Let's start with some facts.
In 2020: 2,474

Ransomware complaints were received by the FBI's Internet Crime Complaint Center (IC3), and these are only the complaints that were reported.

In the first quarter of 2021: 537,137

NortonLifeLock recorded a 35 percent increase in the first quarter of 2021, with 537,137 ransomware detections out of a total of 919 million cyberthreats blocked by Norton.

With a spate of staggering attacks throughout 2020, ransomware has taken center stage in any conversation about cyber security. It is one of the most lucrative options available to cyber criminals.

Between 2015 and 2017, a span of just two years, ransomware attacks increased 15-fold, with total losses of $5 billion. That figure includes ransoms paid by businesses as well as lost productivity, the cost of data recovery, fines and more.

Ransomware has proved to be a plague not just for businesses but also for healthcare organizations, financial institutions, educational institutions and government agencies.

Nearly 45 percent of all ransomware attacks target healthcare organizations. In August and September of 2020, 57% of the ransomware attacks reported to the federal Multi-State Information Sharing and Analysis Center (MS-ISAC) involved schools, compared to 28% of all reported ransomware incidents from January through July.

There is a reason behind this trend. Healthcare, government agencies and essential services are sectors where an attack does not just cause financial and reputational losses for the organization involved but can put civilian lives at risk. The most recent and palpable example is the Colonial Pipeline attack, which led to a near stampede to stock up on gas, fuelled by the coverage it received in the media.

Similarly, nearly all financial organizations face ransomware attacks on a regular basis, with nearly 90 percent of them targeted in 2017.

The recent spate of attacks has also increased demand for cyber insurance coverage. According to an April report from Fitch Ratings, total premiums for cyber insurance coverage reached $2.7 billion in 2020, a 22% increase over the previous year, and they are expected to rise further in 2021. (CNN Business)

How does Ransomware Work?

Ransomware attacks are straightforward in their operational mechanism. The attackers gain access to the data stored on your systems, encrypt it, and demand a ransom in exchange for the decryption key. Increasingly they also copy the data out before encrypting it, so that the threat of publishing it can be held over a victim who restores from backup.

The attack typically begins when a user unwittingly runs malware delivered through an email attachment or a link from an unknown source. Once it takes hold, it can prevent you from accessing any files or data stored on your system. At a larger scale, such as in an enterprise environment, it can put the entire production and operational environment in jeopardy. The problem with ransomware is that even if the organization or individual decides to pay, there is no guarantee that the attackers will actually return the sensitive information and files intact. Whatever their motivation, financial or political, they could just as easily sell your information or disclose it to the public, with a huge financial and reputational impact for the organization.

Protection against ransomware can be difficult because your anti-malware software may not catch it. Ransomware is rewritten and tweaked on the go by its developers, and most antivirus programs cannot keep up with the rapidly changing signatures. Recent data indicates that nearly three quarters of recent ransomware victims had up-to-date endpoint protection active on the infected machines.

How to remove ransomware?

On some types of ransomware it may be possible to remove the infection and undo the file encryption.

You can try to do so by following these steps.

1. Disable all network connections

The first and foremost step is to disconnect the infected machine from the network: unplug the cable and disable Wi-Fi rather than just cutting the internet link, so the ransomware cannot spread to other systems and file shares. Where possible, disconnect rather than power off; memory may hold keys or other artifacts useful for decryption and forensics, and CISA's guidance is to power devices down only when they cannot be disconnected.

2. Run a scan

Run a scan with your internet security software to identify and quarantine the malicious files.

3. Run a decryption tool and restore access

If a decryptor exists for the ransomware family involved, run it to restore access to the encrypted data. Not every family can be decrypted, so identify the family from the ransom note and the extension appended to the files before looking for a tool.

4. Use a backup to restore the system

An external backup of your data, kept offline or otherwise out of reach of the infected machine, lets you rebuild the system and restore the files without needing a decryptor at all.

But in all honesty, the best cure for ransomware is to prevent it from happening in the first place. One way to do this is to implement best practices. CISA, for instance, recommends that organizations, including MSPs, implement the best practices and hardening guidance in the CISA and MS-ISAC Joint Ransomware Guide. This helps organizations manage and mitigate ransomware risk and formulate a coordinated response to any ransomware incident.

How to recover encrypted files?

Restore using Professional Data Recovery Software

Before you attempt data recovery, you need to work out how the ransomware operated.

Many ransomware families do not encrypt files in place: they write an encrypted copy and then delete the original. If the deleted originals have not yet been overwritten on disk, a data recovery tool may be able to carve them back, and if it finds them all a full recovery is possible. Stop using the affected disk as soon as you can and work from a disk image or a read-only mount so that nothing else gets overwritten, then use one of the reputable file recovery programs. Be aware that some families overwrite or wipe the original before deleting it, in which case this approach yields nothing.

Restore from System

If the data recovery tool does not work in your case, you can restore from a system backup if one was created beforehand.

If you had Windows Backup configured to run automatically, you can recover the encrypted files from that backup and avoid significant data loss. Check the backup media before relying on it: ransomware commonly deletes Volume Shadow Copies and encrypts any backup drive or share that was connected at the time, so only copies that were offline or otherwise unreachable from the infected machine can be trusted.

Restore from Previous Version

If a previous version of the file exists (under Windows, the "Previous Versions" tab lists snapshots taken by Volume Shadow Copy), it can also help in recovering encrypted files.

Check the list of available snapshots of the file you want to restore and select the most recent good version. Once you have located the right file, you can do any of the following:

View
View the recovered file and save it.

Copy
Copy the recovered file into the same directory as the original file. This gives you access to both copies of the file.

Restore
You can also choose to restore the recovered file. Be careful as choosing to restore the file will replace the current file. This means that any data that’s unique to the latest version of the file will be lost as the existing file gets overwritten by the version you choose.

Ransomware Decryption Tools

Some ransomware is too tough to decrypt, but for certain families free decryption tools can recover the encrypted files.

Free decryption tools from reputable sources such as Quick Heal are effective against particular varieties, such as Ninja Ransomware and Apocalypse. The decryptor runs automatically once installation is complete. Before running it, make sure you have the tool for the right family (a decryptor built for one family will not work on another, and a wrong one can damage files) and keep a copy of the encrypted files so that a failed attempt costs nothing. Once you have retrieved the files successfully, secure the system: install a malware detection tool if there was none, and if the existing antivirus program failed to detect the ransomware, invest in a more effective product.
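To make "work out how the ransomware operated" and "find the decryptor for the right family" concrete, here is an added triage script. It is not code from this page, from PennComp or from any decryptor vendor. It walks a copy of an affected directory, flags files whose content looks like ciphertext by byte entropy, tallies the extension the ransomware appended, and picks out likely ransom notes. The directory layout, file names, the ".locked" extension, the ransom-note name hints and the 7.5 bits-per-byte threshold are all constructed assumptions for the demo.

```python
"""Triage a directory hit by crypto-ransomware: inventory high-entropy
(likely encrypted) files, tally the appended extension, and locate ransom
notes so the family can be identified before any decryptor is run.

Added example, not the page's own code.  Assumption: it is run on an image
or read-only copy of the victim's data, never on the live disk."""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Hypothetical name fragments seen in ransom notes; real families vary.
NOTE_HINTS = ("readme", "decrypt", "restore", "how_to", "recover")
# Ciphertext sits close to 8.0 bits/byte; 7.5 is an assumed cut-off.
ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty or single-valued input)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_ransom_note(path: Path) -> bool:
    """Small text/HTML file whose name carries one of the assumed hints."""
    name = path.name.lower()
    return path.suffix.lower() in (".txt", ".html", ".hta") and any(h in name for h in NOTE_HINTS)


def triage(root: Path, sample_bytes: int = 4096) -> dict:
    """Return {'encrypted': [Path], 'extensions': Counter, 'notes': [Path]}."""
    encrypted, notes, exts = [], [], Counter()
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        if is_ransom_note(path):
            notes.append(path)
            continue
        with open(path, "rb") as fh:          # only the head is needed for entropy
            head = fh.read(sample_bytes)
        if shannon_entropy(head) >= ENTROPY_THRESHOLD:
            encrypted.append(path)
            # The appended extension (".locked" here) usually identifies the family.
            exts[path.suffix.lower()] += 1
    return {"encrypted": encrypted, "extensions": exts, "notes": notes}


def build_sample_dir() -> Path:
    """Constructed victim directory: two 'encrypted' files, one intact file, one note."""
    root = Path(tempfile.mkdtemp(prefix="triage_"))
    (root / "report.docx.locked").write_bytes(os.urandom(8192))   # stands in for ciphertext
    (root / "photos.zip.locked").write_bytes(os.urandom(8192))
    (root / "notes.txt").write_bytes(b"quarterly numbers\n" * 300)  # untouched plaintext
    (root / "README_DECRYPT.txt").write_text("Your files are encrypted. Pay to recover.\n")
    return root


if __name__ == "__main__":
    result = triage(build_sample_dir())
    print(f"{len(result['encrypted'])} high-entropy files, extensions {dict(result['extensions'])}")
    print("ransom notes:", [p.name for p in result["notes"]])
```

Compressed and already-encrypted formats (zip, jpg, office documents) also score high on entropy, so the appended extension and the ransom note are the stronger family signals; the entropy pass is there to size the damage, not to prove encryption.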

Are DIY tools effective in ransomware removal?

DIY tools are only effective if you have a clear line of sight into the activity on your network and understand what is happening.

There is a plethora of security tools available, from intrusion prevention and detection systems to security information and event management (SIEM). They give you an understanding of the traffic on your network and help you detect suspicious activity in real time, and that real-time visibility is the only way to prevent or mitigate an attack like ransomware while it is still in progress.
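The encrypt-copy-then-delete pattern described under "Restore using Professional Data Recovery Software" is also exactly what an IDS, EDR or SIEM rule can watch for in real time. As an added example, not code from this page or from any vendor, the Python below parses constructed file-activity log lines and raises an alert when one process, within a short window, creates several files and deletes the same paths minus one extension. The log format, process names, the 30-second window and the threshold of three such pairs are assumptions; wire the parser to your real Sysmon, EDR or auditd file events.

```python
"""Behavioural detection of the encrypt-copy-then-delete pattern over
file-activity events, in the style of a SIEM/EDR rule.

Added example, not the page's own code.  The log format, process names,
window and threshold are constructed assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log: one benign editor session, then one process that writes an
# encrypted copy and deletes the original, several times within seconds.
SAMPLE_LOG = """\
2021-05-10T09:12:01Z pid=1201 proc=WINWORD.EXE op=write path=C:\\Users\\ann\\docs\\budget.docx
2021-05-10T09:12:05Z pid=1201 proc=WINWORD.EXE op=write path=C:\\Users\\ann\\docs\\budget.docx
2021-05-10T09:15:00Z pid=4412 proc=update.exe op=create path=C:\\Users\\ann\\docs\\budget.docx.locked
2021-05-10T09:15:00Z pid=4412 proc=update.exe op=delete path=C:\\Users\\ann\\docs\\budget.docx
2021-05-10T09:15:01Z pid=4412 proc=update.exe op=create path=C:\\Users\\ann\\docs\\plan.xlsx.locked
2021-05-10T09:15:01Z pid=4412 proc=update.exe op=delete path=C:\\Users\\ann\\docs\\plan.xlsx
2021-05-10T09:15:02Z pid=4412 proc=update.exe op=create path=C:\\Users\\ann\\photos\\a.jpg.locked
2021-05-10T09:15:02Z pid=4412 proc=update.exe op=delete path=C:\\Users\\ann\\photos\\a.jpg
2021-05-10T09:15:03Z pid=4412 proc=update.exe op=create path=C:\\Users\\ann\\photos\\b.jpg.locked
2021-05-10T09:15:03Z pid=4412 proc=update.exe op=delete path=C:\\Users\\ann\\photos\\b.jpg
2021-05-10T09:15:04Z pid=4412 proc=update.exe op=create path=C:\\Users\\ann\\docs\\README_DECRYPT.txt
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) pid=(?P<pid>\d+) proc=(?P<proc>\S+) op=(?P<op>\w+) path=(?P<path>.+)$"
)


def parse(log: str) -> list:
    """Turn the assumed 'key=value' lines into event dicts; unmatched lines are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(d)
    return events


def detect(events: list, window: timedelta = timedelta(seconds=30), threshold: int = 3) -> list:
    """Alert on a pid that, within `window`, creates >= `threshold` files whose
    path minus the last extension was deleted at or after the creation."""
    alerts = []
    by_pid = defaultdict(list)
    for e in events:
        by_pid[e["pid"]].append(e)
    for pid, evs in by_pid.items():
        deleted = {}  # path -> latest delete time seen for that path
        for e in evs:
            if e["op"] == "delete":
                deleted[e["path"]] = max(e["ts"], deleted.get(e["path"], e["ts"]))
        pairs = []
        for e in evs:
            if e["op"] != "create":
                continue
            original, sep, _ = e["path"].rpartition(".")   # strip the appended extension
            if sep and original in deleted and deleted[original] >= e["ts"]:
                pairs.append(e)
        pairs.sort(key=lambda e: e["ts"])
        for i in range(len(pairs)):                          # sliding time window
            j = i
            while j + 1 < len(pairs) and pairs[j + 1]["ts"] - pairs[i]["ts"] <= window:
                j += 1
            if j - i + 1 >= threshold:
                alerts.append({"pid": pid, "proc": pairs[i]["proc"],
                               "count": j - i + 1, "first": pairs[i]["path"]})
                break
    return alerts


if __name__ == "__main__":
    for a in detect(parse(SAMPLE_LOG)):
        print(f"ALERT pid={a['pid']} {a['proc']}: {a['count']} encrypt-and-delete pairs, first {a['first']}")
```

The benign WINWORD.EXE session never trips the rule because it only rewrites a file in place; the rule keys on the create-new-name plus delete-original pairing, which is what makes deleted-original recovery possible and also what gives a monitoring tool a few seconds to kill the process before it works through every share.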

Ransomware response: To pay OR not to pay?

If ransomware data recovery is not an option for you, then should you think about paying the ransom?

This is a critical question for enterprises, especially as every minute counts in lost productivity, sales, customer service and opportunity cost. For some companies the demanded amount may seem insignificant compared to the enormous loss they face with each passing hour without access to critical systems. Recent research from Trend Micro shows that while 66 percent of companies assert a strong stance against paying ransom as a matter of business principle, a startling 65 percent end up paying when actually attacked.

The truth is that sticking to principles becomes a hard choice for many when faced with the immense financial losses that accompany a ransomware attack.

Even as federal agencies and regulators insist that companies not pay, to the point of threatening penalties and fines if they do, this insistence only seems to leave companies between a rock and a hard place. They are well aware that paying the ransom encourages the next attack, but may choose short-term relief over long-term security. Attackers help this along by keeping the ransom low enough to leave themselves a profit margin without causing the company too much pain.

Some attackers even offer incentives for quick payment. Payment has become so common that many companies, including those with no other dealings in Bitcoin whatsoever, now keep some bitcoins in reserve so they can pay a ransom quickly in case of an attack.

With that unfortunate trend in mind, companies should remember that the criminals are not always honourable. The people who broke into your systems and are holding your data hostage may just as easily not keep their promise after payment. Some will sell your data on the dark net or publish the sensitive information anyway. There is also a trend of scareware, which looks like a ransomware attack but never actually encrypts your data. And sometimes the malware contains no working decryption routine at all, and the attackers simply take the money and run.

Report the Ransomware Attack

Submit a report to your country's cybercrime or scam reporting site (in the US, the FBI's Internet Crime Complaint Center, IC3).

Identify types of attacks

The main types of ransomware prevalent today:

Locker ransomware

As the name suggests, locker ransomware (often seen on Android devices) locks genuine users out of the system completely, leaving only the window containing the ransom demand with which to make the payment.

Users are unable to access any files or applications stored on the system, and even peripherals like the mouse and keyboard may be affected. But this kind of ransomware rarely aims to destroy your data; the goal is simply to block access until payment is made. Because the files themselves are not encrypted, removal tools are generally effective at getting rid of locker ransomware.

Crypto ransomware

Remember the 2017 WannaCry attack that hit hundreds of thousands of computer systems globally?

Crypto ransomware causes a lot of headaches for enterprises because it encrypts your files and folders, including those on attached drives and mapped network shares. Although it encrypts all your files, it is designed not to interfere with normal computer functions. Ironically, that base level of functionality often creates more panic for users, who can see their files but cannot open them. To make matters worse, attackers often attach an ominous countdown to the ransom demand screen, counting down the minutes and seconds until all the user's data is deleted. With many users still not making regular backups of their files and folders on physical media or in the cloud, they feel forced to pay the ransom to get the data back.

Mobile ransomware

With the appearance of Simplocker in 2014, mobile ransomware has only grown more prevalent.

The ransomware is delivered through a malicious app that locks you out of your mobile device. The attackers claim that the device will only be unlocked once the ransom is paid.

How MSPs can help you?

Unlike a general-purpose in-house IT team, an MSP specializes in cyber security defense and takes a proactive approach to your network security.

Engaging an MSP will ensure that:

Your network gets monitored 24/7.

You are updated on system status in real-time – even as the issues get resolved behind the scenes.

In the case of an attack, an MSP takes steps to quarantine the threat and ensure maximum uptime as it works to get the threat resolved.

They also take care of installing all the latest security patches and necessary updates to your software.

With human error being the primary driver of data loss, MSPs also conduct effective security awareness training for all your employees on a regular basis.

Most importantly, MSPs offer backup, disaster recovery and business continuity services that keep your business running even after a severe breach. All your mission-critical data is securely backed up on and off site and checked regularly to confirm that it can actually be restored.

If you have already experienced a ransomware attack, consider reaching out to MSP cybersecurity experts before taking any further action. Penncomp, a provider of managed IT services in Houston, is widely experienced in handling ransomware attacks and will work to get you the best possible outcome so you come out of the attack unscathed.



Scott Young

Scott Young is the president of PennComp LLC, an IT support company in Houston. A CPA, Six Sigma Master Black Belt, Change Management Certified and Myers-Briggs qualified, Scott brings expertise that is reflected in PennComp's standing as a leading IT company for computer services and network integration. PennComp applies Six Sigma methodologies and practices in its service delivery and offers state-of-the-art monitoring and management tools to its clients.