Ransomware: How to prevent and recover (ITSAP.00.099)

Alternate format: How to prevent and recover from ransomware (ITSAP.00.099) (PDF, 334 KB)

 

Ransomware RansomwareA type of malware that denies a user's access to a system or data until a sum of money is paid. is a type of malware MalwareMalicious software designed to infiltrate or damage a computer system, without the owner's consent. Common forms of malware include computer viruses, worms, Trojans, spyware, and adware. that denies a user’s access to files or systems until a sum of money is paid. Ransomware can infect your network and spread to all connected devices. Threat actors can deny your access to organizational files by encrypting your data, blocking your ability to log into organizational devices and using extortion methods to coerce you into paying the ransom to avoid your data being leaked.

Threat actors can purchase ransomware from the dark web. The malicious code for the attack is already written, eliminating the need for them to know how to write the code themselves. This is known as ransomware-as-a-service (RaaS). In addition, generative AI tools can help threat actors, with little or no coding experience, write functional ransomware. This publication provides tips to help your organization prepare for and recover from ransomware.

On this page

How ransomware infects devices

Ransomware can infect devices through malicious links or attachments found on unsecure websites, in phishing PhishingAn attempt by a third party to solicit confidential information from an individual, group, or organization by mimicking or spoofing a specific, usually well-known brand, usually for financial gain. Phishers attempt to trick users into disclosing personal data, such as credit card numbers, online banking credentials, and other sensitive information, which they may then use to commit fraudulent acts. emails and in social media applications. Threat actors often scout your networks for information they can exfiltrate and monitor your communication methods prior to deploying the ransomware.

If your device is infected with ransomware, you will receive a ransom notice on your screen indicating your files have been encrypted and are inaccessible until the ransom is paid. Threat actors will often threaten to permanently destroy or leak your data publicly if you do not pay the ransom in the time limit requested. They’ll often request payment in the form of digital currency, like bitcoin since the transfer would be difficult to trace. They may also request prepaid credit cards or gift cards.

Prepare your organization

Review the following steps to help prepare your organization to stay ahead of ransomware attacks.

Plan ahead

Develop an incident response plan to address how your organization will monitor, detect, and respond to an incident. Your plan should also include backup, recovery, and communications plans. Your incident response plan should designate roles for your employees and provide them with detailed instructions in the event of an incident. Your plan should be available offline in the event your systems are unavailable.

Prepare for recovery

Your organization should have a recovery plan in place. In conjunction with your incident response plan, you should test your recovery plan by conducting simulations or walk-through exercises. The scenario should test the effectiveness of your response and highlight areas requiring improvement.

Provide security awareness training for employees

Provide employees with tailored cyber security Cyber securityThe protection of digital information, as well as the integrity of the infrastructure housing and transmitting digital information. More specifically, cyber security includes the body of technologies, processes, practices and response and mitigation measures designed to protect networks, computers, programs and data from attack, damage or unauthorized access so as to ensure confidentiality, integrity and availability. and device management training to ensure they don’t fall victim to malicious activities such as phishing emails and infected downloads.

Offer tailored cyber security training to your employees (ITSAP.10.093)

Consider cyber insurance

Research cyber insurance providers and policy details to determine whether it would benefit your organization.

Protect your organization from ransomware attacks

Use the following guidance to protect your organization from ransomware attacks.

Enforce strong authentication methods

Activate phishing resistant multi-factor authentication Multi-factor authenticationA tactic that can add an additional layer of security to your devices and account. Multi-factor authentication requires additional verification (like a PIN or fingerprint) to access your devices or accounts. Two-factor authentication is a type of multi-factor authentication. as well as strong and unique passphrases or passwords on all devices and for every account. Consider using a password manager to create and store passphrases and passwords.

Backup your data

Implement a backup plan for your organization. A backup is a copy of your data and systems that can be restored and provide you with access to your critical systems in the event of an incident. Backups should be done frequently to ensure your data is as close to real time as possible. Create many security barriers between your production systems and your backups and ensure your backups are encrypted and stored offline without connection to the Internet or local networks. Threat actors can infect your backups with ransomware if they are connected to your networks, which will hinder your efforts to recover. Testing your backup process is also crucial to a quick and effective recovery.

Practice the principle of least privilege

Manage and monitor user accounts and access by applying the principle of least privilege Least privilegeThe principle of giving an individual only the set of privileges that are essential to performing authorized tasks. This principle limits the damage that can result from the accidental, incorrect, or unauthorized use of an information system. . Provide employees with access to only the functions and privileges necessary to complete their tasks.

Implement a Zero Trust security model

Use a Zero Trust (ZT) security model to protect data and infrastructure from unauthorized access. ZT security models work on the principle of applying zero trust to all users, applications, and devices unless they have authentication AuthenticationA process or measure used to verify a users identity. and authorization AuthorizationAccess privileges granted to a user, program, or process. . Authentication and authorization are reassessed continuously and verified each time access is requested to a new resource.

Zero Trust security model (ITSAP.10.008)

Restrict administrative privileges

Implement required confirmation for any actions that need elevated access rights and permissions and limit the number of users with administrative accounts and privileges. Ensure administrative functions are conducted from a dedicated administrative workstation. Consider implementing two-person integrity IntegrityThe ability to protect information from being modified or deleted unintentionally or when it’s not supposed to be. Integrity helps determine that information is what it claims to be. Integrity also applies to business processes, software application logic, hardware, and personnel. (TPI) or dual authentication to validate and verify sensitive administrative tasks.

Managing and controlling administrative privileges (ITSAP.10.094)

Update and patch systems and devices

Check for updates and patches to repair known bugs and vulnerabilities in your software, firmware, and operating systems. Threat actors can exploit unpatched or unsupported systems and devices easily.

How updates secure your device (ITSAP.10.096)

Deactivate macros

Ensure you deactivate macros as your default to reduce the risk of ransomware being spread through Microsoft Office attachments. Newer versions of Microsoft will deactivate macros from the Internet by default.

Segment networks

Divide your network into several smaller components. This makes it more difficult for ransomware to spread across the entire network.

Top 10 IT security actions: No. 5 segment and separate information (ITSM.10.092)

Set up security tools

Install anti-malware and anti-virus software Anti-virus softwareSoftware that defends against viruses, Trojans, worms, and spyware. Anti-virus software uses a scanner to identify programs that may be malicious. Scanners can detect known viruses, previously unknown viruses, and suspicious files. on your devices to detect malicious activity and secure your network with a firewall FirewallA security barrier placed between two networks that controls the amount and kinds of traffic that may pass between the two. This protects local system resources from being accessed from the outside. to protect connected devices. Consider installing Domain Name System (DNS) filtering on your mobile devices to block out malicious websites and filter harmful content. You can also implement Domain-based Message Authentication, Reporting and Conformance (DMARC), an email authentication and reporting system that helps to protect your organization’s domains from spoofing, phishing, and other malicious activities. Ensure users access your network using your virtual private network Virtual private networkA private communications network usually used within a company, or by several different companies or organisations to communicate over a wider network. VPN communications are typically encrypted or encoded to protect the traffic from other users on the public network carrying the VPN. (VPN VPNSee virtual private network. ).

Seek professional cyber security assistance

Engaging with a cyber security professional early on may allow you to recover your systems and data more quickly than relying on your internal IT staff when facing a cyber incident Cyber incidentAny unauthorized attempt, whether successful or not, to gain access to, modify, destroy, delete, or render unavailable any computer network or system resource. .

How to recover from a ransomware attack

Consider the following steps to help remove and reduce the spread of ransomware.

  • Isolate the device immediately: Take your devices offline to stop the ransomware from spreading to other connected devices. Some strains of ransomware are designed to stay dormant on a device and quietly spread to other network‑connected devices before encrypting the files. In these cases, you may not be able to stop the ransomware from spreading.
  • Report the incident: Report the ransomware attack to local law enforcement, the Canadian Anti-Fraud Centre and the Canadian Centre for Cyber Security. Communicate the incident to the employees who are listed in your incident response plan and give them clear direction as to their roles and responsibilities to help manage the incident.
  • Change passwords: Reset credentials including passwords on all systems, devices, and accounts. Threat actors often save this information for future attacks. Consider using passphrases on your devices as they are more secure and easier to remember.
  • Identify the type of ransomware: Use the information in the ransom note (such as listed URLs) and the new file extensions your encrypted files inherited, to research possible reoccurring attacks and identify the ransomware.
  • if you locate a decryption tool online, or law enforcement is able to provide you with one, proceed to the next step
  • if there is no decryption tool available online for your strain of ransomware, safely wipe your device and reinstall the operating system
  • Remediate the point of entry: Before connecting your systems and devices back to your network or internet, identify how the threat actor entered your network, systems or devices and apply security measures to prevent a repeat attack.
  • Restore from your backup: Analyze your backup files and ensure they are free of ransomware or any other malware. Store your backups offline to mitigate the chance of ransomware infecting your backup files. Once you are confident, restore your systems and devices from your secure backup.
  • Update and patch: Apply any available updates to your devices, hardware, and software. Patch your operating system and ensure all anti-virus, anti-malware, and firewall software is up to date.
  • Review the incident and provide ongoing training: Review the incident with your employees and provide ongoing training that addresses preventative actions against ransomware attacks, such as learning how to identify suspicious emails and attachments. Use common threat examples and past occurrences to keep up to date and prepared for the future.

Risks of paying the ransom

The decision to pay a cyber threat Cyber threatA threat actor, using the internet, who takes advantage of a known vulnerability in a product for the purposes of exploiting a network and the information the network carries. actor to release your files or devices is difficult and you may feel pressured to give in to the demands of the threat actor. Before you pay, contact your local police department and report the cybercrime. Paying the ransom is not usually advised, due to the following:

  • it will not guarantee you access to your files as threat actors may demand more money despite receiving the first ransom payment
  • it encourages threat actors to continue infecting your devices or those of other organizations with ransomware as they assume you will continue to pay with each attack
  • threat actors can use wiper malware that masquerades as ransomware to alter or permanently delete your files once the ransom is paid, making them unrecoverable
  • your data has likely been copied and the threat actor can leak it for profit or use it to continue to extort you
  • your payment may be used to support other ransomware attacks or terrorist organizations

Learn more

Consult the following guidance to learn more about the key points we have identified:

Date modified: