Imagine you are the owner of a small business headed into the office early in the morning to knock a few tasks off of your long list of things to do. As you sit down in your chair, and take a sip from your cup of coffee, you reach over your desk, open up your computer and switch it on. You walk over to the coffee machine, fill up your cup and return to your desk. Instead of your normal computer background, there is a strange looking screen stating that all of your files have been encrypted and the only way to get them back is to send the creator of the malicious software that you are currently dealing with several hundred dollars. What’s worse is that the virus isn’t isolated to your computer – somehow it made its way onto your shared server, encrypting thousands of documents and other files that are absolutely critical to your business. These files will also be rendered indecipherable if you don’t pay the hacker’s ransom.
What happens next depends entirely on whether you have a backup of your files as well as where and how you are performing your backups. In many instances, people think they are safe because they have an external hard drive connected to their system making backups on a regular basis. There are a few potential shortcomings with this line of thought. First, your hard drive may stop making regular backups or might not be backing up your data properly. This means that when it comes time to restore from a backup, you will be unable to do so. Also, if you are leaving it connected to your computer or server on a regular basis, there is a very good chance that the ransomware has infected your external drive as well – if you restore from a backup on that hard drive, that backup will be encrypted as well.
If you are backing up your files to an offsite location, or intermittently to a hard-drive that is removed when you finish backing up and you are able to verify that your backup has been properly replicating all of your data, you’d be able to breathe easy. You could easily remove the ransomware by wiping your computer (and server) to factory settings and then restoring them from the backup. This means the impact of the attack will be limited to a fairly long period of network downtime, a costly but not fatal outcome. But if you haven’t been using these best practices to protect your data the story will likely end one of two ways *SPOILER ALERT* neither of those endings is a very happy one.
The first option, of course, is to pay the hacker or hackers the amount requested in which case there is no guarantee that they will make good on their promise to decrypt your files. Even if they do, there have been some instances where files were either lost or unable to be decrypted even after the ransom was paid. The other possible course of action would be refusing to negotiate with the people who have taken your data hostage which would almost certainly result in the loss of your business’s priceless data.
Of course, there are a number of techniques used by computer security experts and network engineers that are effective against this sort of malware. If you are at your wits end, it is certainly worth your while to get in touch with someone who could see what version you are dealing with (there are thousands of them) and possibly remove the ransomware.
Having explained what ransomware is, the obvious question to ask next is, “How does this pernicious malware make its way onto a computer or network?” Unsurprisingly, the answer to that simple question isn’t so simple – there are a number of ways to initiate and execute this sort of attack. Ransomware is generally dispersed much the same way that any other sort of computer virus or malware might be -- and there will be much more information on how that happens in our next blog post, so stay tuned.