what if you got infected with Ransomware

If your computer infected with ransomware, first let me commiserate with you, you are in the same boat with myriad people around the globe which once faced a terrible dilemma, to pay the ransom or lose their data. Ransomware victims are often baffled after seeing ransomware warning screen, hence they may make other dangerous mistakes or waste their valuable time on endless searches or examination of useless solutions. In this article, I as a Panda security support technician will suggest some solutions to you base on my experiences.

The most important thing for ransomware victims is recovering their file which encrypted by criminals, but is it indeed possible?
If you infected with ransomware recently, there is no chance at this time to recover your files, although some tools were published to decrypt the files held hostage, but those tools just work on the defunct version of ransomwares and are useless for new and active version of them. you have to choose one of these options base on your encrypted files importance:
1- Recovering from back-up

If you are reading this article, probably don’t have practical backup solution, but I strongly suggest you to use all your power to search your archives, external storages and … to find any copy of lost data even very old version of them, also this is important to know that many department and employees of your company may suggest interesting solutions to recover the lost data, some may have a copy in their personal storages or have a printed version of them. some data may doesn’t have that much value than you think or might be possible to obtain them from different resources. So please put pettiness and sorrow away and talk to them about the current situation. In one case, I was able to persuade a network admin to talk with account manager of their company and surprisingly they had a printed version of lost data and were able to recover them just by 5 days of work of the secretary.

2- Backup encrypted file to recover them in the feature

If your encrypted data are valuable for you but not critical, like old family photos or archived documents, I recommend you to have a copy of them and looking for the tools that publish by security companies sporadically. Cyber Police in cooperation with security companies was successful on detect and arrest some ransomware developers, usually after arresting these cyber criminals, their command and controller (C&C) servers investigate by security specialists in a hope to find key they used to encrypt their victims’ data and these key will publish as tool on the internet, sometimes ransomware developers retire themselves after reaching a specific amount of money and publish a decryption tool for their victims to healing from guilt, like Tesla-locker. Finding every published tool could be an arduous task, you may even download another ransomware instead of decryption tool and again become a victim of cyber criminals. I have solution for this, you can go to https://id-ransomware.malwarehunterteam.com/ website, upload an encrypted file, ransomware note or even Email address which criminal gave you to contact them and examine your chance. If there were any decryption tool for your ransomware, you can download it from this site directly.

3- Pay the ransom

This is the bitter fact should deal with. All security agencies suggest not to pay the ransom as this will make cyber criminals stronger, but if your data is critical for your business, there is no way left. There are two important point here, first, cyber criminals will give you one or two period, and after finishing each of them, the amount of ransom may increase or may threating you that recovery key may expunge forever. Second point is you may doubt about receiving the key after payment, regarding the second point I should mention that there is an unwritten law among ransomware developers that base on that low if they don’t give the key after payment, the general trust will fade among people and nobody even in the urgent need of its encrypted data will take the risk of inconclusive payment. Regarding the first point I advise you to arrange a meeting with all affected and effective people in your company, first make certain that there is no way to restore the data, after that estimate the value of the hostage data and amount of ransom criminals demand, at last, make the final decision and if this decision is to pay the ransom at least preventing the increase of the amount of it.

4- Format the hard disk and start again.

This is the solution for those lucky people who didn’t have valuable data on the infected computer, this way you could make sure that all the traces of virus were cleaned.

What now?

Now that you choose one of above options and passed this step, you should know that the chance of infecting with ransomware still exist and this chance is even higher for you or your company because probably there is a security hole there that once a time cybercriminal used it to infect you with malware, so I firmly advise you to get to know the way ransomwares come and infect you and close those doors with these simple methods:

1- Institutionalize safe cyber behavior in your home or company

Training is the most effective weapons against social engineering, employee as the weakest circle in the security chain, need to get familiar with different tapes of security threats and the cost of unsafe behavior in the cyber world. Social engineering is the most effective way to infect a computer. For instance, as we saw in the first version of Locky Malware, just an office file attached to an Email in the name of “invoice”, trigged many people specially account department employees to open it and then enable Macro to be able to read its content, with this legerdemain, Locky developers successfully infected thousands of computers around the world.

2- Review services which are available from the internet

Reports say that new kind of attacks are based on security vulnerabilities of published services which are accessible from the internet. Ransomwares made a bridge between hack and gaining money. In the past, maybe hacker had access to company servers but transmute this access to money was arduous or most of the time impossible, finally an unfortunate hacker may delete server data or publish it on the internet which may cause him further troubles. But with the genesis of ransomwares and the ransomware generation kits that are saleable in the internet, hackers can simply encrypt the server data and demand a ransom for decryption key, this caused them to find interest to penetrate to servers as more as they could so they created fully automated programs which search the internet for vulnerable servers. A good example of them is “Cerber Ransomware”. Cerber developers search the internet in order to find IPs that Remote Desktop is enabled on them, then test certain passwords on them in order to gain access. The point here is that in this situation, the security product installed on that server have no chance to prevent ransomware from encrypting data because having access to server, hackers could disable or completely uninstall the endpoint protection and then run their ransomware. Put a firewall with intrusion prevention system (IPS) on the network edge can cover majority of servers’ security vulnerabilities, if you don’t have IPS or want more security, you can restrict those published services to just be accessible from certain IPs, in case of securing remote desktop service you can use IP white list or two factor authentication.

3- Manage the permission on share folders

Share folders currently not counting as point of ransomware spreading or infection, but they use as weak point which may force you to pay the ransom. These folders hold the important portion of clients’ data and in case of incorrect implementation, may encrypted by any infected machine in your network. In this case also, security software on file server which host the shared folders is useless as the virus process hosts in different machine and just its affect can be seen on fileserver.

I’m sure that you are not one of those guys who set “everyone full control” on share folders but just for the record I want you to know that the best practice for share a folder in the network is to obey the “least privilege” principal. For instance, week ago I went to a company as monthly observation of their antivirus, a folder with the name of public on file server caught my attention which was the place to transfer file between employees, this folder was contain subfolders same as the name of employees and was mapped on all computers in the network, from a client I went to other employees folder and saw that I have full permission on them, in fact all employees had full permission on all public sub folders, I ask for the reason and admin told me that employees should be able to send file to others, so they go to that person folder and copy file there and because we don’t know who want to share with who, we have to give full permission to everybody. After think a while, I told them why each person doesn’t have full permission on his/her own folder and just read permission on others folder, this way everyone who want to share file with someone, will copy it to his/her own folder and the other one can copy it from there, the benefit of this configuration is that if one person’s computer infects, just his/her folder on file server will affected. The network admin after thinking a while told me: yes, this way is also OK.

4- Update software and use standard security product

This advice doesn’t need much explain and all of us know that updating operating systems such as windows, Linux and firmware of printers, modems and other devices and also all installed application is mandatory for security which will help covering security vulnerabilities used by malwares, this fact, beside using a standard Antivirus can help you be safe on the internet. Some companies introduced special solution for ransomware attacks like Panda Adaptive Defense 360. You can read more in Tobesafe.ir