Ransomware: What is it? What to do? Where to turn to?

Updated on Monday, May 16, 2016


Ransomware is a type of malicious software (malware) that holds your data hostage. While a lot of malware is “silent” in that it does not give you any cues or clues that it is surreptitiously lurking in the background, ransomware is quite vocal.  After your system has been infected with ransomware, your computer display will show a notice which demands that you pay a certain amount of money in exchange for having access to your computer restored.  Ransomware actually encrypts your files (and, sometimes, the filenames and extensions).  What is more, your computer is often significantly locked down, save for interacting with the ransomware program.  (Please note: While terms such as “computer” and “system” are used here, ransomware has been reported to infect mobile devices and networked devices.)

Ransomware is not new—PC Cyborg, from 1989, is reported to be the first ransomware. However, with cybercrime on the rise during the last five years, ransomware has become prominent. More recent variants of ransomware include CryptoWall and CryptoLocker. The victims of ransomware have not just been consumers, but businesses of all kinds—even hospitals.

How computers become infected with ransomware depends upon the ransomware variant. A computer can become infected just by visiting a compromised website, as in the case of Reveton. Other types of ransomware, such as CryptoLocker, infect the victim’s computer through an infected e-mail attachment. Still other types of ransomware work by malvertising: your computer could become infected with this type of ransomware just by browsing a page with a malicious ad or by way of a pop-up with malicious content. Other types of ransomware may infect your computer if it has outdated software or plug-ins. So, updating your software and plug-ins and using ad-blocking software are some ways to help prevent a ransomware infection. Also, keeping your operating system software and firmware current may help as well. (Your IT department may even disable certain plug-ins to eliminate certain risks.) Yet other types of ransomware are

Additionally, the ransom demanded by the ransomware is not necessarily trivial. The ransom could be a few hundred dollars, thousands of dollars, or possibly more, and it may be demanded in the form of Bitcoin. And, the ransom may increase as time goes on. You may think: “This can never happen to me.” But, the reality is that ransomware is not necessarily “low tech”—it can exploit a vulnerability which is not known at the time to the software manufacturer. You may also think: “My anti-virus software is up to date. I have no worries.” But, again, new variants of ransomware are coming out all of the time which anti-virus software might not be able to detect and quarantine.

So, what can your organization do to help prevent or mitigate the effects of ransomware? Some of these measures include the following:

  1. Keep your operating systems, applications, plug-ins, and extensions current.  Apply patches and upgrades as soon as they are available.
  2. Don’t catch that phish.
  3. Segment your network.
  4. Conduct regular risk assessments and minimize your vulnerabilities.
  5. Make regular backups of your data. Verify the backups. Regularly test your disaster recovery plan.

Note: The key is to ensure that your backups are not reachable by any process running on your computer. Modern versions of ransomware will seek out your data, wherever it may be, to the extent it is technically feasible to do so. If you make your backups to an external drive, only connect it when backing up and verifying the data; disconnect the drive at other times. If you make your backups to the cloud, make sure that the cloud resource is not accessible, except when you are backing up and verifying your data. Another option is to back up your data off-site.

  6. Conduct mock exercises—do not wait until disaster occurs to test your plan.
  7. For every security incident that you have, think about the lessons learned and how your organization can become more resilient with people, processes, and technology. Be sure to address the gaps.
  8. Make sure that third-party systems that connect to your systems and networks have a robust security program in place. Cyber adversaries may be able to gain entry into your systems and networks via compromised third parties. Conduct adequate due diligence on these third parties.
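The backup discipline the note above describes (attach the backup medium only while copying and verifying, then detach it again), written out as an added shell example that is not part of the original article. The device (/dev/sdb1), mount point (/mnt/backup) and data directory (/srv/data) are assumed values; the verification step compares a SHA-256 hash of every source file against its copy, so a missing or altered copy is caught before the volume is detached.

```shell
#!/bin/sh
# Added example (not from the article): attach the backup volume only for the
# duration of the backup and its verification, then detach it again.
# Assumed (hypothetical) values: the backup disk is /dev/sdb1, mounted at
# /mnt/backup, and the data to protect lives under /srv/data.
set -eu
BACKUP_DEV="${BACKUP_DEV:-/dev/sdb1}"
BACKUP_MNT="${BACKUP_MNT:-/mnt/backup}"
DATA_DIR="${DATA_DIR:-/srv/data}"

# SHA-256 of one file; falls back to shasum on systems without sha256sum.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_backup SRC DST (both absolute paths): succeeds only when every file
# under SRC is present under DST with an identical hash. A file that is missing
# or whose contents changed (what an encrypting process leaves behind) fails it.
verify_backup() {
    src=$1; dst=$2
    [ -d "$src" ] && [ -d "$dst" ] || return 1
    bad=$(cd "$src" && find . -type f | while IFS= read -r f; do
        if [ ! -f "$dst/$f" ] || [ "$(hash_file "$f")" != "$(hash_file "$dst/$f")" ]; then
            printf '%s\n' "$f"
        fi
    done)
    if [ -n "$bad" ]; then
        printf 'verification failed for:\n%s\n' "$bad" >&2
        return 1
    fi
    return 0
}

# One backup cycle: mount, copy, verify, sync, unmount. The trap guarantees the
# volume is detached even when the copy or the verification fails.
run_backup_cycle() {
    mount "$BACKUP_DEV" "$BACKUP_MNT"
    trap 'umount "$BACKUP_MNT"' EXIT
    dest="$BACKUP_MNT/$(date +%Y%m%d-%H%M%S)"
    mkdir -p "$dest"
    cp -a "$DATA_DIR/." "$dest/"
    verify_backup "$DATA_DIR" "$dest"
    sync
}

if [ "${RUN_BACKUP:-0}" = "1" ]; then  # needs root and a real device
    run_backup_cycle
fi
```

Run with `RUN_BACKUP=1` to perform a cycle; outside that window the volume stays unmounted, which is the point of the note.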

Additionally, take advantage of the cyber threat information sharing sources that are available. Exchange information with your peers and others in your trusted network. Reach across to others to meaningfully exchange information and stay ahead of the threat. Join the HIMSS Healthcare Cybersecurity Community. Read the HIMSS Healthcare Cybersecurity Environmental Scan Reports. Other helpful resources include those which may be found at the Internet Crime Complaint Center.

What do you do if your computer is infected with ransomware?

If you are in the situation in which your computer is infected by ransomware, a first step would be to call the helpdesk at your organization. External resources, such as law enforcement and forensic experts, may be pulled in by your organization to address the situation. (To contact the FBI, the best way to reach someone who may be able to assist is through your local Field Office.) Other measures may be taken as well to ensure that the ransomware infection does not spread. Your organization may activate its contingency plan, in case you are not able to access the computer system or the data itself. To that end, it is essential to have recent and verified backups of your data and applications.