Ransomware: 7 tips for recovery and prevention

I had arrived home from visiting my family last Saturday around 10 p.m., and noticed a couple of email messages arriving from a CPA customer, just before I went to bed. I took a quick glance, immediately spotting the phrases “none of our programs work” and “all the file names on our server have changed.” Those phrases were all of the symptoms I needed. As I would confirm later, the customer had been struck by ransomware. 

For the uninitiated, ransomware is a rather insidious form of malware that attempts to render all of your important files unreadable, until you pay the perpetrator a ransom to restore them. This malware was first seen in Russia in 2011, and by 2013, it was well entrenched in the United States.

Most forms of ransomware work by using strong cryptography with a unique key to encrypt files on drives available to the infected PC. The software normally places a note in various folders, telling the user what to do to recover the files. This usually involves a payment, often in the $300-$500 range in bitcoins, for which the bad actor may or may not actually supply the encryption key, allowing the victim to recover the files. The methods of infection include accessing an infected website, and malware attached to email messages. 

This malware genus has grown in occurrence and sophistication in recent months. One of the best known forms, called CryptoWall, has just entered Version 4, with a greatly improved ability to hide from antivirus software and firewalls. The distributors of CryptoWall are believed to have made more than $25 million in 2015 alone. There have been recent indications that the bad actors are concerned about maintaining the belief that paying the ransom will really allow for file recovery. As such, in some instances, they have been found on PC help forums, assisting victims with file recovery and payment issues. How big of them! 

In my customer’s case, the files were stored via a mapped drive on a server. The malware seemed to ignore the local drive, and went immediately to the server drive, encrypting the customer’s tax and accounting databases. I requested that the customer run Malwarebytes, my go-to removal tool, to eradicate the actual infection from any PCs, which it did. In the interim, I confirmed that no infection existed on the PC, and began to plan for file recovery.

Thankfully, this customer understood the importance of mitigating risks. As such, even though they already had regular cloud-based backups of their server, they had asked me to configure a local backup to a removable drive, early in the week of their infection. Since that drive was not mapped to a PC, it was unaffected. By midmorning Sunday, the files were restored, and their applications operational. 

This customer had a happy ending, but many do not. Some pay the ransom and never get their files back. At a minimum, most ransomware victims suffer a major disruption of their businesses. Even worse, with the growing sophistication of this malware, there is no guarantee that a victim will not be hit again. 

So, how can you avoid being a victim, and be prepared if the worst happens? 

1. Plan

The time to figure out how you would respond to such an incident is NOT the minute it happens. Figure out in advance who to call for help, how to reach them quickly, and where your passwords, install disks and other important items are. File them where they can be easily found, but NOT on a PC whose infection can prevent you from accessing the details needed to fix it.

2. Back up and test

The salvation of my customer was in its ability to restore from a backup. To protect yourself from various risks, including ransomware, you need a good backup strategy, which must include monitoring backup status and testing of the restore process to ensure that restored files are usable. A backup process without testing may not be worth much.

3. Use antivirus software and firewalls

Much has been written of late about the growing obsolescence of antivirus software, and to some extent firewalls. This is claimed because these products are signature-based, and active malware signatures change rapidly. The fallacy of this argument, however, is that for every malware item with newer signatures in the wild, there are hundreds still making the rounds that have older signatures, and can thus be blocked. I suggest that you ignore the theorists, and implement a good firewall and antivirus package. Keep them up to date and monitor them.

4. Perform software updates

Ransomware, like many malware programs, makes use of vulnerabilities in Windows, OS X and other software to infect your systems. You must faithfully ensure that updates get applied. I encounter many customer PCs that have not had an update in months. These are sitting ducks. Also, don’t forgot firmware updates for your network and IoT devices, which can also help prevent attacks.

5. Restrict mapped drives

Make sure that server drives are only mapped to the user PCs where they are actually needed. Use read-only folders where possible. If an infected PC cannot access the server drive, it cannot infect it. Note that cloud drives can be susceptible as well, as a recent report by Krebs on Security confirms.

6. Know who uses your PCs

Restrict the use of each PC to only authorized people. In an office environment, keep them locked down, so that maintenance personnel or other passers-by cannot use them for a quick Web search. At home, avoid letting your kids use any PC with work-related data.

7. Respond if the worst happens

If you find yourself encrypted and without a backup, you may be forced to pay the ransom. I find it distasteful to even suggest this approach, but if the value of your data is sufficient, you may be forced to make that decision. Even the FBI has stated that this may be the best course of action in some cases. As I said above, malware authors, out of concern that people will not “trust” them and stop paying, are doing a better job of making sure the victims can get their files back. There are, however, no guarantees with this approach. 

Bottom line: The best cure for ransomware is diligent prevention. Once you are infected, your options may be limited, expensive and unpleasant.