make a good business better

Resource Center better insights

Print Divider Print Divider Branding

Ransomware: What to do when your files are held hostage



Social Logo Social Logo Social Logo Social Logo

By Jessica Mantz

Imagine working at a financial institution when suddenly your computer stops working and a message appears demanding hundreds of thousands of dollars to regain access to the company’s proprietary files. Or think about a hospital targeted by hackers who shut down its network and demand vast sums of money in exchange for handing back sensitive patient data.

These situations, known as ransomware infections, are not only real, they’re a rapidly increasing threat. New data from Kaspersky Lab finds a fivefold increase in ransomware attempts in the last year alone, to more than 700,000.

Ransomware is malicious software (malware) that restricts or denies the use of an infected system and demands a ransom be paid in order to regain full access to the system and its data. This leaves the victim with useless files locked away while criminals dangle a decryption key out of reach for a fee of about $500 or more per infected machine.

Ransomware not only encrypts files on a single system but can also affect data stored on removable drives or network file shares that are connected to an infected system. That means it doesn’t take long to infect numerous files, bringing critical business operations to a halt. Newer strains of ransomware may even delete files, slowly in intervals until time runs out, until no files remain or until a ransom is paid.

Many of today’s ransomware variants are distributed through a mass circulation of spam emails, known as a spam campaign. Threat actors try to trick victims into opening a malicious email attachment that downloads malware and launches the infection process. These emails appear legitimate and falsely claim to require action in response to an attached invoice, online order or other seemingly important document.

The attachments often come in the form of a .zip file that downloads malware once opened or a Microsoft Office document that includes malicious background code embedded in a macro. Macros are a programming feature in Microsoft Office files that allow for the automation of tasks. Upon opening a malicious macro-enabled Microsoft Office document, victims typically see scrambled text and a prompt to enable macros if the data encoding is incorrect. Files become encrypted and ransom notes suddenly appear on computer screens across the victim’s entire system.

Another tactic attackers use to distribute ransomware is malvertising, which works by placing malicious advertisements on valid websites. The advertisements prey on visitors with out-of-date, vulnerable software that allows attackers silent access to a person’s system.

A click is not required for a malicious advertisement to do its job. Once the advertisement loads on the webpage, the user is redirected to a separate website that hosts an exploit kit, capable of scanning the current browser to identify any out-of-date plugins or software vulnerable to attack, such as an old version of Internet Explorer and unpatched Java or Adobe Flash Player plug-ins. Once the program has spotted a vulnerability, the exploit kit seizes the opportunity to download malware to the victim’s machine. In the case of ransomware, files are locked and a ransom note appears with instructions on how to pay to regain access to your data.

There are many ways to mitigate the threat of ransomware in your IT environment. Here are some key steps to take:

Backup your data

Ultimately, one of the best things you can do is ensure that your organization has a robust and proven data backup process. Performing regular backups guarantees that a current backup of your data will be ready at a moment’s notice. Additionally, regularly testing backups is an important step in confirming that the backup will provide a successful recovery from a ransomware event. It’s also wise to store your backup data off-line in a secure location and to have multiple copies.

Keep patches current

Another way to guard against ransomware includes having an established vulnerability and patch-management process. Regularly scanning and patching vulnerable systems will protect your assets from falling victim to the kinds of exploit kits hiding in malvertising campaigns.

Educate users

You should also make certain that users are educated about the dangers of phishing emails, particularly the dangers of downloading attachments from suspicious external sources. If an email seems unwarranted and includes an attachment or link, it’s best to not click on anything. If possible, call the sender and verify that the email is safe and legitimate before opening or enabling any content.

Use an intrusion detection/prevention system

You can add another layer of security by employing an Intrusion Detection/Prevention System (IDS or IPS) with threat intelligence. These systems detect events in real time, enabling a quicker response from your team, thus limiting the time that ransomware has to spread.

Restrict user privileges

Because ransomware has the ability to encrypt data on mapped network drives, offering the least amount of access to users can help curtail data loss. By limiting user privileges, you will also limit what the ransomware is able to encrypt.

Lastly, it is strongly recommended that you never pay a ransom. For one thing, this funds cybercriminals and provides them with motive to continue to improve and distribute ransomware. It also does not guarantee that you will safely recover your files.

Jessica Mantz is a security engineer in the Information Security Practice at LBMC, a premier Tennessee-based professional services firm. Contact Jessica at

Ransomware Preparation Checklist

For the detailed steps your organization can take, download our “Ransomware Defense Checklist” developed by LBMC Information Security’s Managed Security Services analysts.