Today we’re bringing you our guide on ransomware, covering everything from recent high-profile attacks, to how ransomware works and how you can protect your devices.

Ransomware attacks have been in the news recently, with the NHS and UCL both being hit within the last couple of months.

WannaCry

WannaCry was the biggest ever ransomware attack, hitting organisations across Europe, Asia and America, including NHS trusts.

Unlike traditional ransomware which relies on the user opening an email to execute the malicious scripts, WannaCry spreads across the network to affect every device that’s connected to the network, without user intervention.

It takes advantage of an Operating System vulnerability that Microsoft issued a patch against in March. This means that WannaCry does not only target Windows XP: any system (and the device running it) where the patch has not been applied is vulnerable to a WannaCry attack.

Petya ransomware

Not long after WannaCry hit, Petya ransomware struck, once again hitting organisations across the world. This time it combined the same ‘worm’ type of capability as the WannaCry attack with some other exploits to make it more powerful (for example, Petya can take over domain admin rights to remotely manipulate other computers on the network).

What is ransomware, and what does it do?

Ransomware first appeared in 1989, but it didn’t really take off until the 2010s. Since then, it’s continued to evolve, with new versions of ransomware being discovered very quickly.

Once a device is affected by ransomware, it can encrypt every file on your hard drive, and on top of that, every file on any device or logical drive that’s connected to the device. This means that if you have your USB stick or your smartphone connected, then the files on there can be doomed.

If your device is also used to access files on the LSE network, such as H:\ or departmental shared folders, then these files would be encrypted too, leading to far more significant impacts.

Depending on the types of ransomware, it could also encrypt your entire device making it impossible to even boot up your device.

Once the ransomware has encrypted your files or device, it rather ‘helpfully’ notifies you what has happened. You’ll be given the crooks’ payment account details and how to transfer money to their account in order to get the decryption key to ‘unlock’ your files.

Ransomware normally uses a strong cryptographic mechanism, so without the decryption key it’s impossible to decrypt the files.

The amount of money the crooks demand (often in bitcoins) is usually a few hundred US dollars. The attackers demand an amount they think would be reasonable for the local economy (not so expensive as to put you off, but not so low as to deprive themselves of profits).

How ransomware is delivered

Statistically, ransomware is mostly delivered through a poisoned email attachment. It does not normally need a vulnerability to even exist on your device. Instead, it relies on features such as macros, PowerShell, or Java to execute malicious scripts that are wrapped inside the email attachment.

The email attachment is often a fake shipping order, invoice, airline notice, or even a voicemail. The format varies too: it can be a PDF, rich text document, macro-enabled Excel or Word document, HTML, and so on. It can also be a link in the email, instead of an email attachment.

That said, it can also take advantage of unpatched systems and web browsers, as happened in the WannaCry attack.

How to keep your devices safe

Be aware that there is known ransomware targeting Apple devices too. Whether you’re an Apple user or a Windows user, you’ll need to follow the advice below.

1. Prevention is way, way better than cure!

The best preventive measure is caution. Learn to recognise a suspicious email: the rule of thumb is never open an unexpected email attachment.

It’s worth pointing out that this is not just about emails from unknown senders, as your friends’ email addresses can be spoofed, or their email accounts can be compromised.

2. Keep a backup copy of your files

This means that if you are hit by ransomware, you can rebuild your PC and restore your files from your backup. However, this is only a reactive solution, and it does mean that data between the point of attack and the last backup will be lost.

Purely using a cloud backup service is not adequate, as it simply synchronises your files to the cloud, meaning that at the point of attack it will synchronise the encrypted files, which are no longer readable. Consider maintaining more than one backup copy in different places, such as on an encrypted external storage device.

3. Stay up-to-date

Always keep your Operating System, web browser, and applications/software up to date.

4. Have an anti-virus installed on your device, and enable the ‘on-access’ scan

Anti-virus software vendors often update their virus definitions to include ransomware variants once they are known.

Again, this is only a reactive measure. It does not provide full protection, as the ransomware variant might not yet be known to the vendor, or the ransomware could use certain techniques to bypass anti-virus detection.

All staff and students at LSE can download Sophos anti-virus onto their personal devices for free.

5. Don’t enable macros in email attached documents

Lots of malware infections rely on macros to execute their scripts. Use the default ‘disable macros with notification’ setting in Microsoft Office applications.
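As an added illustration (not part of the original post), the following PowerShell script reads the Trust Center macro setting that Office stores in the registry and flags any application where all macros have been enabled. It assumes Office 2016 or later (registry version key 16.0; use 15.0 for Office 2013) and that Word, Excel and PowerPoint are the applications of interest.

```powershell
# Added example: audit the Office 'macro settings' level for the current user.
# VBAWarnings encodes the Trust Center choice:
#   1 = Enable all macros (dangerous)
#   2 = Disable all macros with notification (Office default)
#   3 = Disable all macros except digitally signed macros
#   4 = Disable all macros without notification
$officeVersion = '16.0'                      # assumption: Office 2016/2019/365
$apps = 'Word', 'Excel', 'PowerPoint'        # assumption: apps to check
$meaning = @{
    1 = 'Enable all macros - NOT recommended'
    2 = 'Disable all macros with notification (default)'
    3 = 'Disable all macros except digitally signed'
    4 = 'Disable all macros without notification'
}

foreach ($app in $apps) {
    # A Group Policy value (under Policies) overrides the user's own Trust Center choice,
    # so check the policy key first, then the per-user key.
    $policyKey = "HKCU:\Software\Policies\Microsoft\Office\$officeVersion\$app\Security"
    $userKey   = "HKCU:\Software\Microsoft\Office\$officeVersion\$app\Security"

    $value  = $null
    $source = $null
    foreach ($key in $policyKey, $userKey) {
        $item = Get-ItemProperty -Path $key -Name VBAWarnings -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            $value  = [int]$item.VBAWarnings
            $source = $key
            break
        }
    }

    if ($null -eq $value) {
        # No explicit value means Office falls back to its default: disable with notification
        $status = 'OK'
        $text   = 'not set (Office default: disable all macros with notification)'
    } elseif ($value -eq 1) {
        $status = 'WARNING'
        $text   = "$($meaning[$value]) [from $source]"
    } elseif ($meaning.ContainsKey($value)) {
        $status = 'OK'
        $text   = "$($meaning[$value]) [from $source]"
    } else {
        $status = 'UNKNOWN'
        $text   = "unexpected VBAWarnings value $value [from $source]"
    }
    Write-Output ("{0,-11} {1,-8} {2}" -f $app, $status, $text)
}
```

Any line reporting WARNING means that application will run macros from an attachment without asking; switching it back to ‘Disable all macros with notification’ in the Trust Center restores the recommended setting.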

6. Consider having a separate administrator account, and only use it when you need administrative privileges

Malware often needs administrative access in order to be installed on your device. Most tasks we do on our devices do not need administrator-level privileges.

Best practice is to keep a normal account without administrative access and use it for everyday tasks, and have a separate administrator account which you use only when it’s necessary to install new software.

Want more information?

Visit the IMT InfoSec webpages for more information about keeping your information safe.

For specific ransomware information, visit: