Published with Permission by:
Lint, James R. & Kim, Dr. Yoohwan, “Handling a Ransomware Attack When It Happens”, In Cyber Defense, 05 Apr. 2017, Web, http://incyberdefense.com/james-lint/handling-ransomware-attack-happens/
Co-authored by Yoohwan Kim, Ph.D., CISSP, CISA, CEH, CPT, Associate Professor, Computer Science Department, University of Nevada Las Vegas
This is the fifth article in a series on ransomware.
When you have a ransomware attack on your computer system, your first reaction will be: Can the attack be stopped? Although you want to scream, “Do something!”, shouting only helps if your business has an IT team that has kept up with the ever-changing developments in the ransomware industry and can properly manage the attack. In some businesses, this type of data loss also destroys their intellectual property and reputation.
You can also ask your employees if they made backup copies of your business data. If they did, then you have an advantage against the attacker. A backup system is also useful in recovering data, even though you might not initially want the extra cost.
If you do not have the luxury of your own IT team and there are no backups of your data, then you have a decision to make: Pay the ransom or lose your files permanently.
After an attack is initiated, it takes some time for the ransomware to encrypt all of your files. By the time the ransom notice pops up on your computer or in your system, it is too late to thwart the attack.
Still, all may not be lost, especially if you do not wait to be attacked.
Mitigating Damage from a Ransomware Attack
There are several actions you can take to handle a ransomware attack. These steps will help you to detect when ransomware first infects your computer and to minimize the damage ransomware causes.
- Call in a ransomware expert to find a list of previously known ransomware programs and the types of telltale files associated with those ransomware programs. The expert can search for these files in your computer and eliminate them. This technique may work for older, more established ransomware programs. However, note that this search is only good until one of your employees clicks on a link in a ransomware email later.
- Have the expert scan your system for other telltale ransomware files that don’t normally belong in your computer system. For example, a file named “ransom.exe” would be a suspicious candidate.
- Keep large junk files, such as a large, picture-loaded PowerPoint, in the C:\ directory and open it often to see if the images are still present. With some ransomware programs, the images will be gone once the PowerPoint has been encrypted, so you can detect more quickly that your computer is under attack.
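The canary-file check above, as an added example (not code from the article): a Python script that writes a recognisable decoy file that sorts early in a directory, records its SHA-256, and later reports whether the file is intact, modified, renamed or missing. The file name, size and header value are assumptions.

```python
# Added example (not code from the article): a canary-file check in the spirit of the
# picture-filled PowerPoint the authors keep in C:\. Name, size and header are assumed.
import hashlib
from pathlib import Path

CANARY_NAME = "00_canary.pptx"            # sorts early, so alphabetical encryption hits it first
CANARY_MAGIC = b"CANARY-DO-NOT-DELETE\n"  # fixed header that an encrypted copy will not keep

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def create_canary(directory, size_mb=1):
    """Write a large, recognisable canary file and return its SHA-256 for later checks."""
    path = Path(directory) / CANARY_NAME
    block = CANARY_MAGIC * ((1 << 20) // len(CANARY_MAGIC))
    with open(path, "wb") as fh:
        for _ in range(size_mb):
            fh.write(block)
    return sha256_of(path)

def check_canary(directory, expected_hash):
    """Return 'ok', 'modified', 'renamed' or 'missing'. Anything but 'ok' is an alert."""
    d = Path(directory)
    path = d / CANARY_NAME
    if not path.exists():
        # Some ransomware appends its own extension to each victim file, so look for the stem.
        return "renamed" if any(p.name.startswith(CANARY_NAME) for p in d.iterdir()) else "missing"
    with open(path, "rb") as fh:
        if fh.read(len(CANARY_MAGIC)) != CANARY_MAGIC:
            return "modified"                # cheap header test before the full hash
    return "ok" if sha256_of(path) == expected_hash else "modified"

def demo():
    """Constructed run in a temp dir; returns the status after each simulated event."""
    import tempfile
    d = Path(tempfile.mkdtemp())
    expected = create_canary(d)
    statuses = [check_canary(d, expected)]
    (d / CANARY_NAME).write_bytes(b"\x00" * 4096)             # stand-in for encryption
    statuses.append(check_canary(d, expected))
    (d / CANARY_NAME).rename(d / (CANARY_NAME + ".locked"))   # stand-in for renaming
    statuses.append(check_canary(d, expected))
    (d / (CANARY_NAME + ".locked")).unlink()
    statuses.append(check_canary(d, expected))
    return statuses
```

Run `check_canary` from a scheduled task every few minutes and treat any status other than `ok` as the signal to disconnect the machine from shared storage.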
Delay and Recovery Tactics
- If you accidentally clicked on a link that downloaded ransomware to your computer and it appears your machine is starting the encryption process for ransomware, try to change the file extensions of your computer files so that they won’t attract the ransomware. For example, a .pdf file extension could be changed to .myp to hide the file from a ransomware search and encryption. Some system owners can also write an emergency script, but this type of script needs to be prepared in advance.
- You can also try using a ransomware recovery tool. However, the tool may or may not be effective depending on the age of the ransomware program that infects your computer.
- Try to delay the attack, which can take up to 12 hours to fully encrypt and lock up a large computer system. Ransomware scans files from your C:\ drive, and it encrypts files in alphanumeric order. Large junk files in your C:\ directory will help slow down the attack on good, useful files and give you more time to cope with the situation.
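An emergency extension-renaming script of the kind the authors say must be prepared in advance, as an added example and not the article's own code. The `.myp` suffix follows the article's example; the list of extensions to hide and the sample file names are assumptions. It goes beyond the single `.pdf` case by handling a whole directory tree and being reversible without a manifest.

```python
# Added example (not the article's code): a prepared "emergency script" that renames
# document extensions to one an extension-matching ransomware search would skip.
from pathlib import Path

HIDDEN_EXT = ".myp"                       # assumed, following the article's .pdf -> .myp example
TARGET_EXTS = {".pdf", ".docx", ".xlsx", ".pptx", ".jpg"}   # assumed list of extensions to hide

def hide_extensions(root):
    """report.pdf -> report.pdf.myp for every targeted file under root (recursive).
    The original extension is kept inside the name, so undoing the change needs no
    manifest file, which could itself be encrypted. Returns the new relative paths."""
    root = Path(root)
    renamed = []
    for path in list(root.rglob("*")):        # list() first: do not rename while walking
        if path.is_file() and path.suffix.lower() in TARGET_EXTS:
            new = path.with_name(path.name + HIDDEN_EXT)
            path.rename(new)
            renamed.append(new.relative_to(root).as_posix())
    return sorted(renamed)

def restore_extensions(root):
    """Strip the .myp suffix again once the machine is known to be clean."""
    root = Path(root)
    restored = []
    for path in list(root.rglob("*" + HIDDEN_EXT)):
        if path.is_file():
            orig = path.with_name(path.name[:-len(HIDDEN_EXT)])
            path.rename(orig)
            restored.append(orig.relative_to(root).as_posix())
    return sorted(restored)

def demo():
    """Constructed files in a temp dir; returns (hidden, restored) relative paths."""
    import tempfile
    root = Path(tempfile.mkdtemp())
    (root / "sub").mkdir()
    for name in ("report.pdf", "sub/budget.xlsx", "notes.txt"):
        (root / name).write_text("constructed sample content")
    return hide_extensions(root), restore_extensions(root)
```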
It is important to remain calm, even though it is not easy to stay calm during an attack. When an attack happens, you may not be able to shut down your computer through the Ctrl-Alt-Delete keys or by accessing the control panel, so it is easy to become frustrated.
Also, remember that it is important to keep up with ransomware’s evolution. Ransomware code writers are smart people who change their ransomware programs to negate techniques to slow them down.
Other Ways to Prevent and Recover from Ransomware Attacks
The simplest prevention method is to back up your files before you have any problems. If your backups are done correctly, you can return to normal operations with 95% or more of your files. The best technique is to back up multiple versions of your files over time, so you can recover files not affected by malware or ransomware.
External hard drives are also vulnerable to ransomware attack. So if you have an external hard drive, only connect it to your computer when you’re backing up your files. By keeping your external hard drive disconnected from your computer whenever possible, you prevent the ransomware from jumping into your hard drive.
If you have multiple drives with multiple versions of your files, then you may be able to go to another backup system to restore your files. Ideally, your backup system should be off-site in case of fire, which could destroy your computer and backup files.
DVD-ROMs can also be used for backing up your files. Although DVD backups require more disks due to larger hard drives, they do offer reliable storage that can’t be affected by ransomware because users normally take a DVD out of the computer after use. Additionally, DVDs are easy to move to another site for storage. Some businesses and professionals such as attorneys even keep them in a bank safe deposit box.
Network automated storage is another backup plan that must be set up by an IT professional. However, it is a business cost that must be maintained.
Cloud storage services are an option, depending on the storage service’s version capability. If a cloud provider only offers the ability to store one version of your files, there is a possibility that the ransomware will jump into the files on your cloud’s server.
Larger cloud storage companies, such as Google Drive, Dropbox, Amazon, Backblaze and CrashPlan, keep multiple versions of your files. The file history is usually available as well.
One exception is Microsoft OneDrive, which does not currently allow you to have a file history and is therefore not good for countering ransomware. (Note: OneDrive for Business does have a file history system for recovering older versions of files.)
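The "multiple versions over time" advice above, as an added example (not code from the article or any of the named services): a minimal numbered-snapshot backup store in Python, with a constructed scenario in which a later snapshot has already captured an encrypted file and the clean copy is rolled back from the earlier one. Directory layout and file names are assumptions.

```python
# Added example (not from the article): a minimal versioned backup store in which every
# run writes a new numbered snapshot, so an older, unencrypted copy of a file survives
# even after a later snapshot has captured the ransomware's output.
import hashlib
import shutil
from pathlib import Path

def snapshot(src, store):
    """Copy the whole tree under src into store/<n>, n being one higher than the newest
    snapshot. Returns n. A single-version mirror would instead overwrite the only copy,
    which is the weakness the article warns about with one-version cloud storage."""
    store = Path(store)
    store.mkdir(parents=True, exist_ok=True)
    nums = [int(p.name) for p in store.iterdir() if p.name.isdigit()]
    n = max(nums, default=0) + 1
    shutil.copytree(src, store / str(n))
    return n

def history(store, rel_path):
    """[(snapshot_number, sha256)] for each snapshot holding rel_path, oldest first."""
    out = []
    for snap in sorted(Path(store).iterdir(), key=lambda p: int(p.name)):
        f = snap / rel_path
        if f.is_file():
            out.append((int(snap.name), hashlib.sha256(f.read_bytes()).hexdigest()))
    return out

def restore(store, rel_path, n, target):
    """Copy rel_path from snapshot n over the live copy and return the restored bytes."""
    dest = Path(target) / rel_path
    dest.parent.mkdir(parents=True, exist_ok=True)
    shutil.copy2(Path(store) / str(n) / rel_path, dest)
    return dest.read_bytes()

def demo():
    """Constructed scenario in a temp dir: clean snapshot, simulated encryption, second
    snapshot, then roll back. Returns (snapshot_count, restored == original)."""
    import os, tempfile
    base = Path(tempfile.mkdtemp())
    live, store = base / "live", base / "backups"
    live.mkdir()
    original = b"quarterly figures, constructed sample"
    (live / "q1.xlsx").write_bytes(original)
    snapshot(live, store)                           # snapshot 1: clean
    (live / "q1.xlsx").write_bytes(os.urandom(64))  # stand-in for an encrypted file
    snapshot(live, store)                           # snapshot 2: captures the damage
    hist = history(store, "q1.xlsx")
    restored = restore(store, "q1.xlsx", hist[0][0], live)
    return len(hist), restored == original
```

The two hashes returned by `history` differ, which is the versioning signal a backup service needs in order to let you pick the copy from before the incident.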
Prevent Ransomware from Ruining Your Day
When ransomware attacks your computer or your system, it’s going to be a bad day. How bad that day is depends on how well you’ve backed up your files beforehand and whether or not those files are securely stored off-site.
Backing up your files is good insurance against ransomware and also helpful if your office is affected by fire or flooding. While it costs money, time and effort to back up your files and maintain your security, the extra security leaves you with greater peace of mind.
About the Authors
James R. Lint recently retired as the (GG-15) civilian director for intelligence and security, G2, U.S. Army Communications Electronics Command. He is an adjunct professor at AMU. James has been involved in cyberespionage events from just after the turn of the century in Korea supporting 1st Signal Brigade to the DHS Office of Intelligence and Analysis as the first government cyber intelligence analyst. He has 38 years of experience in military intelligence with the U.S. Marine Corps, U.S. Army, government contracting and civil service.
Additionally, James started the Lint Center for National Security Studies, a nonprofit charity that recently awarded its 45th scholarship for national security students and professionals. James was also elected as the 2015 national vice president for the Military Intelligence Corps Association. He has also served in the Department of Energy’s S&S Security Office after his active military career of seven years in the Marine Corps and 14 years in the Army. His military assignments include South Korea, Germany and Cuba, in addition to numerous CONUS locations. James has authored a book published in 2013, “Leadership and Management Lessons Learned,” a book published in 2016, “8 Eyes on Korea, A Travel Perspective of Seoul, Korea,” and a new book in 2017, “Secrets to Getting a Federal Government Job.”
Dr. Yoohwan Kim is an Associate Professor in the Department of Computer Science at the University of Nevada Las Vegas (UNLV). He received his Ph.D. degree from Case Western Reserve University in 2003 in the area of network security (DDoS attack mitigation). His research expertise includes secure network protocols, unmanned aircraft systems (UAS) communications and cyber-physical system (CPS) security. He has published over 90 papers in peer-reviewed journals and conferences, and has six patents granted or pending. His research has been sponsored by Microsoft Research, the U.S. Air Force, Naval Air Warfare Center, Oak Ridge National Laboratory, National Security Technologies and the National Science Foundation. Before joining UNLV, he had broad experience in the IT industry as a management information system consultant at Andersen Consulting (now Accenture), a database programmer at Cleveland Clinic Foundation, a software engineer at Lucent Technologies and his own start-up company.