SlideShare una empresa de Scribd logo

Ransomware

m3 Networks Limited
m3 Networks Limited
1 de 11
Descargar para leer sin conexión
ransomware   1 RANSOMWARE How to keep your business safe from extortion malware
ransomware   1 Contents 2 Ransomware prevention 4 Keep your company desktops safe 7 What if my company desktop is already infected? 8 Don’t forget about company Android devices 9 What if my company Android device has already been infected? 10 Last but not least: Should I pay a ransom? Executive summary Ransomware is malware that can lock a device or encrypt its contents in order to extort money from the owner in return for restoring access to those resources. This kind of malware can also have a built-in timer with a payment deadline that must be met, otherwise the price for unlocking the data and hardware will grow – or the information and the device will ultimately be rendered permanently inaccessible. Among the well-known examples of ransomware affecting desktop computers are Reveton, CryptoLocker, CryptoWall and TeslaCrypt; and on mobile platforms Simplocker and LockerPin. Analyses by ESET show that ransomware has emerged as a very popular form of malware for cybercriminals, and that incidences of its use have been rising for many years, targeting both privately owned as well as business devices. Windows and Android are currently the most commonly targeted operating systems, but recent research shows that even Linux and OS X are not exempt from ransomware. To help companies mitigate the risks of ransomware infection, this white paper documents frequently used attack vectors, offers guidance on how to effectively protect company devices and their contents, and describes the available options when devices or files have already been taken hostage. Additionally, it provides ESET’s views on the most pressing question that victims of ransomware attack have to answer: “Should I pay what the cybercriminals demand?”
ransomware   2 Ransomware prevention For businesses, the stakes are fairly high. Compared to private users, if a firm loses access to crucial resources it might result in financial loss and/or reputational damage. And as a recent survey of nearly 3,000 IT and cybersecurity professionals worldwide showed, as many as one in five organizations has already experienced an incident involving this kind of threat. Attackers nowadays use encryption that is as strong as that used by banks to protect payments by their clients, making recovery of files and devices more complicated—and in the worst cases, even impossible. It is therefore cheaper to focus on prevention than to pay for the consequences. If company devices are not protected and employees lack proper training, there is a high risk that in the event of a ransomware infection, valuable data stored on company devices and subsequently on disks connected to them via networks, will be lost forever. A.  Use the latest version of your security software Install the most recent version of your security software, as many in- fections occur because outdated solutions remain in place. If you have a valid ESET license, updating to the latest version costs nothing. If you are still using ESET Endpoint Security versions 3 or 4, we strongly recommend updating to the newest, 6th generation of our business products, which applies the latest technologies specially crafted to improve client protection from malware that uses obfuscation and/or encryption to stay undetected. Examples of these technologies include Advanced Memory Scanner, which looks for suspicious behavior after malware decloaks in the memory, and Exploit Blocker, which strengthens protection against targeted attacks and previously unseen vulnerabilities, also known as zero-day vulnerabilities. B.  Keep your security software’s virus database up-to-date New versions of ransomware are released frequently, so it is impor- tant that computers and other company devices receive regular virus database updates. Among other precautions, this helps to ensure they are not vulnerable to ransomware infections. ESET products check for updates every hour, provided they detect a valid license and a working Internet connection.
ransomware   3 IMPORTANT NOTE It is possible that your company firewall could block ESET Live Grid communications, so you should verify that it is working properly. To do this, please visit the following web- page of the renowned testing organization AMTSO, of which ESET is a member: http://www.amtso.org/feature-settings-check-cloud-lookups/ Click on the link “Download the CloudCar Testfile” and download the test file “cloudcar.exe”. If ESET LiveGrid works properly, the file will open on ESET’s servers and, after obtaining the necessary information, will block it. The file will not be downloaded onto your computer and following message will be displayed: C.  Enable the ESET LiveGrid® cloud protection system Unknown and potentially malicious applications, and other possible threats, are monitored and submitted to the ESET cloud via the ESET LiveGrid Feedback System. The samples collected are subjected to automatic sandboxing and behavioral analysis, which results in the creation of automated signatures if malicious characteristics are con- firmed. ESET clients learn about these automated detections via the ESET LiveGrid Reputation System in a matter of minutes, without the need to wait for the next signature database update. If a process is deemed unsafe – such as deleting a backup – it is immediately blocked. It is im- portant to note that ESET LiveGrid uses only hashes of suspicious files, never their contents, thus respecting the privacy of ESET customers.
ransomware   4 Keep your company desktops safe To mitigate the risk of data loss and damage to devices commonly caused by ransomware, we encourage all companies to follow these eleven steps. 1. Back up important data regularly The single, best measure to defeat ransomware before it even starts its malicious activity, is to have a regularly updated backup. Remem- ber that malware will also encrypt files on drives that are mapped and have been assigned a drive letter, and sometimes even on drives that are unmapped. This includes any external drives such as a USB thumb drive, as well as any network or cloud file stores. Hence, a regular backup regimen is essential, ideally using an off-site, offline device for storing the backup files. 2. Patch and update your software automatically Malware authors frequently rely on people running outdated software with known vulnerabilities, which they can exploit to silently access company devices and their systems. Businesses can significantly decrease the potential for ransomware pain if they make a practice of updating company software and devices as often as possible. Some software vendors release security updates on a regular basis, but there are often “out-of-cycle” or unscheduled updates in cases of emergency. Enable automatic updates if you can, or go directly to ven- dors’ websites. 11 STEPS FOR PREVENTING DATA LOSS ➊ Back up important data regularly ➋ Patch & update your software automatically ➌ Pay attention to your employees' security training ➍ Show hidden file-extensions ➎ Filter executable attachments in email ➏ Disable files running from AppData/LocalAppData folders ➐ Consider shared folders ➑ Disable RDP ➒ Use a reputable security suite   10 Use System Restore to get back to a known-clean state   11 Use a standard account instead of one with administrator privileges
ransomware   5 3. Pay attention to your employees’ security training One of the most common infection vectors is social engineering – methods that are based on fooling users and trying to convince them to run executable files. By claiming to be a tracking notification email from a delivery company (such as FedEx or UPS), an email from their bank, or an internal company message such as New_Wages.pdf.exe, the attackers try to dupe employees to achieve their malicious goals. To prevent this from happening, employees should be trained not to open any unknown or suspicious email attachments, links or files. 4. Show hidden file-extensions Ransomware frequently arrives in an email attachment with the ex- tension “.PDF.EXE”. This counts on Window’s default behavior of hiding known file extensions. Re-enabling the display of the full file extension makes spotting suspicious files easier. 5. Filter executable attachments in email If your gateway mail scanner has the ability to filter files by extension, you may wish to block emails sent with “.EXE” file attachments, or those with attachments that have two file extensions ending with an executable (“*.*.EXE” files, in filter-speak). We also recommend filtering files with the following extensions: *.BAT, *.CMD, *.SCR and *.JS. 6. Disable files running from AppData/LocalAppData folders A notable behavior of a large proportion of ransomware variants is that they run their executable from the AppData or Local AppData folder. You can create rules within Windows or with intrusion preven- tion software to disallow this behavior. If for some reason legitimate software is set to run from the AppData rather than the usual Program Files area, you will need to exclude it from this rule. 7. Consider shared folders Bear in mind that any company device infected by ransomware might also cause encryption of all files in shared folders to which it has write permission. For this reason, employees should consider which valuable and sensitive files they store on shared disks, as their data in these lo- cations might get encrypted by malware, even though their computer wasn’t directly infected. 8. Disable RDP Ransomware often accesses target machines using Remote Desktop Protocol (RDP), a Windows utility that allows others to access desk- tops remotely. Cybercriminals have also been known to log in via an RDP session and disable the security software. It is best practice to dis- able RDP unless you need it in your environment. For instructions on how to do so, visit the appropriate Microsoft Knowledge Base articles. 9. Use a reputable security suite Malware authors frequently send out new variants of their malicious code, trying to avoid detection, so it is important to have multiple lay- ers of protection. Even after it burrows into a system, most malware relies on remote instructions to perform serious mischief. If you encounter a ransomware variant that is so new that it gets past antimalware software, it may still be caught when it attempts to connect with its Command and Control (C&C) server to receive instructions for encrypting files. ESET’s latest software suite provides an enhanced Botnet Protection module that blocks malicious traffic trying to communicate with a C&C server.
ransomware   6 RANSOMWARE: HOW IT WORKS 10. Use System Restore to get back to a known-clean state If System Restore is enabled on the infected Windows machine, it might be possible to take the system back to a known-clean state and restore some of the encrypted files from “shadow” files. But you have to outsmart the malware and move quickly. This is because some of the newer ransomware has the ability to delete the “shadow” files from System Restore. Such malware will start deleting “shadow” files whenever the executable file is run, and you might not even know that this is happening, since executable files can run without the operator knowing, as a normal part of Windows system operation. 11. Use a standard account instead of one with administrator privileges Using an account with system administrator privileges is always a security risk, because then malware is allowed to run with elevated rights and may infect the system easily. Be sure that users always use a limited user account for regular daily tasks and the system administra- tor account only when it is absolutely necessary. Do not disable User Access Control. $$ Ransomware is a type of malicious software that can lock your device and take hostage files that might have some personal or professional value to you. Malware is often spread via email or by drive-by downloads from compromised websites. After it’s done its malicious job, the ransomware generates a pop-up message telling you to pay. PAY $$$ PAY $$$ $$$ $ PAY $$$
ransomware   7 What if my company desktop is already infected? Disconnect the device If you or any of your employees run a suspicious file and you are unable to open some of the stored files, immediately disconnect the device from internet, company network and if possible also from the electricity supply. This can prevent communication between the malware and its C&C server before it finishes encryption of the data on that device and all its mapped disks. Although this isn’t a bulletproof technique, it gives your company at least some chance to save some of the valuable files before they are fully en- crypted. We recommend a hardware shutdown, as ransomware might be programmed to monitor software shutdown and cause more damage. Contact ESET technical support If the ransomware has already run its course and you don’t have a functional backup, contact ESET technical support. Don’t forget to attach a log from ESET Log Collector and a few samples of the encrypted files—if possible, send approximately five MS Word or MS Excel files. If your company license has 100 or more seats, our specialists will contact you requesting more information about the infection after you submit a ticket via our online system. In cooperation with the ESET Malware Re- search Laboratory, our specialists will attempt to decrypt and recover the affected files. But please bear in mind that the authors of malicious code have gone to considerable lengths to make their ransomware effective, using ever stronger and more advanced encryption. It is therefore often impossible to decrypt everything, or to do so quickly. Nowadays, encryption is a technological standard protecting bank and financial transfers, e-shop transactions and many other online services and the latest versions are close to impenetrable. It is for this reason that no vendor can guarantee to recover your files. ESET experts will attempt to find ransomware loopholes that will allow them to repair the damage caused to your affected disks and devices. If they are successful, they will provide you with a decryption tool tai- lor-made for your business. Based on our experience, this outcome is possible for one in five ransom- ware cases. This process can take up to several weeks, depending on how skillful the malware authors were. It is possible that the attempt will not succeed. If you have opted for ESET Premium Support, our specialists are available to answer your requests 24 hours a day, 365 days a year.
ransomware   8 Don’t forget about company Android devices As we already mentioned, malware authors are not focusing solely on Windows. In recent years they have shifted their attention to the most dominant mobile operating system, Android, which is used by many businesses smartphones and tablets. ESET has seen various families of Android ransomware designed to target mobile devices specifically. Attackers use various techniques, such as pre- tending to be antivirus software or disguising their ransom demand as a local law enforcement agency and blocking the device (an example of such ransomware is Reveton). In 2014, our researchers encountered the first ransomware that attempt- ed to encrypt data on mobile devices running Android. Since then, attackers have come up with more than 50 variants, each more dangerous and more advanced than the last. Only a year later, the first ransomware that blocked access to a device by setting a random four-digit screen-lock appeared. Remember that all of these malicious codes were able to effectively block access to resources vital for everyday business, and demanded hundreds of dollars from the victims and their companies to restore access. HOW TO KEEP YOUR ANDROID DEVICES PROTECTED? A. Train your employees For employees using Android devices, it’s important to be aware of ran- somware threats and to take preventive measures. Training is therefore an essential countermeasure. • Among the most important steps to take is to avoid unofficial or third-party app stores. • Before employees download anything from the official store, they should read the reviews by other users. Malicious behavior is quickly identified by users and comments about it are published directly on the app page. • Employees should always check if the permissions that the app is requesting are necessary for its proper function. • If possible, create a whitelist of apps allowed on company Android devices. B. Use security software Have a mobile security app installed and kept up to date in all the company Android devices. If you are an ESET customer, you can install ESET End- point Security for Android as a part of the following ESET Business Solu- tions security packages: • ESET Endpoint Protection Standard • ESET Endpoint Protection Advanced • ESET Secure Business • ESET Secure Enterprise
ransomware   9 C. Backup all the important data Additionally, it is important to have a functional backup of all important data from each Android device. The chances are that users who take appropriate measures against ransomware will never face any request for ransom. And even if they fall victim and – in the worst-case scenario – see their data encrypted, having a backup turns such an experience into noth- ing more than a nuisance. What if my company Android device has already been infected? If your device or your employee’s device gets infected by ransomware, you have several options for its removal, depending on the specific malware variant. 1. Boot in safe mode For the most simple lock-screen ransomware families, booting the device into Safe Mode – so third-party applications (including the malware) will not load – will do the trick and the user can easily unin- stall the malicious application. The steps for booting into Safe Mode can vary on different device models (to find out which apply to your device(s) consult your manual, or Google the results). 2. Revoke administrator privileges for malware In the event that the application has been granted Device Administra- tor privileges – as it is often the case with new variants of ever-more aggressive ransomware – these must first be revoked from the set- tings menu before the app can be uninstalled. 3. Reset password via Mobile Device Manager If ransomware with Device Administrator rights has locked the device using Android’s built-in PIN or password screen lock functionality, the situation gets more complicated. It should be possible to reset the lock using Google’s Android Device Manager or an alternative MDM solu- tion. Rooted Android phones have even more options. 4. Contact technical support If files on the device have been encrypted by crypto-ransomware such as Android/Simplocker, we advise users to contact their security provider’s technical support. Depending on the specific ransomware variant, decrypting the files may or may not be possible. 5. Factory reset A factory reset, which will delete all data on the device, can be used as the last resort in case none of the previous solutions are available.
ransomware   10 Last but not least: Should I pay a ransom? ESET advises its business customers as well as all other users not to pay ransoms. First of all, the attackers are not acting legally, so they have no obligation to fulfill their end of the bargain by decrypting the affected data or unlock- ing your device in return for payment. Paying a ransom also helps them to finance their ongoing malicious activi- ties. Even if the malware authors provide you with a decryption key, there is no guarantee that it will actually work. ESET has seen many cases in which the tool sent by the attackers wasn’t able to decrypt the files, or worked only partially. In some cases of Android ransomware, the randomly gen- erated PIN code blocking the device wasn’t sent to the cybercriminal and there was therefore no way to unlock it. Also, if you pay the cybercriminals, how do you know they won’t come back for more? If they were successful in attacking your company, they may regard that as weakness and try to exploit you again.

Recomendados

Ransomware
RansomwareRansomware
RansomwareChaitali Sharma
 
Ransomware
RansomwareRansomware
RansomwareNick Miller
 
Ransomware Attack.pptx
Ransomware Attack.pptxRansomware Attack.pptx
Ransomware Attack.pptxIkramSabir4
 
What is Ransomware
What is RansomwareWhat is Ransomware
What is Ransomwarejeetendra mandal
 
The rise of malware(ransomware)
The rise of malware(ransomware)The rise of malware(ransomware)
The rise of malware(ransomware)phexcom1
 
Ransomware attack
Ransomware attackRansomware attack
Ransomware attackAmna
 
What is Ransomware?
What is Ransomware?What is Ransomware?
What is Ransomware?Datto
 
Ransomware
RansomwareRansomware
RansomwareG Prachi
 

Recomendados

Ransomware
RansomwareRansomware
RansomwareChaitali Sharma
 
Ransomware
RansomwareRansomware
RansomwareNick Miller
 
Ransomware Attack.pptx
Ransomware Attack.pptxRansomware Attack.pptx
Ransomware Attack.pptxIkramSabir4
 
What is Ransomware
What is RansomwareWhat is Ransomware
What is Ransomwarejeetendra mandal
 
The rise of malware(ransomware)
The rise of malware(ransomware)The rise of malware(ransomware)
The rise of malware(ransomware)phexcom1
 
Ransomware attack
Ransomware attackRansomware attack
Ransomware attackAmna
 
What is Ransomware?
What is Ransomware?What is Ransomware?
What is Ransomware?Datto
 
Ransomware
RansomwareRansomware
RansomwareG Prachi
 
Ransomeware
RansomewareRansomeware
RansomewareAbul Hossain Ripon
 
WannaCry Ransomware Attack: What to Do Now
WannaCry Ransomware Attack: What to Do NowWannaCry Ransomware Attack: What to Do Now
WannaCry Ransomware Attack: What to Do NowIBM Security
 
It security and awareness training 5 10-2018
It security and awareness training 5 10-2018It security and awareness training 5 10-2018
It security and awareness training 5 10-2018jubke
 
seminar report on What is ransomware
seminar report on What is ransomwareseminar report on What is ransomware
seminar report on What is ransomwareJawhar Ali
 
Types of Malware (CEH v11)
Types of Malware (CEH v11)Types of Malware (CEH v11)
Types of Malware (CEH v11)EC-Council
 
Ransomware - The Growing Threat
Ransomware - The Growing ThreatRansomware - The Growing Threat
Ransomware - The Growing ThreatNick Miller
 
WannaCry ransomware attack
WannaCry ransomware attackWannaCry ransomware attack
WannaCry ransomware attackAbdelhakim Salama
 
Social engineering attacks
Social engineering attacksSocial engineering attacks
Social engineering attacksRamiro Cid
 
cyber security
cyber security cyber security
cyber security NiharikaVoleti
 
Ransomware
Ransomware Ransomware
Ransomware Armor
 
Social Engineering Attacks & Principles
Social Engineering Attacks & PrinciplesSocial Engineering Attacks & Principles
Social Engineering Attacks & PrinciplesLearningwithRayYT
 
Cyber Security Awareness Program.pptx
Cyber Security Awareness Program.pptxCyber Security Awareness Program.pptx
Cyber Security Awareness Program.pptxDinesh582831
 
CYBER CRIME AND SECURITY
CYBER CRIME AND SECURITYCYBER CRIME AND SECURITY
CYBER CRIME AND SECURITYSahil Vashishtha
 
Cyber Crime and Security
Cyber Crime and Security Cyber Crime and Security
Cyber Crime and Security Sanguine_Eva
 
Ransomware and tips to prevent ransomware attacks
Ransomware and tips to prevent ransomware attacksRansomware and tips to prevent ransomware attacks
Ransomware and tips to prevent ransomware attacksdinCloud Inc.
 
Introduction to Social engineering | Techniques of Social engineering
Introduction to Social engineering | Techniques of Social engineeringIntroduction to Social engineering | Techniques of Social engineering
Introduction to Social engineering | Techniques of Social engineeringPrem Lamsal
 
Cybersecurity Employee Training
Cybersecurity Employee TrainingCybersecurity Employee Training
Cybersecurity Employee TrainingPaige Rasid
 
Ransomware: Wannacry
Ransomware: WannacryRansomware: Wannacry
Ransomware: WannacryMikel Solabarrieta
 
Social engineering
Social engineeringSocial engineering
Social engineeringRobert Hood
 
Wannacry
WannacryWannacry
WannacryAravindVV
 
How to stay protected against ransomware
How to stay protected against ransomwareHow to stay protected against ransomware
How to stay protected against ransomwareSophos Benelux
 
Enterprise security: ransomware in enterprise and corporate entities
Enterprise security: ransomware in enterprise and corporate entitiesEnterprise security: ransomware in enterprise and corporate entities
Enterprise security: ransomware in enterprise and corporate entitiesQuick Heal Technologies Ltd.
 

Más contenido relacionado

La actualidad más candente

WannaCry Ransomware Attack: What to Do Now
WannaCry Ransomware Attack: What to Do NowWannaCry Ransomware Attack: What to Do Now
WannaCry Ransomware Attack: What to Do NowIBM Security
 
It security and awareness training 5 10-2018
It security and awareness training 5 10-2018It security and awareness training 5 10-2018
It security and awareness training 5 10-2018jubke
 
seminar report on What is ransomware
seminar report on What is ransomwareseminar report on What is ransomware
seminar report on What is ransomwareJawhar Ali
 
Types of Malware (CEH v11)
Types of Malware (CEH v11)Types of Malware (CEH v11)
Types of Malware (CEH v11)EC-Council
 
Ransomware - The Growing Threat
Ransomware - The Growing ThreatRansomware - The Growing Threat
Ransomware - The Growing ThreatNick Miller
 
Social engineering attacks
Social engineering attacksSocial engineering attacks
Social engineering attacksRamiro Cid
 
Ransomware
Ransomware Ransomware
Ransomware Armor
 
Social Engineering Attacks & Principles
Social Engineering Attacks & PrinciplesSocial Engineering Attacks & Principles
Social Engineering Attacks & PrinciplesLearningwithRayYT
 
Cyber Security Awareness Program.pptx
Cyber Security Awareness Program.pptxCyber Security Awareness Program.pptx
Cyber Security Awareness Program.pptxDinesh582831
 
Cyber Crime and Security
Cyber Crime and Security Cyber Crime and Security
Cyber Crime and Security Sanguine_Eva
 
Ransomware and tips to prevent ransomware attacks
Ransomware and tips to prevent ransomware attacksRansomware and tips to prevent ransomware attacks
Ransomware and tips to prevent ransomware attacksdinCloud Inc.
 
Introduction to Social engineering | Techniques of Social engineering
Introduction to Social engineering | Techniques of Social engineeringIntroduction to Social engineering | Techniques of Social engineering
Introduction to Social engineering | Techniques of Social engineeringPrem Lamsal
 
Cybersecurity Employee Training
Cybersecurity Employee TrainingCybersecurity Employee Training
Cybersecurity Employee TrainingPaige Rasid
 
Social engineering
Social engineeringSocial engineering
Social engineeringRobert Hood
 

La actualidad más candente (20)

Ransomeware
RansomewareRansomeware
Ransomeware
 
WannaCry Ransomware Attack: What to Do Now
WannaCry Ransomware Attack: What to Do NowWannaCry Ransomware Attack: What to Do Now
WannaCry Ransomware Attack: What to Do Now
 
It security and awareness training 5 10-2018
It security and awareness training 5 10-2018It security and awareness training 5 10-2018
It security and awareness training 5 10-2018
 
seminar report on What is ransomware
seminar report on What is ransomwareseminar report on What is ransomware
seminar report on What is ransomware
 
Types of Malware (CEH v11)
Types of Malware (CEH v11)Types of Malware (CEH v11)
Types of Malware (CEH v11)
 
Ransomware - The Growing Threat
Ransomware - The Growing ThreatRansomware - The Growing Threat
Ransomware - The Growing Threat
 
WannaCry ransomware attack
WannaCry ransomware attackWannaCry ransomware attack
WannaCry ransomware attack
 
Social engineering attacks
Social engineering attacksSocial engineering attacks
Social engineering attacks
 
cyber security
cyber security cyber security
cyber security
 
Ransomware
Ransomware Ransomware
Ransomware
 
Social Engineering Attacks & Principles
Social Engineering Attacks & PrinciplesSocial Engineering Attacks & Principles
Social Engineering Attacks & Principles
 
Cyber Security Awareness Program.pptx
Cyber Security Awareness Program.pptxCyber Security Awareness Program.pptx
Cyber Security Awareness Program.pptx
 
CYBER CRIME AND SECURITY
CYBER CRIME AND SECURITYCYBER CRIME AND SECURITY
CYBER CRIME AND SECURITY
 
Cyber Crime and Security
Cyber Crime and Security Cyber Crime and Security
Cyber Crime and Security
 
Ransomware and tips to prevent ransomware attacks
Ransomware and tips to prevent ransomware attacksRansomware and tips to prevent ransomware attacks
Ransomware and tips to prevent ransomware attacks
 
Introduction to Social engineering | Techniques of Social engineering
Introduction to Social engineering | Techniques of Social engineeringIntroduction to Social engineering | Techniques of Social engineering
Introduction to Social engineering | Techniques of Social engineering
 
Cybersecurity Employee Training
Cybersecurity Employee TrainingCybersecurity Employee Training
Cybersecurity Employee Training
 
Ransomware: Wannacry
Ransomware: WannacryRansomware: Wannacry
Ransomware: Wannacry
 
Social engineering
Social engineeringSocial engineering
Social engineering
 
Wannacry
WannacryWannacry
Wannacry
 

Destacado

How to stay protected against ransomware
How to stay protected against ransomwareHow to stay protected against ransomware
How to stay protected against ransomwareSophos Benelux
 
Enterprise security: ransomware in enterprise and corporate entities
Enterprise security: ransomware in enterprise and corporate entitiesEnterprise security: ransomware in enterprise and corporate entities
Enterprise security: ransomware in enterprise and corporate entitiesQuick Heal Technologies Ltd.
 
ISACA April 21 - Eric Sorenson - Risk Presentation
ISACA April 21 - Eric Sorenson - Risk PresentationISACA April 21 - Eric Sorenson - Risk Presentation
ISACA April 21 - Eric Sorenson - Risk PresentationEric Sorenson
 
Malware's Most Wanted: CryptoLocker—The Ransomware Trojan
Malware's Most Wanted: CryptoLocker—The Ransomware TrojanMalware's Most Wanted: CryptoLocker—The Ransomware Trojan
Malware's Most Wanted: CryptoLocker—The Ransomware TrojanCyphort
 
HART as an Attack Vector
HART as an Attack VectorHART as an Attack Vector
HART as an Attack VectorDigital Bond
 
Trojan virus & backdoors
Trojan virus & backdoorsTrojan virus & backdoors
Trojan virus & backdoorsShrey Vyas
 
MMW April 2016 Ransomware Resurgence
MMW April 2016 Ransomware Resurgence MMW April 2016 Ransomware Resurgence
MMW April 2016 Ransomware Resurgence Cyphort
 
Layer 7: Getting Your SOA to Production Without Cost and Complexity
Layer 7: Getting Your SOA to Production Without Cost and ComplexityLayer 7: Getting Your SOA to Production Without Cost and Complexity
Layer 7: Getting Your SOA to Production Without Cost and ComplexityCA API Management
 
Logikcull Webinar: Preventing the Next Panama Papers
Logikcull Webinar: Preventing the Next Panama PapersLogikcull Webinar: Preventing the Next Panama Papers
Logikcull Webinar: Preventing the Next Panama PapersLogikcull.com
 
Cybersecurity Attack Vectors: How to Protect Your Organization
Cybersecurity Attack Vectors: How to Protect Your OrganizationCybersecurity Attack Vectors: How to Protect Your Organization
Cybersecurity Attack Vectors: How to Protect Your OrganizationTriCorps Technologies
 
Ransomware: 2016's Greatest Malware Threat
Ransomware: 2016's Greatest Malware ThreatRansomware: 2016's Greatest Malware Threat
Ransomware: 2016's Greatest Malware ThreatEric Vanderburg
 
Endpoint Protection
Endpoint ProtectionEndpoint Protection
Endpoint ProtectionSophos
 
Take the Ransom Out of Ransomware
Take the Ransom Out of RansomwareTake the Ransom Out of Ransomware
Take the Ransom Out of RansomwareUnitrends
 
Computer security threats & prevention
Computer security threats & preventionComputer security threats & prevention
Computer security threats & preventionPriSim
 

Destacado (20)

How to stay protected against ransomware
How to stay protected against ransomwareHow to stay protected against ransomware
How to stay protected against ransomware
 
Enterprise security: ransomware in enterprise and corporate entities
Enterprise security: ransomware in enterprise and corporate entitiesEnterprise security: ransomware in enterprise and corporate entities
Enterprise security: ransomware in enterprise and corporate entities
 
ISACA April 21 - Eric Sorenson - Risk Presentation
ISACA April 21 - Eric Sorenson - Risk PresentationISACA April 21 - Eric Sorenson - Risk Presentation
ISACA April 21 - Eric Sorenson - Risk Presentation
 
Malware's Most Wanted: CryptoLocker—The Ransomware Trojan
Malware's Most Wanted: CryptoLocker—The Ransomware TrojanMalware's Most Wanted: CryptoLocker—The Ransomware Trojan
Malware's Most Wanted: CryptoLocker—The Ransomware Trojan
 
HART as an Attack Vector
HART as an Attack VectorHART as an Attack Vector
HART as an Attack Vector
 
Web backdoors attacks, evasion, detection
Web backdoors attacks, evasion, detectionWeb backdoors attacks, evasion, detection
Web backdoors attacks, evasion, detection
 
Trojan virus & backdoors
Trojan virus & backdoorsTrojan virus & backdoors
Trojan virus & backdoors
 
MMW April 2016 Ransomware Resurgence
MMW April 2016 Ransomware Resurgence MMW April 2016 Ransomware Resurgence
MMW April 2016 Ransomware Resurgence
 
Layer 7: Getting Your SOA to Production Without Cost and Complexity
Layer 7: Getting Your SOA to Production Without Cost and ComplexityLayer 7: Getting Your SOA to Production Without Cost and Complexity
Layer 7: Getting Your SOA to Production Without Cost and Complexity
 
Logikcull Webinar: Preventing the Next Panama Papers
Logikcull Webinar: Preventing the Next Panama PapersLogikcull Webinar: Preventing the Next Panama Papers
Logikcull Webinar: Preventing the Next Panama Papers
 
Operating Your Production API
Operating Your Production APIOperating Your Production API
Operating Your Production API
 
Cybersecurity Attack Vectors: How to Protect Your Organization
Cybersecurity Attack Vectors: How to Protect Your OrganizationCybersecurity Attack Vectors: How to Protect Your Organization
Cybersecurity Attack Vectors: How to Protect Your Organization
 
Ransomware: 2016's Greatest Malware Threat
Ransomware: 2016's Greatest Malware ThreatRansomware: 2016's Greatest Malware Threat
Ransomware: 2016's Greatest Malware Threat
 
Endpoint Protection
Endpoint ProtectionEndpoint Protection
Endpoint Protection
 
Architecting for Resiliency
Architecting for ResiliencyArchitecting for Resiliency
Architecting for Resiliency
 
Take the Ransom Out of Ransomware
Take the Ransom Out of RansomwareTake the Ransom Out of Ransomware
Take the Ransom Out of Ransomware
 
Internet Security
Internet SecurityInternet Security
Internet Security
 
Computer Security
Computer SecurityComputer Security
Computer Security
 
Computer security threats & prevention
Computer security threats & preventionComputer security threats & prevention
Computer security threats & prevention
 
Computer Security Threats
Computer Security ThreatsComputer Security Threats
Computer Security Threats
 

Similar a Ransomware

Ransomware Prevention Guide
Ransomware Prevention GuideRansomware Prevention Guide
Ransomware Prevention GuideBrian Honan
 
Ransomware - Information And Protection Guide - Executive Summary
Ransomware - Information And Protection Guide - Executive SummaryRansomware - Information And Protection Guide - Executive Summary
Ransomware - Information And Protection Guide - Executive SummaryBright Technology
 
How to Bulletproof Your Data Defenses Locally & In the Cloud
How to Bulletproof Your Data Defenses Locally & In the CloudHow to Bulletproof Your Data Defenses Locally & In the Cloud
How to Bulletproof Your Data Defenses Locally & In the CloudNordic Backup
 
In computer security, a vulnerability is a weakness which allows an .pdf
In computer security, a vulnerability is a weakness which allows an .pdfIn computer security, a vulnerability is a weakness which allows an .pdf
In computer security, a vulnerability is a weakness which allows an .pdfanandanand521251
 
Beyond layers and peripheral antivirus security
Beyond layers and peripheral antivirus securityBeyond layers and peripheral antivirus security
Beyond layers and peripheral antivirus securityUltraUploader
 
AI for Ransomware Detection & Prevention Insights from Patents
AI for Ransomware Detection & Prevention Insights from PatentsAI for Ransomware Detection & Prevention Insights from Patents
AI for Ransomware Detection & Prevention Insights from PatentsAlex G. Lee, Ph.D. Esq. CLP
 
3 Tips to Stay Safe Online in 2017
3 Tips to Stay Safe Online in 20173 Tips to Stay Safe Online in 2017
3 Tips to Stay Safe Online in 2017Bret Piatt
 
Ransomware Response Guide IBM INCIDENT RESPONSE SERVICES
Ransomware Response Guide IBM INCIDENT RESPONSE SERVICESRansomware Response Guide IBM INCIDENT RESPONSE SERVICES
Ransomware Response Guide IBM INCIDENT RESPONSE SERVICESKatherine Duffy
 
An introduction to cyber security by cyber security infotech pvt ltd(csi)
An introduction to cyber security by cyber security infotech pvt ltd(csi)An introduction to cyber security by cyber security infotech pvt ltd(csi)
An introduction to cyber security by cyber security infotech pvt ltd(csi)Cyber Security Infotech
 
Cybersafety basics
Cybersafety basicsCybersafety basics
Cybersafety basicsjeeva9948
 
Types of malicious software and remedies
Types of malicious software and remediesTypes of malicious software and remedies
Types of malicious software and remediesManish Kumar
 
Dev Abhijet Gagan Chaitanya VII-A ....Salwan public school
Dev Abhijet Gagan Chaitanya VII-A ....Salwan public schoolDev Abhijet Gagan Chaitanya VII-A ....Salwan public school
Dev Abhijet Gagan Chaitanya VII-A ....Salwan public schoolDevku45
 
Cyberattacks on the Rise: Is Your Nonprofit Prepared?
Cyberattacks on the Rise: Is Your Nonprofit Prepared?Cyberattacks on the Rise: Is Your Nonprofit Prepared?
Cyberattacks on the Rise: Is Your Nonprofit Prepared?TechSoup
 
Ch14 Desktop Protection
Ch14 Desktop ProtectionCh14 Desktop Protection
Ch14 Desktop Protectionphanleson
 
Tips to remove malwares
Tips to remove malwaresTips to remove malwares
Tips to remove malwaresanthnyq
 

Similar a Ransomware (20)

Ransomware Prevention Guide
Ransomware Prevention GuideRansomware Prevention Guide
Ransomware Prevention Guide
 
Ransomware - Information And Protection Guide - Executive Summary
Ransomware - Information And Protection Guide - Executive SummaryRansomware - Information And Protection Guide - Executive Summary
Ransomware - Information And Protection Guide - Executive Summary
 
How to Bulletproof Your Data Defenses Locally & In the Cloud
How to Bulletproof Your Data Defenses Locally & In the CloudHow to Bulletproof Your Data Defenses Locally & In the Cloud
How to Bulletproof Your Data Defenses Locally & In the Cloud
 
In computer security, a vulnerability is a weakness which allows an .pdf
In computer security, a vulnerability is a weakness which allows an .pdfIn computer security, a vulnerability is a weakness which allows an .pdf
In computer security, a vulnerability is a weakness which allows an .pdf
 
Beyond layers and peripheral antivirus security
Beyond layers and peripheral antivirus securityBeyond layers and peripheral antivirus security
Beyond layers and peripheral antivirus security
 
AI for Ransomware Detection & Prevention Insights from Patents
AI for Ransomware Detection & Prevention Insights from PatentsAI for Ransomware Detection & Prevention Insights from Patents
AI for Ransomware Detection & Prevention Insights from Patents
 
3 Tips to Stay Safe Online in 2017
3 Tips to Stay Safe Online in 20173 Tips to Stay Safe Online in 2017
3 Tips to Stay Safe Online in 2017
 
PROJECT REPORT.docx
PROJECT REPORT.docxPROJECT REPORT.docx
PROJECT REPORT.docx
 
Ransomware Response Guide IBM INCIDENT RESPONSE SERVICES
Ransomware Response Guide IBM INCIDENT RESPONSE SERVICESRansomware Response Guide IBM INCIDENT RESPONSE SERVICES
Ransomware Response Guide IBM INCIDENT RESPONSE SERVICES
 
Chapter 5.pptx
Chapter 5.pptxChapter 5.pptx
Chapter 5.pptx
 
An introduction to cyber security by cyber security infotech pvt ltd(csi)
An introduction to cyber security by cyber security infotech pvt ltd(csi)An introduction to cyber security by cyber security infotech pvt ltd(csi)
An introduction to cyber security by cyber security infotech pvt ltd(csi)
 
Cybersafety basics
Cybersafety basicsCybersafety basics
Cybersafety basics
 
Types of malicious software and remedies
Types of malicious software and remediesTypes of malicious software and remedies
Types of malicious software and remedies
 
Dev Abhijet Gagan Chaitanya VII-A ....Salwan public school
Dev Abhijet Gagan Chaitanya VII-A ....Salwan public schoolDev Abhijet Gagan Chaitanya VII-A ....Salwan public school
Dev Abhijet Gagan Chaitanya VII-A ....Salwan public school
 
Cyberattacks on the Rise: Is Your Nonprofit Prepared?
Cyberattacks on the Rise: Is Your Nonprofit Prepared?Cyberattacks on the Rise: Is Your Nonprofit Prepared?
Cyberattacks on the Rise: Is Your Nonprofit Prepared?
 
Ch14 Desktop Protection
Ch14 Desktop ProtectionCh14 Desktop Protection
Ch14 Desktop Protection
 
It kamus virus security glossary
It kamus virus security glossaryIt kamus virus security glossary
It kamus virus security glossary
 
Tips to remove malwares
Tips to remove malwaresTips to remove malwares
Tips to remove malwares
 
ITPG Secure on WannaCry
ITPG Secure on WannaCryITPG Secure on WannaCry
ITPG Secure on WannaCry
 
Cyber security for journalists
Cyber security for journalistsCyber security for journalists
Cyber security for journalists
 

Ransomware

  • 1. ransomware   1 RANSOMWARE How to keep your business safe from extortion malware
  • 2. ransomware   1 Contents 2 Ransomware prevention 4 Keep your company desktops safe 7 What if my company desktop is already infected? 8 Don’t forget about company Android devices 9 What if my company Android device has already been infected? 10 Last but not least: Should I pay a ransom? Executive summary Ransomware is malware that can lock a device or encrypt its contents in order to extort money from the owner in return for restoring access to those resources. This kind of malware can also have a built-in timer with a payment deadline that must be met, otherwise the price for unlocking the data and hardware will grow – or the information and the device will ultimately be rendered permanently inaccessible. Among the well-known examples of ransomware affecting desktop computers are Reveton, CryptoLocker, CryptoWall and TeslaCrypt; and on mobile platforms Simplocker and LockerPin. Analyses by ESET show that ransomware has emerged as a very popular form of malware for cybercriminals, and that incidences of its use have been rising for many years, targeting both privately owned as well as business devices. Windows and Android are currently the most commonly targeted operating systems, but recent research shows that even Linux and OS X are not exempt from ransomware. To help companies mitigate the risks of ransomware infection, this white paper documents frequently used attack vectors, offers guidance on how to effectively protect company devices and their contents, and describes the available options when devices or files have already been taken hostage. Additionally, it provides ESET’s views on the most pressing question that victims of ransomware attack have to answer: “Should I pay what the cybercriminals demand?”
  • 3. ransomware   2 Ransomware prevention For businesses, the stakes are fairly high. Compared to private users, if a firm loses access to crucial resources it might result in financial loss and/or reputational damage. And as a recent survey of nearly 3,000 IT and cybersecurity professionals worldwide showed, as many as one in five organizations has already experienced an incident involving this kind of threat. Attackers nowadays use encryption that is as strong as that used by banks to protect payments by their clients, making recovery of files and devices more complicated—and in the worst cases, even impossible. It is therefore cheaper to focus on prevention than to pay for the consequences. If company devices are not protected and employees lack proper training, there is a high risk that in the event of a ransomware infection, valuable data stored on company devices and subsequently on disks connected to them via networks, will be lost forever. A.  Use the latest version of your security software Install the most recent version of your security software, as many in- fections occur because outdated solutions remain in place. If you have a valid ESET license, updating to the latest version costs nothing. If you are still using ESET Endpoint Security versions 3 or 4, we strongly recommend updating to the newest, 6th generation of our business products, which applies the latest technologies specially crafted to improve client protection from malware that uses obfuscation and/or encryption to stay undetected. Examples of these technologies include Advanced Memory Scanner, which looks for suspicious behavior after malware decloaks in the memory, and Exploit Blocker, which strengthens protection against targeted attacks and previously unseen vulnerabilities, also known as zero-day vulnerabilities. B.  Keep your security software’s virus database up-to-date New versions of ransomware are released frequently, so it is impor- tant that computers and other company devices receive regular virus database updates. Among other precautions, this helps to ensure they are not vulnerable to ransomware infections. ESET products check for updates every hour, provided they detect a valid license and a working Internet connection.
  • 4. ransomware   3 IMPORTANT NOTE It is possible that your company firewall could block ESET Live Grid communications, so you should verify that it is working properly. To do this, please visit the following web- page of the renowned testing organization AMTSO, of which ESET is a member: http://www.amtso.org/feature-settings-check-cloud-lookups/ Click on the link “Download the CloudCar Testfile” and download the test file “cloudcar.exe”. If ESET LiveGrid works properly, the file will open on ESET’s servers and, after obtaining the necessary information, will block it. The file will not be downloaded onto your computer and following message will be displayed: C.  Enable the ESET LiveGrid® cloud protection system Unknown and potentially malicious applications, and other possible threats, are monitored and submitted to the ESET cloud via the ESET LiveGrid Feedback System. The samples collected are subjected to automatic sandboxing and behavioral analysis, which results in the creation of automated signatures if malicious characteristics are con- firmed. ESET clients learn about these automated detections via the ESET LiveGrid Reputation System in a matter of minutes, without the need to wait for the next signature database update. If a process is deemed unsafe – such as deleting a backup – it is immediately blocked. It is im- portant to note that ESET LiveGrid uses only hashes of suspicious files, never their contents, thus respecting the privacy of ESET customers.
  • 5. ransomware   4 Keep your company desktops safe To mitigate the risk of data loss and damage to devices commonly caused by ransomware, we encourage all companies to follow these eleven steps. 1. Back up important data regularly The single, best measure to defeat ransomware before it even starts its malicious activity, is to have a regularly updated backup. Remem- ber that malware will also encrypt files on drives that are mapped and have been assigned a drive letter, and sometimes even on drives that are unmapped. This includes any external drives such as a USB thumb drive, as well as any network or cloud file stores. Hence, a regular backup regimen is essential, ideally using an off-site, offline device for storing the backup files. 2. Patch and update your software automatically Malware authors frequently rely on people running outdated software with known vulnerabilities, which they can exploit to silently access company devices and their systems. Businesses can significantly decrease the potential for ransomware pain if they make a practice of updating company software and devices as often as possible. Some software vendors release security updates on a regular basis, but there are often “out-of-cycle” or unscheduled updates in cases of emergency. Enable automatic updates if you can, or go directly to ven- dors’ websites. 11 STEPS FOR PREVENTING DATA LOSS ➊ Back up important data regularly ➋ Patch & update your software automatically ➌ Pay attention to your employees' security training ➍ Show hidden file-extensions ➎ Filter executable attachments in email ➏ Disable files running from AppData/LocalAppData folders ➐ Consider shared folders ➑ Disable RDP ➒ Use a reputable security suite   10 Use System Restore to get back to a known-clean state   11 Use a standard account instead of one with administrator privileges
  • 6. ransomware   5 3. Pay attention to your employees’ security training One of the most common infection vectors is social engineering – methods that are based on fooling users and trying to convince them to run executable files. By claiming to be a tracking notification email from a delivery company (such as FedEx or UPS), an email from their bank, or an internal company message such as New_Wages.pdf.exe, the attackers try to dupe employees to achieve their malicious goals. To prevent this from happening, employees should be trained not to open any unknown or suspicious email attachments, links or files. 4. Show hidden file-extensions Ransomware frequently arrives in an email attachment with the ex- tension “.PDF.EXE”. This counts on Window’s default behavior of hiding known file extensions. Re-enabling the display of the full file extension makes spotting suspicious files easier. 5. Filter executable attachments in email If your gateway mail scanner has the ability to filter files by extension, you may wish to block emails sent with “.EXE” file attachments, or those with attachments that have two file extensions ending with an executable (“*.*.EXE” files, in filter-speak). We also recommend filtering files with the following extensions: *.BAT, *.CMD, *.SCR and *.JS. 6. Disable files running from AppData/LocalAppData folders A notable behavior of a large proportion of ransomware variants is that they run their executable from the AppData or Local AppData folder. You can create rules within Windows or with intrusion preven- tion software to disallow this behavior. If for some reason legitimate software is set to run from the AppData rather than the usual Program Files area, you will need to exclude it from this rule. 7. Consider shared folders Bear in mind that any company device infected by ransomware might also cause encryption of all files in shared folders to which it has write permission. For this reason, employees should consider which valuable and sensitive files they store on shared disks, as their data in these lo- cations might get encrypted by malware, even though their computer wasn’t directly infected. 8. Disable RDP Ransomware often accesses target machines using Remote Desktop Protocol (RDP), a Windows utility that allows others to access desk- tops remotely. Cybercriminals have also been known to log in via an RDP session and disable the security software. It is best practice to dis- able RDP unless you need it in your environment. For instructions on how to do so, visit the appropriate Microsoft Knowledge Base articles. 9. Use a reputable security suite Malware authors frequently send out new variants of their malicious code, trying to avoid detection, so it is important to have multiple lay- ers of protection. Even after it burrows into a system, most malware relies on remote instructions to perform serious mischief. If you encounter a ransomware variant that is so new that it gets past antimalware software, it may still be caught when it attempts to connect with its Command and Control (C&C) server to receive instructions for encrypting files. ESET’s latest software suite provides an enhanced Botnet Protection module that blocks malicious traffic trying to communicate with a C&C server.
  • 7. ransomware   6 RANSOMWARE: HOW IT WORKS 10. Use System Restore to get back to a known-clean state If System Restore is enabled on the infected Windows machine, it might be possible to take the system back to a known-clean state and restore some of the encrypted files from “shadow” files. But you have to outsmart the malware and move quickly. This is because some of the newer ransomware has the ability to delete the “shadow” files from System Restore. Such malware will start deleting “shadow” files whenever the executable file is run, and you might not even know that this is happening, since executable files can run without the operator knowing, as a normal part of Windows system operation. 11. Use a standard account instead of one with administrator privileges Using an account with system administrator privileges is always a security risk, because then malware is allowed to run with elevated rights and may infect the system easily. Be sure that users always use a limited user account for regular daily tasks and the system administra- tor account only when it is absolutely necessary. Do not disable User Access Control. $$ Ransomware is a type of malicious software that can lock your device and take hostage files that might have some personal or professional value to you. Malware is often spread via email or by drive-by downloads from compromised websites. After it’s done its malicious job, the ransomware generates a pop-up message telling you to pay. PAY $$$ PAY $$$ $$$ $ PAY $$$
  • 8. ransomware   7 What if my company desktop is already infected? Disconnect the device If you or any of your employees run a suspicious file and you are unable to open some of the stored files, immediately disconnect the device from internet, company network and if possible also from the electricity supply. This can prevent communication between the malware and its C&C server before it finishes encryption of the data on that device and all its mapped disks. Although this isn’t a bulletproof technique, it gives your company at least some chance to save some of the valuable files before they are fully en- crypted. We recommend a hardware shutdown, as ransomware might be programmed to monitor software shutdown and cause more damage. Contact ESET technical support If the ransomware has already run its course and you don’t have a functional backup, contact ESET technical support. Don’t forget to attach a log from ESET Log Collector and a few samples of the encrypted files—if possible, send approximately five MS Word or MS Excel files. If your company license has 100 or more seats, our specialists will contact you requesting more information about the infection after you submit a ticket via our online system. In cooperation with the ESET Malware Re- search Laboratory, our specialists will attempt to decrypt and recover the affected files. But please bear in mind that the authors of malicious code have gone to considerable lengths to make their ransomware effective, using ever stronger and more advanced encryption. It is therefore often impossible to decrypt everything, or to do so quickly. Nowadays, encryption is a technological standard protecting bank and financial transfers, e-shop transactions and many other online services and the latest versions are close to impenetrable. It is for this reason that no vendor can guarantee to recover your files. ESET experts will attempt to find ransomware loopholes that will allow them to repair the damage caused to your affected disks and devices. If they are successful, they will provide you with a decryption tool tai- lor-made for your business. Based on our experience, this outcome is possible for one in five ransom- ware cases. This process can take up to several weeks, depending on how skillful the malware authors were. It is possible that the attempt will not succeed. If you have opted for ESET Premium Support, our specialists are available to answer your requests 24 hours a day, 365 days a year.
  • 9. ransomware   8 Don’t forget about company Android devices As we already mentioned, malware authors are not focusing solely on Windows. In recent years they have shifted their attention to the most dominant mobile operating system, Android, which is used by many businesses smartphones and tablets. ESET has seen various families of Android ransomware designed to target mobile devices specifically. Attackers use various techniques, such as pre- tending to be antivirus software or disguising their ransom demand as a local law enforcement agency and blocking the device (an example of such ransomware is Reveton). In 2014, our researchers encountered the first ransomware that attempt- ed to encrypt data on mobile devices running Android. Since then, attackers have come up with more than 50 variants, each more dangerous and more advanced than the last. Only a year later, the first ransomware that blocked access to a device by setting a random four-digit screen-lock appeared. Remember that all of these malicious codes were able to effectively block access to resources vital for everyday business, and demanded hundreds of dollars from the victims and their companies to restore access. HOW TO KEEP YOUR ANDROID DEVICES PROTECTED? A. Train your employees For employees using Android devices, it’s important to be aware of ran- somware threats and to take preventive measures. Training is therefore an essential countermeasure. • Among the most important steps to take is to avoid unofficial or third-party app stores. • Before employees download anything from the official store, they should read the reviews by other users. Malicious behavior is quickly identified by users and comments about it are published directly on the app page. • Employees should always check if the permissions that the app is requesting are necessary for its proper function. • If possible, create a whitelist of apps allowed on company Android devices. B. Use security software Have a mobile security app installed and kept up to date in all the company Android devices. If you are an ESET customer, you can install ESET End- point Security for Android as a part of the following ESET Business Solu- tions security packages: • ESET Endpoint Protection Standard • ESET Endpoint Protection Advanced • ESET Secure Business • ESET Secure Enterprise
  • 10. ransomware   9 C. Backup all the important data Additionally, it is important to have a functional backup of all important data from each Android device. The chances are that users who take appropriate measures against ransomware will never face any request for ransom. And even if they fall victim and – in the worst-case scenario – see their data encrypted, having a backup turns such an experience into noth- ing more than a nuisance. What if my company Android device has already been infected? If your device or your employee’s device gets infected by ransomware, you have several options for its removal, depending on the specific malware variant. 1. Boot in safe mode For the most simple lock-screen ransomware families, booting the device into Safe Mode – so third-party applications (including the malware) will not load – will do the trick and the user can easily unin- stall the malicious application. The steps for booting into Safe Mode can vary on different device models (to find out which apply to your device(s) consult your manual, or Google the results). 2. Revoke administrator privileges for malware In the event that the application has been granted Device Administra- tor privileges – as it is often the case with new variants of ever-more aggressive ransomware – these must first be revoked from the set- tings menu before the app can be uninstalled. 3. Reset password via Mobile Device Manager If ransomware with Device Administrator rights has locked the device using Android’s built-in PIN or password screen lock functionality, the situation gets more complicated. It should be possible to reset the lock using Google’s Android Device Manager or an alternative MDM solu- tion. Rooted Android phones have even more options. 4. Contact technical support If files on the device have been encrypted by crypto-ransomware such as Android/Simplocker, we advise users to contact their security provider’s technical support. Depending on the specific ransomware variant, decrypting the files may or may not be possible. 5. Factory reset A factory reset, which will delete all data on the device, can be used as the last resort in case none of the previous solutions are available.
  • 11. ransomware   10 Last but not least: Should I pay a ransom? ESET advises its business customers as well as all other users not to pay ransoms. First of all, the attackers are not acting legally, so they have no obligation to fulfill their end of the bargain by decrypting the affected data or unlock- ing your device in return for payment. Paying a ransom also helps them to finance their ongoing malicious activi- ties. Even if the malware authors provide you with a decryption key, there is no guarantee that it will actually work. ESET has seen many cases in which the tool sent by the attackers wasn’t able to decrypt the files, or worked only partially. In some cases of Android ransomware, the randomly gen- erated PIN code blocking the device wasn’t sent to the cybercriminal and there was therefore no way to unlock it. Also, if you pay the cybercriminals, how do you know they won’t come back for more? If they were successful in attacking your company, they may regard that as weakness and try to exploit you again.