“We guarantee we can PROTECT YOU FROM RANSOMWARE!”
Any vendor that says that or implies that is lying. There is no one magic happy pill, service, or device to stop ransomware. When done right guarding against ransomware is a combination of multiple technologies, backups, education good layered network design and human intervention.
Protected Harbor is a unique vendor because we don’t resell other company services, we engineer our own solutions. That depth of knowledge is a foundational difference between us and anyone else. The depth of technical ability allows us to write this document and solve the problem at the core and not band-aid the problem as others do.
What is a Ransomware attack?
Ransomware is the encryption of files, without knowing the password, and most of the time the encryption is self-executed for local files, network files and operating system files combined with Trojan installations to enable later additional data theft or additional attacks.
Most of us have used or made a password protected ZIP file before. ZIP files are a form of encrypted and compressed files. The encryption and compression process
works by mathematically removing the empty and repeated characters in the data using password. The mathematical formula uses the password as a seed and applies a
compression algorithm to the data, securing and reducing the data. Using this technique, a ZIP file is both secure, because without the password it can’t be decrypted and smaller in size.
A Ransomware attack at its core is where the organizations data files have been encrypted using a similar technique to a password protected ZIP file. Typically,
ransomware attacks encrypt one file at a time. Ransomware attacks can be devastating because the data once encrypted is not recoverable. Initially versions of ransomware attacks targeted local files on local computers, but more recent attacks have caused greater damage by targeting network folders and operating system files.
Once an operating system file is infected the server or PC will never work right and should be totally reformatted and recreated.
Ransomware attacks also attempt to install infected files, also called Trojans. The Trojans are used to later attack the computer or server again and or are used to
monitor the infected system to steal data. Some Trojans don’t directly attack but instead run in background monitoring and sending new data. This is what occurred at the Sony attack; Modern cleaning tools like Malwarebytes do a good job at removing infected cookies and web attacks but do not clean operating system files very well, which is why we always recommend not cleaning a PC or Server but rebuilding it.
How does a Ransomware attack occur?
But how did it occur? How did it get in? Virtually all of the time the attack is self-started, meaning the attack was triggered by a trusting employee. Most Ransomware attacks start via email. An external email server or email account is compromised, and the compromised account is then used to send out infected emails.
Image is an example. The email itself it not infected. The email account is legitimate, and at the time the email server amegybank.com was not flagged as a spammer – meaning this email would have passed through most firewalls, filters and blocking services.
The infection is the attached HTML file. The attached HTML file is the payload. The HTML file will look to many anti-virus programs as a web cookie or bot, i.e. a
legitimate attachment. Bots or payloads can take many forms, Macros in Word, Excel or PDF files are typically used.
A payload is a small piece of programming code designed to look like a legitimate web from a web site. Once the end-user clicks on the attachment the payload is activated. Once active the payload will download from a remote site the actual attack. The attack will be a larger program that is also designed to slip through firewalls and content filters, this program will start to encrypt files and also will look for links to remote data, either remote server (RDP for example) login information, web site links with stored passwords, FTP or STP file transfer links, virtually any form of data connection is attempted. The attack is designed to find as much data as is possible, the more data that is encrypted the more the infected company is willing to pay.