NAVIGATING A RANSOMWARE ATTACK
Last week, the ransomware infection “WannaCry” invaded hospitals, universities, and many other institutions and organizations here in the United States and abroad. Ransomware is a unique form of malware. Once it invades a network, it can prevent users from opening their files because the files have been encrypted. The files are held hostage, and the users must pay a fee to be provided the decryption key.
There is a good chance that ransomware could affect you at some point during your career. So, if you find yourself in the middle of this difficult situation, take a deep breath and know that there are steps you can take to minimize the damage. Here are some questions to ask to help you through this process:
1. Where did the ransomware start?
Which user opened the infected email or file? The person who brought the problem to your attention may not be the person who opened the infection. You may need to examine the properties of one of the infected files to determine the file owner. Ask questions of your staff and partners.
Ask users to retrace their steps. Did they:
• Open any new documents?
• Click on any attachments or links in an email?
• Visit any websites they don’t normally visit?
2. How far has the ransomware spread?
Once a user has opened the infection, usually through an email or attached file, that person’s computer is infected. But the ransomware can spread beyond that machine throughout the network, so the first step is to determine how many machines are affected, then isolate those machines and disconnect them from the network to prevent further spread. Most ransomware strains change the names of the files they encrypt, for example by appending an extension such as .Dharma or .CrySis. Looking for these extensions can help you determine how far the infection has spread.
3. How can I determine the type of ransomware with which I’ve been infected?
Determining the type of ransomware with which you’ve been infected is a key step because it may help you decide whether to pay for the decryption key. Not all ransomware attacks are effective, and not all of them actually encrypt the data. Other ransomware types can be decrypted without paying for a key, and still others are notorious for not delivering working decryption keys. These examples illustrate why you would not want to pay the ransom. But there are other, more sophisticated ransomware tools that will make your decision more difficult.
It is always important to fully understand what you are working with before deciding what to do. As of Wednesday, May 15, only $55,000 in bitcoins had been paid for the massive ransomware attack, “WannaCry.” While this is a lot of money, it is not as significant given the number of “WannaCry” ransomware infections across the globe. But this amount is expected to grow, although no one knows by how much.
WannaCry is different from other ransomware attacks. Where the ransomware attack “Locky” required user interaction in the form of opening a link, “WannaCry” spread automatically if the user had not installed the latest Microsoft update. And once it was inside a network, it spread like wildfire.
For those of you who have not updated your computers, Microsoft offers guidance for protecting your computer here:
The information provided by the ransomware, in the URL and on the ransom screen, can give you some insight into the type that has infected your computer. If you can’t identify the type of ransomware from the URL or ransom screen, then try the .exe file name. Remember, ransomware comes in the form of an .exe file. Try typing that .exe file name into your browser to see what comes up. If nothing comes up, try Google. Search for the ransom screen message, the file extension that has been appended to all of your files, and even for some of the random things that are happening to your office computers. There are probably others out there who have had similar experiences and might be able to offer you some advice.
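Questions 1 through 3 above (who opened it first, how far it has spread, and which strain renamed the files) can all be answered in part by walking a file share and collecting the same three pieces of evidence: which files carry a ransomware extension, which folders they sit in, and which encrypted file has the earliest timestamp. The script below is an added example written for this article, not a tool from the original post. The .Dharma and .CrySis extensions come from the text; the other extensions, the ransom-note file name hints, and the sample share it builds in a temporary directory are constructed placeholders you would replace with what you actually see on your own systems.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

# Extensions that encrypted files may carry. .dharma and .crysis are the two
# named in the article; the rest are constructed placeholders for this example.
SUSPECT_EXTENSIONS = {".dharma", ".crysis", ".locky", ".wncry"}
# Words that often appear in ransom-note file names (constructed, not exhaustive).
RANSOM_NOTE_HINTS = ("readme", "decrypt", "how_to", "restore")
NOTE_TYPES = {".txt", ".html", ".hta"}


def triage_tree(root):
    """Walk a directory tree and summarise the evidence of ransomware activity.

    Returns a dict with the encrypted files found, a count per extension (which
    strain), a count per top-level folder (how far it spread), the earliest
    encrypted file (a starting point for "where did it start?") and any files
    that look like ransom notes (the text to search for online).
    """
    root = Path(root)
    encrypted, notes = [], []
    by_ext, by_dir = Counter(), Counter()
    for dirpath, _subdirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            ext = path.suffix.lower()
            if ext in SUSPECT_EXTENSIONS:
                encrypted.append(path)
                by_ext[ext] += 1
                rel_parent = path.relative_to(root).parent
                by_dir[rel_parent.parts[0] if rel_parent.parts else "."] += 1
            elif ext in NOTE_TYPES and any(h in name.lower() for h in RANSOM_NOTE_HINTS):
                notes.append(path)
    # Earliest modification time among encrypted files; None if nothing was found.
    earliest = min(((p.stat().st_mtime, p) for p in encrypted), default=None)
    return {
        "encrypted": encrypted,
        "by_extension": by_ext,
        "by_directory": by_dir,
        "earliest": earliest,
        "ransom_notes": notes,
    }


def build_sample_tree():
    """Constructed sample share: two departments hit, one untouched, one ransom note.

    Modification times are set explicitly so the earliest encrypted file is known.
    """
    root = Path(tempfile.mkdtemp(prefix="ransom-triage-"))
    sample = {
        "finance/budget.xlsx.dharma": 1_000_000,
        "finance/notes.docx.dharma": 1_000_100,
        "legal/brief.docx.crysis": 1_000_200,
        "hr/policy.pdf": 1_000_300,
        "hr/README_DECRYPT.txt": 1_000_400,
    }
    for rel, mtime in sample.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"constructed sample content")
        os.utime(p, (mtime, mtime))
    return root


def print_report(result):
    """Human-readable summary of a triage_tree() result."""
    print(f"encrypted files : {len(result['encrypted'])}")
    print(f"by extension    : {dict(result['by_extension'])}")
    print(f"by folder       : {dict(result['by_directory'])}")
    if result["earliest"]:
        print(f"earliest file   : {result['earliest'][1]} (mtime {result['earliest'][0]:.0f})")
    print(f"ransom notes    : {[str(p) for p in result['ransom_notes']]}")


if __name__ == "__main__":
    print_report(triage_tree(build_sample_tree()))
```

On a real share you would point `triage_tree` at the mapped drive or UNC path, then check the owner of the earliest encrypted file (the article’s step 1) and use the folder counts to decide which machines to disconnect first. Treat the timestamps as a lead rather than proof, since some strains reset them.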
4. Can I get my files back?
Your files are encrypted, and unless you have the decryption key you are not going to be able to access them. As discussed earlier, there are flawed ransomware infections that computer experts have been able to decrypt without a key. However, most of the time it will take a decryption key. The best option available to you is to have a back-up of your file system, whether on disc, off-site, in the cloud, or wherever you choose to keep your files. Best practice suggests that you have two back-up locations for your files and data so you are able to keep working should your on-site data be attacked. Another question to consider, if you do not have a back-up for your files, is: do I pay the ransom? It really depends on your particular situation. The authorities will discourage you from paying the ransom because you will be making yourself a target for future attacks. But if your data is irreplaceable, then you may have no choice. You will need to consider all of the options and consequences.
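A back-up only helps if the copy you restore from is still the good one, and a back-up that syncs continuously from an infected machine can quietly overwrite good files with encrypted ones. The example below, added for this article and not taken from the original post, shows one way to check: record a SHA-256 manifest of the files while they are known to be good, keep it with the off-site copy, and compare each back-up location against it before restoring. The sample “live share”, “good backup” and “synced-after-infection backup” it builds are constructed in temporary directories for the example.

```python
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root):
    """Map each file under root (relative path) to its SHA-256 while the data is known good."""
    root = Path(root)
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = hashlib.sha256(p.read_bytes()).hexdigest()
    return manifest


def verify_backup(manifest, backup_root):
    """Compare a back-up copy against the manifest.

    'changed' files are the warning sign: their content no longer matches what
    was backed up when the data was good, which is what an encrypted file looks
    like after a sync. 'missing' files were deleted or renamed (for example,
    given a ransomware extension).
    """
    backup_root = Path(backup_root)
    result = {"ok": [], "missing": [], "changed": []}
    for rel, digest in manifest.items():
        p = backup_root / rel
        if not p.is_file():
            result["missing"].append(rel)
        elif hashlib.sha256(p.read_bytes()).hexdigest() != digest:
            result["changed"].append(rel)
        else:
            result["ok"].append(rel)
    return result


def build_sample_copies():
    """Constructed sample: live share, an offline copy made before the attack,
    and a second copy that kept syncing after the encryption started."""
    live = Path(tempfile.mkdtemp(prefix="live-"))
    good = Path(tempfile.mkdtemp(prefix="backup-offline-"))
    synced = Path(tempfile.mkdtemp(prefix="backup-synced-"))
    files = {"clients/contract.docx": b"original contract text",
             "clients/invoice.xlsx": b"original invoice data"}
    for root in (live, good):
        for rel, content in files.items():
            p = root / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(content)
    # The synced copy picked up the damage: one file overwritten with junk
    # standing in for ciphertext, the other renamed with a ransomware extension.
    (synced / "clients").mkdir(parents=True)
    (synced / "clients/contract.docx").write_bytes(b"\x00\x17\x9a junk standing in for ciphertext")
    (synced / "clients/invoice.xlsx.dharma").write_bytes(b"\x42\x42 junk standing in for ciphertext")
    return live, good, synced


if __name__ == "__main__":
    live, good, synced = build_sample_copies()
    manifest = build_manifest(live)
    print("offline copy :", verify_backup(manifest, good))
    print("synced copy  :", verify_backup(manifest, synced))
```

The manifest itself must live with the offline copy, not on the share it describes; otherwise the attack that encrypts the files can encrypt the manifest too. Running the check against both back-up locations the article recommends is what tells you which one is safe to restore from.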
5. How do I make sure my computers are safe again?
I suggest wiping the hard drive and restoring it to the factory settings. You would then add your data from your back-up. If you don’t have a back-up then you will need to use the process below so that you can keep the data on the computer.
Step 1: Enter Safe Mode. Before you do anything, disconnect your PC from the internet, and don’t use it until you’re ready to clean it.
Step 2: Delete temporary files.
Step 3: Download malware scanners.
Step 4: Run a scan with Malwarebytes.
6. How to keep your data safe in the future:
• Run all system updates on your Windows machine immediately.
• Update your virus protection software.
• Run a backup to ensure you have a protected copy of your files.
• Avoid web pages that aren’t regularly updated, or that you don’t already trust.
• Don’t click links to documents or web pages from someone if you are not expecting them.
• Don’t open files in Facebook Messenger, or other apps where videos automatically play unless you were expecting them.
• If you have questions about a file, call the sender before you open it.
The chances are that we will all have to deal with ransomware at some point. I hope this information helps you think through the situation and come to a helpful resolution.
If you would like more information about malware, ransomware, or computer security, please contact Sara Rust-Martin, KBA Law Practice Management Attorney, at 785-234-5696, or by email at firstname.lastname@example.org.
The contents of this blog are informational only and should not be construed as providing legal advice.