
What is ransomware?

Ransomware is a type of malicious software (malware) that cybercriminals use to block access to a victim's data or computer system, typically by encrypting it. The attacker then demands a ransom, usually in cryptocurrency, in exchange for providing the decryption key needed to restore access. Ransom attacks can also involve stealing data and simply threatening to publicly disclose it without any encryption having taken place. If the ransom is not paid, the victim risks losing their data permanently, having it leaked, or facing other consequences.

Ransomware attackers now operate as large-scale gangs with affiliate networks, causing the threat to grow. Alongside these groups, the increase in AI adoption has heightened the risk through the introduction of Ransomware-as-a-Service (RaaS) and the ease with which malware can now be created and distributed.

How does ransomware infect your system?

Computers become infected with ransomware in a number of ways. Sometimes users are tricked into running legitimate-looking programs or documents which contain the ransomware. These may arrive as authentic-looking email attachments or as links to apparently genuine websites, a method known as phishing.

More recently, ransomware infections have been seen that rely on unpatched vulnerabilities in software; in these cases simply visiting a malicious website can be enough to become infected.

Ransomware may also be introduced as a result of another malware infection. Botnets are a common way for ransomware to be introduced to systems and networks. Botnet malware infects computer systems and waits for commands from a Command & Control (C2) server, which could include an instruction to download ransomware.

Ransomware prevention

Anti-virus software: a reputable security product is a necessity for any computer system or mobile device. Anti-virus protection is a valuable tool that will search for, identify and then remove any known malware. These products typically contain other features that will keep you and your system protected. Ensure it is enabled, and regularly check its status and that its updates are being applied. Set it to run complete scans automatically, ensuring that a full scan is performed at least once a month.

Advanced threat protection tools: advanced threat protection tools incorporate AI and machine learning to detect and prevent ransomware attacks before they occur. AI algorithms can quickly analyse large data sets and identify patterns and anomalies that may indicate a ransomware attack is occurring. Machine learning can be used to recognise current ransomware signatures and predict new ones based on similarities in behaviour and code style.

Defend against phishing attacks: check for obvious signs of scam emails: poor spelling or grammar, vague contents, not addressing you by name but instead as ‘Customer’ or by email address, e.g. ‘Dear johnsmith@gmail.com’, and a sense of urgency. Another sign is an email which claims to be from a person or company that you know but which comes from a strange or unconventional email address. If in doubt, it is safest to disregard the email, or to consider speaking to the legitimate person or organisation by telephone. For more information on phishing, please read our Phishing guide.

Employee training and awareness: teaching employees to recognise the signs and risks of ransomware is crucial, so they can inform their IT team or an IT provider if something seems suspicious.

Backup and recovery plans: by performing regular backups you can create a safety net that allows you to recover encrypted data without having to follow the attacker’s demands. Quick data recovery helps to minimise downtime and reduce operational disruption. The ability to restore data from backups also reduces the leverage attackers hold over you or your business as the threat of withholding data is less potent.

Regular security updates: by conducting thorough assessments, organisations can proactively discover and patch security loopholes, update outdated systems, and reinforce weaknesses within their network. This ongoing process includes reviewing and updating access controls and employee privileges, to help minimise the risk of internal threats. Windows 10 and 11 have a built-in anti-malware service called Windows Defender (also known as Windows Security), which has anti-ransomware features, though these are turned off by default. Controlled Folder Access is a setting in this service that blocks all programs from making changes to your protected folders unless you have granted them access. Ransomware Data Recovery automatically synchronises common folders with a OneDrive account, as a way of backing up your files.
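The Controlled Folder Access setting described above can be turned on and checked from an elevated PowerShell prompt using the built-in Defender cmdlets. This is an added example, not code from the original page; the folder and application paths are constructed placeholders, and it assumes a Windows 10 or 11 system where Microsoft Defender is the active anti-virus.

```powershell
# Added example (not from the original page): enable Controlled Folder Access
# and confirm the result. Run from an elevated (Administrator) PowerShell prompt.
# Paths below are constructed placeholders; replace them with your own.

# 1. Start in audit mode. Legitimate programs that write to protected folders
#    are recorded in the event log instead of being blocked outright, which
#    avoids breaking trusted software when you later switch to enforcement.
Set-MpPreference -EnableControlledFolderAccess AuditMode

# 2. Protect folders beyond the defaults (Documents, Pictures, Videos, etc.).
Add-MpPreference -ControlledFolderAccessProtectedFolders 'D:\Finance'   # placeholder

# 3. Review what would have been blocked. In the Defender operational log,
#    event ID 1123 is a blocked write and ID 1124 is an audited (not blocked) write.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1123, 1124
} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message

# 4. Allow any trusted program that appeared in the audit events, then enforce.
Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Apps\LegitBackup.exe'  # placeholder
Set-MpPreference -EnableControlledFolderAccess Enabled

# 5. Confirm the final state. EnableControlledFolderAccess reports 1 when enforced.
Get-MpPreference | Select-Object EnableControlledFolderAccess,
    ControlledFolderAccessProtectedFolders,
    ControlledFolderAccessAllowedApplications
```

Leave the setting in audit mode for a few days of normal use before enforcing it, since a blocked write from a legitimate application (a backup agent, for example) can otherwise look like a ransomware incident.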

Macro security: unless you are sure of the authenticity of a document, do not enable or run macros if asked. Macros are automated procedures (typically built into spreadsheets and word-processed documents) that can be used to execute code which downloads and installs malicious software onto your system.

Zero trust: in the workplace, limit a person’s access to information, networks and applications to the minimum necessary for performing their role effectively. This greatly reduces the attack surface: the number of points at which an attack can be made. The more attack points present, the more options are available to potential attackers. Establishing these limits on access is known as a ‘zero-trust’ rule.

Backup your important data

  • You should keep backups of any important files that you may have.

  • Do not store them on the same system as the original files and do not store them on a device connected to your network as ransomware can spread to network-connected systems.

  • If your files are being stored on an external hard drive, disconnect it from the system when not in use.

  • It is recommended to follow the ‘3-2-1 rule’: keep at least three copies of your important data, on two different devices, with one of those backups being held offsite.

  • There is a high chance that your data will not be retrievable if you have not backed it up before an infection.

What to do if you have been infected

Immediately disconnect your computer from the network by unplugging any network cables, disconnect the Wi-Fi, and power-off or hibernate the computer.

If you are at work, inform the security team of the situation without delay and follow instructions.

Do not restart the computer; await instructions first, as restarting could allow more files to be encrypted and could lose data that may be useful for decrypting the system.

Report to the Cyber Security Centre (CSC) and the Police using our cyber-concerns online reporting form found on our website or by calling 686060.

Organisations (large and small) should follow their incident plans so that the attack and its consequences can be effectively managed. If your organisation does not yet have a plan, please read our Incident Response and Recovery guidance for further details.

If using a home computer, unless you are comfortable with formatting and re-installing your Operating System, contact a qualified IT repair centre or experienced technician.

It is highly recommended that you do not pay the ransom: it encourages and funds the attackers and there is no guarantee that you will be able to regain access to your files.

What about "decryptors"?

Some reputable cyber-security firms and researchers have started producing "decryptors" for some of the ransomware variants in circulation. However, these decryption tools are specific to each version of ransomware, so using the incorrect tool may result in your files being encrypted further.

It is highly recommended that you consult with an experienced IT specialist to determine if, and how, your files can be decrypted.

No More Ransom (https://www.nomoreransom.org) is a website with a collection of official decryptors for various ransomware strains and versions.


This page was last reviewed 13/11/2024