How to Protect Your Organization From Ransomware
Ransomware is malware that encrypts files and displays a message to victims that demands payment to unlock the data. The attackers typically demand a ransom paid in cryptocurrency, like Bitcoin, which is nearly impossible to trace and makes cybercriminals anonymous.
Ransomware attacks typically start when an unsuspecting employee clicks on a malicious URL or attachment in a spam email. This downloads and executes a ransomware agent, which infects the victim’s computer and any attached file shares. The ransomware then encrypts the master boot record (MBR) and other critical files, including Microsoft Exchange mailboxes. It also scans the network for other targets and tries to spread by moving laterally to systems it is not authorized to access.
Fortunately, there are several ways to defend against ransomware. Best practices include separating duties and granting only least privilege, restricting data access as high up the directory hierarchy as possible so that a compromised account reaches as little data as it can, and routinely auditing permissions and roles. Other defenses include network management technology that can automatically quarantine endpoints that display atypical behavior, block connections to command-and-control (C&C) servers, and lock down network segments to prevent lateral movement.
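As an added illustration of "quarantine endpoints that display atypical behavior" (example code written for this page, not from the original article), the script below runs a simple mass-rename detector over constructed file-activity telemetry: a burst of renames from one process within a short window is the file-system signature of encryption in place. The event format, host and process names, window and threshold are all assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import NamedTuple

class Event(NamedTuple):
    ts: datetime
    host: str
    process: str
    action: str
    path: str

def parse_events(lines):
    """Parse constructed 'timestamp host process action path' lines (assumed format)."""
    events = []
    for line in lines:
        ts, host, proc, action, path = line.split(maxsplit=4)
        events.append(Event(datetime.fromisoformat(ts), host, proc, action, path))
    return sorted(events, key=lambda e: e.ts)

def detect_mass_rename(events, window=timedelta(seconds=60), threshold=20):
    """Return the (host, process) pairs that rename >= threshold files inside one window.
    A sliding deque of rename timestamps is kept per process, so a backup tool that
    renames a few files per minute is not flagged while an encryption burst is."""
    recent = defaultdict(deque)
    flagged = set()
    for ev in events:
        if ev.action != "rename":
            continue
        key = (ev.host, ev.process)
        q = recent[key]
        q.append(ev.ts)
        while q and ev.ts - q[0] > window:   # drop renames older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged.add(key)
    return flagged

def constructed_sample():
    """Constructed telemetry (not real logs): a backup tool renaming a few files slowly,
    a normal document write, and an unknown binary renaming 25 files in 25 seconds."""
    base = datetime(2024, 5, 1, 9, 0, 0)
    lines = [f"{(base + timedelta(seconds=i * 20)).isoformat()} ws-17 backup.exe rename D:\\bak\\f{i}.tmp"
             for i in range(5)]
    lines += [f"{(base + timedelta(seconds=i)).isoformat()} ws-17 unknown.exe rename C:\\Users\\a\\doc{i}.docx.locked"
              for i in range(25)]
    lines.append(f"{base.isoformat()} ws-17 winword.exe write C:\\Users\\a\\notes.docx")
    return lines

if __name__ == "__main__":
    for host, proc in sorted(detect_mass_rename(parse_events(constructed_sample()))):
        print(f"quarantine candidate: host={host} process={proc}")  # → ws-17 unknown.exe
```

The flagged (host, process) pair is what an automated response would hand to the quarantine step; tune the window and threshold against your own baseline so that legitimate bulk operations stay below it.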
If the organization pays the ransom, attackers might release a decryption key, but the attackers aren’t in the file recovery business. They’re in the moneymaking business, and paying a ransom merely sends a signal to other cybercriminals that the organization is easy prey.
It’s important to report a ransomware attack to law enforcement as soon as it happens. This can help to bring criminals to justice, and may also make it easier to recover lost or encrypted data from the perpetrators. In addition, working closely with international law enforcement can facilitate access to tools and resources that most organizations can’t afford to purchase or build themselves.