A strain of ransomware has apparently gone beyond the empty threats of locking down a user's machine to actually encrypting data on an infected machine. If infected, can users simply remove the ransomware to restore access to encrypted data? How can enterprises ensure such ransomware doesn't gain access to valuable data?
SearchSecurity expert Nick Lewis answers:
Attackers use encrypting ransomware malware to blackmail victims. They know the data on a target system is typically more important than the system itself, so instead of infecting a system, so to speak, they infect the data.
The methodology is fairly simple. Once the malware lands on a target system, it encrypts selected data (based on file types, location or other attributes defined by the attacker) and denies access until the ransom has been paid. Once the ransom is paid, the attacker executes a command and the data is decrypted.
Unfortunately, options for recovering data after a ransomware infection are limited. Removing the malware or reinstalling the operating system will not recover the data. This cleans the system and destroys the malware, but it can also make recovery more difficult (often impossible), particularly if the local encryption keys are deleted in the process. Even if you pay the attacker for the decryption key, it will do no good once the corresponding local key material is gone. Not all ransomware has used strong encryption, so antimalware researchers have been able to break the encryption and recover data in some instances. However, enterprises should not rely on breaking the encryption to recover data; there is no way to guarantee a successful outcome in advance. Ultimately, stopping the ransomware from accessing the target data in the first place would stop the encryption process, but this means putting tighter data access restrictions in place, which also makes it more difficult for users to reach important data. In many businesses, that is a non-starter.
Enterprises can protect themselves from this type of malware by using the strong antimalware defenses discussed in previous questions, and by making sure they have good backups of their data. Regular backups make incident response for this and other types of malware much easier: if the data can be recovered from backup, the system can be rebuilt and the data restored. Finally, enterprises should do anything and everything to avoid ever paying a ransomware attacker. While paying may solve a short-term problem, it only invites more attacks in the future.
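The answer's two practical points are that the encryption targets files selected by type or location, and that a good backup is the only reliable way back. The following added example (it is not code from the SearchSecurity answer or from any product it mentions) shows a defender's minimal version of both: a SHA-256 manifest taken while the data is known good, a `verify_restore` check that lists anything a restored tree no longer matches, and an entropy screen that stops a backup job from overwriting its last clean generation with files that already look encrypted. The function names, the 7.5 bits/byte cutoff and the sample files are assumptions chosen for the illustration; random bytes stand in for an encrypted copy and no real encryption is performed.

```python
# Added example (not from the SearchSecurity answer): backup manifest with
# integrity verification plus a pre-backup entropy screen.  Function names,
# the entropy cutoff and the sample data below are assumptions for this
# illustration, not anything the original page specifies.
import hashlib
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Assumed cutoff: plain documents usually sit well below 7 bits/byte, while
# ciphertext (and also compressed or random data) approaches 8 bits/byte.
ENTROPY_THRESHOLD = 7.5
MIN_BYTES_TO_JUDGE = 64  # too little data gives a meaningless estimate


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes) -> bool:
    """Heuristic: content whose byte distribution is near-uniform."""
    if len(data) < MIN_BYTES_TO_JUDGE:
        return False
    return shannon_entropy(data) >= ENTROPY_THRESHOLD


def build_manifest(root: Path) -> dict[str, str]:
    """Map each file under `root` (relative path) to its SHA-256 hex digest."""
    return {
        str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(root: Path, manifest: dict[str, str]) -> list[str]:
    """Relative paths that are missing or whose digest no longer matches.

    An empty list means the restored tree is byte-for-byte what was backed up.
    """
    current = build_manifest(root)
    return sorted(rel for rel, digest in manifest.items() if current.get(rel) != digest)


def screen_before_backup(root: Path) -> list[str]:
    """Relative paths that look encrypted.

    A backup job would refuse to overwrite its last good generation when this
    returns anything, so an already-encrypted tree cannot replace the clean copy.
    """
    return sorted(
        str(p.relative_to(root))
        for p in root.rglob("*")
        if p.is_file() and looks_encrypted(p.read_bytes())
    )


def demo() -> tuple[list[str], list[str]]:
    """Constructed walk-through in a temporary directory.

    Returns (files the screen flags, files that differ from the manifest)
    after one document has been replaced by a high-entropy stand-in.
    """
    with tempfile.TemporaryDirectory() as tmp:
        docs = Path(tmp) / "docs"
        docs.mkdir()
        # Constructed sample data: two ordinary text documents.
        (docs / "report.txt").write_text("Quarterly figures, plain text.\n" * 40)
        (docs / "notes.txt").write_text("Meeting notes, more plain text.\n" * 40)

        manifest = build_manifest(docs)          # taken while data is known good
        clean_flags = screen_before_backup(docs)  # a clean tree passes the screen
        if clean_flags:
            raise RuntimeError(f"unexpected flags on clean tree: {clean_flags}")

        # Stand-in for an encrypted copy: random bytes, NOT real encryption.
        (docs / "report.txt").write_bytes(os.urandom(4096))

        return screen_before_backup(docs), verify_restore(docs, manifest)


if __name__ == "__main__":
    flagged, changed = demo()
    print("looks encrypted:", flagged)
    print("differs from manifest:", changed)
```

The manifest only helps if it is stored with the backup, off the machine being protected; a manifest that sits beside the data is encrypted along with it. The entropy screen is deliberately coarse: legitimately compressed or encrypted files (archives, media, password-protected documents) also score near 8 bits/byte, so in practice it is applied per file type or compared against the previous generation rather than used as a blanket rule.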