About Ransomware

Programs that take control of a user’s device or data, then demand payment to restore normal access to the ransomed content or system.

Ransomware is a form of crimeware – malicious programs that are used, either by an individual or by organized criminal groups, to extort money from an affected user.

There are two main types of ransomware: crypto-ransomware and police-themed ransomware. The types differ mainly in the kind of fear they use to motivate the user into paying the ransom: police-themed ransomware tries to scare the user into believing they need to pay a ‘fine’ for committing a crime of some sort, while crypto-ransomware exploits the user’s fear of never recovering their content or device.

There are many different ransomware families, or sets of individual programs (variants) that are similar enough to be grouped together. Each family has unique characteristics, such as how they infect the device, what kind of files they target, how they demand payment and so on. Knowing which specific family is involved in an incident can be critical in figuring out what should be done next in order to contain any damage and remove the threat from an affected device.

Cyber Security Versus Ransomware

The malicious programs known as ransomware have attracted a significant amount of coverage in the mainstream media over the last few years, as major companies and organizations announced that their operations had been affected by the threat. Examples of affected businesses include hospitals, universities and major international corporations [2, 3].

Despite the alarming nature of the threat, the way ransomware gains entry onto a user’s device is actually no different from the methods used by other threats. Ransomware is most commonly spread by two methods:

- Email messages that trick users into opening a malicious file attachment, and
- Exploit kits that silently download the threat onto the user’s device while they are visiting a website.

These pathways onto the user’s device are relatively predictable, and can be successfully identified and defended. This requires identifying potential weaknesses in the device and setting the appropriate safeguards in place, both to block any potential intrusion attempts and to raise the alarm if any penetration does occur. The four-phase approach outlined below (Predict, Prevent, Detect, Respond) also means that even in the event that a threat does manage to bypass protective measures, all is not lost. The affected device can still be identified and isolated, so that the damage can be contained. The findings from a forensic investigation of the device can then be used to further improve the organization’s infrastructure, hardening it against future incidents.

Predict

- Identify software with vulnerabilities that may serve as entry points to devices, data or the local network.
- Identify program settings that can be configured for optimal security.
- Evaluate user behavior patterns and security awareness.

For more on evaluating an attack surface.

Prevent

- Take regular backups and ensure they are clean.
- Regularly patch any installed software.
- Use robust, multilayered security software.
- Educate users in best security practices and threat awareness.

For more preventative measures.

Detect

- Use security software with behavioral analysis capabilities to identify suspicious behavior on a device in the local network.
- Identify the resources (devices, network shares) connected to an affected device to estimate potential exposure.
- Identify changes done on the affected device by the threat.

For more investigative steps.

Respond

- Immediately disconnect the affected machine from the local network and the Internet.
- Scan all connected devices, network shares and cloud storage for evidence of the threat.
- Examine the affected device for information on how the threat was able to install and run.

For more on incident response.