A strain of ransomware has apparently gone beyond the empty threats of locking down a user's machine to actually...
encrypting data on an infected machine. If infected, can users simply remove the ransomware to restore access to encrypted data? How can enterprises ensure such ransomware doesn't gain access to valuable data?
Ask the Expert!
SearchSecurity expert Nick Lewis is standing by to answer your questions about enterprise security threats. Submit your question via email. (All questions are anonymous.)
Attackers use encrypting ransomware malware to blackmail victims. They know the data on a target system is typically more important than the system itself, so instead of infecting a system, so to speak, they infect the data.
The methodology is fairly simple. Once the malware lands on a target system, it encrypts selected data (based on file types, location or other attributes defined by the attacker) and denies access until the ransom has been paid. Once the ransom is paid, the attacker executes a command and the data is decrypted.
Unfortunately, options for getting rid of ransomware are limited. Removing the malware or reinstalling the operating system will not recover the data. This might clean the system and destroy the malware, but it could also make it more difficult (often impossible) to recover the data, particularly if the local encryption keys are deleted. Even if you pay a ransomware attacker to provide their encryption keys, no longer having the corresponding keys will do no good. Strong encryption hasn't always been used by ransomware, so antimalware researchers have been able to break ransomware encryption to recover data in some instances. However, enterprises should not rely on breaking encryption to recover data; there's no way to guarantee a successful outcome in advance. Ultimately, stopping ransomware malware from accessing the target data in the first place could stop the encryption process, but this means putting tighter data access restrictions in place, and hence makes it more difficult for users to access important data. In many businesses, that's often a non-starter.
Enterprises can protect themselves from this type of malware by using strong antimalware defenses discussed in previous questions, and by making sure they have good backups of data. By regularly backing up data, enterprises make many parts of incident response from this and other types of malware much easier. If the data can be easily recovered from backup, the system can be rebuilt and the data restored to recover from the malware. Finally, it should be said that enterprises should do anything and everything to avoid ever paying a ransomware attacker. While it may solve a short-term problem, it only invites more attacks in the future.
Dig Deeper on Malware, Viruses, Trojans and Spyware
Related Q&A from Nick Lewis
An HTTPS session with a reused nonce is vulnerable to the Forbidden attack. Expert Nick Lewis explains how the attack works, and how to properly ...continue reading
The Irongate malware has been discovered to have similar functionality to Stuxnet. Expert Nick Lewis explains how enterprises can protect their ICS ...continue reading
APT groups have been continuously exploiting a flaw in Microsoft Office, despite it having been patched. Expert Nick Lewis explains how these attacks...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.