A Complete Guide to Ransomware and Malware

What is malware?

In cyber security malware is a blanket term for any type of intrusive computer software that is specifically designed to cause unwanted or unwelcome issues to a computer system. The term is an abbreviation of Malicious Software.

Malware is designed to cause damage and is largely used by cybercriminals to attack a computer’s core functions, spy on activity, or steal, tamper with or damage data. It can affect a single device or an entire network.

Examples of malware

Viruses – These are strings of code which attaches to code within a piece of software, corrupting it so it spreads throughout the system.

Worms – This is a piece of software that reproduces itself and moves from computer to computer.

Trojans – A piece of software that disguises itself as something useful, so the user activates it enabling it to spread through the network.

Spyware – This gathers data on a specific user which it then sends to a third-party.

Ransomware – This software enables cybercriminals to gain access to the system and encrypt the data. They demand a ransom in bitcoin to restore it.

Rootkit – This is a series of tools that enables a hacker to gain access over a system whilst simultaneously hiding their presence.

Backdoor/Remote Access – This enables the hacker to gain access to your computer or network from anywhere in the world.

Adware – This software directs the user to constant advertisements which themselves may download more malicious software to the computer.

Key Loggers – This is a form of spyware which records keystrokes, making it easy for cybercriminals to obtain passwords.

How does malware work?

In essence malware, as a piece of software, needs to be installed onto the machine in order for it to do the ‘job’ it is designed for. This software is generally installed without the user being aware.

There are various ways that malware gets onto a computer system including:

USB drives – Inserting a USB into the computer without being aware of its source can be an easy way for hackers to infect a machine.

Phishing – Sending an email – supposedly from a legitimate source – with a link to click on or an attachment to open which are malicious, is an effective way to download malware.

Drive-by-downloads – Some websites when visited will automatically install malware to your computer without any interaction from the user.

Even with anti-malware cybersecurity software installed some malware can get through, and with new strains of malware which include evasion and obfuscation techniques, they changes their code making them increasingly more difficult to identify and therefore remove from the machine.

Other malware includes anti-sandbox technology which means it is able to identify when it is being analysed by the anti-malware software and therefore remain dormant until the analysis has ended. New Malware developments mean that the hackers are creating software which is more able to avoid detection and therefore makes it more difficult to remove.

How dangerous is malware?

Our networks, PCs and mobile devices are a hub for our own personal data and sensitive information. The same can be said for company networks; there is an increasing reliance on computer networks and software to store and manage company data.

Malware infections and data breaches in the UK have the potential to become more of a problem than they currently are following the GDPR regulations. Not only is a data breach or cyberattack of any kind inherently damaging to PCs, networks and systems, but now they carry extra costs and risks.

Malware can cripple your business, no matter what type it is.

What does malware do?

Malware infects your devices and PCs in order to make money for their authors. Whether it is Adware that introduces popups or keyloggers that look at your login information, malware is insidious and intrusive.

How can you get malware?

Malware can be contracted from many different sources, and unfortunately, some aren’t even through your actions.

The main way is through malicious communications such as emails – unsolicited messages with dodgy attachments that when opened infect your system. However, they can also be found in seemingly legitimate applications, infected music files, new toolbars, software downloads and game demos too.

Some websites can perform a drive-by download of malware without you knowing about it – you enter a normal-looking, seemingly reputable site and in the background, something has been downloaded through that connection.

Mobile malware

Nowadays, we carry what is essentially a complex handheld computer in our pockets – in the form of a smartphone. On that smartphone, whether it is Android or iOS, we store reams of valuable data like personal information and financial details – and we do not protect our phone security nearly as diligently as we do our computers.

Mobiles can be infected in the same way as computers, but there are also instances of calls and messages with dodgy links or unreliable apps.

With billions of consumer-owned sophisticated handheld computers in use across the globe, malware authors can exploit weaknesses in mobile security – and can use that as a way past your business system security too.

How to detect malware

Malware is developing and growing every day to become more sophisticated and harder to detect on computer networks. So, even with anti-malware software some malware can still get through and sit on your computer waiting to strike.

To identify this, it is always a good idea to regularly run anti-virus scans of your computer which can be carried out from the security settings on your PC.

If this doesn’t show up anything, that doesn’t necessarily mean there is no malware present, but there are various warning signs that things are not running as they should be.

Keep your eye out for the following warning signs as they might help you find malicious software quickly and easily.

Detecting Malware in Computers

• Computer slowing down

Look out for unexpected or sudden slowness when browsing the Internet, running local applications or in just general day to day use.

• Unexpected Popups

Often, unexpected pop-ups are the types of malware that entices you to open a link because you have won some money. Be careful, as this is a common way that individuals find themselves exposed to a malware attack.

• Mysterious loss of disk space/increased system usage

When malware is lurking in the depths of your systems, there might be less available disk space, and programs may be unexpectedly running in the background – causing the fan to be on full and sluggish response times.

• Internet changes

You might notice your browser homepage changes or unusual toolbars, extensions and plugins appearing. Your actual internet usage might increase too – without you spending more time on the internet.

• Antivirus stops working

Some sophisticated malware can interrupt the service your antivirus provides, disabling it from working or from being updated so the malware can run without interruption.

Detecting mobile malware

Android operating systems make up over 80% of the mobile device market, and this makes them a wide target for malware. However, there are still some simple ways you can spot a possible malware issue on your smartphone or tablet.

• A sudden appearance of popups and invasive advertising

Since complaints have been made about popups on computers, Adware has been less and less rife in the PC world – but on mobiles, with their lacklustre security, a sudden influx of popups might mean that you have inadvertently clicked a nefarious link somewhere.

• Increase in data usage, strange charges on bills

Because malware does, in most cases, rely on sending information to a host via data or the internet, you will likely see an unusual hike in your data usage. This can also translate to charges on your bill for calls and messages as some malware can hijack these systems to call or message premium rate services, passing the cost on to your bill.

• Strange calls or messages to family and friends.

One of the ways mobile malware can be spread is through calls and texts to family and friends, with infected attachments or links

• Performance lags and phone overheating

In a similar way to computers, the processing capacity of mobile devices can be compromised when malware is present. This can cause lagging performance and overheating – in some cases, destroying the device.

With regards to iOS devices, malware is not a significant problem – the strict security measures that prevent users from downloading anything from anywhere else than the App Store (where Apple have closely vetted the apps available to download) means that creating malware that is effective against iOS security is very expensive. So, malware attacks are likely to be nation-state level targeted attacks. However, if you have a jailbroken iOS device, then you are more at risk of contracting malware.

How to prevent malware

There are many steps you can take to prevent any malware infection, and these should form part of your cybersecurity policy in both your personal and business space.

• When visiting a link, make sure the domain name doesn’t end in an odd-looking set of letters. When you are browsing the internet, don’t click on popups.
• Be aware of unsolicited emails and don’t open unknown attachments.
• If you are looking to get new software, get it directly from the developer and don’t trust cheap websites.
• In fact, avoid using Peer-to-Peer file transfer networks at all – they are hotbeds of malware activity and you really do not know what else you are downloading onto your PC.
• Make sure that you keep your operating system, browser, and plugins up to date as security patches are being brought out by their developers to protect users from malware.

The biggest protection you can have for yourself and for your business is good, active, cybersecurity software. This should offer real-time protection, AI learning and recognition of threats, removal and remediation as well as backup and restore facilities.

IT support for malware

If you would like some practical advice on keeping your computer systems malware free contact the team at CiS. We offer IT support for all forms of malware including anti malware protection, removing and more importantly preventing infection, working in partnership with cybersecurity experts Sophos.

What is ransomware?

Ransomware is a particular strand of malware that essentially holds data to ransom. The software is installed on a machine and can sit in the background for months before it is activated. It then encrypts all the data on the machine, meaning it is inaccessible until a ransom is paid in bitcoin.

It is the fastest growing malware threat, and no one is safe; from domestic users, solopreneurs to multi-national corporations. In 2020 ransomware attacks are thought to have cost more than $20billion a rise of $8.5 billion on 2019.   Each incident is thought to have cost the individual involved $8,100 not including business downtime, lost revenue and potential GDPR fines if the attack was thought to constitute a data breach.

Many businesses do pay the ransom asked, as they are worried by threats of the data being published on the dark web, or the impact on their business if the data is lost. Whilst some who pay are given the decryption keys to access their data once more, not everyone does. Paying the ransom, however, puts you on the hackers’ radar and could mean you would be continually targeted.

How does ransomware work?

There are a few types of ransomware that have been recognised, but the idea is that the cybercriminals get access to data, and prevent you from accessing or protecting it, asking for money for it to be released. Below is a ransomware guide to all the forms you could be victim to.

• Scareware: a popup appears on your screen telling you that malware has been detected and you need to pay for it to be removed. This often poses as security software or tech support chats and is relatively harmless as no data is being held ransom
• Screen Lockers: When a user logs into their computer, they are locked out from the system entirely, and there is often a page displayed that informs them they have broken some law and need to pay a fine to get access to their system.
• Doxware: data and personal information are being held, and if money is not paid, then it will be released on the internet. A form of blackmail, this is especially hard for individuals rather than businesses.
• Encryption: in this ransomware attack, data is collected and encrypted, with the key held remotely. Access to the key – and the ability to decrypt the files – is offered in return for payment. This ransomware is dangerous as no software or any form of backup/restore process can get the data back – and even if you pay the ransom there is no guarantee that you will receive access to the data.

Ransomware was first noted in the late 1980s when malware known as PC Cyborg encrypted all the files in the C: directory after 90 boots. To unlock the directory, £189 had to be mailed to a specific address. This encryption software was simple to reverse if one was tech-savvy.

The next widespread ransomware attack was a screen locker known as WinLock in 2007. Infected systems displayed pornographic images, and the only way to remove them was via paid SMS.

Then came the most well-known screen locker ransomware – the Reveton family presented users with a screen bearing imagery that looked as if it belonged to the FBI or Homeland Security, accusing users of hacking, committing fraud, or in some cases, child pornography. To avoid prosecution, they had to pay a large fine in the form of a prepaid card – anything from $100-$3,000.

From 2013 onwards, ransomware became more sophisticated, with military-grade encryption and remote servers providing extra layers of complexity – and data under threat of deletion. Cryptolocker, WannaCry and Petya, along with GandCrab are some of the most well-known ransomware threats – in fact, it is believed that GandCrab has made the authors over $300,000,000 in paid ransoms since 2018.

How common is ransomware?

Initially, ransomware was targeted at individual users, often these people lacked sophisticated protection, so it was relatively easy to infect them.

However, it soon became apparent that big businesses would pay big money to protect their sensitive data – and that was where more sophisticated attacks began to happen.

A study completed by Malwarebytes (a cybersecurity software program) suggests that in the UK, ransomware detections went up by 365% between 2018 and 2019, so protecting yourself and your business from this specific type of attack is going to be beneficial.

Ransomware attacks are still mostly focused on Western markets, with the US, Canada and UK the top three targets. However, with the wider PC adoption throughout the rest of the world and relative wealth increasing, we can see the Eastern markets becoming more of a target.

How does ransomware spread?

Ransomware spreads in the same ways as other malware.

Infected websites, game demos, unexpected emails with attachments – and sometimes even photos – software, legitimate applications that aren’t regularly patched or updated, new toolbars, music files…

If a ransomware author is determined to get at your data, there are so many ways they can get in – and not all are due to user error.

What to do if you get ransomware

The first thing to remember is that if you are infected by ransomware of any kind, do not pay the ransom.

This has always been the advice of cybersecurity experts, but now has the backing of major lawmakers such as the FBI.

Paying the required ransom encourages these cybercriminals to attack more businesses and/or consumers, continuing the problem.

With some ransomware, free decryption programs are available, so you may be able to retrieve and recover at least some of the data that is being held hostage. Do not attempt to decrypt the data yourself; ask a cybersecurity or IT expert to ensure that you are not likely to make the situation worse.

If you have fallen victim to a screen locker attack, a full system restore or a scan from bootable CD or USB might be all it takes to get back into the system.

For a full decryption attack, you might be wisest to cut your losses and do a full remediation and removal of threat using sophisticated software. You will not necessarily get your files back, but you will be free of that malware.

How to prevent ransomware

On a personal level, if you are looking to protect yourself from ransomware specifically, following the general advice regarding avoiding any malware infection is good enough to encompass the ransomware threat.

However, if you are a business, and therefore a larger target for ransomware attacks, there are some more specific steps you can take. It is estimated that a data breach costs an average of $3.86m, including remediation, penalties, and ransoms.

• Network Segmentation: Network segmentation, divides a large network into smaller more manageable sections. By keeping data on individual separate, smaller segments of the network reduces the attack surface and makes managing the fallout easier and less damaging for your business.
• Principle of Least Privilege (PoLP): This allows users and systems, access to the minimal essential systems and admin rights needed to complete their usual work. This means that should a computer be infiltrated, the malware will cause limited damage.
• Educate Users: Educating the users is key in the fight against malware and ransomware as often they are the weakest link. Reiterate the importance of not clicking on links or opening attachments from unsolicited emails as well as the potential impact of doing so. This threat is also a key consideration with handheld devices and SMS messages which appear to be from a genuine sender. Additionally, enforce secure user passwords and introduce Multi-Factor Authorisation.
• Update Software Regularly: Although having the latest and most efficient software is a great start, it should be an ongoing process. It is important to ensure that patches and updates are applied regularly, both in end-user environments and throughout the organisation. Often these can be set up to run automatically when they are released.
• Remove Obsolete Software: In the same vein as maintaining software updates, so-called abandonware is a risk to your cybersecurity – if it is no longer supported then get rid of it. Malware authors love unsupported software because there are so many opportunities for exploitation. Additionally, if you know your software needs updating, you should seek an updated alternative. Removing any software will also help to speed up slower machines and increase RAM.
• Back up regularly: Whether you back up to the Cloud, or to a USB or external hard drive, make sure you back up all your systems as regularly and securely as is feasible for your business. When you have completed the backup, disconnect from the archive area to reduce the risk of infection. Backup tapes should be stored off-site rather than on the same servers ensuring they are available regardless of what happens.
• Invest in Cybersecurity: Considering the potential losses you can incur should you be the victim of a malware attack, investment in cyber security is a no-brainer. Look for anti-malware software that offers real-time protection, learns through experience and can shield vulnerable programs as well as block ransomware. It should offer regular monitoring of files, downloads, clicks and anything else. You can get advice from our team and explore our cyber security services here.

If you need more information about any aspect of protecting your systems from cyberattacks, then contact the team at CIS. We are experts in protecting businesses using our software, infrastructure and Cloud solutions – and we can help your business too.

Ransomware protection

Protection against ransomware is better than being able to remove it after the fact, as there is no guarantee that all data will be decrypted or that it hasn’t been breached. And as the software encrypts your data, simply removing the ransomware doesn’t remove the damage caused.

Although having data backups is one of the best defences in the fight against ransomware, by reverting to an older back-up before the ransomware was on the system, they are not always the most convenient. Any data created or changed since the last backup will be lost which is why it is important to update regularly.

As ransomware is evolving every year to become harder to detect it is important to have the most up to date anti-ransomware software and ensure that this is maintained and updated regularly. A large number of anti-ransomware software no longer looks for known threats but instead monitors and blocks any malicious behaviour or access requests from unknown sources.

So, prevention is the way forward. Here at CiS we have partnered with Sophos Solutions to offer a solid protection against malware and ransomware. This is essentially protective software backed up by a qualified team of cyber security experts whose sole job is to keep your systems safe.

IT support for ransomware

With ransomware attacks on the increase, it is important to ensure your business is protected. If you would like some practical advice on keeping your computer systems ransomware, contact the team at CiS.