A strain of ransomware has apparently gone beyond the empty threats of locking down a user's machine to actually encrypting data on an infected machine. If infected, can users simply remove the ransomware to restore access to encrypted data? How can enterprises ensure such ransomware doesn't gain access to valuable data?
Ask the Expert!
SearchSecurity expert Nick Lewis is standing by to answer your questions about enterprise security threats. Submit your question via email. (All questions are anonymous.)
Attackers use encrypting ransomware to blackmail victims. They know the data on a target system is usually worth far more to the victim than the system itself, so rather than holding the machine hostage, they hold the data hostage.
The methodology is fairly simple. Once the malware lands on a target system, it encrypts selected data (chosen by file type, location or other attributes the attacker defines) and denies access until a ransom has been paid. The attacker holds the only key that can decrypt the files; if the ransom is paid, the attacker is supposed to hand over that key or a decryption tool, although nothing obliges them to do so.
Unfortunately, options for getting rid of ransomware without losing data are limited. Removing the malware or reinstalling the operating system will not recover the data. Either step cleans the system and destroys the malware, but it can also make recovery harder, and often impossible, because the key material or victim identifier that the decryption step depends on is frequently stored on the infected machine itself. If that local material is deleted, even paying the attacker for the decryption key will do no good, because the key can no longer be matched to the files it protects. Not every ransomware family has used strong encryption or handled its keys correctly, so antimalware researchers have in some cases been able to recover keys or break the scheme and publish free decryptors. Enterprises should not rely on that, however; there is no way to know in advance that a given strain is breakable. Ultimately, preventing the malware from reading and writing the target data in the first place would stop the encryption process, but that means tighter data access restrictions, which also make it harder for legitimate users to reach the data they need. In many businesses, that's a non-starter.
Enterprises can protect themselves from this type of malware by using the strong antimalware defenses discussed in previous questions, and by making sure they have good backups of data. By regularly backing up data, enterprises make many parts of incident response for this and other types of malware much easier: if the data can be recovered from backup, the system can be rebuilt and the data restored. Two caveats apply. Encrypting ransomware attacks everything the infected user account can write to, including mapped network shares and backup volumes that stay mounted, so backups must be kept offline or otherwise unwritable from the endpoints they protect, and limiting each account's write access to the shares it genuinely needs limits how far a single infection can spread. Backups should also be test-restored periodically, since a backup that cannot be restored is no better than an encrypted file. Finally, it should be said that enterprises should do anything and everything to avoid ever paying a ransomware attacker. Payment does not guarantee working decryption, and while it may solve a short-term problem, it only invites more attacks in the future.
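The column describes an encryptor walking a directory tree and rewriting files, and notes that access restrictions alone are often unworkable. A cheap complementary control is to notice the encryption process while it is under way. The script below is an added example, not code from the original column or from any product it mentions: it plants decoy "canary" files that no legitimate user touches and records their hashes, and it flags files of normally low-entropy text types whose contents have become near-random, which is what an encryptor leaves behind. The file-type list, the 7.5 bits-per-byte threshold and the canary names are illustrative assumptions, and the sample directory it scans is constructed inside a temporary folder for the demonstration.

```python
"""Canary-file and entropy heuristics for spotting bulk file encryption.
Added example, not code from the original column. Assumes a local directory
tree plus an in-memory manifest of canary hashes; extensions, threshold and
canary names are illustrative choices, not values from the page."""
import hashlib
import math
import os
import shutil
import tempfile
from collections import Counter

# File types whose contents are normally low-entropy plain text. Compressed
# formats (zip, docx, jpeg, pdf streams) are high-entropy by nature and must
# NOT be judged by entropy alone, or the check drowns in false positives.
PLAINTEXT_EXTENSIONS = {".txt", ".csv", ".log", ".xml", ".json", ".sql", ".html"}
ENTROPY_THRESHOLD = 7.5   # bits per byte; random or encrypted data sits near 8.0
SAMPLE_BYTES = 64 * 1024  # enough of a file to judge, cheap enough to scan a tree


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for one repeated byte, 8.0 for uniform."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path: str) -> bool:
    """True when a file that should be plain text now reads as near-random."""
    ext = os.path.splitext(path)[1].lower()
    if ext not in PLAINTEXT_EXTENSIONS:
        return False
    with open(path, "rb") as fh:
        return shannon_entropy(fh.read(SAMPLE_BYTES)) > ENTROPY_THRESHOLD


def sha256_file(path: str) -> str:
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def plant_canaries(root: str, names=("_00_canary.txt", "_zz_canary.txt")) -> dict:
    """Write decoy files nobody edits and remember their hashes. The names
    sort to the start and end of a listing, so an encryptor that walks the
    directory in order hits one early and one late."""
    manifest = {}
    for name in names:
        path = os.path.join(root, name)
        with open(path, "wb") as fh:
            fh.write(b"canary file - do not edit\n" * 40)
        manifest[path] = sha256_file(path)
    return manifest


def check_canaries(manifest: dict) -> list:
    """Return canaries that were altered or removed since planting."""
    return [p for p, digest in manifest.items()
            if not os.path.exists(p) or sha256_file(p) != digest]


def scan_tree(root: str, manifest: dict) -> dict:
    """Run both heuristics over a directory tree."""
    high_entropy = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if path not in manifest and looks_encrypted(path):
                high_entropy.append(path)
    return {"high_entropy": sorted(high_entropy),
            "canary_tampered": sorted(check_canaries(manifest))}


def demo() -> dict:
    """Constructed sample tree: two normal text files, one then overwritten
    with random bytes (what an encryptor leaves behind), and one canary
    overwritten the same way. Returns base names only."""
    root = tempfile.mkdtemp(prefix="ransomdemo_")
    try:
        manifest = plant_canaries(root)
        for name in ("report.txt", "orders.csv"):
            with open(os.path.join(root, name), "w") as fh:
                fh.write("customer,amount\nacme,120\nglobex,75\n" * 200)
        with open(os.path.join(root, "orders.csv"), "wb") as fh:
            fh.write(os.urandom(SAMPLE_BYTES))   # simulated encrypted payload
        with open(next(iter(manifest)), "wb") as fh:
            fh.write(os.urandom(1024))           # encryptor reached a canary
        result = scan_tree(root, manifest)
    finally:
        shutil.rmtree(root, ignore_errors=True)
    return {k: [os.path.basename(p) for p in v] for k, v in result.items()}


if __name__ == "__main__":
    print(demo())
```

On a real file server the scan would run on a schedule against shares, and a tampered canary or a burst of newly high-entropy text files is the trigger to disconnect the share and hunt for the writing process. The entropy heuristic is deliberately restricted to plain-text types because compressed and already-encrypted formats are indistinguishable from ransomware output by this measure; the canaries cover the rest.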
This was first published in July 2013