Industry Insights from Our Experts

What is Ransomware?

ransomware01Ransomware is malicious software created by hackers to infect a workstation or file server and encrypt all files so that they are unreadable. Soon after infection, the hacker(s) responsible demand a large sum of money to decrypt the affected files, effectively holding the infected system hostage until the ransom is paid. Many vicious ransomware infections add pressure by imposing a deadline for ransom payment. Depending whether the infected system belongs to a home user, a company or an institution, the ransoms can range from hundreds to thousands of dollars. Recent statistics from the US government show that ransomware attacks have quadrupled each year since 2013, averaging 4,000 per day. The University of Calgary paid out $20,000 for a June 2016 ransomware attack on their email server.

What does Ransomware do to a system?

When ransomware runs, it looks for any files on the workstation or server with common file extensions. Targets include document files (.xlsx, .pptx, .docx, .txt, .rtf), image and media files (.gif, .jpg, .png) and other basic operation files (.asp, .aspx, .html, .xml), among others. Ransomware adds a “.locked” extension to the filenames of all locked files.   The ransom demand may come in the form of a pop-up window, or via email. If the deadline lapses without payment, the infection may delete the encrypted files or “brick” the infected system, rendering it permanently useless. Ransomware is impossible to reverse unless the ransom is paid or the system administrator can rebuild the infected system from scratch, restoring all files to their state prior to infection.


An example of a ransomware email. [Source]


How does ransomware infiltrate a company network?

Ransomware can infect systems over the Internet via three main vectors:

  1. Email – Malicious emails may contain a malicious attachment or a hyperlink to an infected website.
  2. Web Browsing – Unsafe browsing practices can lead users to infected websites.
  3. Network Ports – Unprotected network ports can allow potentially malicious port traffic. Your IT department should be capable of locking vulnerable ports.


How can you protect your network?

  1. User Security Training – The easiest way for ransomware to infiltrate your company network is through your own users.
    • Dangerous hyperlinks and attachments can be sent through email, social networks or instant messengers and usually come from trusted sources. Cybercriminals hack user accounts and send malicious code to everyone in the hacked user’s contact list.
    • Train and yearly retrain all users on the types of attachments to avoid and how to practice good Internet searching skills.
    • Test your training program by creating emails that lure employees to click on links and track the clicks.
  2. Business Class Firewall – Business class firewalls detect malicious network and web activity. Popular appliances include Sophos, Cisco, SonicWall and FortiGate.
  3. Email Security Gateways and Email Scanning Services – Email gateways scan incoming email and remove potential threats on the server or appliance side before they arrive in your inbox. Email scanning services, such as Microsoft Exchange Online Protection, scan emails in the cloud before send to the individual’s inbox.
  4. Block Certain Email Attachments – All companies should be blocking emails with these types of attachment extensions: .JS, .EXE, .VBS, .SCR, .CMD and .BAT.
  5. Backup Data – Ensure thorough daily backups of all data, and that those backups are working by restore-testing regularly. Both local and Cloud backups are recommended.
  6. Patching – Ensure your IT department is patching workstations and servers for security updates on a monthly basis.
  7. Remove Users’ Local Administrator Access Local administrator access leaves systems vulnerable to malicious code that would have been blocked without administrator privileges. Your IT department should have sole administrator access.
  8. Disable Macros – Ransomware is commonly embedded in Microsoft Office documents that trick users into enabling macros. Microsoft Office 2016 currently limits macro functionality, preventing users from enabling them on documents downloaded from the internet.
  9. Software Restriction Policies – Directories often used for hosting malicious processes include Program Data, App Data, Temp, SysWow and Windows Script Hosting (WSH). Your IT department will be able to manage software restriction policies.

About Clayton Mitchell

Clayton is a Service Manager with Quercus, a company experienced in delivering technology services to health regulatory authorities in Alberta. To speak with Clayton or anyone at Quercus, you can email us at hello@quercussolutions.com, call us at (780) 409-8180, or visit our website at www.quercussolutions.com.  

Copyright 2017 by Quercus Solutions