At Data Recovery Group we receive customer calls asking if we can help them recover hard drives infected with ransomware. The best help we can offer is to prevent the infection from destroying your data in the first place.
What is Ransomware? – Ransomware is an insidious type of malware that is covertly installed to encrypt or lock your data and/or disable your computer until you pay a ransom to the criminal. For organizations, the inability to access data can be catastrophic in terms of the loss of sensitive or proprietary information, the disruption of operations, financial losses and potential harm to reputation. For home users, it includes the loss of irreplaceable files such as family photos and videos.
Ransomware has been around for years. A recent FBI article reported an increase in these types of cyber attacks beginning in 2015 and continuing into 2016. Further, the FBI expects that these attacks will continue to grow if individuals and organizations don’t prepare for them in advance. In that vein, Kaspersky Lab published a study in May 2016 that reported that 43% of connected consumers did not know what ransomware is. Further, 44% of consumers did not know what data could be stolen in a ransomware attack. In conclusion, there are still a large number of computer users who are vulnerable to this type of cyber attack.
How does the computer become infected? – In a typical attack the criminal sends an official-looking email with a link to a website or a legitimate-looking attachment. The user opens the email, then opens the attachment or clicks on the link, and their computer becomes infected with the malicious software. The software then begins encrypting the files, and you may not know you’ve been attacked until you try to open them. Be aware that if you have an attached external drive or you are connected to a network, the infection could spread.
The criminals are also seeding legitimate websites with the code to take advantage of unpatched software on computers.
How can an infection be prevented? – The first step is knowing that there is a risk of infection. Be diligent in knowing where emails originate and delete anything that looks suspicious. Keep your operating system and software current and up to date. Apply patches when they become known. Keep your anti-virus software current. Vendors such as Symantec, Kaspersky and McAfee constantly update their virus definitions to address new risks. Lastly, back up your files.
How should data be backed up? – The United States Computer Emergency Readiness Team (US-CERT) recommends that you follow the 3-2-1 rule. Keep 3 copies of any important file (1 primary and 2 backup). Keep files on two different media types to protect against different types of hazards. Lastly, keep 1 copy off site. Having a robust backup will allow you to restore your data without having to pay the ransom. If you use external hard drives, use two and rotate them. Keep one hard drive offsite. When the backup is complete, properly eject the drive and disconnect it from the device being backed up. If the external drive remains attached to the computer, the external drive could also be subject to infection. Cloud backup services such as Carbonite provide an economical service that can protect your data. Speak with your trusted computer service technician to determine which methods will work best for you. Make sure you know how to restore your data in the event of infection.
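As an added illustration (not from US-CERT or Data Recovery Group), the Python sketch below checks a backup inventory against the 3-2-1 rule, flags backup drives left attached, and verifies a backup against SHA-256 digests recorded when it was made. The inventory field names, device names and file contents are constructed assumptions.

```python
import hashlib, shutil, tempfile
from pathlib import Path

def manifest(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify_backup(saved, backup_root):
    """Compare a backup against the manifest saved when the backup was made."""
    current = manifest(backup_root)
    missing = sorted(f for f in saved if f not in current)
    changed = sorted(f for f in saved if f in current and saved[f] != current[f])
    return missing, changed

def check_321(copies):
    """List the ways an inventory of copies falls short of the 3-2-1 rule."""
    checks = [
        (len(copies) >= 3, "fewer than 3 copies"),
        (len({c["media"] for c in copies}) >= 2, "fewer than 2 media types"),
        (any(c["offsite"] for c in copies), "no copy kept off site"),
    ]
    problems = [msg for ok, msg in checks if not ok]
    # A backup drive left plugged in can be encrypted along with the primary.
    problems += [f"{c['name']}: backup still attached" for c in copies
                 if c["role"] == "backup" and c["attached"]]
    return problems

def demo():
    """Constructed sample: back up two files, then damage the backup."""
    with tempfile.TemporaryDirectory() as tmp:
        primary, backup = Path(tmp, "primary"), Path(tmp, "backup")
        (primary / "photos").mkdir(parents=True)
        (primary / "photos" / "family.jpg").write_bytes(b"constructed image bytes")
        (primary / "taxes.txt").write_text("constructed document")
        shutil.copytree(primary, backup)
        saved = manifest(primary)  # recorded when the backup is made
        (backup / "taxes.txt").write_text("overwritten")  # simulated damage
        (backup / "photos" / "family.jpg").unlink()
        return verify_backup(saved, backup)

INVENTORY = [  # constructed inventory; the field names are assumptions
    {"name": "laptop", "role": "primary", "media": "internal-ssd", "offsite": False, "attached": True},
    {"name": "usb-drive-A", "role": "backup", "media": "external-hdd", "offsite": False, "attached": True},
    {"name": "usb-drive-B", "role": "backup", "media": "external-hdd", "offsite": True, "attached": False},
]
if __name__ == "__main__":
    print(demo(), check_321(INVENTORY))
```

Keeping the saved manifest somewhere other than the computer being backed up lets you confirm a backup is intact before relying on it for a restore.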
What should be done if the computer becomes infected? – As soon as you become aware of an infection, immediately shut down any file sharing activity. Use your anti-virus software to determine when and where the infection began. Assess the extent of the infection and damage. Remove the infection and any infected files. Finally, restore your backed-up files. Your trusted computer service technician should be able to help you restore.
Added Benefit - Using a backup plan as part of a prevention strategy also protects from other causes of data loss such as drive failure or human error. While any data recovery effort costs time and resources, paying the ransom might be a bigger risk. You're essentially counting on the criminal to give you the encryption key, and on the key working, after they've taken the money. With a complete backup of your system you stand a very good chance of recovering your data without paying the ransom.
This page is not meant to be a complete analysis of the risks and steps necessary to protect your data. Please consult with a trusted computer service technician. They should have a complete understanding of your computing environment and provide the appropriate safeguard for your data.