A strain of ransomware has apparently gone beyond the empty threats of locking down a user's machine to actually...
By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.
encrypting data on an infected machine. If infected, can users simply remove the ransomware to restore access to encrypted data? How can enterprises ensure such ransomware doesn't gain access to valuable data?
Ask the Expert!
SearchSecurity expert Nick Lewis is standing by to answer your questions about enterprise security threats. Submit your question via email. (All questions are anonymous.)
Attackers use encrypting ransomware malware to blackmail victims. They know the data on a target system is typically more important than the system itself, so instead of infecting a system, so to speak, they infect the data.
The methodology is fairly simple. Once the malware lands on a target system, it encrypts selected data (based on file types, location or other attributes defined by the attacker) and denies access until the ransom has been paid. Once the ransom is paid, the attacker executes a command and the data is decrypted.
Unfortunately, options for getting rid of ransomware are limited. Removing the malware or reinstalling the operating system will not recover the data. This might clean the system and destroy the malware, but it could also make it more difficult (often impossible) to recover the data, particularly if the local encryption keys are deleted. Even if you pay a ransomware attacker to provide their encryption keys, no longer having the corresponding keys will do no good. Strong encryption hasn't always been used by ransomware, so antimalware researchers have been able to break ransomware encryption to recover data in some instances. However, enterprises should not rely on breaking encryption to recover data; there's no way to guarantee a successful outcome in advance. Ultimately, stopping ransomware malware from accessing the target data in the first place could stop the encryption process, but this means putting tighter data access restrictions in place, and hence makes it more difficult for users to access important data. In many businesses, that's often a non-starter.
Enterprises can protect themselves from this type of malware by using strong antimalware defenses discussed in previous questions, and by making sure they have good backups of data. By regularly backing up data, enterprises make many parts of incident response from this and other types of malware much easier. If the data can be easily recovered from backup, the system can be rebuilt and the data restored to recover from the malware. Finally, it should be said that enterprises should do anything and everything to avoid ever paying a ransomware attacker. While it may solve a short-term problem, it only invites more attacks in the future.
Dig Deeper on Malware, Viruses, Trojans and Spyware
Related Q&A from Nick Lewis
SSL attacks "in stealth mode" are helping attackers avoid detection and analysis. Expert Nick Lewis explains how to discover and defend against the ...continue reading
Learn how sinkholing is helping security experts analyze infected devices and even disable malware in compromised endpoints.continue reading
Motion and gestures are being used for mobile malware detection on smartphones. Learn how this method works and whether it is a worthy addition to an...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.