Data Protection Commissioner

What is Ransomware
Ransomware is an increasingly common cybercrime that can present a significant risk to the protection and availability of individuals’ and businesses’ personal data. It is perpetrated by the installation of malware which locks access to files on a user’s device or computer. The ransomware is designed to extort money from users whose devices are infected by the malware, by encrypting their data and holding it to ransom. The malware is used to encrypt important files such as Microsoft Office files, PDF files, images, videos, audio and other types of files. Once these files are encrypted, the infected device displays a notification demanding payment to release the encrypted files, usually in the digital currency bitcoin. Paying the ransom never guarantees that your files and data will be recovered.

There are measures that both individuals and businesses should take to help prevent attacks or outbreaks of ransomware, to limit the impact or spread of malware and to recover from impacts and return to “business as usual”. Some businesses may have more resources and skills available to undertake these measures. However, for small businesses this does not mean that the matter is less serious.
How are your files and data hijacked?

  • Ransomware gains access to your computer or device, locks your files, and disables certain functions, which prevents you from accessing your data.
  • Ransomware uses file encryption to scramble and encode your data, making it impossible to access without being able to decrypt or unscramble the data.
  • Ransomware leaves a ransom message demanding payment, usually in the digital currency bitcoin, to release the files.
How could I fall victim to a Ransomware attack?

Ransomware can be delivered through emails that look indistinguishable from genuine emails. These emails contain attachments that look familiar to the recipient.  However, when the attachment is executed/clicked by the recipient the ransomware will infect the computer or device. Other common forms of delivery are through downloading fake applications or by accessing websites that have been compromised by the ransomware. Ransomware can also be spread directly from an already-infected computer on a network.

Individuals and business users can fall victim to ransomware if they:

  • Open malicious attachments in emails
  • Click on compromised websites
  • Install fake software updates
  • Fail to follow providers’ instructions and advice to update software and install patches
  • Fail to keep anti-virus and anti-malware software up to date.
How can you prepare yourself for a ransomware attack?

Individuals and Businesses can take a number of steps to help prevent ransomware incidents and outbreaks.
  1. KEEP REGULAR BACKUPS - Backups should be complete, up-to-date and kept in a secure location. Having up-to-date backups allows for a quick restoration of your data and files to a computer or a device that is not infected by the ransomware, allowing you to use your data and files as normal.
  2. USE STRONG PASSWORDS - Protect your computer or device by setting up unique passwords for the different accounts you have, keeping passwords safe and making sure the passwords you choose have a level of complexity that makes them difficult to guess[1].
  3. ADVANCED SECURITY SETTINGS - Protect your computer or device by changing "default credentials" (username / password) to secure alternatives, and review what advanced security settings are available to better protect your computer or device.
  4. VERIFY SENDER OF EMAILS - Ensure you recognise the sender of emails before you open any attached documents or files or click on links inside an email.
  5. ATTACHMENTS, BANNERS AND LINKS - Be cautious when clicking on advertisements, images or email attachments. These links can redirect you to a website from which the malicious software is downloaded to your computer without your control. It is also important not to enable macros in document attachments received via email.
  6. USE ANTI-VIRUS SOFTWARE AND A FIREWALL – Install anti-virus software and a firewall to prevent, detect and remove malicious software from your computer or device. Many types of anti-virus software are free to download. Keep this software up to date at all times.
  7. UPDATE SOFTWARE REGULARLY – Be aware that cyber-criminals can take advantage of known bugs in software or browsers. Update your software with patches regularly to remove these bugs and vulnerabilities and to help protect your files and data against these attacks.
  8. TRUSTED WEBSITES - Use official websites to keep software patched with the latest security releases.
  9. MOBILE APPS - Only use official and trusted resources to download apps – for example manufacturer’s “marketplaces”. Where possible, apply additional available safeguards for the device e.g. some devices have additional protection that allows you to select an option to disable “Unknown sources” or to “Verify apps” before installing. Check out the options available on your device.
  10. BEING VIGILANT – If you hear about ransomware or other malware then it has likely already spread and the business may already have been targeted. Act quickly to check your systems and defences and to limit any outbreak. Raise awareness throughout the organisation through training and information campaigns.
  11. SEEK ADVICE FROM ANTI-VIRUS PROVIDER - Use official websites that offer instructions on prevention and how to safely remove malware such as www.nomoreransom.org.
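Step 1 above says backups should be complete, up-to-date and kept securely, but a backup only helps after a ransomware incident if somebody has actually checked those three properties before the incident. The script below is an added example (not code from the Data Protection Commissioner) showing how such a check can be automated: it walks a source folder, confirms every file has a byte-identical copy in the backup folder, and flags copies older than an agreed age. The folder layout and the sample files in `demo()` are constructed for illustration; in practice `verify_backup` would be pointed at the real source and backup locations and run on a schedule.

```python
"""Backup verification: is the backup complete, intact and fresh?

Added example, not code from the Data Protection Commissioner. It assumes the
backup is reachable as an ordinary directory tree that mirrors the source.
"""
import hashlib
import os
import tempfile
import time
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in 1 MiB chunks so large backups need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_backup(source: Path, backup: Path, max_age_hours: float = 24.0) -> dict:
    """Compare every file under `source` with its copy under `backup`.

    Returns a report with three lists of relative paths:
      missing - present in the source but absent from the backup (incomplete)
      changed - backup copy differs from the source byte-for-byte (corrupt or
                partially overwritten, e.g. by an encrypting process)
      stale   - backup copy older than `max_age_hours` (not up-to-date)
    Three empty lists mean the backup is complete, intact and fresh.
    """
    report = {"missing": [], "changed": [], "stale": []}
    cutoff = time.time() - max_age_hours * 3600
    for src_file in sorted(p for p in source.rglob("*") if p.is_file()):
        rel = src_file.relative_to(source)
        dst_file = backup / rel
        if not dst_file.is_file():
            report["missing"].append(rel.as_posix())
            continue
        if sha256_of(src_file) != sha256_of(dst_file):
            report["changed"].append(rel.as_posix())
        if dst_file.stat().st_mtime < cutoff:
            report["stale"].append(rel.as_posix())
    return report


def demo() -> dict:
    """Constructed source/backup pair in a temporary directory.

    Contains one intact copy, one altered copy, one file never copied and one
    copy that is a week old, so every report category is exercised.
    """
    root = Path(tempfile.mkdtemp(prefix="backup-demo-"))
    src, dst = root / "source", root / "backup"
    for d in (src / "docs", dst / "docs"):
        d.mkdir(parents=True)
    (src / "docs" / "intact.txt").write_bytes(b"quarterly report")
    (dst / "docs" / "intact.txt").write_bytes(b"quarterly report")
    (src / "docs" / "altered.txt").write_bytes(b"original contents")
    (dst / "docs" / "altered.txt").write_bytes(b"different contents")
    (src / "docs" / "missing.txt").write_bytes(b"never copied")
    (src / "docs" / "old.txt").write_bytes(b"copied long ago")
    old_copy = dst / "docs" / "old.txt"
    old_copy.write_bytes(b"copied long ago")
    week_ago = time.time() - 7 * 24 * 3600
    os.utime(old_copy, (week_ago, week_ago))  # make the copy look stale
    return verify_backup(src, dst, max_age_hours=24)


if __name__ == "__main__":
    for category, files in demo().items():
        print(f"{category}: {files or 'none'}")
```

Any non-empty list is the signal to act before an incident, not after it: a `changed` entry in particular deserves attention, because a backup that is silently being overwritten with altered content would be useless for recovery.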
Additional business preparations

Because of the greater volumes and concentration of personal data, a business typically has a greater need to adopt organisational measures to deal with ransomware.

These include:

  1. USE A SUITE OF NETWORK DEFENCES – Having network-based anti-virus, anti-malware and protocol inspection tools may help protect your systems at the network perimeter. Ensure you have configured alerting and have an action plan for when these tools encounter possible malicious traffic. Update your desktop virus and malware definitions systematically and patch your servers and other infrastructure regularly. Extend these defences to include mobile devices.
  2. CONSIDER COMPARTMENTALISING – In addition to well managed and maintained access controls for your systems, consider isolating high-value operations and assets from others. This may help preserve your control while isolating and limiting the impact of malicious attacks or outbreaks. In some cases an “air-gap”[2] might be the best way to secure high-value resources.
  3. MANAGING MOBILE DEVICES – In addition to managing and defending the business’s fixed networks, it is important to consider protecting and managing employees’ devices. A Mobile Device Management (MDM) system can help a business do this by allowing only certain apps to be installed and by providing remote control facilities to “wipe” a device if needed.
  4. TRAIN YOUR STAFF – Everyone in the organisation should have training to raise awareness of ransomware and other malware. This should cover how to recognise possible ransomware, dealing with phishing attempts, dealing with message attachments, what to do when ransomware is suspected and who to inform. It should also cover what to do when working outside of the office or when using mobile devices.
  5. PLAN AND PREPARE FOR INCIDENTS – It is essential that a business develops and maintains policy, practice and action plans for dealing with network security incidents like a malware attack or outbreak. This should cover the technological and organisational defences, reactions, personnel and resources, communications, remediation, escalation and any required regulatory reporting.
If you are attacked

  1. NEVER PAY THE RANSOM – Ransom payments do not guarantee that your files can be accessed again. You will be supporting the cyber-criminals’ business and the financing of their illegal activities.
  2. DISCONNECT FROM THE INTERNET – This will help stop other computer systems becoming infected from messages you might send, from malware spreading independently, or from more malware entering your network.
  3. REPORT – If you are a victim of a ransomware attack that compromises personal data, report it immediately to the Data Protection Commissioner, An Garda Síochána and the National Cyber Security Centre.
  4. DISINFECT COMPUTER(S) – Use the anti-virus or malware scanning system to disinfect your computers and to quarantine or remove the malware. Consider restarting and re-scanning these computers.
  5. DETERMINE DATA LOSS – If possible, check whether you can recover data from disinfected computers. If this is not possible, you may have to restore data from your backup system.
  6. SEEK ADVICE FROM ANTI-VIRUS PROVIDER - Use official websites that offer instructions on prevention and how to safely remove malware such as www.nomoreransom.org.
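Step 5, determining data loss, starts with a simple question on each disinfected machine: which documents are still readable and which have been overwritten with encrypted content? The script below is an added example (not code from the Data Protection Commissioner) of a triage pass that answers it without opening each file by hand. It uses two checks: whether a file still begins with the header its extension implies (a PDF starts with `%PDF-`, Office .docx/.xlsx files are ZIP containers starting with `PK`), and, when the header is gone, whether the leading bytes are near-random, as encrypted data is. The signature table, threshold and the sample files in `demo()` are constructed for illustration.

```python
"""Triage of documents after disinfection: intact, likely encrypted, or unknown?

Added example, not code from the Data Protection Commissioner. The heuristic
is: a document whose header no longer matches its file type and whose bytes
are near-random has most likely been rewritten by ransomware.
"""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Expected leading bytes ("magic numbers") for common document types.
# Office .docx/.xlsx/.pptx are ZIP containers, so they share the PK signature.
SIGNATURES = {
    ".pdf": (b"%PDF-",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".docx": (b"PK\x03\x04",),
    ".xlsx": (b"PK\x03\x04",),
    ".pptx": (b"PK\x03\x04",),
    ".zip": (b"PK\x03\x04",),
}
HIGH_ENTROPY = 7.5  # bits per byte; random or encrypted data is close to 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(path: Path, sample_size: int = 4096) -> str:
    """Return 'intact', 'likely-encrypted' or 'unknown' for one file.

    intact            - the header matches the type the extension claims.
    likely-encrypted  - a known document type whose header is gone and whose
                        leading bytes are near-random.
    unknown           - extension not in the table, or header missing but the
                        content is low-entropy (e.g. plain text saved with the
                        wrong extension).
    Compressed formats (PNG, JPEG, Office) are high-entropy by nature, which is
    why the header check comes first instead of relying on entropy alone.
    """
    with path.open("rb") as fh:
        head = fh.read(sample_size)
    expected = SIGNATURES.get(path.suffix.lower())
    if expected is None:
        return "unknown"
    if any(head.startswith(sig) for sig in expected):
        return "intact"
    if shannon_entropy(head) >= HIGH_ENTROPY:
        return "likely-encrypted"
    return "unknown"


def triage(folder: Path) -> dict:
    """Classify every file under `folder`; returns {verdict: [relative paths]}."""
    report = {"intact": [], "likely-encrypted": [], "unknown": []}
    for f in sorted(p for p in folder.rglob("*") if p.is_file()):
        report[classify(f)].append(f.relative_to(folder).as_posix())
    return report


def demo() -> dict:
    """Constructed sample set in a temporary directory: two intact documents,
    two files that look like encrypted copies, and one text file with a .pdf
    name that must not be mistaken for an encrypted one."""
    root = Path(tempfile.mkdtemp(prefix="triage-demo-"))
    (root / "report.pdf").write_bytes(b"%PDF-1.4\n" + b"Lorem ipsum dolor sit amet. " * 200)
    (root / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n" + os.urandom(2048))
    (root / "invoice.pdf").write_bytes(os.urandom(4096))   # header gone, random bytes
    (root / "budget.xlsx").write_bytes(os.urandom(4096))   # header gone, random bytes
    (root / "notes.pdf").write_bytes(b"just some plain text notes\n" * 100)
    return triage(root)


if __name__ == "__main__":
    for verdict, files in demo().items():
        print(f"{verdict}: {files}")
```

The `likely-encrypted` list is the set of files that will have to come from backup; the `unknown` list needs a human look, since it covers both harmless oddities and file types the table does not know about.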
Additionally if you are a business

  1. ACKNOWLEDGE THE SCALE – Ransomware typically spreads using network messages and protocols. Some malware may also make use of network administration tools. Attacks can spread rapidly and across network boundaries, including internet connections. Recovering from such an attack can impact a business’s resources quickly.
  2. CONSIDER SHUTTING DOWN YOUR NETWORK – This might stop further spread of malware to other computers within your organisation.
  3. SCAN ALL YOUR COMPUTERS – If possible, use an effective and up-to-date malware and virus scanner on each computer on your network to detect and locate malware presence.
  4. BE CAUTIOUS – Because of the network effects and the sophistication of some malware and ransomware, your organisation should be sure it is ready to reconnect its systems to the outside world before doing so. If you have any remaining vulnerabilities you may be hit again if you open communication channels too early.
  5. FURTHER STEPS – Depending on your systems, you may need to inspect and disinfect operating system “snapshots” or “restore points” that may have also become infected. Identify what other preventative measures you should take before you can start to use the systems and networks again. Consider seeking expert advice.
[1] https://www.dataprotection.ie/docs/Data-security-guidance/1091.htm#4.1
[2] Air gapping is a security measure designed to prevent unauthorised data processing or cyber-attack on a computer or network. Usually it is applied to protect types of critical systems such as stock markets, military or government etc. that can be a target of cyber-criminals.