Ransomware is a form of malware (a computer virus) that encrypts files, denies the user the ability to access their device, or both. There are many forms of ransomware, but nearly all lead to a demand for payment of a ransom for access to be regained. The ransomware may also be accompanied by the theft of data and a threat to post this information online.

Attacks typically come in the form of phishing emails, downloading free software, and remote access scams (where a threat actor, posing as a trusted source, is provided access to a device and installs ransomware whilst in control). Once the ransomware has been executed, such as by clicking on links or attachments, the criminals have largely automated their whole process. Pop-ups or other on-screen messaging will alert the user to “a virus” or “encryption” or the computer being "locked”. A contact point will be provided, typically with a short timeframe to respond to the ransom demand.

‍

This fact sheet will address the following:

Preventing Ransomware

Detecting Ransomware

Responding to Ransomware

Additional Considerations

Guidance Note:

This fact sheet may contain references to several third-party products and services. Please note that IDCARE does not have any affiliation with these services, and only provides named services in the interest of hardening your cyber resilience.

‍

Preventing Ransomware

Back up and Encrypt your Data: Ensure you back up and encrypt all of your data, both offline (to a separate hard drive) and in the cloud (through an online hosting service), as this minimises the impact of a ransomware attack by preserving access to your files.

Run Anti-Virus Software Frequently: Regularly run your anti-virus software and keep it updated to protect against the millions of new viruses created each year.

Keep Systems Updated: Always keep your operating system, devices, and applications updated to patch vulnerabilities that cybercriminals may exploit.

Enable Multifactor Authentication: Use multifactor authentication wherever possible to add an extra layer of security to your accounts, making it harder for unauthorised users to gain access.

Use Strong Passwords: Create strong, unique passwords for each account and store them securely in a password manager to prevent easy access by attackers.

Block Ads and Pop-Ups: To reduce the risk of inadvertently clicking on malicious ads that can lead to a ransomware infection. Note that some ad blocker extensions may be suspicious in origin, so its best to do this directly via your browser’s settings page.

Be Cautious with Freeware: Think twice before downloading freeware without checking its security, as these programs can often carry hidden malware.

Spot Phishing Emails: Familiarise yourself with how to identify phishing emails, which can trick you into providing sensitive information or downloading malware.

Don’t Provide Remote Access: Never grant remote access to your device if contacted unexpectedly by someone claiming to be from tech support or any service provider.

Educate Employees: Provide training to your employees on how to prevent and respond to ransomware and phishing threats, fostering a culture of cybersecurity awareness.

Discuss Network Security: If your business handles sensitive data, consult with your IT provider about implementing additional network security measures, such as network segmentation, to enhance protection against attacks.

‍

Detecting Ransomware

There are two ways to detect ransomware:

1. Your anti-virus software informs you that it has detected and prevented the malware from executing, or

2. On-screen messaging appears from the criminal demanding payment or some other form of action.

Be aware: If a ransomware message is received via email, be sure that is a genuine email and not simply a phishing attempt.

‍

Other signs of a Ransomware Infection:

Files Become Encrypted: One of the most telling signs of a ransomware infection is the sudden inability to access files. You may notice that files have changed extensions (e.g., from.docx to .locked) or that they cannot be opened without a decryption key.

Unusual File Behaviour: If files are being modified, renamed, or moved without your input, this may indicate that ransomware is actively encrypting your data. Additionally, the presence of new files with unfamiliar names or extensions could be a sign of malicious activity.

New User Accounts or Changes in Permissions: Ransomware can create new user accounts or modify existing ones to facilitate further access to your system. If you notice unfamiliar accounts or unexpected changes in user permissions, investigate promptly.

Access Denied Errors: Receiving "access denied" messages for files that were previously accessible can indicate that ransomware has altered permissions as part of its encryption process.

Backup Failures: If your regular backup processes are failing without clear explanations, it could indicate that ransomware is blocking access to files to prevent them from being backed up.

If you suspect a ransomware infection, it’s crucial to disconnect from the network immediately and consult with cybersecurity professionals for remediation.

‍

Responding to Ransomware

Disconnect your device immediately, including removing anything plugged into it (cables,USBs, dongles), disabling any wireless connections (Wi-Fi, Bluetooth, hotspot, or mobile data), and disconnecting from any other devices on your network (such as laptops, printers or modems).

Take photos (on a non-infected device) of any communications from the criminals, including pop-ups, payment demands, cryptocurrency wallet addresses and websites.

If your device is not responding, hold down the power button to switch it off.

Make sure the malware is removed from your device before reconnecting to the internet, joining a network, plugging anything back in, or installing backups of your data.

The ACSC has several tips to recover from a ransomware infection - which also includes how to remove ransomware from infected devices by reformatting the hard disk or initiating a factory reset of the affected device.

Note that if you do not have a backup of your data, a factory reset or reformat will completely wipe all data from the device.

You may wish to try to decrypt the files on your device. There are hundreds of ransomware types, and in many cases only the criminals have the tools to decrypt.

You can try:

1. Engaging an IT professional - see the ACSC tips.

2. Using free decryption tools online, including Crypto Sheriff, ID Ransomware, Emsisoft and Heimdal Security.

3. Accessing decryption services - these are by no means a guaranteed result and most cost money.

‍

If you are considering paying the ransom, keep in mind:

You are dealing with criminals, so there is no guarantee that your files will be decrypted, will not be shared online, or that you will not be targeted again.
In New Zealand, paying ransomware is not an offence, however it is not recommended for the reasons outlined above.
In Australia, there are grey areas surrounding the legality of paying ransomware. According to the Department of Home Affairs in their March 2021 report "At worst, payment of these amounts may be unlawful and involve committing a criminal offence."

‍

Additional Considerations

Remember that removing the ransomware from your device may not be the end of the attack on your business. Consider all the information that the cybercriminals had access to on your device and assume that all accounts have been compromised. This could include your emails, bank account details (including logins and customer reference numbers), tax file numbers, driver licence details, and superannuation details.

Information stored on your device most likely also includes information about your employees and customers. Contact your IDCARE small business adviser to discuss how to protect your employees and customers, and whether the ransomware infection is also considered a notifiable data breach.

‍

For additional support or information, contact IDCARE by submitting a Get Help Form or call 1800 595 160 (Aus) or 0800 121 068 (NZ).

Disclaimer

Identity Care Australia & New Zealand Ltd (IDCARE) provides identity and cyber security incident response services (the Services) in accordance with the following disclaimer of service:

IDCARE is Australia and New Zealand’s national identity and cyber incident community support service. IDCARE is a not-for-profit and registered Australian charity.
The Services provided do not constitute legal advice. IDCARE recommends that you consult your own legal counsel in relation to your legal rights and obligations, including but not limited to your legal rights or obligations under Australian and international privacy and data protection laws.
While every effort has been made to ensure the accuracy of the content provided, to the maximum extent permitted by law all conditions, terms, representations, and warranties (in each case, whether express or implied) in connection with the provision of the Services which might otherwise be binding upon IDCARE are excluded.
IDCARE’S liability for any loss or damage suffered by any person or organisation (including, without limitation, any direct, indirect or consequential loss or damage) arising out of or in connection with the Services (including without limited liability for any negligent act or omission, or statement, representation or misrepresentation of any officers, employees, agents, contractors or consultants of IDCARE) shall be limited to the fees paid by you to IDCARE in respect of the Services. For the avoidance of doubt, this limitation of liability extends to any liability arising from any actions performed or not performed as a result of any recommendations made in the course of providing the Services.
If you would like to provide feedback please use our Feedback Form.