Ransomware: 7 tips for recovery and prevention

Jan 21, 2016 | 6 min read
Internet Security | Malware | Ransomware

Image: a ransom note. Credit: Jamie Eckle/IDG

I had arrived home from visiting my family last Saturday around 10 p.m., and noticed a couple of email messages arriving from a CPA customer, just before I went to bed. I took a quick glance, immediately spotting the phrases “none of our programs work” and “all the file names on our server have changed.” Those phrases were all of the symptoms I needed. As I would confirm later, the customer had been struck by ransomware. 

For the uninitiated, ransomware is a particularly insidious form of malware that renders your important files unreadable, by encrypting them, until you pay the perpetrator a ransom to restore them. The current wave of crypto-ransomware was first seen in Russia around 2011, and by 2013 it was well entrenched in the United States.

Most forms of ransomware use strong cryptography, with a key unique to each victim, to encrypt files on every drive the infected PC can reach, local or mapped. The software normally places a note in the affected folders telling the user what to do to recover the files. This usually means a payment, often in the $300-$500 range and payable in bitcoin, after which the bad actor may or may not actually supply the decryption key that lets the victim recover the files. The common infection vectors are visiting a compromised or malicious website (a drive-by download) and opening malware attached to an email message.
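The two symptoms the customer reported, file names changed everywhere and a note in every folder, can be checked for mechanically. The script below is an added example, not code from the original article or from any product: it compares a listing of a share taken before and after (say, from a backup catalogue and a fresh directory walk) and flags folders whose contents were replaced by files with unfamiliar extensions, plus any note-like file that appears in several folders at once. The extension list, note keywords, thresholds and sample paths are all assumptions constructed for the example.

```python
"""Heuristic check of a file share listing for two ransomware symptoms:
file names replaced en masse, and the same note dropped into many folders.
Added example; it works on plain path lists so it can be fed a saved
listing, a backup catalogue, or the output of os.walk() on a mounted share."""
from collections import Counter

# Document types this business normally stores (assumed for the example).
KNOWN_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".txt", ".csv",
                    ".qbw", ".mdb", ".accdb", ".jpg", ".png", ".zip"}
# Words that tend to appear in ransom-note file names (assumed list).
NOTE_WORDS = ("decrypt", "restore", "recover", "readme", "help", "how_to")
NOTE_EXTENSIONS = {".txt", ".html", ".htm", ".png", ".url"}


def _dirname(path):
    return path.rsplit("/", 1)[0] if "/" in path else ""


def _name(path):
    return path.rsplit("/", 1)[-1].lower()


def _ext(path):
    name = _name(path)
    return name[name.rfind("."):] if "." in name else ""


def looks_like_note(path):
    """A text/HTML/image/URL file whose name talks about decrypting or recovering."""
    name = _name(path)
    return _ext(path) in NOTE_EXTENSIONS and any(w in name for w in NOTE_WORDS)


def scan_listing(before, after, min_files=3, vanished_ratio=0.5, note_min_dirs=3):
    """Compare two listings of the same share.

    Returns the folders where at least `vanished_ratio` of the files disappeared
    and were replaced by files of unknown type, the note names that showed up in
    at least `note_min_dirs` folders, and an overall verdict."""
    before_set, after_set = set(before), set(after)
    vanished = before_set - after_set
    appeared = after_set - before_set

    files_per_dir = Counter(_dirname(p) for p in before_set)
    vanished_per_dir = Counter(_dirname(p) for p in vanished)
    # New files that are neither a known document type nor a ransom note.
    odd_new_per_dir = Counter(_dirname(p) for p in appeared
                              if _ext(p) not in KNOWN_EXTENSIONS
                              and not looks_like_note(p))

    suspicious = []
    for d, total in files_per_dir.items():
        if total < min_files:
            continue  # too few files to judge; one legitimate rename is not an attack
        gone = vanished_per_dir[d]
        # Deletions alone are not flagged; the vanished files must have been
        # replaced by a comparable number of unfamiliar ones.
        if gone / total >= vanished_ratio and odd_new_per_dir[d] >= max(1, gone // 2):
            suspicious.append(d)

    dirs_per_note = {}
    for p in appeared:
        if looks_like_note(p):
            dirs_per_note.setdefault(_name(p), set()).add(_dirname(p))
    notes = {n: len(ds) for n, ds in dirs_per_note.items() if len(ds) >= note_min_dirs}

    return {"suspicious_dirs": sorted(suspicious),
            "ransom_notes": notes,
            "verdict": bool(suspicious) or bool(notes)}


# Constructed sample listings (not real customer data).
SAMPLE_BEFORE = [
    "S:/Tax/2015/client_a.qbw", "S:/Tax/2015/client_b.qbw", "S:/Tax/2015/returns.pdf",
    "S:/Accounting/ledger.xlsx", "S:/Accounting/payroll.xlsx", "S:/Accounting/notes.txt",
    "S:/Admin/contacts.csv", "S:/Admin/lease.pdf", "S:/Admin/logo.png",
]
SAMPLE_AFTER = [
    # Tax and Accounting: every file replaced by a random name, note dropped in each.
    "S:/Tax/2015/8f1c2a0b.9d3e", "S:/Tax/2015/a77b43e1.1f0c", "S:/Tax/2015/c0ffee12.b4d1",
    "S:/Tax/2015/HOW_TO_RESTORE_FILES.txt",
    "S:/Accounting/d3adbeef.77a2", "S:/Accounting/0badf00d.e8c3", "S:/Accounting/5eed1234.ab90",
    "S:/Accounting/HOW_TO_RESTORE_FILES.txt",
    # Admin: untouched apart from the note.
    "S:/Admin/contacts.csv", "S:/Admin/lease.pdf", "S:/Admin/logo.png",
    "S:/Admin/HOW_TO_RESTORE_FILES.txt",
]

if __name__ == "__main__":
    print(scan_listing(SAMPLE_BEFORE, SAMPLE_AFTER))
```

Run against a listing of the share taken on a schedule, a positive verdict is a reason to pull the network cable on the PCs with that share mapped and start the response plan; a single renamed file or a handful of deletions stays under the thresholds on purpose.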

This malware family has grown in both frequency and sophistication in recent months. One of the best known forms, CryptoWall, has just entered Version 4, with a greatly improved ability to hide from antivirus software and firewalls. The distributors of CryptoWall are believed to have made more than $25 million in 2015 alone. There have been recent indications that the bad actors are concerned about maintaining the belief that paying the ransom will really allow for file recovery. As such, in some instances they have been found on PC help forums, assisting victims with file recovery and payment issues. How big of them!

In my customer’s case, the files were stored via a mapped drive on a server. The malware seemed to ignore the local drive, and went immediately to the server drive, encrypting the customer’s tax and accounting databases. I requested that the customer run Malwarebytes, my go-to removal tool, to eradicate the actual infection from any PCs, which it did. In the interim, I confirmed that no infection existed on the PC, and began to plan for file recovery.

Thankfully, this customer understood the importance of mitigating risks. As such, even though they already had regular cloud-based backups of their server, they had asked me to configure a local backup to a removable drive, early in the week of their infection. Since that drive was not mapped to a PC, it was unaffected. By midmorning Sunday, the files were restored, and their applications operational. 

This customer had a happy ending, but many do not. Some pay the ransom and never get their files back. At a minimum, most ransomware victims suffer a major disruption of their businesses. Even worse, with the growing sophistication of this malware, there is no guarantee that a victim will not be hit again. 

So, how can you avoid being a victim, and be prepared if the worst happens? 

1. Plan

The time to figure out how you would respond to such an incident is NOT the minute it happens. Figure out in advance who to call for help, how to reach them quickly, and where your passwords, install disks and other important items are. File them where they can be easily found, but NOT on a PC whose infection can prevent you from accessing the details needed to fix it.

2. Back up and test

The salvation of my customer was its ability to restore from a backup. To protect yourself from various risks, including ransomware, you need a good backup strategy. It must keep at least one copy that the infected PC cannot reach, such as a removable drive that is not left connected or a share the users cannot write to, since a backup on a mapped drive is encrypted along with everything else. It must also include monitoring of backup status and testing of the restore process to ensure that restored files are usable. A backup process without testing may not be worth much.
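"Testing the restore process" means more than checking that the backup job reported success. The script below is an added example, not the author's or any backup vendor's code: it records the size and SHA-256 of every file at backup time into a manifest, and after a trial restore into scratch space reports what is missing, what no longer matches, and what unfamiliar files appeared. The `demo()` function builds a small constructed tree in a temporary directory, copies it, then damages the copy the way a bad restore or an encryption pass would; file names and contents in it are made up for the example.

```python
"""Restore test for a backup: hash every file at backup time into a manifest,
then compare a trial restore against it.  Added example.  For real use, call
build_manifest() on the source at backup time, save the result with the
backup, and call verify_restore() on the restored copy."""
import hashlib
import os
import shutil
import tempfile


def sha256_file(path, chunk=1 << 16):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map relative path -> (size, sha256) for every regular file under root."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = (os.path.getsize(full), sha256_file(full))
    return manifest


def verify_restore(manifest, restored_root):
    """Compare a restored tree against the manifest taken at backup time.

    Returns files that are missing, files whose size or hash changed, and files
    present in the restore that were never backed up.  The last group is
    informational, but a crop of unknown names is itself a warning sign."""
    restored = build_manifest(restored_root)
    problems = {"missing": [], "corrupt": [], "unexpected": []}
    for rel, expected in manifest.items():
        if rel not in restored:
            problems["missing"].append(rel)
        elif restored[rel] != expected:
            problems["corrupt"].append(rel)
    problems["unexpected"] = sorted(set(restored) - set(manifest))
    problems["missing"].sort()
    problems["corrupt"].sort()
    return problems


def demo():
    """Constructed end-to-end run: clean restore, then a damaged one."""
    work = tempfile.mkdtemp(prefix="restore-test-")
    try:
        src = os.path.join(work, "server")
        os.makedirs(os.path.join(src, "Tax", "2015"))
        files = {  # constructed sample contents, not real data
            "Tax/2015/client_a.qbw": b"QuickBooks data " * 100,
            "Tax/2015/returns.pdf": b"%PDF-1.4 constructed sample",
            "ledger.xlsx": b"PK\x03\x04 constructed spreadsheet",
        }
        for rel, data in files.items():
            with open(os.path.join(src, rel), "wb") as f:
                f.write(data)
        manifest = build_manifest(src)

        restored = os.path.join(work, "restore-scratch")
        shutil.copytree(src, restored)
        good = verify_restore(manifest, restored)  # faithful copy: nothing to report

        # Damage the copy: truncate one file, delete one, drop in an encrypted blob.
        with open(os.path.join(restored, "ledger.xlsx"), "wb") as f:
            f.write(b"PK\x03\x04")
        os.remove(os.path.join(restored, "Tax", "2015", "returns.pdf"))
        with open(os.path.join(restored, "Tax", "2015", "3a9f0c1e.k2d"), "wb") as f:
            f.write(os.urandom(64))
        bad = verify_restore(manifest, restored)
        return good, bad
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    clean, damaged = demo()
    print("clean restore:", clean)
    print("damaged restore:", damaged)
```

Keeping the manifest with the backup, rather than on the server, matters: if the manifest lives on the mapped drive it gets encrypted too, and you lose the yardstick along with the files.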

3. Use antivirus software and firewalls

Much has been written lately about the growing obsolescence of antivirus software and, to some extent, firewalls. The argument is that these products are largely signature-based, and active malware changes its signatures rapidly. The fallacy in this argument is that for every piece of malware with a fresh signature in the wild, there are hundreds of older samples still making the rounds that are recognized and can be blocked. I suggest that you ignore the theorists and implement a good firewall and antivirus package. Keep them up to date and monitor them.

4. Perform software updates

Ransomware, like much other malware, exploits vulnerabilities in Windows, OS X, browsers and browser plug-ins to get onto your systems. You must faithfully ensure that updates are applied. I encounter many customer PCs that have not had an update in months; these are sitting ducks. Also, don't forget firmware updates for your network and IoT devices, which can also help prevent attacks.

5. Restrict mapped drives

Make sure that server drives are mapped only to the user PCs that actually need them, and use read-only folders where possible. Ransomware runs with the rights of the logged-in user, so it can only encrypt what that user can write to: if an infected PC cannot write to the server share, the files on it are safe from that PC. Note that cloud drives can be susceptible as well. If the cloud folder is mapped or synced to the infected PC, the encrypted files are uploaded just like any other change, as a recent report by Krebs on Security confirms.

6. Know who uses your PCs

Restrict the use of each PC to only authorized people. In an office environment, keep them locked down, so that maintenance personnel or other passers-by cannot use them for a quick Web search. At home, avoid letting your kids use any PC with work-related data.

7. Respond if the worst happens

If you find yourself encrypted and without a backup, you may be forced to pay the ransom. I find it distasteful to even suggest this approach, but if the value of your data is sufficient, you may be forced to make that decision. Even the FBI has stated that this may be the best course of action in some cases. As I said above, malware authors, out of concern that people will not "trust" them and stop paying, are doing a better job of making sure the victims can get their files back. There are, however, no guarantees with this approach. Paying also does nothing to remove the malware or close the door it came through; you still have to clean the PCs and fix the point of entry, or you will be back where you started.

Bottom line: The best cure for ransomware is diligent prevention. Once you are infected, your options may be limited, expensive and unpleasant.


Robert C. Covington, the "Go To Guy" for small and medium business security and compliance, is the founder and president of togoCIO. Mr. Covington has a B.S. in Computer Science from the University of Miami, with over 30 years of experience in the technology sector, much of it at the senior management level. His functional experience includes major technology implementations, small and large-scale telecom implementation and support, and operations management, with emphasis on high-volume, mission critical environments. His expertise includes compliance, risk management, disaster recovery, information security and IT governance.

Mr. Covington began his Atlanta career with Digital Communications Associates (DCA), a large hardware/software manufacturer, in 1984. He worked at DCA for over 10 years, rising to the position of Director of MIS Operations. He managed the operation of a large 24x7 production data center, as well as the company’s product development data center and centralized test lab.

Mr. Covington also served as the Director of Information Technology for Innotrac, which was at the time one of the fastest growing companies in Atlanta, specializing in product fulfillment. Mr. Covington managed the IT function during a period when it grew from 5 employees to 55, and oversaw a complete replacement of the company’s systems, and the implementation of a world-class call center operation in less than 60 days.

Later, Mr. Covington was the Vice President of Information Systems for Teletrack, a national credit bureau, where he was responsible for information systems and operations, managing the replacement of the company’s complete software and database platform, and the addition of a redundant data center. Under Mr. Covington, the systems and related operations achieved SAS 70 Type II status, and received a high audit rating from the Federal Deposit Insurance Corporation and the Office of the Comptroller of the Currency.

Mr. Covington also served as Director of Information Technology at PowerPlan, a software company providing software for asset-intensive industries such as utilities and mining concerns, and integrating with ERP systems including SAP, Oracle Financials, and Lawson. During his tenure, he redesigned PowerPlan's IT infrastructure using a local/cloud hybrid model, implemented IT governance based on ITIL and COBIT, and managed the development of a new corporate headquarters.

Most recently, Mr. Covington, concerned about the growing risks facing small and medium business, and their lack of access to an experienced CIO, formed togoCIO, an organization focused on providing simple and affordable risk management and information security services.

Mr. Covington currently serves on the board of Act Together Ministries, a non-profit organization focused on helping disadvantaged children, and helping to strengthen families. He also leads technical ministries at ChristChurch Presbyterian. In his spare time, he enjoys hiking and biking.

The opinions expressed in this blog are those of Robert C. Covington and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.
