The ransomware attack is one of the most common types of cybersecurity attacks enterprises face. Obtaining the encryption key to unlock the files being held for ransom can be a scramble. Before panic sets in, a savvy cybersecurity team will rely on its ransomware preparation. A company needs to be prepared; otherwise, its ability to function could be thoroughly disrupted.
Knowing how to detect, respond to and remove ransomware — should an attack occur — is essential for minimizing damage to the business and its reputation.
Can ransomware be removed?
The short answer is yes, no and maybe. Consider the following scenarios:
If the in-progress attack is detected and blocked before it can lock out important systems and data, the answer is yes.
If the attack code is sufficiently powerful and can bypass security measures and capture critical assets, the answer is probably no.
If the user has access to powerful decryption software to break the lock, the answer is maybe.
Timing is a critical element in stopping a ransomware attack. As soon as it is detected, suspicious code must be quarantined and analyzed for ransomware signatures. It should be removed or retained for further analysis.
Many available tools can perform these actions. If a strong encryption code is used, the real challenge for a victimized organization becomes breaking that code.
How to remove ransomware
Yes, ransomware and other malicious code can be removed from a system, but it might require powerful software to do the job. The most important step is to have anti-ransomware software installed throughout an IT infrastructure, from host systems to endpoints.
Suitable measures must be in place to prevent ransomware code from entering a network. Firewalls as well as intrusion detection system (IDS) and intrusion prevention system (IPS) technologies present the first barrier. Each device should continuously scan incoming and outgoing data packets and analyze them against known malware code signatures. When a hit is detected, the systems issue an alarm, log the event, and attempt to contain and quarantine the malware for further analysis. Much of the subsequent activity is typically displayed on a dashboard, enabling a security team to monitor progress.
Anti-ransomware software works with existing cybersecurity resources to further address the suspicious code. If the malware somehow bypasses the initial screens, such as entering through edge devices, anti-ransomware software acts quickly to minimize further damage through the following actions:
Detection and analysis. Anti-ransomware tools increasingly use AI and machine learning (ML) to analyze system operations. They attempt to identify unusual activities, such as mass file encryption or unauthorized file access. AI/ML capabilities use behavioral analysis and predefined algorithms to detect ransomware signatures. Progress is displayed on a system dashboard, and activities are recorded for subsequent analysis and audit.
Blocking and containment. Assuming the suspected ransomware code has been detected, the software isolates the infected files, systems and/or processes. This prevents further damage. The software could employ techniques such as cutting off the malware’s access to the rest of the system or quarantining the infected files. With the ransomware code contained, removal efforts can begin. Further tests by the security software should be performed to ensure there is no lingering or hidden code.
Decrypting locked files. On the assumption that attackers have successfully locked systems and/or files and delivered their ransom message, it is time for the anti-ransomware software to try to decrypt the malware lock. The in-use software might have powerful decryption tools, or it might be necessary to use an alternate decryption tool, possibly from an experienced cybersecurity professional. If a decryption tool is successful, an organization might be able to recover the assets. Still, the files should be carefully checked to ensure they are intact. On the chance that all decryption efforts fail, recent backups will save the day.
Real-time protection. Anti-ransomware software will likely have its own real-time monitoring capabilities, which can prevent ransomware from executing and attaching itself to various assets. It can block suspicious files, links or downloads. To be effective, this software must be activated as soon as possible.
System and file recovery. When files have been successfully decrypted, anti-ransomware tools should include recovery features that help restore encrypted files so they can be used again.
Notification and reporting. While cybersecurity systems address a ransomware attack, progress is typically monitored in real time and displayed on a dashboard. This is also where AI/ML technology is effective: It provides greater detail on exactly how the ransomware was handled and its characteristics. It should generate reports for subsequent review and audit.
Post-event support. An important attribute of cybersecurity systems — especially those that incorporate AI — is their ability to log event details and make use of forensic tools to analyze the attack and identify vulnerabilities. This information can be merged with other functions, such as the ability to analyze past attacks for comparisons, to help improve security measures for future incidents.
Anti-ransomware software performs multiple functions, including an initial shield alongside existing cybersecurity defenses, a first responder to mitigate damage during an attack, and a protector that establishes and refines defensive measures moving forward.
There are six key steps in a malware recovery plan.
How to detect a ransomware attack
A defense-in-depth cybersecurity strategy is perhaps the best way to detect, prevent and — if needed — eliminate ransomware. Attacks can come from many directions, such as someone clicking on an email attachment or URL, or malware entering a network at its front end. Effective detection comes from a combination of tools, processes and vigilance, as noted below:
Behavioral analysis. Cybersecurity systems must go beyond searching for code anomalies. It is important that they identify abnormal behaviors, such as unexpected mass file encryption, changes to file extensions or abnormal network activity.
Signature-based detection. Access to known ransomware signatures can help identify malicious software, assuming the signature databases are kept up to date. Be sure your security team stays current with patching and rule updating so that systems can detect newer strains of ransomware.
Active, real-time scanning and monitoring. All points within a network infrastructure must be continually scanned and monitored for suspicious activity. Endpoint detection and response (EDR) and extended detection and response (XDR) tools extend the reach of cybersecurity products to every point in a network. This is how ransomware can be detected and addressed before it does damage.
Firewalls and IDS/IPS. Typically the first line in a defense-in-depth security strategy, IDSes and IPSes examine incoming and outgoing network traffic, identify anomalies or patterns consistent with ransomware attacks, flag them for further action and prevent them from causing damage.
Examining access control logs. Access logs are essential detection tools. They can reveal unauthorized access attempts or changes to sensitive files, which could be indicators of ransomware activity.
Active monitoring of file integrity. File-monitoring capabilities detect unauthorized modifications to files or directories. Those modifications could be indications of ransomware activity.
Advanced threat detection using AI/ML. Today’s anti-ransomware tools use AI and ML resources to identify ransomware through powerful behavior analytics that can identify new and unknown variants.
Real-time, active anomaly alerts. Cybersecurity tools can deliver ransomware detection alerts via dashboards, text messages, phone calls and even audible signals.
Employee knowledge. Anyone can be targeted in a cyberattack. Organizations should conduct routine training so that every employee knows how to spot a potential ransomware attempt. Be sure everyone knows to watch for phishing schemes, suspicious email attachments and viruses.
Best practices on recovering from and preventing future attacks
The same preventive measures used in broader cybersecurity practices can be applied to ransomware, including the following:
Avoid connecting devices to an infected or suspicious network.
Avoid accessing websites that appear suspicious.
Refrain from opening attachments on suspicious emails, unless their identity can be verified.
Avoid clicking on links in emails, posts on social media or other potentially hazardous messages.
Never install pirated or unknown software and content without first having the code tested for malware.
Install anti-ransomware software on the system and keep it up to date.
Ensure that all security software is regularly patched.
Configure firewalls with strong security settings and regularly updated rules.
Deploy IDS/IPS and keep their rules and settings current.
Deploy EDR and XDR technologies.
Look for anti-ransomware tools that incorporate AI features to provide faster detection and resolution.
Back up files, applications and OSes in secure locations, such as cloud-based facilities, so they can be used to recover critical services following an attack.
Store files in separate external drives, such as solid-state flash drives, RAID storage arrays and network-attached storage, which can be integrated with cloud storage into hybrid configurations.
Continually monitor network traffic to identify and flag suspicious code patterns.
Establish technology disaster recovery (DR) plans to minimize damage from an attack once it has occurred.
Establish a process to ensure the recovery and retrieval of assets that might have been affected by ransomware.
Provide regular educational briefings on ransomware, including how to spot it, respond to it and prevent it from spreading.
Regularly test data backups and DR resources.
Ransomware tools
Numerous ransomware tools are available. Be sure to carefully examine their features and decryption capabilities. Products in the anti-ransomware market include Acronis Cyber Protect, Bitdefender, Comodo AEP, Malwarebytes Anti-Ransomware, ManageEngine Ransomware Protection Plus, SentinelOne, Trend Micro, Webroot, ZoneAlarm Anti-Ransomware and Zscaler.
Even the most powerful decryption tools might not be able to crack every locked file or system. That’s why backups of critical systems and files are essential.
When trying to unlock a ransomware-encrypted asset, a decryption tool can be useful. Ransomware decryption tools include Kaspersky, Emsisoft Ransomware, Trend Micro Ransomware File Decryptor, AVG, No More Ransom Project and 360 Total Security.
Remember that even the most powerful decryption tools might not be able to crack every locked file or system. That’s why backups of critical systems and files are essential.
Paul Kirvan, FBCI, CISA, is an independent consultant and technical writer with more than 35 years of experience in business continuity, disaster recovery, resilience, cybersecurity, GRC, telecom and technical writing.
