What is ransomware?
Ransomware is a type of malware (malicious software) that locks access to, or
encrypts the data on a computer system or network of systems. Victims are requested
to pay a ransom in return for regaining access to the data and systems.
New strains of ransomware are being released very frequently and more recent strains are also used to transfer the data to the attacker before encryption. This provides the cyber-criminals with an additional way to extort money out of the victims by threatening to release the data unless a ransom payment is made.
Newer developments in ransomware have made it much easier for people to get hold of ransomware software and easier for people with little computer skill to launch an attack.
How does ransomware infect your system?
Computers are infected with ransomware by a number of methods. Sometimes users are tricked into running legitimate-looking programs and documents which contain the ransomware. These may arrive as authentic-looking email attachments or links to apparently-genuine websites, a method known as phishing.
More recently, ransomware infections are being seen that rely on unpatched vulnerabilities in software, and simply visiting a malicious website can be enough to result in being infected.
Ransomware may also be introduced as a result of another malware infection. Botnets are a common way for ransomware to be introduced to systems and networks. Botnets infect computer systems and wait for commands from a Command & Control (C2) server, which could include an instruction to download ransomware.
Anti-virus software - A reputable security product is a necessity for any computer system or mobile device. Anti-virus protection is a valuable tool that will search for, identify and then remove any known malware. These products typically contain other features that will keep you and your system protected. Ensure it is enabled, and regularly check its status and that it is receiving updates. Set it to automatically run complete full scans, ensuring that a full scan is performed at least once a month.
Defend against phishing attacks - Check for obvious signs of scam emails: poor spelling or grammar, vague contents, not addressing you by name but instead as ‘Customer’ or by email address, e.g. ‘Dear firstname.lastname@example.org’, and urgency. Another sign is an email which claims to be from a person or company that you know but which comes from a strange or unconventional email address. If in doubt, it is safest to disregard the email or consider speaking to the legitimate person or organisation by telephone. For more information on phishing, please read our Phishing guide.
Keep your software updated - Ensure that applications such as your web browser are always up to date to reduce the possibility of a vulnerability being exploited to infect your computer. Always update your operating system when it is suggested as security flaws are regularly patched. Anti-malware signatures should also be kept up to date to give you the best chance of being protected.
Macro-security - Unless you are sure of the authenticity of a document, do not enable or run macros if asked. Macros are automated procedures (typically built into spreadsheets and word-processed documents) that can be used to execute code which can download and install malicious software onto your system.
Controlled Folder Access and Ransomware Data Recovery – Windows 10 and 11 have a built-in anti-malware service called Windows Defender or Windows Security, and it has anti-ransomware features, though these are turned off by default. Controlled Folder Access is a setting in this service that will block all programs from making changes to your folders unless you grant access. Ransomware Data Recovery will automatically synchronise common folders with a OneDrive account, as a way of backing up your files.
Zero-Trust - In the workplace, limiting a person’s access to information, networks and applications to the least that is necessary for performing their role can greatly reduce the attack surface. An attack surface is the number of points at which an attack can be made: the more points, the more options available to potential attackers. Establishing these limits on access is called a ‘zero-trust’ rule.
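The anti-virus and Controlled Folder Access advice above can be checked from the command line. The following PowerShell script is an added example, not part of this guidance page or of Microsoft's documentation; it uses the built-in Defender cmdlets (Get-MpComputerStatus, Get-MpPreference, Set-MpPreference) and assumes it is run in an elevated PowerShell session on Windows 10 or 11. The -Fix switch and the age thresholds are assumptions chosen for this example.

```powershell
# Added example: audit the Windows Defender settings referred to in the guidance above.
# Assumes an elevated PowerShell session on Windows 10/11 with the Defender cmdlets available.
param(
    [switch]$Fix,                    # hypothetical switch: also turn on Controlled Folder Access
    [int]$MaxSignatureAgeDays = 7,   # assumed threshold for "signatures kept up to date"
    [int]$MaxFullScanAgeDays  = 31   # guidance: a full scan at least once a month
)

$status = Get-MpComputerStatus
$pref   = Get-MpPreference
$issues = @()

# 1. Anti-virus engine enabled and real-time protection switched on
if (-not $status.AntivirusEnabled)          { $issues += 'Antivirus engine is disabled' }
if (-not $status.RealTimeProtectionEnabled) { $issues += 'Real-time protection is off' }

# 2. Signatures kept up to date (AntivirusSignatureAge is reported in days)
if ($status.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
    $issues += "Signatures are $($status.AntivirusSignatureAge) days old"
}

# 3. A full scan within the last month (FullScanAge is UInt32 max if a full scan has never run)
if ($status.FullScanAge -gt $MaxFullScanAgeDays) {
    $issues += "No full scan in the last $MaxFullScanAgeDays days (last: $($status.FullScanEndTime))"
}

# 4. Controlled Folder Access: 0 = Disabled, 1 = Enabled, 2 = Audit mode (off by default)
$cfa = $pref.EnableControlledFolderAccess
if ($cfa -ne 1) {
    $issues += "Controlled Folder Access is not enforced (current value $cfa)"
    if ($Fix) {
        Set-MpPreference -EnableControlledFolderAccess Enabled
        $issues += '  -> Controlled Folder Access has now been enabled'
    }
}

if ($issues.Count -eq 0) {
    Write-Output 'OK: Defender on, signatures current, recent full scan, Controlled Folder Access enforced.'
} else {
    Write-Output 'Attention needed:'
    $issues | ForEach-Object { Write-Output " - $_" }
}

# Folders you added to Controlled Folder Access (the default user folders are not listed here)
# and the applications you have explicitly allowed to modify protected folders.
Write-Output "Additional protected folders: $($pref.ControlledFolderAccessProtectedFolders -join ', ')"
Write-Output "Allowed applications: $($pref.ControlledFolderAccessAllowedApplications -join ', ')"
```

Run it without -Fix first to see the report; if a legitimate program is blocked after enabling Controlled Folder Access, allow it with Add-MpPreference -ControlledFolderAccessAllowedApplications rather than turning the feature off.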
Backup your important data
- You should keep backups of any important files that you may have.
- Do not store them on the same system as the original files and do not store them on a device connected to your network as ransomware can spread to network-connected systems.
- If your files are being stored on an external hard drive, disconnect it from the system when not in use.
- It is recommended to follow the ‘3-2-1 rule’: have at least three copies of your important data, on two devices, with one of those backups being offsite.
- There is a high chance that your data will not be retrievable if you have not backed it up before an infection.
What to do if you have been infected
- Immediately disconnect your computer from the network by unplugging any network cables, disconnect the Wi-Fi and power off or hibernate the computer.
- Do not restart the computer, as this could encrypt more files.
- Report to the Office of Cyber-Security and Information Assurance (OCSIA) and the Police using our cyber concerns online reporting form found on our website or by calling 686060.
- It is highly recommended that you do not pay the ransom: it encourages and funds the attackers, and there is no guarantee that you will be able to regain access to your files.
- If you are at work, inform the security team of the situation without delay and await further instructions.
- Organisations (large and small) should follow their incident plans so that the attack and its consequences can be effectively managed. If your organisation does not yet have a plan, please read our Incident Response and Recovery guidance for further details.
- If using a home computer, unless you are comfortable with formatting and re-installing your Operating System, contact a qualified IT repair centre or experienced IT technician.
What about "decryptors"?
Some reputable cyber-security firms and researchers have started producing "decryptors" for some of the variants of ransomware in circulation. However, these decryption tools are specific to each version of ransomware, so using the incorrect tool may result in your files being encrypted further.
It is highly recommended that you consult with an experienced IT specialist to determine if, and how, your files can be decrypted.
No More Ransom (https://www.nomoreransom.org) is a website with a collection of official decryptors for various ransomware strains and versions.
This page was last reviewed 17/05/2023