Cyber threats

Ransomware (Enterprise)

Ransomware is a family of malware that encrypts individual files and directories or even complete data carriers (e.g., the hard drive) or makes access impossible or at least difficult in some other way. The attackers then demand a ransom for the release of the data. Malicious e-mail attachments or inadequately secured systems are a frequent gateway.

In so-called "double extortion" attacks, in addition to encrypting the data, threats are also made to release the data if no ransom is paid.

Preventive measures

  • Train employees on how to handle e-mails, especially how to handle attachments.
  • Block "dangerous" file types already at your e-mail gateway (e.g. macros, or file extensions such as .exe, .bat and .js).
  • Windows AppLocker can strengthen the protection of your IT infrastructure, as it lets you define which programs are allowed to run on the computers in your organization.
  • Back up your data regularly. This backup can be done locally (e.g. external data carriers) or online (e.g. cloud storage). Make sure that the selected backup medium is disconnected from your system after the backup; otherwise the backup medium itself may also be encrypted or otherwise rendered unusable in the event of a ransomware attack.

Measures for those affected

Ransomware can cause significant damage, especially in cases where the data backups are also affected. In the event of an incident, remain calm and act thoughtfully. If your company does not have the expertise to deal with the incident, seek assistance from a specialized company.

The following points should be considered in the event of a ransomware incident:

  • Limitation of damage: Immediately disconnect the infected systems from the network. Remember to include any devices connected via WLAN.
  • Identification of infected systems: System logs and other log files can help identify the affected systems. The metadata of encrypted files can also provide clues to infected systems. Preserve the log files and any clues pointing to possibly infected systems and compromised user accounts.
  • Detection: The log files may reveal URLs and IP addresses used by the attacker. Block these URLs and IP addresses on the proxy server or firewall to prevent further connections to the attacker's infrastructure.
  • Forensic investigations: Decide in a timely manner whether a forensic investigation should be conducted. This is especially important if you intend to file criminal charges with the state police. Forensically sound copies of volatile memory and data carriers should be made by expert employees or external service providers before any further repair attempts or reboots of the affected systems.
  • Backup of encrypted data: Regardless of whether a backup exists or has also been encrypted, it is recommended to retain and back up the encrypted data. It may become possible to decrypt the data at a later time.
  • Reinstall affected systems: Before you start restoring systems and data, the infected systems must be reinstalled. This should be done using trusted media.
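As an added illustration of the "Identification of infected systems" step above (example code, not part of the original advisory), the following Python triages a constructed export of file-server metadata: it flags files whose extension, header and byte entropy together suggest encryption, then groups them by host and owning account. The hostnames, accounts and paths are hypothetical.

```python
import math
from collections import Counter
from datetime import datetime

# Constructed sample of file-server metadata: (host, path, owning account,
# last-modified timestamp, first bytes of content). All values are hypothetical.
SAMPLE = [
    ("FS01", r"\\fs01\finance\q3.xlsx.locked", r"CORP\jdoe", "2024-05-02T03:14:05", bytes(range(10, 42))),
    ("FS01", r"\\fs01\finance\budget.docx.locked", r"CORP\jdoe", "2024-05-02T03:14:09", bytes(range(100, 132))),
    ("FS01", r"\\fs01\finance\README_RESTORE.txt", r"CORP\jdoe", "2024-05-02T03:14:10", b"Your files have been encrypted..."),
    ("WS17", r"\\ws17\users\asmith\notes.txt", r"CORP\asmith", "2024-05-01T17:02:44", b"Meeting notes for Monday ..."),
    ("WS17", r"\\ws17\users\asmith\report.pdf", r"CORP\asmith", "2024-04-30T09:00:00", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n1 0 obj"),
    ("FS02", r"\\fs02\hr\payroll.xlsx.locked", r"CORP\svc_backup", "2024-05-02T02:58:31", bytes(range(200, 232))),
]

KNOWN_EXT = {".xlsx", ".docx", ".pdf", ".txt", ".pptx", ".jpg", ".png"}
KNOWN_MAGIC = (b"PK\x03\x04", b"%PDF", b"\xd0\xcf\x11\xe0", b"\xff\xd8\xff", b"\x89PNG")

def normalized_entropy(data: bytes) -> float:
    """Shannon entropy scaled to [0, 1] by the maximum possible for this sample length."""
    if len(data) < 2:
        return 0.0
    counts = Counter(data)
    h = -sum(c / len(data) * math.log2(c / len(data)) for c in counts.values())
    return h / math.log2(min(len(data), 256))

def looks_encrypted(path: str, head: bytes) -> bool:
    """Unfamiliar extension AND no known file signature AND near-random header; each signal alone is noisy."""
    ext = "." + path.rsplit(".", 1)[-1].lower() if "." in path else ""
    return (ext not in KNOWN_EXT
            and not head.startswith(KNOWN_MAGIC)
            and normalized_entropy(head) > 0.9)

def triage(records):
    """Return hosts with suspected encrypted files, earliest-modified first, plus a count per owning account."""
    # The earliest encrypted file points at where the ransomware ran first;
    # the owning accounts are the ones to treat as potentially compromised.
    per_host, owners = {}, Counter()
    for host, path, owner, mtime, head in records:
        if not looks_encrypted(path, head):
            continue
        t = datetime.fromisoformat(mtime)
        count, first = per_host.get(host, (0, t))
        per_host[host] = (count + 1, min(first, t))
        owners[owner] += 1
    ordered = sorted(per_host.items(), key=lambda kv: kv[1][1])
    return [(h, c, f.isoformat()) for h, (c, f) in ordered], owners
```

The ransom note and the intact documents are correctly left out, while FS02 surfaces ahead of FS01 because its encrypted file was written earlier.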

A partial or complete recovery of data may also be possible without a backup, for example where the ransomware has not encrypted or deleted Windows shadow copies, where snapshots of virtual machines or previous file versions at cloud services exist, where deleted files can be recovered forensically, or where the ransomware's encryption routine contains errors or the decryption key is known.

Notes on the payment of ransoms

The National Cyber Security Unit advises against paying a ransom. There is no guarantee that the attackers will restore the data once the ransom is paid, or that the data will not be released anyway. Moreover, every successful extortion motivates the attackers to continue, finances the further development of the attacks, and promotes their spread.