
How should businesses and individual users respond to ransomware?

Ransomware ender 2022/1/19

Ransomware has re-emerged as a global focus. On May 10, Colonial Pipeline, the largest refined oil pipeline operator in the United States, was hit by a ransomware attack that forced it to shut down the key fuel network supplying the states along the east coast of the United States. This was not a one-off event: since WannaCry swept the globe in 2017, ransomware has become a global security problem.

Although ransomware attack activity declined slightly in the first half of 2021 compared with the same period a year earlier, ransom incidents still occur frequently: multiple well-known international companies have been extorted, and ransom amounts continue to reach record highs.


Ransomware stays active causing global losses of billions of dollars

On May 12, 2017, the WannaCry ransomware broke out worldwide, setting off a global worm storm. In the four years since then, ransomware has repeatedly targeted enterprises and individual users.

In the first half of 2021, traditional ransomware families such as GlobeImposter and the variant-rich Crysis family remained active, while newer families such as Phobos, Sodinokibi, Buran, MedusaLocker, Avaddon, LockBit, Ryuk and NEMTY also spread widely. Most of these families are characterized by multiple variants, highly targeted attacks and fast infection, and some, such as Sodinokibi and MedusaLocker, even show operations customized for domestic systems.


Common mistakes when dealing with ransomware

1. Continuing to use USB drives, external hard drives and other removable storage media on the infected host or server after the infection is discovered, which lets the ransomware spread further through these devices.

2. Trusting non-authoritative decryption methods or tools found online and repeatedly reading and writing files on the infected host's disk. This destroys the original file data in the disk space and further reduces the likelihood of correct data recovery.

3. Rushing to restore production without comprehensively checking network assets for viruses, so that remaining ransomware keeps spreading. After the system is reinstalled and the business is recovered from backup data, the victim suffers a second round of extortion.

4. Not retaining virus samples, log files and system images of the infected host, which makes it impossible to trace the event or analyze the virus afterward, and leaves no evidence when pursuing legal responsibility.
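Point 4 in practice, as an added example that is not part of the original article: a Python script that records the size and SHA-256 of every preserved file (samples, logs, images) and later reports anything altered, removed or added. The function names and the sample files are constructed for illustration.

```python
import hashlib
import json
import os
import tempfile

def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large disk images do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:  # opened read-only: evidence is never written to
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_manifest(evidence_dir):
    """Map each file's relative path to its size and SHA-256."""
    manifest = {}
    for root, _dirs, files in os.walk(evidence_dir):
        for name in sorted(files):
            full = os.path.join(root, name)
            rel = os.path.relpath(full, evidence_dir).replace(os.sep, "/")
            manifest[rel] = {"size": os.path.getsize(full), "sha256": sha256_file(full)}
    return manifest

def verify_manifest(evidence_dir, manifest):
    """Compare the directory against a saved manifest and list every difference."""
    current = build_manifest(evidence_dir)
    changed = (p for p in manifest
               if p in current and current[p]["sha256"] != manifest[p]["sha256"])
    return {
        "missing": sorted(set(manifest) - set(current)),
        "unexpected": sorted(set(current) - set(manifest)),
        "modified": sorted(changed),
    }

def demo():
    """Constructed sample: a placeholder sample file and a log, then a simulated alteration."""
    with tempfile.TemporaryDirectory() as d:
        os.makedirs(os.path.join(d, "logs"))
        with open(os.path.join(d, "sample.bin"), "wb") as fh:
            fh.write(b"constructed placeholder, not real malware")
        with open(os.path.join(d, "logs", "security.log"), "w") as fh:
            fh.write("2022-01-19 10:00:00 constructed log line\n")
        saved = json.dumps(build_manifest(d), sort_keys=True)  # keep apart from the evidence
        with open(os.path.join(d, "logs", "security.log"), "a") as fh:
            fh.write("altered after collection\n")
        return verify_manifest(d, json.loads(saved))

if __name__ == "__main__":
    print(demo())
```

Store the saved manifest on separate media from the evidence itself, so that a later mismatch can be attributed to the evidence rather than to the manifest.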


In the face of emerging ransomware, both businesses and individual users should pay attention to cybersecurity measures and take proactive precautions. Follow the 'three don'ts and three dos' approach:

1. Don't take the bait: Don't open unknown emails with attractive titles

2. Don't open: Don't casually open email attachments

3. Don't click: Don't casually click on URLs contained in emails

4. Do back up: Back up important data

5. Do verify: Confirm the sender is trustworthy before opening emails

6. Do update: Keep system patches and security software virus databases up to date


Shanghai Six Productions specializes in data decryption recovery.
