Ransomware – What is it, how to protect yourself, and what to do when an attack is already underway?
There is a saying: money rules the world. It turns out that this applies to the digital world as well. The most common reason hackers utilize an ever-growing variety of malware is expected profit. How does ransomware work? Is it possible to secure yourself against it? Check out the tips from our experts.
What is a ransomware attack?
Ransomware is malicious software that encrypts data on the victim’s system. The attack itself involves using this encryption to subsequently demand a ransom in exchange for restoring access to valuable data.
Currently, ransomware is a leader in the field of cyberattacks. It often utilizes cryptographic algorithms to encrypt files and system data, making it exceptionally effective.
High-profile examples of attacks from recent weeks
The University of Zielona Góra fell victim to a ransomware attack carried out by the Akira group, which caused the shutdown of University websites such as email and the “student” portal, the electronic key issuance system, and systems of cooperating institutions and sports clubs. Student data was also encrypted. Log analysis provided no evidence of data transfer/download from the attacked servers.
Another recent victim of ransomware was the video game developer Insomniac Games. Hackers demanded $2 million, which the company did not pay. As a result, employee data and pre-release information about games currently in development were leaked.
How to recover data after a ransomware attack?
If you have become a victim and your data has been encrypted, here is what you can do:
- Recover data by restoring a backup, assuming you have one. If you don’t – create one as soon as possible; it is a best practice that is often appreciated only after an incident occurs.
- Pay the ransom. Payments are usually made in Bitcoin because users can maintain anonymity. However, remember that there is never a guarantee that the other party will fulfill the terms and actually decrypt your resources – or they might simply demand further payments… it is pure blackmail.
Therefore, it is better to take preventive measures and ensure that our data remains secure for as long as possible.
How to protect yourself against ransomware?
Above all, follow these best practices to reduce the risk of an attack:
- Perform backups – this will allow you to restore encrypted data. It is worth noting that automatic backups do not guarantee security, as the backup itself can also be encrypted.
- Update your software – if patches are not applied, the unpatched flaws can serve as a gateway for cybercriminals. It is also vital to stay current regarding zero-day attacks. An attack of this kind exploits software flaws that are unknown to the manufacturer, or only recently discovered, for which a corresponding update has not yet been provided. In such situations, you can apply temporary safeguards while you wait for a software patch.
- Log everything in system logs and monitor network traffic – a Security Operations Center (SOC) can be helpful here, as its task is to monitor network traffic around the clock (24/7/365) using SIEM technology. SIEM is a technology used in enterprises to provide real-time reporting and long-term analysis of security events. It greatly facilitates log analysis, allowing us to react quickly to an attack and estimate the losses it caused.
Security rules that catch unusual network traffic are helpful in analysis. Incidents are created based on these rules, enabling us to detect an attack in its early phase.
SOC operators are able to limit the virus’s progress directly from the SIEM level by:
- blocking infected domain accounts or computers,
- killing the process in which the virus is hidden,
- blocking ports or IP addresses through which the attacker penetrated the organization.
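An added example, not part of the original article: a minimal version of the kind of rule described above, which opens an incident when one host contacts many distinct internal peers on TCP/445 (SMB) within a short window. The choice of SMB fan-out as the "unusual traffic", the log format, the 60-second window, the threshold and the sample flow records are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)  # assumed correlation window
MAX_PEERS = 5                   # assumed threshold of distinct SMB peers per window

# Constructed flow records: "timestamp src_ip dst_ip dst_port"
SAMPLE_FLOWS = [
    "2024-01-10T09:00:00 10.0.0.30 10.0.0.5 445",
    "2024-01-10T09:00:02 10.0.0.21 10.0.0.101 445",
    "2024-01-10T09:00:05 10.0.0.21 10.0.0.102 445",
    "2024-01-10T09:00:07 10.0.0.21 10.0.0.103 445",
    "2024-01-10T09:00:08 10.0.0.30 10.0.0.6 445",
    "2024-01-10T09:00:09 10.0.0.21 10.0.0.104 445",
    "2024-01-10T09:00:11 10.0.0.21 203.0.113.10 443",
    "2024-01-10T09:00:12 10.0.0.21 10.0.0.105 445",
    "2024-01-10T09:00:15 10.0.0.21 10.0.0.106 445",
]
# Constructed benign case: six peers, but five minutes apart (never in one window)
SAMPLE_FLOWS += [f"2024-01-10T09:{5 * i:02d}:30 10.0.0.40 10.0.0.{110 + i} 445"
                 for i in range(6)]

def parse(line):
    ts, src, dst, port = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port)

def detect_smb_fanout(lines, window=WINDOW, max_peers=MAX_PEERS):
    """Return one incident per source that contacts more than max_peers
    distinct hosts on TCP/445 within the sliding window."""
    recent = defaultdict(deque)  # src -> (timestamp, dst) pairs still in window
    incidents = {}
    for ts, src, dst, port in sorted(parse(l) for l in lines if l.strip()):
        if port != 445 or src in incidents:
            continue
        q = recent[src]
        q.append((ts, dst))
        while ts - q[0][0] > window:  # drop connections older than the window
            q.popleft()
        peers = sorted({d for _, d in q})
        if len(peers) > max_peers:
            incidents[src] = {"host": src, "window_start": q[0][0].isoformat(),
                              "detected": ts.isoformat(), "peers": peers}
    return list(incidents.values())

if __name__ == "__main__":
    for incident in detect_smb_fanout(SAMPLE_FLOWS):
        print("INCIDENT:", incident)
```

The `host` field of each incident is the machine an operator would then block or isolate, and `peers` lists the systems to check next.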
What to do after detecting a ransomware attack?
Once ransomware is detected, you should:
- isolate infected systems by disconnecting them from the network; if this is not possible, it may be necessary to disconnect the internet for the entire company infrastructure;
- switch the systems to sleep or hibernation mode instead of turning them off, so that the collected data can be analyzed later;
- reset user passwords.
If we detect malware quickly and follow the steps above, we may be able to block the attacker before encryption begins or interrupt the encryption of further data.
Protection against ransomware is a process that requires continuous monitoring, analysis, and the refinement of defense strategies. Implementing the best security measures and practices, along with threat awareness, are key elements of an effective defense against ransomware attacks.

