How to handle Ransomware attack?

CSCC LABS
4 min read · May 30, 2022


Ransomware infects your device, locks you out and asks you to pay a ransom.

What is Ransomware?

Ransomware is a type of malware that prevents or limits users from accessing their system, often encrypting data in an unrecoverable fashion. Ransomware forces its victims to pay a ransom through certain online payment methods in order to regain access to their systems or to get their data back.

Types of Ransomware

The main types of ransomware to look out for are:

  • Locker ransomware — This type of malware restricts access to the infected device.
  • Crypto ransomware — Perhaps the most dangerous type of ransomware, this malware restricts access to stored data and files. It encrypts the user’s data and demands a ransom in exchange for the decryption key. However, paying the ransom doesn’t guarantee that the key will be delivered.
  • Mobile ransomware — This type of malware is spread from a mobile device to a computer and typically displays a message claiming that the device has been locked due to some type of illegal activity.

How Does Ransomware Work?

Figure: Ransomware timeline

Detection of a ransomware attack

There are three primary ways to detect ransomware:

  • Signature-based
  • Behavior-based
  • Abnormal-traffic-based

1. Detection by Signature

Malware carries a unique signature composed of information like domain names, IP addresses, and other indicators that identify it. Signature-based detection uses a library of these signatures to compare them to active files running on a machine. This is the most basic method of detecting malware, but it’s not always effective.

Ransomware attackers can create novel versions of malware with new signatures for every attack. Signature-based malware detection can’t identify what it doesn’t recognize. This leaves systems vulnerable to every new malware variant.

2. Detection by Behavior

Ransomware behaves in an unusual way: it opens dozens of files and replaces them with encrypted versions. Behavior-based ransomware detection can monitor for this unusual activity and alert users to it. This method of detection can also help users stay protected against other common cyberattacks.
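The burst pattern described above (many files overwritten with high-entropy data and renamed in a short window) can be scored per process. This is an added example, not code from the original article; the event format, the sample event lines, the entropy threshold and the window size are constructed assumptions.

```python
# Behavior-based ransomware detection over file events. Added example, not code
# from the original article; event format, sample lines and thresholds are
# constructed assumptions.
from collections import defaultdict, deque

HIGH_ENTROPY = 7.5    # bits/byte; encrypted output is close to the 8.0 maximum
WINDOW_SECONDS = 10   # how long a burst of writes is remembered per process
FILE_THRESHOLD = 4    # distinct files encrypted and renamed inside the window
# Constructed events, one per line: "ts pid ACTION path entropy" (RENAME path is "old->new").
SAMPLE_EVENTS = """\
1000 4242 WRITE /home/u/docs/q1.xlsx 7.96
1000 4242 RENAME /home/u/docs/q1.xlsx->/home/u/docs/q1.xlsx.locked 0
1001 4242 WRITE /home/u/docs/q2.xlsx 7.97
1001 4242 RENAME /home/u/docs/q2.xlsx->/home/u/docs/q2.xlsx.locked 0
1002 1337 WRITE /home/u/docs/notes.txt 4.12
1002 4242 WRITE /home/u/docs/plan.docx 7.95
1002 4242 RENAME /home/u/docs/plan.docx->/home/u/docs/plan.docx.locked 0
1003 4242 WRITE /home/u/docs/budget.ods 7.98
1003 4242 RENAME /home/u/docs/budget.ods->/home/u/docs/budget.ods.locked 0
1005 2001 WRITE /home/u/backup/archive.zip 7.99
"""

def parse_event(line):
    ts, pid, action, path, entropy = line.split()
    return int(ts), int(pid), action, path, float(entropy)

def detect_encryption_bursts(lines, window=WINDOW_SECONDS, threshold=FILE_THRESHOLD):
    """Return {pid: ts of first alert} for processes that, within `window`
    seconds, wrote high-entropy data to >= `threshold` distinct files and
    renamed them to a new extension. Input must be time-ordered."""
    recent_writes = defaultdict(deque)  # pid -> (ts, path) high-entropy writes
    renamed = defaultdict(set)          # pid -> original paths given a new ext
    alerts = {}
    for line in lines:
        ts, pid, action, path, entropy = parse_event(line)
        if action == "WRITE" and entropy >= HIGH_ENTROPY:
            recent_writes[pid].append((ts, path))
        elif action == "RENAME":
            old, new = path.split("->")
            if old.rsplit(".", 1)[-1] != new.rsplit(".", 1)[-1]:
                renamed[pid].add(old)
        else:
            continue  # low-entropy writes are ordinary editing, not suspicious
        q = recent_writes[pid]
        while q and q[0][0] < ts - window:
            q.popleft()  # forget writes that fell out of the window
        hit = {p for _, p in q if p in renamed[pid]}
        if len(hit) >= threshold and pid not in alerts:
            alerts[pid] = ts
    return alerts
```

The single high-entropy write by pid 2001 (an archive) and the low-entropy edits by pid 1337 are not flagged; only the process that both encrypts and renames several files in one window is.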

3. Detection by Abnormal Traffic

Abnormal traffic detection is an extension of behavior-based detection, but it works at the network level. Sophisticated ransomware attacks are often twofold: they encrypt data to ransom, but they also steal data before encrypting it to use as extra leverage. This leads to large data transfers to outside systems.

While ransomware can cover its tracks and conceal the transfers, it may create network traffic that can be tracked. Abnormal traffic detection can trace back to the ransomware on the machine so that users can delete it.
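The large outbound transfers described above show up as a per-host egress spike against that host's own baseline. This is an added example, not code from the original article; the flow-summary format, the internal address range, the sample records and the spike thresholds are constructed assumptions.

```python
# Abnormal-traffic detection for ransomware's data-staging/exfiltration phase.
# Added example, not code from the original article; flow format, address
# ranges, sample records and thresholds are constructed assumptions.
import ipaddress
import statistics
from collections import defaultdict
INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # constructed corporate range
SPIKE_FACTOR = 5.0        # current egress must exceed 5x the host's baseline
MIN_BYTES = 50_000_000    # and be at least 50 MB, to ignore small spikes
# Constructed flow summaries, one per line: "window src_ip dst_ip bytes"
FLOWS = """\
1 10.0.1.5 203.0.113.10 1200000
1 10.0.1.9 198.51.100.4 2000000
2 10.0.1.5 203.0.113.10 1500000
2 10.0.1.9 198.51.100.4 2100000
3 10.0.1.5 203.0.113.10 900000
3 10.0.1.9 198.51.100.4 1900000
4 10.0.1.5 203.0.113.10 1100000
4 10.0.1.5 192.0.2.77 950000000
4 10.0.1.9 198.51.100.4 2050000
4 10.0.1.7 10.0.2.2 805000000
"""

def parse_flow(line):
    window, src, dst, nbytes = line.split()
    return int(window), ipaddress.ip_address(src), ipaddress.ip_address(dst), int(nbytes)

def external_egress(lines):
    """Bytes per (window, host) for flows that leave the internal range;
    large internal transfers (e.g. to a backup server) are ignored."""
    totals = defaultdict(int)
    for line in lines:
        window, src, dst, nbytes = parse_flow(line)
        if src in INTERNAL and dst not in INTERNAL:
            totals[(window, str(src))] += nbytes
    return totals

def find_exfil_candidates(lines, current_window, factor=SPIKE_FACTOR, min_bytes=MIN_BYTES):
    """Return [(host, bytes, baseline_mean)] for hosts whose external egress in
    `current_window` is large and far above their mean in earlier windows."""
    totals = external_egress(lines)
    alerts = []
    for (window, host), nbytes in sorted(totals.items()):
        if window != current_window:
            continue
        earlier = [n for (w, h), n in totals.items() if h == host and w < current_window]
        baseline = statistics.mean(earlier) if earlier else 0  # no history -> 0
        if nbytes >= min_bytes and nbytes > factor * baseline:
            alerts.append((host, nbytes, baseline))
    return alerts
```

The flagged host is the one that suddenly pushes hundreds of megabytes to an outside address it never used before; the steady 2 MB host and the internal-only backup traffic stay quiet.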

Reactive Measures for the Mitigation of a Ransomware Attack

  1. Act Quickly
  2. Communication
  3. Backups
  4. Decryption tools
  5. Don’t pay a ransom
  6. Hire a Cybersecurity Expert

Protection against Future Ransomware Attacks

  • Employ a data backup and recovery plan for all critical information. Perform and test regular backups to limit the impact of data or system loss and to expedite the recovery process. Note that network-connected backups can also be affected by ransomware; critical backups should be isolated from the network for optimum protection.
  • Keep your operating system and software up-to-date with the latest patches.
  • Maintain up-to-date anti-virus software, and scan all software downloaded from the internet prior to execution.
  • Restrict users’ ability (permissions) to install and run unwanted software applications, and apply the principle of “Least Privilege” to all systems and services. Restricting these privileges may prevent malware from running or limit its capability to spread through the network.
  • Avoid enabling macros from email attachments. If a user opens the attachment and enables macros, embedded code will execute the malware on the machine.
  • Do not follow unsolicited Web links in emails.

How to Mitigate an Active Ransomware Infection

Many successful ransomware attacks are only detected after data encryption is complete and a ransom note has been displayed on the infected computer’s screen. At this point, the encrypted files are likely unrecoverable, but some steps should be taken immediately:

  1. Quarantine the Machine: Some ransomware variants will try to spread to connected drives and other machines. Limit the spread of the malware by removing access to other potential targets.
  2. Leave the Computer On: Encryption of files may make a computer unstable, and powering off a computer can result in loss of volatile memory. Keep the computer on to maximize the probability of recovery.
  3. Create a Backup: Decryption of files for some ransomware variants is possible without paying the ransom. Make a copy of encrypted files on removable media in case a solution becomes available in the future or a failed decryption effort damages the files.
  4. Check for Decryptors: Check with the No More Ransom Project to see if a free decryptor is available. If so, run it on a copy of the encrypted data to see if it can restore the files.
  5. Ask For Help: Computers sometimes store backup copies of files stored on them. A digital forensics expert may be able to recover these copies if they have not been deleted by the malware.
  6. Wipe and Restore: Restore the machine from a clean backup or operating system installation. This ensures that the malware is completely removed from the device.
