devices.

How to Remove FBI Ransomware Virus

The following are ways to remove the virus from your iPhone and iPad:

- Delete any trace of the malware from Safari.
- Uninstall the app that brought in the virus.
- Restore the device to factory settings.

The following covers FBI scareware removal from your Android device:

- Restart in Safe Mode.
- Uninstall the malicious application.
- Delete the virus using antivirus software for Android.

The following covers FBI ransomware removal from your PC:

- Reboot in Safe Mode.
- Back up files and save them to a cloud service.
- Use anti-malware or FBI data recovery software.

What is Crypto Malware?

Crypto malware is a specific malicious crypto virus that locks down and takes full control of your PC or device, denying any access as a result. Crypto ransomware typically displays a message stating that a payment in cryptocurrency (such as Bitcoin, Litecoin, Ethereum, etc.) must be made in order to regain access to your PC or device.

Bitcoin Ransomware

Ransomware has become much more accessible to hackers deploying crypto malware tactics, as Bitcoin payments are mainly (but not entirely) anonymous and untraceable. Many popular ransomware families have demanded payment in Bitcoin, such as the Bitcoin ransomware attack seen in WannaCry.

CryptoWall Ransomware – What Does CryptoWall Do?

CryptoWall is crypto ransomware that uses a vulnerability in Java to get into the user's OS. Malvertisements carrying prominent and notable names such as Disney, The Guardian, and Facebook lead victims to infected sites, which infect the machine and encrypt its hard drives.
Files encrypted by CryptoWall require payment for release.

How Do You Get Ransomware?

Ransomware arrives via phishing emails containing malicious attachments, or via drive-by downloads, which occur when you visit an infected website and malware is downloaded without your knowledge. Crypto ransomware has been known to spread via social media, web-based IM apps, and vulnerable web servers. Ransomware also infiltrates devices through malvertising.

Signs of a Ransomware Attack

When you are under a ransomware attack, your device will show a ransom message demanding payment, often in cryptocurrency such as Bitcoin. The following are signs of an attack:

- Lateral phishing emails
- Illegitimate network scanners
- Attempts to corrupt backups or disable security software
- Encryption of a small number of devices
- Indications of common hacker tools
- Suspiciously repeated login activity
- Spam and phishing emails
- Signs of test attacks
- Attempts to disable Active Directory and domain controllers

How to Recover Files Attacked by Ransomware

Ransomware holds a user's files for ransom by encrypting them, but these ransomware-locked files can be restored.

How to Remove Ransomware Virus and Restore the Files

First and foremost, should there be any signs of ransomware, you must disconnect from the internet, use your anti-malware to identify which virus you have, and use a ransomware removal tool to decrypt and restore all files. If the screen is locked, start the PC in safe mode, which may allow access to the anti-malware on your system to combat the ransomware.

How to Prevent Ransomware Attacks

It is important to take precautions against ransomware and ensure attack protection. It is vital to back up your data and have anti-malware software in place. Keep your data out of the hands of malicious actors with a secure cloud backup service that uses high-end encryption and technology.
Make sure your OS and apps are all up to date.

How to Protect Against Ransomware Windows 10 Attacks

Windows 10 contains built-in Microsoft ransomware protection, which is why downloading Windows 10 updates is so important. On your Windows 10 device, open the Windows Security app, then select Virus & threat protection. Under Ransomware protection, select Manage ransomware protection. If Controlled folder access is turned off, turn it on. Then select Protected folders; to add a folder, select "+ Add a protected folder", and to remove a folder, select it and click Remove.

How to Respond to a Ransomware Attack

If you suspect you have been targeted in a ransomware attack, there are steps you need to take:

Response 1 – Disconnect the Infected Device Immediately

The infected device needs to be removed from the network immediately. The moment you spot ransomware, disconnect your PC from the network, other devices, and the internet as fast as you can. This is the first step to take when under attack.

Response 2 – Stop It from Spreading

Ransomware moves quickly. In the blink of an eye, your entire estate of networks and devices can be compromised. Disconnect any and every device acting suspiciously from the network, including those that operate off-premises. Switch off all wireless connections, such as Wi-Fi and Bluetooth, as well.

Response 3 – Analyze All Damages

Create a list of all affected systems:

- Laptops
- Smartphones
- Network storage devices
- External hard drive storage (USB thumb drives included)
- Cloud storage

Look for recently encrypted files with odd extensions, as well as reports of strange file names or users struggling to open files. All devices not yet encrypted must be isolated and switched off so that any damage and loss can be contained. Shares also need to be locked.
All must be restricted, as this will stop any continuing encryption processes and prevent the infection of additional shares. By doing all of this, you can better analyze which device or PC has the most open files (more than usual) and find your Patient Zero.

Response 4 – Find Patient Zero

This answers the question of what the source of the ransomware infection is: your Patient Zero. Look for alerts sent by your anti-malware or antivirus, EDR (Endpoint Detection and Response), and any other monitoring platforms. Ransomware creeps into your system mainly through end-user actions such as opening malicious attachments and email links. Therefore, it is important to ask users whether they have opened any suspicious emails or noticed anything odd on their systems. It also helps to look at the encrypted files' properties, as the listed owner can often give a clue as to where the entry point resides. However, ransomware is sophisticated, and there can be multiple Patient Zeros.

Response 5 – Know What Ransomware You're Dealing With

Ransomware is extremely sophisticated. There are many families of ransomware variants, and new variants are being discovered all the time. If you are not sure which one you have, head over to No More Ransom, which offers tools that can help free your data. This site also includes a tool called Crypto Sheriff, which lets you upload an encrypted file that it then scans in order to locate a match. Once you have pinpointed the ransomware and researched its behavior, you need to spread the news to all colleagues, so they know what to look out for.

Response 6 – Don't Let the Attackers Get Away

Besides the financial incentives that hackers gain from their malicious ventures, they also feel a great sense of power over their victims. Their victims' lives are often at a standstill until they pay up.
For these two main reasons, it is especially important to contact law enforcement once the ransomware has been contained. Firstly, ransomware is completely illegal; secondly, law enforcement has access to tools that ordinary citizens do not have, as well as to authoritative legal bodies. By partnering with international law enforcement, stolen and encrypted data can be found, and the hackers can be caught and punished. There are sometimes compliance implications as well: under GDPR, the ICO (Information Commissioner's Office) must be notified within a period of 3 days (72 hours) if a breach involving European citizens' data has occurred, or you could be heavily fined.

Response 7 – Use Your Backups

As a practical and immediate response to an attack, recovery needs to be carried out from backups. Start the process of restoring your systems directly from your backups, which hopefully have not been infected at all. You then need to use the best anti-malware tool available to make sure all infected systems are wiped clean of ransomware. If this vital step is skipped, your backup may be corrupted. The moment the malware has been wiped off, your systems can be restored from your backups, and once the restoration of data and apps has been confirmed, business can continue as usual. Backups are vitally important to all organizations, as they are responsible for handling sensitive data such as medical records, which can be sold for as much as $1,000 on the black market.

Response 8 – Look at Your Decryption Options

In the event that you have not backed up your data, you might still be able to retrieve it using the decryption keys freely available at No More Ransom. Before using one, wipe all traces of malware off your system, then use the decryption key to unlock your data. Even with a decryptor, a fair amount of time can pass before you regain full access to your system.
Response 9 – Start from Scratch

Unfortunately, if you cannot locate a decryption key and have no backups, you may need to start from scratch. Always make sure your team stays connected through a secure Cloud VPN, so that sensitive data in transit is encrypted and appears as scrambled gibberish to any would-be threat agent.

Ransomware Payment – Should You Do It?

Some countries have laws that forbid paying a ransom, because payment funds criminal activity and continues the vicious cycle in which hackers demand a ransomware fee, as we learned from the Kaseya attack in July 2021. Bottom line: do not pay the ransom, and keep your data secured. It literally pays to have a backup plan in place.

The Future of Ransomware – New Ransomware Groups Appearing Each Day

New ransomware threats are growing by the day. In fact, attacks have increased by 62% since 2019, and groups looking to capitalize on them, including the Russia-based REvil/Sodinokibi, are cashing in big time.

Who is Behind Sodinokibi?

The masterminds behind Sodinokibi ransomware are believed to be affiliated with the hackers behind GandCrab ransomware.

BlackMatter and Haron

The latest ransomware attacks come from BlackMatter and Haron, two new ransomware groups. The Haron malware was first described by the South Korean security firm S2W Lab just a few months ago. BlackMatter is focusing on large-scale organizations but has, ironically, published a list of targets it considers off-limits: the defense industry, hospitals, non-profits, critical infrastructure (such as power plants and water treatment facilities), the oil and gas industry, and the government sector.

How Using Perimeter 81's Zero Trust Framework Can Prevent Ransomware Attacks

Perimeter 81 helps prevent ransomware attacks with a Zero Trust framework that enforces least-privilege access across the organization.
Sensitive information is safely guarded from malicious threat actors, as all files are encrypted with 256-bit bank-level encryption, the highest and most trusted in the industry. It takes only one simple mistake by a connected remote employee for malware to spread across the network and severely damage your organization and its reputation. Counter ransomware with Perimeter 81's Zero Trust enterprise ransomware prevention framework. With the rise of the work-from-home (WFH) model, it is absolutely imperative to secure your remote workers, as ransomware attacks are up a whopping 148% since the start of the pandemic. Learn how to keep your remote workers safe from ransomware attacks.

Highlighting the Benefits of Perimeter 81 to Combat Ransomware

Secured Remote Access: IT and administration can grant employees least-privilege access to the organization's private network from multiple devices and locations over public networks, and even share data remotely, using the Zero Trust framework.

Create Custom Policies: Segment your network and narrow access rules down to individual users and groups, with authentication enforced via identity providers.

Encrypt Transmitted Data: Prevent ransomware attacks by securing your critical assets and valuable information with the highest level of encryption, making all data undecipherable to malicious attackers.

Ransomware FAQs

What is a Ransomware Cyber Attack?
A ransomware cyber attack is a form of malware that blocks a user's access to their device or data, and/or threatens to publish private data, unless a ransom is paid.

How do Ransomware Attacks work?
Ransomware gets into your system through different means: phishing emails, malvertising, or simply exploiting vulnerabilities in your OS. It then starts to encrypt your files and add extensions to them, holding them hostage until payment is made.
What happens if you pay ransomware?
Usually (but not always), if you pay the ransom you receive a decryption key for your data and your files are released.

Can you remove Ransomware?
There are several methods of ransomware removal, starting with anti-malware tools, and there are also free decryption tools available online. In some instances, certain types of ransomware are impossible to remove.