A strain of ransomware has apparently gone beyond the empty threats of locking down a user's machine to actually encrypting data on an infected machine. If infected, can users simply remove the ransomware to restore access to encrypted data? How can enterprises ensure such ransomware doesn't gain access to valuable data?
SearchSecurity expert Nick Lewis is standing by to answer your questions about enterprise security threats. Submit your question via email. (All questions are anonymous.)
Attackers use encrypting ransomware to blackmail victims. They know the data on a target system is typically worth more than the system itself, so instead of merely infecting the system, they effectively infect the data.
The methodology is fairly simple. Once the malware lands on a target system, it encrypts selected data (based on file types, location or other attributes defined by the attacker) and denies access until the ransom has been paid. Once the ransom is paid, the attacker executes a command and the data is decrypted.
Unfortunately, options for recovering from encrypting ransomware are limited. Removing the malware or reinstalling the operating system will not recover the data. Doing so cleans the system and destroys the malware, but it can also make recovery more difficult (often impossible), particularly if the local encryption keys are deleted along with it. Even if you pay the attacker to provide their key, it is of no use once the corresponding local key material is gone. Ransomware has not always used strong encryption, so antimalware researchers have been able to break the encryption and recover data in some instances. However, enterprises should not rely on breaking the encryption to recover data; there is no way to guarantee a successful outcome in advance. Ultimately, stopping the ransomware from reaching the target data in the first place would prevent the encryption, but this means putting tighter data access restrictions in place, which in turn makes it harder for users to reach the data they need. In many businesses, that is a non-starter.
Enterprises can protect themselves from this type of malware by using the strong antimalware defenses discussed in previous questions, and by making sure they have good backups of their data. Regular backups make much of the incident response to this and other types of malware far easier: if the data can be recovered from backup, the system can be rebuilt and the data restored. Finally, enterprises should do anything and everything to avoid ever paying a ransomware attacker. While paying may solve a short-term problem, it only invites more attacks in the future.
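As an added illustration of the recovery path recommended above (example code, not part of the original answer), the following Python script records a hash manifest of a data directory as a known-good snapshot, later reports files that were altered or removed, and restores only those backup copies whose hashes still match the manifest, so a backup the malware also reached is not trusted. The directory layout, file contents and the damage simulated in `demo()` are constructed for the example.

```python
import hashlib, os, shutil, tempfile
from pathlib import Path

def file_sha256(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(data_dir: Path) -> dict:
    """Known-good snapshot: relative path -> SHA-256 of every file under data_dir."""
    return {p.relative_to(data_dir).as_posix(): file_sha256(p)
            for p in sorted(data_dir.rglob("*")) if p.is_file()}

def verify(data_dir: Path, manifest: dict) -> dict:
    """Report files whose contents changed, vanished or appeared since the snapshot."""
    live = build_manifest(data_dir)
    return {"modified": sorted(k for k in manifest if k in live and live[k] != manifest[k]),
            "missing": sorted(k for k in manifest if k not in live),
            "new": sorted(k for k in live if k not in manifest)}

def restore_from_backup(data_dir: Path, backup_dir: Path, manifest: dict, report: dict) -> list:
    """Copy damaged files back from the backup, but only copies whose hash still matches
    the manifest: a backup the malware also reached is not a trustworthy source."""
    restored = []
    for rel in report["modified"] + report["missing"]:
        src = backup_dir / rel
        if src.is_file() and file_sha256(src) == manifest[rel]:
            (data_dir / rel).parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(src, data_dir / rel)
            restored.append(rel)
    return restored

def demo() -> dict:
    """Constructed scenario in a temp dir: snapshot, damage two files, verify, restore."""
    root = Path(tempfile.mkdtemp())
    data, backup = root / "data", root / "backup"
    (data / "finance").mkdir(parents=True)
    (data / "finance" / "q1.csv").write_text("account,amount\n1001,250.00\n")
    (data / "notes.txt").write_text("meeting notes\n")
    shutil.copytree(data, backup)                         # offline backup made before infection
    manifest = build_manifest(data)
    (data / "finance" / "q1.csv").write_bytes(os.urandom(64))  # stands in for an encrypted copy
    (data / "notes.txt").unlink()                         # original removed after encryption
    before = verify(data, manifest)
    restored = restore_from_backup(data, backup, manifest, before)
    return {"before": before, "restored": restored, "after": verify(data, manifest)}
```

In practice the manifest and the backup must live where the malware cannot write to them (offline or on immutable storage); otherwise both the reference hashes and the copies can be overwritten along with the live data.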