What do you know about Ransomware?
Originally published: October 25, 2017
This week we have learned of another version of ransomware. This version, called "Bad Rabbit", is in Europe now but could be here any day, or another variant of it could jump across the ocean. It leads me to the question: what do you know about ransomware? Not just the word that is in the news - do you know what it is, what it does, and how it happens? Worse yet, what do you do when you do get it?
I can speak in depth on this subject, having been through an attack like this before. It is an ugly situation which evolves so quickly that you have already lost all of your data before you know what happened, or that it is even happening. By the time you figure out that it is going on, you have most likely lost most of your business data. I was lucky: I had prepared for such an incident. I knew that no matter how much training users had or how much security I put in place, there is always a gap that something can come through. I had backups - this was the savior, and I want it to be for you as well.
How it works:
1. The end user receives an email that appears to be from their boss, a friend, a family member, or another trusted person. The email contains a URL that appears to lead to an application such as Salesforce, Workday or ZenDesk.
2. When the user opens the link, it directs them to a website which seems legitimate. The page is actually a landing page for an exploit kit.
3. Upon loading the page, the web server begins communicating with the victim machine, probing for vulnerabilities and attempting to push malicious code.
4. Once executed, the program deletes existing shadow copies to limit recovery options.
5. The binary uses PowerShell to propagate copies of itself and begins encrypting files with specific extensions.
6. After encrypting the victim's files, the malware sends the encryption key back to the command-and-control server.
7. The server then sends a ransom message to the victim.
To amplify the victim's distress, ransomware often includes a countdown clock with a deadline for paying the ransom - or else the decryption key will be destroyed.
So, what do you do next? If you have made proper preparations, you can restore your servers or systems to the state they were in right before the attack.
If you encounter this terrible situation, Sparrowhawk can help you out. We specialize in affordable backup solutions for businesses, which can restore you to a running state quickly.
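As an added example (not from the original post), the following Python script shows how a defender might spot steps 4 and 5 of this chain in process-creation logs. The sample events, host names and paths are constructed, and the patterns are illustrative rather than a complete detection set.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style process-creation events (hypothetical hosts and paths),
# not real telemetry. "cmdline" is the only field the detections inspect.
SAMPLE_EVENTS = [
    {"host": "WS-07", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "WS-07", "cmdline": r"powershell.exe -nop -w hidden Copy-Item C:\Users\Public\svc.exe \\FS-01\ADMIN$\svc.exe"},
    {"host": "WS-03", "cmdline": "wmic.exe shadowcopy delete"},
    {"host": "WS-12", "cmdline": "vssadmin.exe list shadows"},
    {"host": "WS-12", "cmdline": r"powershell.exe -File C:\Scripts\inventory.ps1"},
]

# Step 4 of the chain: commands that destroy the local recovery points.
SHADOW_COPY_DELETION = [
    re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\s+delete\b", re.I),
    re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I),
]
# Step 5 of the chain: PowerShell copying a binary to another host's admin share,
# or launched with a long encoded command (a common way to hide the script body).
POWERSHELL_PROPAGATION = [
    re.compile(r"\bpowershell(\.exe)?\b.*\bcopy-item\b.*\\\\[^\\\s]+\\(admin|[a-z])\$", re.I),
    re.compile(r"\bpowershell(\.exe)?\b.*-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{40,}", re.I),
]

def classify(event):
    """Return the detection names that match one event's command line."""
    hits = []
    if any(p.search(event["cmdline"]) for p in SHADOW_COPY_DELETION):
        hits.append("shadow_copy_deletion")
    if any(p.search(event["cmdline"]) for p in POWERSHELL_PROPAGATION):
        hits.append("powershell_propagation")
    return hits

def scan(events):
    """Collect hits per host. A host showing both behaviours is escalated because
    together they match the destroy-recovery-then-spread sequence described above."""
    per_host = defaultdict(set)
    for ev in events:
        per_host[ev["host"]].update(classify(ev))
    verdicts = {}
    for host, hits in per_host.items():
        if {"shadow_copy_deletion", "powershell_propagation"} <= hits:
            verdicts[host] = "critical: ransomware-like sequence"
        elif hits:
            verdicts[host] = "suspicious: " + ", ".join(sorted(hits))
    return verdicts
```

Running scan(SAMPLE_EVENTS) flags WS-07 as critical and WS-03 as suspicious, while the routine administrative commands on WS-12 produce no alert.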
Sparrowhawk - keeping your technology safe.