Ransomware Virus: What Do I Do If My Data Is Hijacked?
What is a ransomware virus?
Ransomware is malicious software that hijacks the data stored on a computer: it encrypts the files and demands a ransom for the key that unlocks them.
The usual way in is a phishing campaign. The emails that supposedly come from Endesa, Correos, Carrefour and the like, with a fake invoice or a discount voucher as the bait, have already become famous.
There are many ransomware variants, but they all do the same basic thing: they encrypt our files without the user noticing. Once the process has finished, the decryption key is in the criminals’ hands (sent to them, or, in most current families, protected with a public key that only they can unlock), and they demand payment from the user to get the data back.
It is a hijacking of our digital information.
In the hyper-connected world we live in, where new technologies are part of all our daily tasks, it is easy to imagine the damage this kind of program can do to any user.
Where we used to keep a couple of photographs of each event, today we keep hundreds or thousands of them. The attackers set out to do as much damage as possible so that the victim sees paying as the only way to get everything back.
All the more so when this happens in a company, where by its nature the loss of stored information has greater consequences: not only economic ones, such as the loss of accounting records, but also legal ones, such as those that follow from losing customer data.
Ransomware does not always stop at making files unusable: some variants first exfiltrate sensitive information to the attackers before encrypting anything. That aggravates the problem, because the criminals may now hold passwords, confidential documents and other sensitive data, and the possibility of extorting the victim again later rises sharply.
It is true that the police sometimes make arrests, and that decryption tools are occasionally published, sometimes with keys obtained from the malware authors themselves; antivirus companies also build their own recovery tools.
But in most cases the encryption cannot be reversed: without the decryption key, the data cannot be recovered.
The criminals demand a ransom in exchange for that “key”, and unfortunately a high proportion of victims pay to get their files back.
This criminal activity has become one of the most profitable businesses in the world.
So much so that it is even offered on the Deep Web as Ransomware-as-a-Service (RaaS), on the same model as SaaS: the developers hand the malware to affiliates who want to earn a living from infecting systems, in exchange for a share of the ransoms.
New versions are seen every day, along with numerous variants and revisions of old ones.
We are facing one of the biggest computing problems of recent years. The threat is far from disappearing, so it is necessary to adopt protection measures to avoid becoming a victim of this information hijacking.
Why don’t they stop the creators of these programs?
Given how far it has spread and the damage it causes, it is a question many people ask.
The answer is that it is not a simple task at all. The Internet has (almost) no borders, and attackers can operate from anywhere in the world, from a single location or in a distributed way.
Even more so once we consider the possibility mentioned above of offering it as a service.
Organised criminal groups constantly develop and “improve” the malware. Others specialise in infecting computers. Others rent out those services, and third parties hire them in turn to exploit their own network of victims.
There are those whose only job is to collect the extortion money... and so on, until they form a network and an organisation much like any company, and one that is far more profitable than most businesses.
Even the ransom payments are made in bitcoin, the digital currency. It is chosen because payments cross real-world borders without friction and are hard to tie to a person; note, though, that the blockchain itself is public, so “untraceable” overstates it, and investigators do follow the money.
You can see the complexity of the system, and since so many people profit along the way, it is really very difficult to stop in the short or medium term.
As one study found: “52% of Spanish companies infected by ransomware paid the ransom, but 15% did not recover their data”
Can it be avoided?
Ransomware, like any malware, takes advantage of vulnerabilities in our systems.
It is essential to keep the browser, the operating system and the antivirus up to date.
That does not mean these measures make us safe, far from it, but they give a minimum level of protection. They will be of no use if our computer is hit by ransomware that exploits a zero-day vulnerability (one that has only just been discovered and for which there is still no fix).
By keeping our equipment updated, we avoid infection by all the malware that exploits known vulnerabilities in the systems, the ones that have already been patched.
It is remarkable how, when antivirus companies publish the infections recorded on their clients’ computers, you can still see malware exploiting vulnerabilities that were corrected years ago.
Another point to highlight in the protection against all these programs (and we are not only talking about ransomware but also about Trojans, viruses, adware and so on) is the need to educate users. In companies, a security culture has to be instilled, and for that the employees themselves must be part of the prevention process.
Give training on computer security regularly, so that people know which documents can and cannot be opened, how to recognise a phishing email, and so on.
Sometimes the criminals’ attack vectors are very crude and easily spotted by anyone used to seeing this kind of thing, yet they have a really high success rate among people with little training in this area.
Two profiles need to be distinguished when planning protection against these threats: individuals and companies.
They use different resources for their work and have different infrastructures, needs and equipment, so their security needs are different too.
We might assume that the target victims of these malware campaigns are large companies, which store valuable information and can be asked for large sums of money.
Since these viruses are usually distributed massively and indiscriminately, it is quite possible that a company of that kind ends up infected, but it is not the usual case.
Large companies also have large means of protection, and the reports published by antivirus companies show that those who suffer most from this type of attack are small and medium-sized companies and end users.
The reason is easy to understand: they have fewer resources and a more relaxed security policy, and the infection itself is often played down.
It can be far more profitable to infect 100 home users’ computers and ask each of them for €300 to get their information back than to take on a multinational that will certainly go to the competent authorities.
What all users can do, both companies and individuals, is:
- Install an antivirus that is managed centrally. We work with the manufacturer Sophos, which has Sophos antivirus for professional users and Sophos Home for private users (the latter is completely free).
- Install a firewall that lets us filter connections. As in the previous case, there is the Sophos XG UTM range for companies and a home version of the firewall for home users (the home version, like the antivirus, is free).
- Synchronise the firewall and the endpoint security. If a computer becomes infected and its contents are encrypted, it is automatically blocked from network resources, normal Internet use, server applications and so on, which prevents the other computers on the same network from being compromised.
- Use a dedicated anti-ransomware product. Such products are beginning to be marketed and can block ransomware before it renders the system unusable. They are a very interesting option because they are not signature-based (they watch for behaviour such as a process rewriting many files in a short time), so they complement the antivirus we are already using.
What do I do if my data is hijacked?
If we do become victims of ransomware, these are our recommendations:
- Disconnect the computer from the network immediately (unplug the cable or disable Wi-Fi), to prevent it from spreading to the rest of the company’s computers and to any mapped network drives. Do not wipe or reinstall the machine yet: it is also the evidence.
- Identify the route (source) by which we were infected and report it to the Telematic Crimes Group of the Civil Guard (which reports to the Ministry of the Interior of Spain). You can start the complaint through its website, but it then has to be presented in person (there is no fully online complaint). All the information is on their website. Keep the ransom note and a sample encrypted file: they identify the variant, which is what you need in order to check whether one of the published decryption tools applies.
- Depending on the ransomware variant, and if we can still access the operating system: run some antivirus / antimalware tools (e.g. Malwarebytes, Spybot) until we verify the system is clean. On Windows, check (right mouse button on a document, “Restore previous versions”) whether earlier copies exist that, with luck, are not encrypted. Be aware that many ransomware families delete those Volume Shadow Copies before encrypting, so this frequently comes back empty.
- If that does not work, if the volume of data is large or scattered across many folders, or if the compromised data belongs to an application, restore from backups. Restore only onto a machine that has been verified clean, and remember that a backup that was reachable from the infected computer (a mapped drive, a connected USB disk) has very likely been encrypted as well: backups must be kept offline or otherwise out of the malware’s reach. Better still is a proper disaster recovery system, tested in advance.
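To make the last two points concrete (verifying which files were actually hit before deciding what to restore, and the non-signature detection idea from the protection list above), here is an added example in Python. It is not part of the original page and is not any vendor’s product code. It classifies files by the traces ransomware leaves behind: a ransom note, an extension appended to a document name, a file whose bytes no longer match the header its extension promises, and text-type files whose content has become random. The extension lists, the magic bytes, the 7.2 bits/byte threshold and the sample share it builds under a temporary directory are all assumptions made for the example.

```python
"""Triage scanner for a ransomware-damaged file tree (added example, not from the page)."""
import math
import tempfile
from collections import Counter
from pathlib import Path
from typing import Dict, Optional

# Assumption: these formats are expected to be high-entropy (compressed or
# already encrypted), so entropy alone is not evidence against them.
COMPRESSED_EXT = {".zip", ".gz", ".7z", ".rar", ".jpg", ".jpeg", ".png",
                  ".mp4", ".pdf", ".docx", ".xlsx"}
# Document types whose name ransomware typically keeps while appending its own suffix.
DOCUMENT_EXT = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".txt", ".jpg",
                ".png", ".sql", ".csv"}
# Known file headers; an extension whose bytes no longer match was overwritten in place.
MAGIC = {".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff", ".png": b"\x89PNG",
         ".pdf": b"%PDF", ".zip": b"PK\x03\x04", ".docx": b"PK\x03\x04",
         ".xlsx": b"PK\x03\x04", ".gz": b"\x1f\x8b"}
RANSOM_NOTE_WORDS = ("decrypt", "bitcoin", "ransom", "your files")
ENTROPY_THRESHOLD = 7.2   # bits per byte; assumption, tune for your own data
MIN_SAMPLE = 1024         # below this, the entropy estimate is too noisy to trust


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 means every byte value occurs equally often."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_file(path: Path, sample_size: int = 65536) -> Optional[str]:
    """Return why the file looks like ransomware output, or None if it looks normal."""
    with path.open("rb") as fh:
        head = fh.read(sample_size)
    suffixes = [s.lower() for s in path.suffixes]
    ext = suffixes[-1] if suffixes else ""
    # 1. Ransom note: a small text file using extortion vocabulary.
    if ext in {".txt", ".html", ".hta"} and path.stat().st_size < 20000:
        text = head.decode("utf-8", errors="ignore").lower()
        if sum(word in text for word in RANSOM_NOTE_WORDS) >= 2:
            return "ransom note"
    # 2. Renamed victim: report.docx.locked, invoice.pdf.xyz and similar.
    if (len(suffixes) >= 2 and suffixes[-2] in DOCUMENT_EXT
            and ext not in DOCUMENT_EXT | COMPRESSED_EXT):
        return f"appended extension {ext}"
    # 3. Encrypted in place: the extension promises a header the bytes no longer have.
    if ext in MAGIC and head and not head.startswith(MAGIC[ext]):
        return f"header mismatch for {ext}"
    # 4. Encrypted in place with no header to compare: random bytes where text is expected.
    if ext not in COMPRESSED_EXT and len(head) >= MIN_SAMPLE:
        ent = shannon_entropy(head)
        if ent > ENTROPY_THRESHOLD:
            return f"high entropy ({ent:.2f} bits/byte)"
    return None


def scan_tree(root: Path) -> Dict[str, str]:
    """Walk root and map each suspicious file (posix-style relative path) to its reason."""
    findings: Dict[str, str] = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            reason = classify_file(p)
            if reason:
                findings[p.relative_to(root).as_posix()] = reason
    return findings


def build_sample_tree() -> Path:
    """Constructed sample share for the demonstration; the 'ciphertext' is a stand-in."""
    root = Path(tempfile.mkdtemp(prefix="ransom_triage_"))
    ciphertext = bytes(range(256)) * 16   # every byte value equally often: entropy 8.0
    files = {
        "notes/minutes.txt": b"Meeting minutes: budget approved, next review in March.\n" * 40,
        "photos/logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 100,
        "invoices/report.docx.locked": ciphertext,      # renamed by the malware
        "db/customers.sql": ciphertext,                  # encrypted in place, name kept
        "photos/holiday.jpg": ciphertext,                # encrypted in place, header gone
        "README_DECRYPT.txt": b"ALL YOUR FILES HAVE BEEN ENCRYPTED. "
                              b"To decrypt them send 0.5 bitcoin to the address below.\n",
    }
    for rel, content in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)
    return root


if __name__ == "__main__":
    for rel, reason in scan_tree(build_sample_tree()).items():
        print(f"{rel}: {reason}")
```

Run as a script it prints one line per flagged file and leaves the two untouched files alone. Applied to files as they are being written rather than afterwards, the same header and entropy checks are the kind of behavioural signal the anti-ransomware products above act on. Two limits worth knowing: a legitimate file with a non-standard header (an empty zip starts with PK\x05\x06, not PK\x03\x04) is reported as a header mismatch, and a variant that keeps the original name and header intact is only caught by the entropy check, which is deliberately skipped for compressed formats.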