How Ransomware Works When It Breaches Your Computer or Website
Ransomware is malicious software that encrypts the victim’s files, for example website data and content. Once the data is encrypted, the attacker demands a ransom in exchange for the decryption key. The demand typically ranges from a few hundred euros to several thousand, paid to the criminals in Bitcoin or another cryptocurrency.
In the last two years such infections have mainly hit small and medium-sized businesses in Latvia, which lack the information and resources to defend against cyber threats. The most common are ransomware of the Dharma family, which spread through Microsoft Remote Desktop (RDP) services exposed to the public internet and protected only by weak passwords that the attackers guess by brute force.
Ransomware attacks have recently become larger and more destructive, as attackers now also target larger organisations.
How Do Ransomware Attackers Breach Websites and Access Data?
There are several ways ransomware can get onto a computer. One common method is phishing spam: attachments that arrive by e-mail disguised as seemingly legitimate documents. Once the file is downloaded and opened, the malware runs with the victim’s privileges and the attacker gains control of the computer. More aggressive families, such as NotPetya, exploit software vulnerabilities to infect computers without any user interaction; NotPetya spread through a vulnerability in the Windows SMB file-sharing service and moved across networks on its own.
What Opportunities Do Attackers Have Once They Breach a Computer?
The most common action attackers take is encrypting the victim’s files, which renders them inaccessible without a decryption key known only to the attacker. After the breach, the victim is shown a message explaining that their files are no longer available and will only be decrypted once a ransom is paid in Bitcoin, which is pseudonymous and therefore difficult to trace back to a person.
Some attackers instead pose as a law enforcement agency and demand a “fine”, threatening to report the victim to the authorities if it is not paid.
Another approach is extortion with stolen data (sometimes called doxxing or double extortion): the attacker threatens to publish sensitive data copied from the victim’s systems unless the ransom is paid. This requires the attacker to find and exfiltrate the data before encrypting it, which is considerably more work than encryption alone, so it is seen mainly in targeted attacks on organisations rather than in opportunistic mass infections.
How to Avoid Ransomware That Encrypts Data?
Create regular backups of your data and store them separately from the system being backed up, so that an attacker who encrypts the server cannot also encrypt the backups. It is recommended to keep backups on a dedicated backup server in a data centre at a different location, and to regularly test that the copies are intact and can actually be restored.
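The “regularly check” step can be made concrete with a hash manifest: record a SHA-256 digest of every file when the backup is taken, keep the manifest with the backup on the separate server, and compare the copy against it before trusting it. The following Python is an added example, not code from the original article; the file names and the tampering scenario are constructed for illustration. A matching manifest proves the copy is intact, which is necessary but not sufficient: a periodic test restore is still needed to prove it is usable.

```python
"""Verify a backup copy against a hash manifest recorded when the backup was taken."""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root):
    """Map every file under root (as a relative POSIX path) to its SHA-256 digest.
    Keep the manifest with the backup on the separate backup server, not on the source host."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_backup(root, manifest):
    """Compare the copy under root with the manifest taken at backup time.
    Encrypted content shows up as 'changed'; a renamed file as 'missing' plus 'unexpected'."""
    current = build_manifest(root)
    return {
        "missing": sorted(set(manifest) - set(current)),
        "changed": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "unexpected": sorted(set(current) - set(manifest)),
    }


def demo():
    """Constructed scenario (assumed file names): back up a small site, then tamper with the
    copy the way ransomware would, and return the clean and the tampered verification results."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "site").mkdir()
        (root / "site" / "index.html").write_text("<h1>Hello</h1>\n")
        (root / "site" / "config.php").write_text("<?php $db = 'prod';\n")
        (root / "db.sql").write_text("CREATE TABLE users (id INT);\n")
        manifest = build_manifest(root)
        clean = verify_backup(root, manifest)

        # Simulated ransomware on the backup host: one file overwritten with
        # ciphertext-like random bytes, another renamed with a ransom extension.
        (root / "db.sql").write_bytes(os.urandom(64))
        (root / "site" / "config.php").rename(root / "site" / "config.php.locked")
        tampered = verify_backup(root, manifest)
        return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print("after backup:   ", clean)
    print("after tampering:", tampered)
```

In practice the manifest is written at backup time by the backup job and the comparison runs on the backup server on a schedule; a non-empty `changed` or `missing` list on a copy nobody should have touched is a strong indicator that the backup host itself has been reached.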
Increase server security: review write and delete permissions on shared folders, both on the internal network and on folders reachable from the internet, so that ransomware running under one user’s account can only encrypt what that user genuinely needs to write to.
Enhance remote access security for systems and administrative tools (e.g. RDP and SSH). Do not publish the RDP service directly on the internet; reach it through a corporate VPN instead. If RDP must remain reachable, protect it with smartcards or another second factor rather than passwords alone, keep the RDP service patched, and enable Network Level Authentication (NLA), which requires the user to authenticate before a desktop session is created; IPsec (or the VPN tunnel) additionally protects the connection itself.
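Whether an exposed RDP service is already being brute-forced can be checked from the failed-logon events (Windows Security event ID 4625) by correlating them per source address. The following Python is an added example, not code from the original article. It runs over a constructed set of exported 4625/4624 records; the field names `time`, `id`, `user`, `ip` and `logon_type` are assumed export columns (as from Get-WinEvent piped to CSV or JSON), not a fixed Windows format. One caveat the filter accounts for: with NLA enabled, rejected RDP credentials are logged with logon type 3 (network) rather than 10 (remote interactive), so filtering on type 10 alone misses exactly the hardened configuration.

```python
"""Spot password guessing against RDP in Windows Security failed-logon events (ID 4625)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Failed RDP attempts show up as 4625 with logon type 10 (RemoteInteractive) on classic RDP,
# or type 3 (Network) when Network Level Authentication rejects the credentials first.
RDP_LOGON_TYPES = {3, 10}


def _event(time, user, ip, logon_type=3, event_id=4625):
    # Assumed export columns (e.g. Get-WinEvent exported to CSV/JSON); not a fixed Windows format.
    return {"time": time, "id": event_id, "user": user, "ip": ip, "logon_type": logon_type}


# Constructed sample, not real logs: one internet address spraying twelve account names in
# under three minutes, a LAN user mistyping a password twice, a slow guesser that stays below
# the default threshold, and one successful logon (4624) that must be ignored.
SPRAYED_ACCOUNTS = ["administrator", "admin", "backup", "scan", "test", "user",
                    "guest", "sql", "rdp", "support", "it", "office"]
SAMPLE_EVENTS = (
    [_event(f"2024-03-01T02:{14 + i // 4:02d}:{(i % 4) * 15:02d}", name, "203.0.113.45")
     for i, name in enumerate(SPRAYED_ACCOUNTS)]
    + [_event("2024-03-01T08:01:10", "j.berzins", "10.0.0.12", logon_type=10),
       _event("2024-03-01T08:01:25", "j.berzins", "10.0.0.12", logon_type=10),
       _event("2024-03-01T08:02:00", "j.berzins", "10.0.0.12", logon_type=10, event_id=4624)]
    + [_event("2024-03-01T03:00:00", "administrator", "198.51.100.7"),
       _event("2024-03-01T03:20:00", "administrator", "198.51.100.7"),
       _event("2024-03-01T03:40:00", "administrator", "198.51.100.7")]
)


def detect_rdp_bruteforce(events, threshold=10, window_seconds=300):
    """Return {ip: {...}} for every source that produced at least `threshold` failed RDP
    logons inside any span of `window_seconds`; a handful of typos never reaches the bar."""
    window = timedelta(seconds=window_seconds)
    by_ip = defaultdict(list)
    for ev in events:
        if ev["id"] != 4625 or ev["logon_type"] not in RDP_LOGON_TYPES:
            continue
        by_ip[ev["ip"]].append((datetime.fromisoformat(ev["time"]), ev["user"].lower()))

    findings = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        times = [t for t, _ in attempts]
        start, peak = 0, 0
        for end in range(len(times)):            # sliding window over the sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            findings[ip] = {
                "attempts": len(attempts),
                "peak_in_window": peak,
                "accounts": sorted({user for _, user in attempts}),
            }
    return findings


if __name__ == "__main__":
    for ip, info in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(f"{ip}: {info['attempts']} failed RDP logons, {info['peak_in_window']} within "
              f"5 min, accounts tried: {', '.join(info['accounts'])}")
```

With the defaults only 203.0.113.45 is reported; lowering the threshold to 3 over an hour also catches the slow guesser at 198.51.100.7 while the LAN user’s two typos stay below the bar. A long list of distinct account names from one address is the password-spraying pattern the Dharma operators rely on, and any such finding against an RDP service reachable from the internet is a reason to take it offline first and investigate second.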
Install antivirus software: installing and updating antivirus software stops most known malware. New variants appear every day, so keep both the signatures and the program itself up to date.
Do not open e-mails from unknown senders or suspicious attachments. Much malware arrives as an e-mail attachment and runs as soon as the attachment is opened. If you receive a suspicious e-mail, do not open its links or attachments, and verify the sender’s legitimacy through another channel.
Delete cookies and do not save or synchronise passwords on public computers. It is good practice not to access your private or work e-mail, or file-sharing services such as Dropbox, from public computers. If this cannot be avoided, log out of these services at the end of the session.
Use a firewall to protect your devices from unauthorised access, and block inbound connections to services such as RDP and SMB that do not need to be reachable from outside.