What is ransomware?
Ransomware is a type of malicious software that encrypts the important files and documents on your computer. Once encrypted, the files can no longer be opened. The encryption methods used are usually very strong and difficult to reverse, so the only ways to get your files back are to restore them from a backup copy or to pay the ransom.
How does it spread?
The threat from ransomware has grown over the past few years and is very high today. Attackers often deliver the ransomware as an attachment to a phishing e-mail, and the phishing e-mail tricks the user into opening the attachment.
Once the victim's computer has been infected, it is very common for the malware to spread further across the network and onto any USB memory sticks attached to the computer.
The recent devastating outbreak of WannaCry (also known as WannaCrypt or Wcrypt) was however not spread through e-mail but instead exploited a vulnerability in Windows. It simply scans the entire Internet for Windows machines running the old, vulnerable software.
I have been infected, help?!
If you or your company has been infected, it is important to quickly limit how fast the virus can spread. Do this by following a proper incident response plan:
- Disconnect the computer from the network. Pull network cables and disable wireless network connections in order to stop malware from spreading over the network.
- If your computer has been infected by an unknown virus, it can be a good idea to perform a forensic analysis to determine exactly what the virus was able to do. Leave the computer running after disconnecting it from the network and call us; we can perform this technical analysis of the malware!
- The infected machine should be considered compromised and should be reinstalled. This means reinstalling the operating system and then applying all security patches from Windows Update.
- You can now restore your files from the most recent backup.
To decrease the risk of being infected by ransomware (and other types of malware), you can take the following actions:
- Backup. It is very important to always have a current backup of important files and server configurations. Back up daily to limit the loss of data in an incident. Keep in mind that backups should be kept offline, so that an infection cannot encrypt them as well, and ideally at a secondary physical location in case of a fire.
- Security awareness. Never click on attachments or links in suspicious e-mails! Always check the e-mail sender and the link destination before opening files. Ignore suspicious e-mails.
- Spam filter. Your e-mail spam filter can be configured to block file types such as EXE, MSI and JAR, stopping phishing e-mails before they reach the user's Inbox.
- WannaCry. Since this recent ransomware exploits a vulnerability in Windows, it is important to minimize the exposure of Windows machines to the Internet. A good tip is to always block ports 139, 445 and 3389 in the firewall; there is no reason for these ports and services to be exposed to the Internet. The Microsoft security update MS17-010 (released in March 2017) patches the vulnerability used by WannaCry, so install it on all Windows machines in your organization.
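As an added example (not code from the original article), the Python script below shows what the spam-filter rule above needs beyond a plain extension match: an EXE, MSI or JAR that has been renamed to look harmless is still recognised by the file signature at the start of its content. The e-mail and its attachments are constructed here for the demonstration; the JAR check, which looks for the manifest name inside the ZIP data, is a simplification of a full archive parse.

```python
import email
from email import policy
from email.message import EmailMessage

# File types named in the spam-filter advice, plus the content signatures
# (magic bytes) each one starts with, so a renamed file is still caught.
BLOCKED_EXTENSIONS = {".exe", ".msi", ".jar"}
MAGIC = {
    b"MZ": "exe",                                # PE/DOS executable header
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "msi",  # OLE compound file (MSI installers)
    b"PK\x03\x04": "jar",                        # ZIP container (JAR archives)
}

def classify_attachment(filename, data):
    """Return a reason string if the attachment should be blocked, else None."""
    name = (filename or "").lower()
    for ext in BLOCKED_EXTENSIONS:
        if name.endswith(ext):
            return f"blocked extension {ext}"
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            # Office documents are ZIP files too; only treat the archive as a
            # JAR when a Java manifest entry name is present (simplified check).
            if kind == "jar" and b"META-INF/MANIFEST.MF" not in data:
                continue
            return f"content looks like {kind} despite name {name!r}"
    return None

def scan_message(raw):
    """Return [(filename, reason)] for every attachment the filter would block."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        reason = classify_attachment(part.get_filename(), part.get_payload(decode=True))
        if reason:
            findings.append((part.get_filename(), reason))
    return findings

def build_sample():
    """Constructed sample e-mail: a harmless PDF, an EXE renamed to .doc, and a JAR."""
    m = EmailMessage()
    m["From"] = "billing@example.invalid"   # constructed sender
    m["To"] = "user@example.invalid"        # constructed recipient
    m["Subject"] = "Invoice"
    m.set_content("Please see the attached invoice.")
    m.add_attachment(b"%PDF-1.4 harmless sample", maintype="application",
                     subtype="pdf", filename="invoice.pdf")
    m.add_attachment(b"MZ\x90\x00" + b"\x00" * 16, maintype="application",
                     subtype="octet-stream", filename="invoice.doc")
    m.add_attachment(b"PK\x03\x04 META-INF/MANIFEST.MF", maintype="application",
                     subtype="java-archive", filename="report.jar")
    return m.as_bytes()
```

Running `scan_message(build_sample())` flags the renamed executable and the JAR while leaving the PDF alone.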