Let's take a moment to talk about ransomware. Ransomware is malware that encrypts the data on the computer it infects. Some variants also go after other devices on the network, such as routers and switches, but don't worry about that for now. Once it has encrypted your data, it posts a notice on your screen demanding payment, typically in Bitcoin or another cryptocurrency such as Monero, in exchange for the decryption key that will let you get your data back. Keep in mind that the vast majority of malware isn't the super-sophisticated attack code you'd see in a movie. It doesn't have to be.

One other thing to mention: HHS treats a ransomware infection as a data breach even though it scrambles your data rather than stealing it. Under the HHS guidance, the infection is presumed to be a breach unless you can demonstrate a low probability that the PHI was compromised, so once again it is a reportable event.

Because it is malware, ransomware is delivered the way most malware is: emails with infected web links and/or attachments, and compromised or malicious websites. That includes what's called malvertising, where an ad that looks perfectly innocent takes you to an infected site when you click it. Downloads straight from the Internet can also be compromised, and so can direct connections to your system: someone else on your network who has been infected can infect you, and so can something you plug into your system. The WannaCry outbreak, which hit in May 2017, was delivered by a type of malware called a worm, which is self-replicating. Once it got out there, it just kept jumping from system to system.


In effect, WannaCry was looking for systems that had not been updated and still had an old Microsoft component enabled: the SMBv1 file-sharing protocol, which Microsoft had deprecated years earlier and had patched about two months before the outbreak. People left it on their systems, and that's what WannaCry attacked. Some variants arrive as attachments that look like gibberish and suggest that the recipient enable what are called macros if the message isn't rendering clearly. As soon as macros are enabled, the attack runs. A macro is basically a task automator in Microsoft Office, and it's always best to leave macros disabled. Ransomware is more and more commonly being used against whole networks as opposed to individual computers. There was a big spike in high-profile attacks in early 2016, especially against a few hospitals. The question that then begs is: how much would you be willing to pay if an attacker encrypted your office's document storage database or all of your billing records?
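As an added example (not part of the original training material): the macro-attachment trick described above works because the macro code travels inside the document. Modern Office files (.docx, .docm, .xlsx, .xlsm, .pptx, .pptm) are zip archives, and VBA macros are stored in a part named vbaProject.bin, so a quarantine or mail-gateway script can decide by what is inside the file rather than by its extension, which the sender controls. The PowerShell below is illustrative code written for this page; the C:\Quarantine folder is a hypothetical location.

```powershell
# Added example: classify Office attachments by content, not by extension.
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Test-OfficeMacros {
    param([Parameter(Mandatory)][string]$Path)

    $zip = $null
    try {
        # .NET resolves relative paths against its own working directory,
        # so callers should pass a full path (see the usage loop below).
        $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
        foreach ($entry in $zip.Entries) {
            # $entry.Name is the file name without the folder part,
            # e.g. word/vbaProject.bin -> vbaProject.bin
            if ($entry.Name -ieq 'vbaProject.bin') { return $true }
        }
        return $false
    }
    catch [System.IO.InvalidDataException] {
        # Not a zip at all. Legacy binary formats (.doc/.xls) store macros in an
        # OLE compound file and need a different parser, so flag for manual review.
        return $null
    }
    finally {
        if ($zip) { $zip.Dispose() }
    }
}

# Usage: scan a quarantine folder (hypothetical path) and report each file.
# HasMacros = True  -> contains VBA, regardless of what the extension claims
# HasMacros = False -> OOXML file with no VBA part
# HasMacros = (empty) -> not a zip container; review by hand
Get-ChildItem -Path 'C:\Quarantine' -File -Recurse `
    -Include *.docx, *.docm, *.xlsx, *.xlsm, *.pptx, *.pptm |
    ForEach-Object {
        [pscustomobject]@{
            File      = $_.FullName
            HasMacros = Test-OfficeMacros -Path $_.FullName
        }
    }
```

The point of returning three states rather than two is the failure mode: a file that is not an OOXML archive is not proven clean, it is simply something this check cannot classify, and treating "could not parse" as "no macros" is exactly the gap an attacker would use.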


Now, how do you prevent it? First and foremost, keep all of your software up to date. Like most malware, ransomware attacks flaws in older systems that haven't been updated, because most people aren't up to date with their systems. Attackers know this: if a fix should have been applied two years ago and a lot of people haven't applied it, that's an open door for attackers to walk through. Data backups are also critically important, because even if something like this does take down your system, you can wipe it, get the malware off, update your software and then restore the system from the backups. The thing to realize, though, is that the backups shouldn't be directly connected to the network. Most ransomware, once it gets into a network, starts looking for every network connection it can reach in order to spread, and if your backups are reachable from the infected machines they'll be encrypted too.

Once again, disable macros in Microsoft Office. Another measure that's great to use is application whitelisting, which acts like an invite-only party: the only software allowed to run on your system is what has been whitelisted, or allowed. It's not impervious; no security measure really is, and there's no such thing as perfect security. But it's very, very helpful, and it will often block ransomware attempts as well. Finally, security awareness training can greatly reduce the likelihood that an initial attack succeeds, because people recognize what's happening, and it increases the likelihood that an attack is reported once it happens, giving you a much better chance to stop it early.

Ransomware typically encrypts the data on the infected computer.

  • A pop-up notice on your screen will demand payment (via cryptocurrency like Bitcoin) to give you the decryption key
  • Ransomware is delivered like most malware:
    • Emails with infected web links and/or attachments
    • Compromised or malicious websites (including malvertising, the practice of embedding malware in online advertisements) or downloads, and
    • Direct connections to media or another system component that’s infected

What steps can prevent a ransomware attack from succeeding?

  • Keep software up-to-date
  • Regularly back up your data (shouldn’t be directly connected to the network)
  • Disable “macros” function in Microsoft Office
  • Use application whitelisting (only approved software applications are permitted to be present and active on a computer system)
  • Provide security awareness training to reduce the likelihood of an initial attack succeeding
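The following PowerShell is an added example, not part of the original training material, showing what the prevention steps above look like on a single Windows workstation. It turns off the SMBv1 protocol (the outdated Microsoft component WannaCry exploited), sets the Office policy values that disable macros without prompting the user, blocks macros in files that arrived from the Internet or by e-mail, and reports the most recently installed update so you can see how far behind the machine is. It assumes Office 2016 or later (the 16.0 policy key; older versions use 15.0 or 14.0) and a Windows 10/11 client, and it must be run from an elevated PowerShell session.

```powershell
# Added example: workstation hardening for the ransomware entry points on this page.
# Assumes Office 2016+ (policy key version 16.0) and a Windows 10/11 client.
#Requires -RunAsAdministrator

# 1. SMBv1: the file-sharing protocol WannaCry spread through. Remove the optional
#    feature and switch it off on the SMB server. (On Windows Server the feature is
#    instead removed with Remove-WindowsFeature FS-SMB1.)
$smb1 = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
if ($smb1.State -eq 'Enabled') {
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
}
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

# 2. Office macros. VBAWarnings: 1 = enable all, 2 = disable with notification,
#    3 = disable except digitally signed, 4 = disable without notification.
#    blockcontentexecutionfrominternet = 1 blocks macros in any file carrying the
#    Mark of the Web (downloaded or received as an attachment), independently of
#    the VBAWarnings setting, so a user who is talked into "Enable Content" still
#    cannot run an attachment's macros.
$apps = 'Word', 'Excel', 'PowerPoint'
foreach ($app in $apps) {
    $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name 'VBAWarnings' -Type DWord -Value 4
    Set-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' -Type DWord -Value 1
}

# 3. Report the resulting state so the change can be verified.
[pscustomobject]@{
    Setting = 'SMB1 enabled on server'
    Value   = (Get-SmbServerConfiguration).EnableSMB1Protocol
}
foreach ($app in $apps) {
    $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    $p = Get-ItemProperty -Path $key
    [pscustomobject]@{
        Setting = "$app VBAWarnings / block from Internet"
        Value   = "$($p.VBAWarnings) / $($p.blockcontentexecutionfrominternet)"
    }
}
# Most recent update installed on this machine: if it is months old, the
# "keep software up to date" step has not been done.
Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 1 HotFixID, InstalledOn
```

Setting the values under HKCU hardens only the current user's profile; for a whole practice, push the same values through the Office Group Policy templates so they apply to every user and cannot be undone from the Trust Center. If a department genuinely needs macros, VBAWarnings of 3 (only digitally signed macros run) is the fallback, with the Internet block left in place. Application whitelisting (AppLocker or Windows Defender Application Control) and the offline backup are configured separately and are not covered by this script.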