Tackling ransomware

What can organizations do to safeguard themselves?

The recent WannaCry ransomware attack, which affected hundreds of thousands of computer systems around the world, has left organizations and individuals concerned about the safety and security of their digital information. Part of the reason for the unprecedented spread of this attack is a lack of awareness about what ransomware is and how to tackle it.

Ransomware prevents or restricts access to a victim's system or files, typically in one of three ways: locking the user's screen, encrypting the user's files, or taking remote control of the victim's system through a command and control server. The victim is then told to pay a 'ransom' or 'release fee', usually through a digital payment channel such as Bitcoin, in order to regain access. However, in our experience there is no guarantee of regaining access even after the ransom is paid. Many victims of WannaCry have faced exactly this problem, even after paying the demanded ransom of US$300 in Bitcoin (doubling to US$600 after three days).

The most common sources of ransomware are phishing emails carrying malicious attachments or links, malicious website pop-up advertisements, and already-infected systems on the same network. A computer is usually infected when a user opens such an attachment or follows such a link. WannaCry, however, spread on such a large scale because it is also a worm: it scans for other machines exposing unpatched SMBv1 file sharing (the flaw fixed by Microsoft's MS17-010 update) and copies itself to them with no human intervention at all.

What can organizations do to safeguard themselves?
  1. Regularly apply operating system and application security patches, and keep anti-virus/anti-spyware/anti-ransomware definitions current. Take periodic backups and keep copies offline (disconnected from the network), so that the backup cannot itself be encrypted, and test that they actually restore. Encrypting sensitive files is a further good practice, though it does not by itself stop ransomware from encrypting them again.
  2. Educate users to recognise unsafe file types and not to open email attachments from unknown senders. If in doubt, users can verify the sender's address against known contacts and scan the attachment before downloading and opening it.
  3. Enable system restore points, a built-in feature of many commonly used operating systems, which can help restore files. Note, however, that many crypto-ransomware families, WannaCry included, delete Volume Shadow Copies on the infected Windows host, so restore points are no substitute for offline backups. Endpoint protection is also recommended. Network protection, meaning segmenting the network and blocking SMB (TCP port 445) between workstations and at the perimeter, limits how far a worm like WannaCry can travel and which shared drives it is able to encrypt.

If a business suspects that a system has been infected, it should immediately disconnect that system from the network (unplug the cable, disable Wi-Fi) to stop the ransomware spreading to other hosts and encrypting more data on mapped drives. Whether to power it off is a judgement call: shutting down halts any encryption still in progress, but it also destroys volatile evidence such as process memory, which in some cases holds key material a forensic team can use for recovery. Where the incident will be investigated, isolate first and capture memory before powering off. Businesses should also consider seeking support from external experts, as specialist forensic teams can attempt recovery of deleted data, identify the source of the infection, check whether malicious files were downloaded or dropped onto the system, and check whether any malicious files remain. They can also assess whether other malware was installed that could compromise the system, and whether other systems have been similarly affected.
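As an added example of the kind of check a forensic team runs when looking for files that were dropped or encrypted (this is example code, not part of the original article or any Deloitte tool), the Python script below triages a directory for three indicators: the .WNCRY suffix WannaCry appends to encrypted files, the @Please_Read_Me@.txt ransom note it drops, and file contents whose Shannon entropy is close to 8 bits per byte, which is what encrypted output looks like. The entropy threshold, the minimum file size, and the sample directory it builds are constructed assumptions; the two WannaCry filenames are the real artifacts. Compressed archives and media files are also high-entropy, so that indicator alone is a prompt for a closer look, not proof of infection.

```python
"""Triage a directory tree for indicators of crypto-ransomware activity.

Added example; not the article's or any vendor's code. Indicators:
  * known ransomware file suffixes (.WNCRY / .WCRY are WannaCry's)
  * known ransom-note filenames (@Please_Read_Me@.txt is WannaCry's)
  * near-random file contents, measured as Shannon entropy per byte
"""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

RANSOM_EXTENSIONS = {".wncry", ".wcry"}          # extend with your own IOCs
RANSOM_NOTE_NAMES = {"@please_read_me@.txt"}
ENTROPY_THRESHOLD = 7.5   # assumed cut-off; encrypted data approaches 8.0
MIN_SIZE = 256            # assumed; tiny files give unreliable entropy


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def triage_directory(root) -> dict:
    """Walk `root` and collect every indicator hit, keyed by indicator."""
    hits = {"ransom_extensions": [], "ransom_notes": [], "high_entropy": []}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        if path.name.lower() in RANSOM_NOTE_NAMES:
            hits["ransom_notes"].append(str(path))
        if path.suffix.lower() in RANSOM_EXTENSIONS:
            hits["ransom_extensions"].append(str(path))
        data = path.read_bytes()
        if len(data) >= MIN_SIZE and shannon_entropy(data) >= ENTROPY_THRESHOLD:
            hits["high_entropy"].append(str(path))
    return hits


def looks_infected(hits: dict) -> bool:
    """A note or a known suffix is decisive; entropy alone needs several hits
    (archives and images are high-entropy too), so require at least three."""
    return bool(hits["ransom_notes"] or hits["ransom_extensions"]) \
        or len(hits["high_entropy"]) >= 3


def build_sample_tree(root) -> None:
    """Constructed sample data, not a real capture: two plain documents,
    three 'encrypted' files (random bytes with the WannaCry suffix) and
    a ransom note."""
    root = Path(root)
    (root / "reports").mkdir()
    (root / "reports" / "q1.txt").write_text("quarterly revenue report\n" * 40)
    (root / "notes.txt").write_text("meeting notes " * 100)
    for i in range(3):
        (root / f"invoice{i}.docx.WNCRY").write_bytes(os.urandom(4096))
    (root / "@Please_Read_Me@.txt").write_text(
        "Your files have been encrypted. Pay to recover them.\n")


def demo() -> dict:
    """Build the sample tree in a temp dir, triage it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        hits = triage_directory(tmp)
        hits["infected"] = looks_infected(hits)
        return hits


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On a real host, point `triage_directory` at user profile and share paths rather than the temporary sample tree, and run it from a clean analysis machine against a mounted image so that the act of triage does not alter timestamps on the evidence.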

If you have any comments or would like to share your views, please write to us at inforensic@deloitte.com or talk to us on Twitter @deloitteindia.

A version of this article appeared in the Economic Times. You may read it here.

Authored by: Jayant Saran, Partner, Deloitte India
