How to Deal with Encrypting Virus or Ransomware

One of the most common threats that large organizations face today is an encrypting virus, or ransomware, attack. This type of attack paralyzes corporate systems at least until the organization resolves the issue (decrypting its files and data), either by paying the ransom or by restoring from backups. Let's explore encrypting viruses and ransomware in more detail in this article.

What are Encrypting Viruses?

An encrypting virus is a form of malware that malicious hackers use to encrypt databases, emails, and files so that they become unreadable to their rightful owners. Attackers use this kind of virus for monetary gain: they encrypt important and confidential files and data stored on a victim's systems and then demand that the owners (individuals as well as corporations) pay a ransom. For this reason, it is commonly known as ransomware.

Because encrypting viruses are used mainly for extortion, they are popularly known as ransomware. Ransomware is malicious software that hackers use to stop legitimate users or data owners from accessing their own files and databases. It is usually delivered to target systems and networks through social engineering attacks such as phishing emails. Once the attackers have successfully hijacked the data and files on the systems, they blackmail the data owners and demand a ransom to decrypt the data.

Encryption is the process of converting data or files into a format that is unreadable to anyone who does not hold the cryptographic key that was used to encrypt them; in this context the key is called the encryption key. The owners of the data can recover their files, emails, and databases only by decrypting them. Decryption uses the corresponding key (for symmetric encryption, the same key that was used to encrypt) to turn the files, emails, and databases back into their accessible, readable form.

How Do Encryption Viruses Work?

Malicious hackers introduce encryption viruses or ransomware into target systems (mainly corporate systems) through phishing emails, malicious email attachments, and similar lures. When users open these phishing emails or their attachments, the virus enters the system and installs itself. After installation, the ransomware connects to a command-and-control server managed by the attackers, which generates a cryptographic key and delivers it to the target system.

With that key, the ransomware starts encrypting the files and data on the system. If one system on a network is infected, the ransomware can spread to the other systems and network devices connected to that network. It rewrites databases and files, typically appending a new extension to their names, and leaves them unreadable. The ransomware then displays an extortion message demanding money, which may also threaten to destroy the data if the ransom is not paid. The image below shows a sample threatening message used in a ransomware attack.

[Image: sample ransom message displayed by ransomware]

Phases of Ransomware Attacks

All computing devices, including computers, mobile phones, and tablets, are vulnerable to ransomware attacks. Attackers carry out ransomware attacks in the following stages:

  • Infection: This is the first stage of a ransomware attack, in which the attacker uses social engineering or other delivery techniques (e.g., adware, malicious apps, or phishing emails) to get the malicious software installed on a device. Once the ransomware is installed, it can be triggered remotely by the attacker or when the user performs some specific action on the device.
  • Backup Destruction: Once triggered, the ransomware locates and destroys any backups present on the device. The attacker does this to ensure that the victim has no way to retrieve their important files other than paying the ransom.
  • Device Blocking: In this stage, the attacker makes sure that the user cannot use the device, by encrypting the files, displaying a threatening or warning message, or even changing the user's password.
  • Notification: This is the last stage, in which the attacker demands a ransom from the owner or user. The data owner is told that if they do not pay the requested ransom within a specified time, the attacker will delete the data permanently.
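The behaviour described above (many files rewritten in a short time with a new extension and random-looking contents, and backups destroyed before the ransom note appears) is exactly what a defender can watch for. The following Python script is an added illustration, not code from the original article: it runs a simple burst-and-entropy detector over a constructed list of file events and also watches a decoy "canary" file; the share paths, known extensions, and thresholds are assumptions for the demonstration.

```python
import math
import os
from collections import Counter, deque

# Constructed file-event sample (not from the article): (seconds, action, new_path, sample_bytes).
# Ordinary editing touches one file at a time; the burst at t=60 renames many files to a new
# extension and leaves random-looking contents, which is what encryption looks like on disk.
NORMAL = b"Quarterly report draft. Revenue was flat; see table 2 for details. " * 4
RANDOM = bytes(range(256)) * 2               # stand-in for ciphertext: every byte value equally likely
CANARY = "/srv/share/~aaa_do_not_touch.txt"  # decoy file that legitimate users never modify
KNOWN_EXT = {".docx", ".txt", ".xlsx", ".csv", ".pptx"}  # assumed normal extensions on this share

EVENTS = [
    (0.0,  "write",  "/srv/share/report.docx",         NORMAL),
    (4.0,  "write",  "/srv/share/notes.txt",           NORMAL),
    (60.0, "rename", "/srv/share/report.docx.locked",  RANDOM),
    (60.2, "rename", "/srv/share/notes.txt.locked",    RANDOM),
    (60.4, "rename", "/srv/share/budget.xlsx.locked",  RANDOM),
    (60.6, "rename", "/srv/share/staff.csv.locked",    RANDOM),
    (60.8, "write",  CANARY,                           RANDOM),
    (61.0, "rename", "/srv/share/plan.pptx.locked",    RANDOM),
]

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: English text sits around 4 to 5, compressed or encrypted data near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def detect(events, window=10.0, burst=4, min_entropy=7.5, canary=CANARY):
    """Return (time, rule, path) alerts: any modification of the canary file, and the moment
    `burst` renames to an unknown extension with high-entropy contents occur within `window` s."""
    alerts = []
    recent = deque()                         # timestamps of suspicious renames still in the window
    for ts, action, path, data in events:
        if path == canary:
            alerts.append((ts, "canary-modified", path))
            continue
        suspicious_ext = os.path.splitext(path)[1] not in KNOWN_EXT
        if action == "rename" and suspicious_ext and shannon_entropy(data) >= min_entropy:
            recent.append(ts)
            while ts - recent[0] > window:   # drop renames that fell out of the sliding window
                recent.popleft()
            if len(recent) == burst:         # fire once, when the threshold is first crossed
                alerts.append((ts, "encryption-burst", path))
    return alerts
```

Running `detect(EVENTS)` raises the burst alert on the fourth suspicious rename at t=60.6 and the canary alert at t=60.8, while the two ordinary writes produce nothing.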

Data Recovery Options

Once an organization's files and data have been encrypted by ransomware, it has two options for recovering them:

  • Paying the ransom: The organization can pay the ransom demanded by the hackers and wait for them to provide the decryption key, then use that key to decrypt the affected files and recover its data. Payment does not guarantee that a working key or decryptor will actually be delivered.
  • Recovering from backup: If the organization does not want to pay the ransom, it can recover its databases and files by deleting the infected (encrypted) files and restoring them from a backup. This option requires that a backup of all files and data exists; if the organization has no backup, it cannot use this option and can only recover the affected data by obtaining the key from the hackers after paying the ransom.

Ways to Prevent or Mitigate Encryption Virus Risk

Organizations that have been victims of ransomware, or that want to protect themselves against encrypting virus or ransomware attacks, should ensure the following:

  • Manage your accounts securely: Never use the administrator account for routine work or web browsing. Instead, create a separate account with restricted system privileges for routine work.
  • Exercise caution when opening email attachments: Hackers deliver ransomware mainly through malicious email attachments. Many attachments carry malicious executables that install themselves once downloaded and then encrypt every file on the system. Do not open emails or attachments from unknown or unsolicited senders, since they very likely contain malicious software or links, and make sure the emails you do open come from a legitimate, trusted source.
  • Have a robust cybersecurity program: Organizations must have a strong cybersecurity program in place and train their employees on how to handle such incidents. Employees trained under such a program can avoid many of the bad outcomes that arise when there is no program and no training.
  • Back up files and databases regularly: Organizations should back up all confidential files and databases regularly so that the backup is available when an incident happens. The backup must be kept on a separate system that is not attached to the network. Without a backup, an organization that cannot pay the ransom loses the affected data and damages its reputation; with a recent backup of files and databases to restore from, recovery is comparatively easy and stress-free.
  • Empty your system storage before recovery: Erase all files and data from the affected system's storage to ensure the ransomware is removed completely, and only then restore data. This can be done by formatting the storage or using the factory reset option.
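Because ransomware destroys any backup it can reach (the Backup Destruction stage above), an offline copy is only useful if it is known to be intact, so a backup should carry an integrity record that is checked before anything is restored. The Python below is an added example, not code from the article: it builds a SHA-256 manifest of a backup tree, then verifies a copy against it and reports files that changed, disappeared, or appeared under a new name; the directory layout and file names are constructed for the demonstration.

```python
import hashlib
import json
import os
import tempfile

def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root: str) -> dict:
    """Map each file under root (path relative to root, '/'-separated) to its SHA-256.
    Record this when the backup is written and store it with the offline copy."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root).replace(os.sep, "/")] = sha256_file(full)
    return manifest

def verify_backup(root: str, manifest: dict) -> dict:
    """Compare the copy under root with the manifest: 'changed' files were overwritten
    (encrypted contents hash differently), 'missing' ones were deleted, 'unexpected' ones
    appeared, e.g. originals renamed with a new extension."""
    current = build_manifest(root)
    return {
        "changed": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "unexpected": sorted(p for p in current if p not in manifest),
    }

def demo() -> dict:
    """Constructed scenario: write a small backup, record its manifest, then tamper with the
    copy the way a compromised host would (one file overwritten, one renamed) and verify it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "finance"))
        files = {"finance/budget.csv": b"q1,100\nq2,120\n", "notes.txt": b"meeting notes\n"}
        for rel, data in files.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        saved = json.dumps(build_manifest(root))      # what would travel with the offline copy
        with open(os.path.join(root, "notes.txt"), "wb") as f:
            f.write(b"\x9f\x1c\x00\xee" * 8)              # contents replaced by opaque bytes
        os.rename(os.path.join(root, "finance", "budget.csv"),
                  os.path.join(root, "finance", "budget.csv.locked"))
        return verify_backup(root, json.loads(saved))
```

A backup whose verification reports anything other than three empty lists should not be trusted as a restore source.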

Wrapping Up

Many businesses are vulnerable to ransomware attacks, and many have already become victims, including Accenture. Well-known ransomware families that have made the news recently include WannaCry and LockBit. Preventing ransomware attacks is the first line of defense; however, having a backup is equally important for the situations in which attackers have successfully breached corporate security and launched a ransomware attack. Read more about other cyberattacks, such as sniffing attacks, session hijacking, and SQL injection attacks, to broaden your knowledge.
