What is ransomware?
Ransomware is a class of malware that denies the victim access to a device or its data, most often by encrypting files or locking the screen, and demands payment to restore access. The ransom is typically demanded in a cryptocurrency such as Bitcoin.
WannaCry, perhaps the best-known single ransomware outbreak, spread by exploiting a vulnerability in Microsoft's SMBv1 implementation (patched by MS17-010 two months before the outbreak and exploited with the leaked EternalBlue exploit), so any unpatched Windows host that exposed SMB to the network, including the internet, could be infected with no user interaction at all.
Ransomware is constantly evolving, with new variants appearing regularly; the Petya family is one example.
[Figure: ransom screen displayed by a Petya-family infection on a victim's machine]
How do I defend against attackers and avoid ransom demands?
Most ransomware attacks (95% by the estimate quoted here) arrive through phishing emails, so scrutiny of email links and attachments matters as much as diligent patching, which closes the network-borne routes that worms such as WannaCry used. Both belong in everyday security practice at home, at work and when mobile.
Steps of defense
Ryan Sommers, manager of threat intelligence and incident response at LogRhythm Labs, recommended the following five steps of defense against ransomware:
1. Preparation: Patch aggressively so vulnerabilities are eliminated and access routes are contained. Protect endpoints with tools that can automatically detect and respond to infections.
2. Detection: Use threat intelligence sources to block or at least alert you to the presence of anomalies in your network traffic. Screen emails for malicious links.
3. Containment: If infected, ensure you have an endpoint protection system that can detect the execution and kill the process. Block and isolate the local host from the network to prevent additional files from being encrypted.
4. Eradication: Replace machines affected by ransomware. You can also clean network locations such as mailboxes or file shares, removing the malicious message. If you choose to clean rather than replace, continue to monitor to prevent the same attack from reemerging.
5. Recovery: Restore from a backup if you have one. Investigate what specific infection vector was used against the system, and how to protect it next time.
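As an added example, not from the article or from LogRhythm, the following Python puts the detection step (2) and the evidence that triggers containment (3) into code: an email link screen against a threat-intelligence blocklist, and a per-host sliding-window detector for the mass re-extension burst and ransom-note drop that an encryptor produces in endpoint file-activity logs. The blocklisted domains, hostnames, paths and log lines are constructed for the example, and the `host=... op=... path=...` log format is an assumed simple form rather than any particular product's.

```python
"""Added example for defense steps 2 and 3: email link screening and a
ransomware encryption-burst detector. Not from the article or LogRhythm;
domains, hosts, paths and log lines are constructed for illustration."""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from urllib.parse import urlparse

# --- Step 2a: screen email bodies for links to blocklisted domains ----------
# Assumed threat-intel feed; these domains are invented for the example.
MALICIOUS_DOMAINS = {"invoice-update.example", "secure-login.example"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def screen_email_links(body, blocklist=MALICIOUS_DOMAINS):
    """Return the URLs in an email body whose host, or any parent domain of it,
    is on the blocklist (so cdn.secure-login.example is caught as well)."""
    flagged = []
    for url in URL_RE.findall(body):
        url = url.rstrip(".,;)")  # trailing punctuation is not part of the link
        host = (urlparse(url).hostname or "").lower()
        parts = host.split(".")
        if any(".".join(parts[i:]) in blocklist for i in range(len(parts) - 1)):
            flagged.append(url)
    return flagged


# --- Step 2b / 3: spot an encryptor from endpoint file-activity logs --------
# Assumed (constructed) log line format: "<iso-timestamp> host=<h> op=<OP> path=<p>"
LOG_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) op=(?P<op>\w+) path=(?P<path>.+)$")
# Heuristic for ransom-note file names such as README_TO_DECRYPT.txt or RECOVER_FILES.hta
RANSOM_NOTE_RE = re.compile(
    r"(decrypt|recover|restore)[_ -]?(files|instructions|my)|(readme|how[_ -]?to).*(decrypt|recover|restore)",
    re.I,
)


@dataclass
class Event:
    ts: datetime
    host: str
    op: str
    path: str


def parse_events(lines):
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:  # skip malformed lines rather than stopping mid-incident
            continue
        events.append(Event(datetime.fromisoformat(m["ts"]), m["host"], m["op"], m["path"]))
    return events


def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def extension(path):
    name = basename(path)
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect_encryption_bursts(events, window=timedelta(seconds=60), min_events=10, min_same_ext_share=0.8):
    """Per host, find the busiest sliding window of CREATE/RENAME/WRITE events.
    Alert when that window converges on one extension (mass re-extension is the
    classic encryptor signature), or when a smaller burst comes with a ransom
    note being dropped. The thresholds are assumptions to tune per estate."""
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        if e.op in ("CREATE", "RENAME", "WRITE"):
            by_host[e.host].append(e)
    alerts = []
    for host, evs in by_host.items():
        best_n, best_ext, best_win = 0, "", []
        start = 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:  # slide the window's left edge
                start += 1
            win = evs[start:end + 1]
            ext, n = Counter(extension(e.path) for e in win).most_common(1)[0]
            if ext and n > best_n:
                best_n, best_ext, best_win = n, ext, win
        notes = [e.path for e in evs if RANSOM_NOTE_RE.search(basename(e.path))]
        mass_reext = best_n >= min_events and best_n / len(best_win) >= min_same_ext_share
        note_burst = bool(notes) and best_n >= min_events // 2
        if mass_reext or note_burst:
            alerts.append({
                "host": host,
                "events": best_n,
                "extension": best_ext,
                "window_start": best_win[0].ts.isoformat(),
                "ransom_notes": notes,
                "reason": "mass re-extension" if mass_reext else "ransom note with rename burst",
            })
    return alerts  # step 3 acts on these: isolate the host, kill the writing process


# Constructed sample: ws-17 is being encrypted; build-03 is a CI job writing one object file a minute.
SAMPLE_LOG = (
    [f"2024-05-01T10:00:{i:02d} host=ws-17 op=RENAME path=C:\\Users\\alice\\Documents\\report{i}.docx.locked" for i in range(12)]
    + ["2024-05-01T10:00:13 host=ws-17 op=CREATE path=C:\\Users\\alice\\Documents\\README_TO_DECRYPT.txt"]
    + [f"2024-05-01T10:{i:02d}:00 host=build-03 op=WRITE path=/srv/ci/out/module{i}.o" for i in range(12)]
)

if __name__ == "__main__":
    print(screen_email_links("Your invoice: https://invoice-update.example/inv.pdf (see https://intranet.corp.example/policy)"))
    for alert in detect_encryption_bursts(parse_events(SAMPLE_LOG)):
        print(alert)
```

Run as-is, the script flags the phishing link but not the intranet one, and raises a single alert for ws-17 (twelve renames to `.locked` within twelve seconds plus a ransom note) while staying silent on build-03, whose steady one-file-a-minute output never fills the 60-second window. The alert is the hand-off to the containment step: it names the host to isolate and the time window in which to look for the process doing the writing. Expect legitimate mass operations (backup rotations, bulk archive jobs) to resemble an encryptor in rate alone, which is why the detector insists on extension convergence or a ransom note, and why the thresholds should be tuned against a baseline of your own file shares before the rule is allowed to trigger automatic isolation.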