This article provides information and best practices to stay protected against ransomware.
What is ransomware?
Ransomware, often referred to by family names such as CryptoLocker, CryptoDefense or CryptoWall, is a family of malware that limits or entirely blocks users' access to their computers. It usually locks the computer screen or encrypts the files. The more recent types of ransomware, called crypto-ransomware, ask users to pay a certain amount to get an unlock key.
The current wave of ransomware families can have their roots traced back to the early days of fake Anti-Virus, through Locker variants and finally to the file-encrypting variants that are prevalent today. Each distinct category of malware shares a common goal, to extort money from victims through social engineering and outright intimidation. The demands for money have grown more forceful with each iteration.
The following are key points to note on ransomware:
- Most ransomware attacks are quick. By the time you notice the encrypted files, the attack has completed.
- When ransomware has finished encrypting files, it will delete itself and leave only the encrypted files and ransom notes behind.
- The majority of ransomware are classified as trojans, not viruses. This means they won't spread across the network on their own but will run on a particular machine, which is then used to encrypt files across your network.
- The encrypted files and ransom notes are not malicious, and most Anti-Virus products will not detect or clean these files.
- A vast majority of files encrypted with modern ransomware cannot be decrypted and will require a restore from backups.
- Prevention is the best cure to avoid a ransomware attack.
How do ransomware attacks usually happen?
In many cases, a ransomware attack starts in one of the following ways:
- Malicious email. Spam email with a malicious attachment is the most common method to get ransomware onto a victim's machine. The spam campaigns used in these attacks are usually sent in very large volumes, and the emails often use social engineering techniques to trick users into trusting them. For example, an email posing as a parcel delivery company sends an attachment about a missed delivery. The common attachments currently used are: .doc, .docx, .docm, .xls, .xlsx, .xlsm, .ppt, .pptx, .pptm, .pdf, .js, and .lnk. These files are often wrapped in an archive file such as .zip, .rar, or .7z. When a user opens a malicious attachment or link, the ransomware is downloaded and installed on the computer.
- Malicious websites. Another way to get infected with ransomware is when a user visits a legitimate website that has been infected with an exploit kit. Popular websites can also be temporarily compromised.
- RDP attacks. RDP (Remote Desktop Protocol) allows users to control Windows computers via a full graphical user interface over the internet. While RDP is an immensely useful tool for organizations, RDP servers are protected by no more than a username and password, and many of those passwords are weak enough to be guessed with a little (sometimes very little) persistence. If you are running a server, consider closing the standard port 3389 to the outside.
After ransomware is downloaded onto the system, it takes further action:
- The attacker's Command & Control server is contacted to send information about the infected computer and download an individual public key for it.
- Specific file types (which vary by ransomware family) such as Office documents, database files, PDFs, CAD documents, HTML, XML, etc., are encrypted on the local computer, removable devices, and all accessible network drives.
- Automatic backups of the Windows operating system (shadow copies) are frequently deleted to prevent data recovery.
- A message appears on the desktop explaining how the ransom can be paid (typically in Bitcoin) within a specific time frame.
How does Sophos Home protect me against ransomware?
Sophos Home includes a CryptoGuard component that is responsible for detecting and blocking file encryption behavior on protected systems and for rolling back any encrypted files. Depending on the encryption technique used, CryptoGuard can stop the ransomware before it encrypts the files. If the ransomware is stopped right after the files are encrypted, a rollback is no longer available.
IMPORTANT NOTE: To be able to recover files, CryptoGuard requires 3GB of available hard drive space.
My files have been encrypted, how can I get them back?
If ransomware has successfully executed, your priority is containment and investigation before recovery:
- Disconnect the affected device from the network immediately to prevent further spread.
- If you have located the ransom notes left on the affected systems and/or the encrypted files, you can upload them to the following site to identify the malware group responsible.
- https://id-ransomware.malwarehunterteam.com/
- Please note this is not a Sophos-supported site.
- Research into how the malicious group was likely able to get into the environment can be very useful in locating vulnerabilities that, once removed, will protect you from future attacks.
- Investigate against best practices to identify gaps that allowed the attack (e.g., missing updates, weak passwords, lack of backups).
- Submit samples of spam emails containing suspicious attachments, or other suspicious files, to Sophos for analysis.
Protecting and cleaning infected devices
After a ransomware attack, it is important to ensure that your security products are working correctly. Many variants of ransomware will encrypt files that are used by software in order to run. A good example of this is .xml files which are commonly used by software programs to store configuration settings. As a result of this type of damage, you may have to reinstall the software that is no longer working correctly.
For Sophos products, check that they are updating correctly and reporting their status to your Dashboard. Resolve any errors, and if a re-installation is required, do this as soon as possible. Make sure full scans are run on all affected devices.
Restoring data
Most modern ransomware uses strong encryption methods such as RSA-2048 or AES-128. This makes it impossible to get your files back unless you restore them from backups or pay the ransom. If you pay the ransom, there is no guarantee that you will get your files back or that you won't be targeted again.
Most files encrypted by ransomware cannot be restored. However, occasionally there are some variants of ransomware that can be restored. This is possible if:
- The used encryption method is weak
- The ransomware criminals made a mistake in their code
- The criminals were arrested, and the authorities got the decryption keys
Unfortunately, these scenarios are rare. If you are hit by ransomware, search the internet for decryption tools for that particular ransomware family to see if one is available.
Otherwise, your next step is to restore or rebuild from clean backups if available, or perform a clean system reinstallation.
For a detailed checklist and advanced guidance, see Sophos Ransomware: Recovery and Removal (KBA‑000004303). While this article is written for business environments, it covers all the needed steps you can take after a successful attack.
Best security practices to apply now
Most of the time, Sophos Home detects and blocks the ransomware immediately. In the event that the attack becomes successful, it is important to ensure that the Sophos Home installed is properly working. Check that it is updating and reporting the status to your dashboard correctly. Resolve any errors and if a re-installation is required, do it as soon as possible. Make sure full scans are run on the affected machine.
1. Backup regularly and keep a recent backup copy off-site.
There are other risks besides ransomware that can cause files to vanish, such as fire, flood, theft, a dropped laptop or even an accidental delete. Always do a regular backup of your files and encrypt your backup. This way you don't have to worry about the backup device falling into the wrong hands.
2. Enable file extensions.
The default Windows setting hides file extensions. This means that you have to rely on the file's thumbnail to identify it. Enabling extensions makes it much easier to spot file types that are not commonly sent, such as JavaScript.
3. Open JavaScript (.js) files in Notepad.
Opening a JavaScript file in Notepad prevents it from running any malicious script and allows you to examine the file contents.
4. Don’t enable macros in document attachments received via email.
Microsoft turned off auto-execution of macros by default many years ago as a security measure. A lot of infections rely on persuading you to turn macros back on, so don’t do it!
5. Be cautious about unsolicited attachments.
Crooks rely on the dilemma that you can’t tell if the file is the one you want until you open it. If in doubt leave it out.
6. Don’t give yourself more login power than you need.
Don’t stay logged in as an administrator any longer than necessary and avoid browsing, opening documents or other regular work activities while you have administrator rights.
7. Consider installing the Microsoft Office viewers.
These viewer applications let you see what documents look like without opening them in Word or Excel. In particular, the viewer software doesn't support macros, so you can't enable them by mistake!
8. Patch early, patch often.
Malware that doesn’t come in via a document often relies on security bugs in popular applications, including Microsoft Office, your browser, Flash and more. The sooner you patch, the fewer vulnerabilities there are to be exploited.
9. Stay up-to-date with new security features in your applications.
For more information, check our https://news.sophos.com website for the latest news on ransomware and security in general.
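The following PowerShell script is an added example (not Sophos code) that applies three of the settings this article recommends on a Windows machine: showing file extensions (step 2), opening .js/.jse files in Notepad (step 3), and blocking inbound RDP on port 3389 from outside the local subnet (the RDP section above). The registry paths, program IDs and firewall keyword are standard Windows values; run it from an elevated PowerShell prompt.

```powershell
#Requires -RunAsAdministrator
# Added example: hardening steps from this article. Not part of any Sophos product.

# 1. Show file extensions for the current user (HideFileExt = 0).
#    Explorer reads this value on restart; sign out or restart explorer.exe to see it.
$advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
Set-ItemProperty -Path $advanced -Name 'HideFileExt' -Value 0 -Type DWord

# 2. Make .js and .jse files open in Notepad instead of the Windows Script Host.
#    JSFile and JSEFile are the program IDs Windows maps those extensions to by default.
$notepad = Join-Path $env:SystemRoot 'System32\notepad.exe'
foreach ($progId in 'JSFile', 'JSEFile') {
    $cmdKey = "Registry::HKEY_CLASSES_ROOT\$progId\Shell\Open\Command"
    if (Test-Path $cmdKey) {
        Set-ItemProperty -Path $cmdKey -Name '(Default)' -Value "`"$notepad`" `"%1`""
    }
}

# 3. Block RDP from non-local addresses. 'Internet' is a built-in RemoteAddress keyword
#    covering addresses outside the local subnet, so LAN access is unaffected.
#    Block rules take precedence over allow rules in Windows Firewall.
$ruleName = 'Block inbound RDP from Internet'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort 3389 -RemoteAddress Internet -Action Block -Profile Any | Out-Null
}

# Verify that each setting took effect and report the result.
$ext  = (Get-ItemProperty -Path $advanced).HideFileExt
$open = (Get-ItemProperty -Path 'Registry::HKEY_CLASSES_ROOT\JSFile\Shell\Open\Command').'(Default)'
$rule = Get-NetFirewallRule -DisplayName $ruleName
[pscustomobject]@{
    ExtensionsShown        = ($ext -eq 0)
    JsOpensInNotepad       = ($open -like '*notepad.exe*')
    RdpBlockedFromInternet = ($rule.Enabled -eq 'True' -and $rule.Action -eq 'Block')
}
```

If you administer the machine over RDP from another network, add an allow rule for your specific source address before applying the block, or you will lock yourself out.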
Additional reading
- For readers interested in a deeper dive into ransomware prevention strategies from a business perspective, check out the Sophos Endpoint Protection best practices to block ransomware. While this resource is designed for business environments, it offers valuable insights into advanced protection techniques.
- Help – I'm Under Attack by Ransomware!
DISCLAIMER: The information in these articles is provided for general educational purposes only and is based on information available to Sophos at the time of publication. The materials may contain technical inaccuracies or typographical errors and may be updated, revised, or changed at any time without notice.
To the maximum extent permitted by applicable law, Sophos disclaims and excludes all representations, warranties, and conditions, whether express, implied, or statutory, including without limitation any warranties or conditions of title, non-infringement, satisfactory condition or quality, merchantability, and fitness for a particular purpose, with respect to the content.