Ransomware has become one of the most lucrative businesses in the cybercrime industry.
Worse still, its growth is all but assured, as the white paper on the new types of ransomware made clear.
The reasons are obvious:
- They are easily scalable and monetizable: they are launched once through some kind of social engineering and/or phishing campaign, and then forgotten. The resources consumed by the encryption are spent on the victim's machine. To make matters worse, it is the victim who must take the initiative to solve the problem. The only moment the cybercriminal has to act is when the victim has actually paid, by sending the key, and only if that really happens: it is estimated that about 30% of victims who paid a ransom never received the tool to decrypt their files.
- Even a noob can carry them out: no great technical knowledge is needed. With the industrialization of cybercrime, any unscrupulous person can rent a CDC for just over $200 and manage the attacks by pressing buttons. The creators of the platform keep a percentage of the profits, and the rest goes to the cybercriminal, whose only relationship with the attack is through a graphical interface.
- They attack where it hurts the most: the assets of a person or company. Mainly, at least so far, the data and documents on their systems, but increasingly, as I noted in the white paper, an organization's own systems, "hijacking" for example an office's surveillance cameras or the controls of a water purifier.
So I thought it worthwhile to dedicate today's article to a short guide on the steps to follow once our systems have been infected by ransomware.
1.- Act as soon as possible
Regardless of the attack vector (a link, a phishing campaign, a document sent over the internet…) and the pretext used (an SMS alert from a carrier, the yearly income-tax campaign, a security alert from PayPal or from whichever bank…), the first thing I would recommend is to act as soon as possible:
- Try to pinpoint the exact moment of infection: as I said, it was most likely just after opening a link, installing something, or allowing macros or third-party content to load in a particular document. This information will be very useful when reporting to the authorities, and possibly also for locating a decryptor.
- If we have backup copies, consider returning to an earlier state: if it is possible (sometimes losing everything since the last backup is the last alternative to consider), it is best to do so as soon as possible. If we restore our Windows/macOS to an earlier state, then, although some ransomware can replicate into the copies or lie dormant, it is most likely that the ransomware is no longer active and the problem will have disappeared.
2.- Identify and alert
Assuming that either we have no backups (-.-), or we prefer to try to solve it without resorting to them (in which case I take it that the copies are kept safely out of the ransomware's reach), or we have already solved it and want to help other potential victims avoid the same fate, the second step is to identify which ransomware family we are dealing with.
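As an added example, not code from the original article, here is a small Python triage script that supports the two points above: estimating the moment of infection from the modification times of the encrypted files, and collecting the hints (the appended extension and the ransom-note file names) that ransomware identification services ask for. It assumes a read-only scan of a directory the ransomware touched; the extension and ransom-note heuristics, and the sample tree it builds, are constructed for illustration and are not tied to any particular family.

```python
"""Ransomware triage helper (added example).

Walks a directory tree, spots encrypted-looking files and ransom notes,
and reports the encryption window plus the dominant appended extension.
"""
import os
import tempfile
from collections import Counter
from datetime import datetime, timezone
from pathlib import Path

# Extensions typical of user documents. Encrypted files usually keep the
# original extension and get a new one appended (report.docx.locked).
DOCUMENT_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf",
                 ".jpg", ".jpeg", ".png", ".txt", ".csv", ".zip", ".sql"}

# Constructed name fragments; real ransom-note names vary by family.
NOTE_HINTS = ("readme", "decrypt", "how_to", "recover", "restore", "help")
NOTE_EXTS = {".txt", ".html", ".hta"}


def is_ransom_note(path: Path) -> bool:
    """Heuristic: a text/HTML file whose name mentions decryption or recovery."""
    name = path.name.lower()
    return path.suffix.lower() in NOTE_EXTS and any(h in name for h in NOTE_HINTS)


def looks_encrypted(path: Path, appended_ext=None) -> bool:
    """A file looks encrypted if it carries a known document extension followed
    by an extra one, or exactly the extension the analyst already knows."""
    suffixes = [s.lower() for s in path.suffixes]
    if appended_ext is not None:
        return bool(suffixes) and suffixes[-1] == appended_ext.lower()
    return (len(suffixes) >= 2 and suffixes[-2] in DOCUMENT_EXTS
            and suffixes[-1] not in DOCUMENT_EXTS)


def triage(root, appended_ext=None):
    """Return the encryption window (first/last mtime of encrypted files, UTC),
    the dominant appended extension, and the ransom-note names found.
    Modification times come from the filesystem, so the window is only as
    good as the clock and is disturbed by any later writes to those files."""
    files = [p for p in Path(root).rglob("*") if p.is_file()]
    notes = sorted(p.name for p in files if is_ransom_note(p))
    encrypted = [p for p in files if looks_encrypted(p, appended_ext)]
    if not encrypted:
        return {"encrypted_ext": None, "count": 0, "first": None,
                "last": None, "ransom_notes": notes}
    dominant_ext, _ = Counter(p.suffix.lower() for p in encrypted).most_common(1)[0]
    # Keep only the dominant extension so one stray file cannot skew the window.
    encrypted = [p for p in encrypted if p.suffix.lower() == dominant_ext]
    mtimes = sorted(p.stat().st_mtime for p in encrypted)
    return {
        "encrypted_ext": dominant_ext,
        "count": len(encrypted),
        "first": datetime.fromtimestamp(mtimes[0], tz=timezone.utc),
        "last": datetime.fromtimestamp(mtimes[-1], tz=timezone.utc),
        "ransom_notes": notes,
    }


def build_sample_tree() -> str:
    """Constructed sample: a temp directory imitating a hit file share."""
    root = Path(tempfile.mkdtemp(prefix="ransom-triage-"))
    base = 1_700_000_000  # constructed epoch seconds (2023-11-14 22:13:20 UTC)
    layout = {
        "invoices/q1.xlsx.locked": base + 10,
        "invoices/q2.xlsx.locked": base + 70,
        "photos/trip.jpg.locked": base + 130,
        "photos/README_DECRYPT.txt": base + 131,
        "notes/todo.txt": base - 86400,     # untouched file from the day before
        "archive/backup.tar.gz": base - 3600,  # double extension, but not a document
    }
    for rel, ts in layout.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text("x")
        os.utime(p, (ts, ts))
    return str(root)


if __name__ == "__main__":
    result = triage(build_sample_tree())
    print(f"extension {result['encrypted_ext']}, {result['count']} files, "
          f"from {result['first']} to {result['last']}, notes {result['ransom_notes']}")
```

Run it against a mounted copy or forensic image rather than the live infected machine, and pass `appended_ext` once the extension is known so the window is computed from exactly the right files. The first timestamp gives the starting point for the report to the authorities, and the extension plus the note names are what an identification service needs to name the family.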
3.- Looking for a tool that decrypts the hijacked files
Now we should go to Zonealarm, a service offered alongside its anti-ransomware product, which today holds the most complete database of ransomware decryption tools in existence.
In the decryption tools section, we look for the ransomware family that attacked us to see if there is already a cure for it.