AvosLocker is the name of a type of ransomware and is also the name of the team behind the ransomware and stands out from most other ransomware strains due to their stance as ransomware for hire. The group advertises their services on the darkweb as well as providing pre-packaged solutions for off the shelf purchase. Their services include consultancy services for clients to assist with use of their product, as well as services to customize the ransomware for specific use cases and attack vectors. They also provide for-hire hackers to assist with network reconnaissance and payload deployment. The group charges in bitcoin and are fast becoming a criminal enterprise.

Currently most of the talk about AvosLocker is related to recent targets in against infrastructure. Reports from multiple sources indicate that North America, Europe, Middle East, and Asia-Pacific targets have been attacked, with the most popular attack vector being Microsoft exchange server. Indicators that a machine and/or network has been compromised include the following.

1. Modified Windows Registry "Run" Registry keys.
2. Encoded PowerShell scripts
3. A false PuTTY Secure Copy client tool “pscp.exe”
4. Rclone
5. A false AnyDesk appearing (If its not normally used on the network)
6. A false Advanced IP Scanner
7. WinLister

The main difficulty with the above forms of attack is often people are unaware of the strange deployment as many updates often add applications of this type without notice. A trend we think should be discouraged in favour of user notice and acceptance. Common Exchange Server vulnerabilities used to breach a target network include the following ProxyShell vulnerabilities:

• CVE-2021-31207 - Flaw within Mailbox export service, allows for malicious file uploads to the server.
• CVE-2021-34523 - Flaw within Powershell that allows execution of Powershell commands without access validation
• CVE-2021-34473 - Utilizes the Autodiscover service to scrape user information
• CVE-2021-26855 - Allows an unauthorized user admin access to the server

An additional note regarding the attacks themselves is there have been noted cases of victims receiving phone calls from the AvosLocker attacker pressuring the victim org to go to the Avos .onion site to pay the ransom. also text files named GET_YOUR_FILES_BACK.txt are created in every directory of the affected machines leaving a note and the .onion payment site, below is an example of such a message. Note that to access .onion pages requires the use of Tor or similar.

AvosLocker Attention! Your systems have been encrypted, and your confidential documents were downloaded. In order to restore your data, you must pay for the decryption key & application. You may do so by visiting us at http://avosjon4pfh3y7ew3jdwz6ofw7lljcxlbk7hcxxmnxlh5kvf2akcqjad.onion. This is an onion address that you may access using Tor Browser which you may download at https://www.torproject.org/download/ Details such as pricing, how long before the price increases and such will be available to you once you enter your ID presented to you below in this note in our website. Contact us soon, because those who don't have their data leaked in our press release blog and the price they'll have to pay will go up significantly. The corporations whom don't pay or fail to respond in a swift manner have their data leaked in our blog, accessible at http://avosqxh72b5ia23dl5fgwcpndkctuzqvh2iefk5imp3pi5gfhel5klad.onion

Thoughts and Recommendations Our recommendations regarding mitigation of this attack is pretty much the standard for preventing ransomware attacks. Harden your organizations network and all devices on it. Enforce social engineering training requirements for all employees. Maintain and enforce a disaster recovery plan, including items such as off site, and offline data backups. also Having a general network security policy is also key, so a security baseline is kept. I would like to emphasize that it appears that since the team behind AvosLocker has made such a well thought out "customer experience", that they may mostly be the hacker for hire types, largely attacking who they are paid to, so if they were paid the correct sum to attack Microsoft, they would, there is no reason to believe that any org is safe so precaution is key.

Gh0stCringe is what is referred to as a remote access trojan. remote access trojans are used to remotely take control of a desired target device. The delivery method for this type of malware varies. While there has not yet been a documented infection vector, it is my belief, due to the nature of the targets, , namely SQL and MySQL databases without strong login credentials and weak security, it is only a matter of time before its use is widespread.

When deployed, Gh0stCringe runs its initial program in the background to infect registry keys and obfuscate itself into sqlserver.exe, mysqld.exe, and mysqld-nt.exe. Once the malware has fully infected the machine it can then communicate with a predetermined control node via remote execution to exfiltrate data, act as a keylogger, execute commands, or even remotely install other malware. As an example, reports indicate that Gh0stCringe is being used to install cryptominers onto exploited servers.

Thoughts and recommendations

Gh0stCringe appears to be designed to target low hanging fruit on servers that aren't secured well, or where IT specialists are not well versed in SQL security. Immediate implementation of strong password and prevention of non local access should be implemented. Increased network and equipment security for connected devices to the SQL servers is paramount to preventing various types of attacks on SQL systems.

Iranian hacking group Blackshadow succeeded in penetrating the infrastructure of Israeli webhosting firm Cyberserve and proceeded to leak confidential client data on Telegram as proof of the breach. Blackshadow had posted a 1 million USD bounty as the ransom, stipulating a 48 hour time limit for payment. Cyberserve chose not to make the payment, and in response the group started leaking more documents to the public. The leak included 290000 medical records, as reported by i24news.tv, from the Machon Mor medical institute. It appears that of the known affected clients from Cyberserve, are Israeli based companies; Blackshadow has been known to use ransomware in the past against Israeli firms, and there is a strong suspicion that these companies are now at risk.

Jerusalem Post reported that Israeli authorities have pushed search engines and ISPs to block access to content related to Blackshadow and its posted/leaked documents. The secure message service from Telegram unsuccessfully blocked the group, and despite deleting Blackshadows Telegram account, the group made a new account and leaked even more captured data in response. The new leaked data included personal information from a Cyberserve travel agency client.

After researching Cyberserve, I have found that Cyberserve uses Tucows as their DNS registrar, and Cloudflare is their cloud services provider. This is important because Cloudflare has a history of being breached, with one of their most highly publicized events being the Cloudbleed vulnerability in 2017. To quote Tavis Ormandy of Googles Security Team at the time.Project Zero

"We fetched a few live samples, and we observed encryption keys, cookies, passwords, chunks of POST data and even HTTPS requests for other major cloudflare-hosted sites from other users."

Why this attack matters: this is just another example of what happens when providers do not implement and maintain minimum security controls and/or training to assist in mitigation of the timeframes an attack vector is available. As this was a ransomware attack, concerns and diligence needs to be maintained as social engineering attacks are likely from the released data, emphasizing the importance of strong social engineering awareness training every organization, big or small, should undertake on a regular schedule.

The above quote also raises concerns towards the security of Cloudflare. If a 3rd party cloud provider using virtually pooled resources such as virtual machines, containers or dockers either fails to protect confidential information within their own ecosystem as a prior article explains for Microsoft Azure and OMIGOD, or if data is leaked externally, like the issues faced on Cloudflare with Cloudbleed using a shared connection such as a reverse proxy, then organizations should think twice before using shared services when hosting sensitive data.

We recommend where the data is sensitive in nature, dedicated hardware is engaged in a secure cloud environment.

Social engineering is "the art of manipulating people in ways that result in them giving up confidential information. There are many different types of social engineering scams and schemes, but one area that is often overlooked is the helpdesk, or first contact assistance (as in a lawyer or accountant being engaged on a query).

The first step in such an attack is usually for the attacker to gather information about the organization that they are targeting. Information freely available on the Internet, and repeated in a way to engage the operator into releasing more. The attacker will usually use the information freely available on the internet to gain trust from the operator through the use of key words that link certain queues that connect the operator to release information as to who in the organization controls or handles the query type. They then continue the manipulation to figure out who within the organization is most likely to have elevated permissions or access sensitive information. An attacker can often get the freely available queues through a simple Google search or by querying business-oriented social networks such as LinkedIn or business Facebook accounts.

Once an attacker identifies a user whose credentials they want to steal, they can often obtain the email accounts from the business websites which connects them to the most common username possibility, the staff members email address. In the helpdesk situation an attacker may engage the operator by claiming they are the person from the organization and they cannot connect to the organization's Active Directory environment. Often an operator (especially when the helpdesk is a third party contractor) will tell you if you that the username is incorrect and provide the username information. This provides the attacker with a win for 50% of the battle.

When entered, the attacker will then say it is still not working, and a password reset may be initiated. If the attacker is sophisticated enough, they may have already obtained information from a leaked database and already have access to the email server where the password reset will be sent. Other options may include simply saying they never got the email and have the operator send it to their chosen phone number.

In several organizations security questions are used to combat the above scenario. However, it has been reported that security questions are largely ineffective. An experienced attacker can easily acquire the answers to security questions from any number of different sources. The Dark Web for instance, contains entire databases of answers to potential security questions and we know end-users often divulge way too much personal information on social media that provide the exact answers to security questions they use.

Some organizations have historically used caller ID information as a tool for verifying a user's identity. However, this method has also proven unreliable because cloud-based PBX systems make it simple for an attacker to spoof caller ID information.

Social engineering attacks are not theoretical attack vectors, they are happening in the real world regularly. Earlier this year, Electronic Arts was infiltrated by hackers who stole a large amount of data (including source code for the company's FIFA 21 soccer game), by tricking the company's IT support staff into giving them access to the company's network.

The key to preventing social engineering attacks against the frontline staff and in the helpdesk is to make information impossible to gain from these staffed areas to knowingly or unknowingly aid in such an attack.

Consider the earlier example in which an attacker contacts an organization's helpdesk pretending to be an employee who needs their password reset. Several things could conceivably happen during that conversation. Some possible outcomes include:

1. The attacker answers the security question using stolen information sourced from social media or from the Dark Web.

2. The attacker tries to gain the staff members trust through friendly conversation to gain favor in the hope that they will overlook the rules and go ahead and reset the password, even in the absence of the required security information. In some situations, the attacker might also try to make the staff member feel sorry for them.

3. The attacker might try to intimidate the staff member by posing as a person in authority who is extremely upset that they cannot log in. When the staff member asks a security question, the attacker might scream that they do not have time to answer a bunch of stupid questions, and demand that the password be reset right now (this technique has succeeded many times).

Ultimately, the staff members discretion is the only thing standing between the attacker and exploitation that determines whether the information requested or password reset is going to happen.

The best way to prevent such an attack is to:

1. limit information on social media to information that is not used in any security question information
2. Use security questions that are not related to personal information like pets, birth place and so on.
3. If it is a network issue (helpdesk) make call backs to the internal contact of the staff member mandatory for password resets.
4. Have operators confirm other current information as a security check.
5. Do not use for confirmation or verification anything that was sent via email.
6. Don't put all your eggs in one basket. I.e. don't use devices or authenticators from the same organization that controls your Active Directory for example as a compromise will give that information out and the authenticator can be spoofed or cloned. Use SMS if you have google accounts rather than google authenticator for example.
7. Make 2 factor Authentication to non email options mandatory.

These are just a few tips to add to security at the front lines.

Ransomware attacks have been rampant, with many companies battling to stay in operation after experiencing downtime and loss of reputation in the hands of attackers. Ransomware serves as a lucrative method for earning some extra cash or cryptocurrency for the attackers, and poses serious threats to anyone holding client information.

In this post we will be explaining in-depth current trends in ransomware malware – what is it, how it works, various types of ransomware, and how to take some tested approaches to protecting yourself.

Contents 1) What is Ransomware? 2) How does a Ransomware Attack Work? 3) Current known types of Ransomware 4) How Is a Ransomware Attack Generally Done? 5) What Is The Possible Impact of Ransomware? 6) How do I Know if My System Has Been Attacked By Ransomware? 7) Can You Remove Ransomware? 8) Should I Pay Ransom? 9) Ransomware: Some tips on how to minimize the risk of Ransomware attacks & secure Data

(1) What is Ransomware? It is important to understand that ransomware is mainly staged for the purpose of obtaining money. Attackers target the most important information of an organization to force them to meet a ransom demand. Ransomware is a malware, and it is used by threat actors to encrypt files after infiltrating a target device, and request an amount (mostly in Bitcoin) to provide the decryption key to unlock the files.

(2) How does a Ransomware Attack Work? Ransomware is a threat actors approach to install their malware into the device of the victim and encrypt (lock) the files. The malware searches for information or assets on the device and locks it down through encryption. In other words, the malware denies users access to information on the basis that users need it. Most ransomware exfiltrates data back to the attacker before encryption, but not all.

Ransomware is a computer virus or a malware that gets installed in your computer without your knowledge and your system in this condition can only be unlocked by receiving a decryption key, usually obtained by paying out a ransom to the attackers. The term ‘ransomware’ has been derived from the terms ‘ransom’ meaning ‘holding hostage against a demanded amount’ and ‘ware’ which basically came from the term malware.

Although both ransomware and computer virus come under the same umbrella ‘malware’, their modus operandi is a lot different. Where ransomware demands a ransom to unlock an attacker-locked computer system (enters the system during activation and encrypts the files on the infected system), on a computer viruses infects a system, corrupts data and replicates itself for further infections, like biological virus of sorts, in the aim of using a system in a botnet, or replicating some form of execution. This leaves Ransomware more in the malware camp, than a virus.

3) Current known types of Ransomware

The types of ransomware depend on the type of attack they hold. There are two main types of ransomware namely: Crypto ransomware and Locker ransomware.

Locker Ransomware

Locker Ransomware is one of the types of Ransomware that does not lock files or valuable resources on a device, instead it acts to encrypt the device itself. This Ransomware does not allow access to the interface of the device, it instead, locks the user out of the device and gives limited functions to the user for the purpose of paying the Ransom only. The only way users get back access to the device is to pay for the decryption key. A well known locker ransomware is Locky.

Crypto Ransomware

The Crypto Ransomware operates a little differently from the Locker Ransomware. This Ransomware only locks down valuable resources or important information on a device, leaving the rest of the device in tact to taunt the user into payment of the ransom before an unlock key is provided and the needed files released. This Ransomware is popular to attack network storage devices like NAS drives which often hold company client files. The malware is designed to search through the device for the information it deems worthy, doc files for example, and after successful identification, proceeds to encryption. A ransom note pops up on the infected device when accessed asking the victim to make payment to a provided BTC address to get the decryption key. Some notes even provide a comprehensive guide on how to buy Bitcoin online, just in case the victim has no idea of how. Some well known Crypto Ransomwares are WannaCry, Ryuk, and Petya.

4) How Is a Ransomware Attack Generally Done?

Ransomware attacks work in various ways and are spread by threat actors convincing targets to engage in a set activity that may involve clicking on a malicious link or visiting a malicious website. There are a number of ways this is achieved and some of them are:

Drive-By Download

This is a very potent and common method used by threat actors. The attacker uses deceptive means to convince targets to visit a website, and after visiting these compromised websites, the ransomware begins to install on the computer; find valuable information and encrypt it, or lock down the device. Example of this can be seen in Bundleware applications where you download what is considered legitimate software that has an addon you authorize for some other service thinking its the legitimate one. Attackers can hijack legitimate software and bundle their malicious software alongside then reupload to source forge and others for example. This has become more popular with the Google AdWords exploit as reported in LockFile Ransomware: Exploiting Microsoft Exchange Vulnerabilities Using ProxyShell.

Malicious Links Through Emails or Social Media

This is another common method of infecting devices with Ransomware. The threat actors target the weakest link of the security chain which is the employees, convince them to click on a malicious link or attachment, and begin to execute the malware on the device. Most of these links are sent to targets with an interesting message about a job offer, global event, Tax issue, or any other sensitive issue while posing as a legitimate sender. Others even impersonate service providers and banks to lure targets into clicking on the malicious link or open a malicious attachment. An example is Zero day MSHTML exploit.

Pay Per Install

This is another common way Ransomware is distributed. Many computers are already compromised and part of a botnet. Some have been added through bitcoin software Are Bitcoin miners really malware for dark web?, while others are added through malware and virus attacks. In this case, they have already been compromised, and threat actors or cybercriminals will pay the botnet controller to get access to these devices to install Ransomware on them.

Another mode of infection that the malicious software attackers use is to contact unsuspecting people and advise they are a law enforcement official or agency, or support operator. They mention that the persons device has been infected, and they need the user to undertake an action to defend the system, which is usually a delivery method for the malicious software. This has the desired result of the victim refraining from reporting the attack to the authorities.

Why Is Ransomware So Effective And Frequent?

Ransomware attackers instigate fear and panic into their victims and trigger them into action on a specific link to click or application to activate which results in them paying. Ransomware atatcks often scare victims by displaying some intimidating messages:

“All the files on your computer have been encrypted. To regain access to your website you must pay this ransom within 72 hours.”

“Your computer has been infected with a virus. Click here to resolve the issue.”

“Your computer has been used to visit various websites having illicit content. For unlocking your computer you must pay a fine of $100”.*

5) What Is The Possible Impact of Ransomware?

Ransomware targets users of various categories and for various reasons. Residential users, businesses, finance, legal and more have been reported over the years, leading to negative aftermath that includes:

• Disruptions to the regular operations
• Harm to reputation
• Financial losses that have been incurred to restore the systems and the files
• Permanent or temporary loss of proprietary or sensitive data
• Increase to insurance premiums, or denial of insurance
• Loss of business

6) How Do I Know if My System Has Been Attacked By Ransomware?

There are several signs that indicate that your system has undergone a Ransomware attack such as:

• Your desktop or web browser is locked and a message (as stated above) is displayed
• A file or folder accessed bears a ransom note file which is usually in .txt format
• All of the files in your system will have a new file extension which, when opened, is encrypted like – .ecc, .ezz, .exx, .zzz, .xyz, .aaa, .abc, .ccc, .vvv, .xxx, .ttt, .micro, .encrypted, .locked, .crypto, _crypt, .crinf, .r5a, .XRNT, .XTBL, .crypt, .R16M01D05, .pzdc, .good, .LOL!, .OMG!, .RDM, .RRK, .encryptedRSA, .crjoker, .EnCiPhErEd, .LeChiffre, .keybtc@inbox_com, .0x0, .bleep, .1999, .vault, .HA3, .toxcrypt, .magic, .SUPERCRYPT, .CTBL, .CTB2, .locky. Or may include a 6-7 length extension consisting of random characters.

Most Popular & Malicious Ransomware Variants Experienced In 2020

Ransomware variants:

*1) Sodinokibi*

Sodinokibi ransomware targets Windows systems and encrypts the important files on the local drives and asks for a particular ransom to decrypt them. The targeted files bear the extensions .jpg, .jpeg, .raw, .tif, .png, .bmp, .3dm, .max, .accdb, .db, .mdb, .dwg, .dxf, .cpp, .cs, .h, ,php, .asp, .rb, .java, .aaf, .aep, .aepx, .plb, .prel, .aet, .ppj, .gif, and .psd.

The very first thing that the user sees is usually a ‘ransom note’ after the completion of the encryption. The ransom information bearing the instructions are also visible on the desktop.

*2) Ryuk*

Ryuk is a variant of Crypto-Ransomware that utilizes the encryption method to block access to the system, its files, and other devices until the demanded ransom is paid. Often, it is dropped by malware, such as the TrickBot, or gains access through the remote desktop services. It uses a second RSA public key and demands ransom in the form of Bitcoin (BTC) cryptocurrency.

*3) Phobos*

Phobos is a malicious Ransomware program that encrypts or locks files on the system. It demands ransom for decryption and in the ransom demand, the cybercriminals mention that the victim needs to contact them through the ottoZimmerman@protonmail.ch, cadillac.407@aol.com, or various other email addresses citing the encryption ID. The demand includes a notice for the victim to pay out the ransom as soon as possible to avoid expedite charges. All the files that get encrypted by the phobos malware possess a .phobos extension along with the unique ID of the victim. The other most popular extension provided by Phobos are:

“.[decryptbox@airmail.cc].Adair” “.[hanesworth.fabian@aol.com].deal” “.[restorebackup@qq.com].Caley”, “.barak”, “.zax”, “.BANKS”, “.banjo” “.[lockhelp@qq.com].acute”, “.1500dollars” “.[danger@countermail.com].blend” “.[helpteam38@protonmail.com].adage” “.[helpyourdata@qq.com].phobos” “.[ramsey_frederick@aol.com].phobos” “.[wallyredd@aol.com].phoenix” “.[elizabeth67bysthompson@aol.com].phobos” “.[Job2019@tutanota.com] .phobos” “.[Cadillac.407@aol.com].phobos” “.[beltoro905073@aol.com].phobos” “.[matrixBTC@keemail.me].phobos”

*4) Dharma*

The Dharma Ransomware is a crypto-virus that was first seen back in 2016 and is constantly reappearing in new versions. The extensions that the infected files exhibit are: .bip, .adobe, .cezar, .combo, .java, .ETH, .love$, .LOL, .BANG, and .payB. Some of the other file extensions seen are: .base, .R3f5s, .bad, .HCK, .hlpp, .FRM, .WCH, .club, .PGP, .well, .space, .BOMBO. The malware utilizes the AES encryption algorithm for encrypting the data and then displays the ransom notes called either Info.hta or FILES ENCRYPTED.txt.

*5) Mamba*

Mamba is high-risk Ransomware and is an updated version of Phobos. The malware encrypts the stored files and alters the filenames adding “.mamba” to the extension along with the victim’s unique ID and developer’s email address. As soon as the files get encrypted, they become unusable. The “info.txt” file is placed on the desktop and displays an extensive pop-up window (“info.hta” HTML application) to elicit payment.

*6) GlobeImposter*

GlobeImposter is a Ransomware application that encrypts the files on the machine of the victim and demands a payment to unlock the information. This malware is also known as “Fake Globe” as the structure mimics the Globe Ransomware family. This Ransomware may be distributed via a malicious spam campaign that is only recognizable with the poorly executed message content along with an attached ZIP file. This sort of spam is termed as “blank slate”. GlobeImposter is also spread through malicious advertising, exploits, repacked infected installers and fake updates.

*7) Snatch* 

Snatch is a high risk Ransomware developed by cybercriminals and creates a ransom message within a text file named “Readme_Restore_Files.txt”. It alters the file names by adding extensions such as “.snatch” and updated variants often change the file extension to “.jimm”, “.googl”, “.dglnl”, “.ohwqg”, “.wvtr0”, and “.hceem”.

*8) IEncrypt*

IEncrypt was first discovered by S!Ri, and is a Ransomware-type virus that is designed to encrypt the files utilizing AES cryptography. While in the process of encryption, the malware alters the file names with the extension such as “PCname_of_company”, and has been known to targets various organizations rather than individuals. Some of the other extensions in use are: “.kraussmfz”, “.midwestsurinc”, “.0riz0n”, “.n3xtpharma”, “.grupothermot3k” and “.cmsnwned”. For each encrypted file, this ransomware generates an identical text file, each having unique names and bearing an identical ransom message.

*9) .777*

This is a file-encrypting Ransomware virus that uses the asymmetric encryption. While in encryption, the ransomware generates two keys – a public key to encrypt the files and private key for decryption. The decryption of the files without this decryption key is impossible. The ransom is demanded in exchange for this private key. It adds the extension to teh end of the encrypted file “[email protected]$.777” making it easier to determine which of the files have been encrypted.

*10) MedusaLocker*

MedusaLocker is a malicious Ransomware that operates by encrypting the files and making them inaccessible. While in encryption, all the files are renamed with the extension “.encrypted”. An HTML file (“HOW_TO_RECOVER_DATA.html”) is installed on the desktop with the ransom message. Some of the extensions used by the ransomware are: “.bomber”, “.boroff”, “.breakingbad”, “.locker16”, “.newlock”, “.nlocker”, “.skynet”, “.deadfiles”, “.abstergo”, “.himynameisransom”, “.ReadInstructions”, “.EG”, “.decrypme”, “.ReadTheInstructions”, and “.READINSTRUCTIONS”.

*11) NetWalker*

NetWalker, also known as Mailto, is a sophisticated family related to the Windows Ransomware that targets corporate computer networks. It encrypts files that it finds, and demands cryptocurrency payment as ransom for the safe recovery of the encrypted data. It threatens the victim with publication of sensitive data if the ransom is not paid. It is usually included within emails disguised as something from a very important source.

7) Can You Remove Ransomware?

Yes, you can definitely remove Ransomware in case you fall prey to a malware attack. If you own a system with Windows 10 Operating System (OS), you can attempt to do the following for Ransomware removal.

Reboot your Windows 10 to “Safe Mode”
Run the antivirus and perform a deep scan of  the complete system (in-depth preferred) and find the hidden ransomware program.
Follow all the prompted steps to restore the computer in its original state.

Note – while restoring your computer, you will not be able to decrypt the encrypted files. These files are usually lost as the files have already been modified. If the malware is sophisticated, without the mathematical key that the attacker has in their possession, you would be unable to decrypt the files.

8) Should I Pay Ransom?

Well, ideally you should not pay the ransom, although there are obvious risks associated with or without a ransom payout. While you cannot guarantee that not paying the demanded ransom would demotivate an attacker completely, paying a ransom does not guarantee that the attacker would provide you with the decrypt key or not come back tomorrow for more, keep you hanging, or continue with more sophisticated attack or demand a larger sum.

Often law enforcement agencies urge victims not to pay, as they argue this provokes the attackers to create more ransom malware, probably more high-end ones. Recent research has stated that 66% of the companies said that they would not pay a ransom while practically 65% of the companies actually did pay the ransom when victimized.

So here is some tips to try and help you protect against the need to make the decision.

9) Ransomware: Some tips on how to minimize the risk of Ransomware attacks & secure Data

The main motive of Ransomware is to collect a ransom from the target by crippling network security, so takign pro active approaches to security will assist.

1) Take backups of your data on a regular basis on a good backup infrastructure that snaoshots at least once a day for 7 days or more. This will help you restore the data quickly even if a malware attack is successful.

2) On receiving any suspicious email, unsolicited phone calls or text messages, refrain from providing your personal details or your company details.

3) Do not open attachments or attempt to click on any link (including google ads) or download any files not verified as from the correct URL of the legitimate source. Often the phishers rely on this method posing to be an IT individual gaining your trust. Even if this happens, cross-check the claims by contacting the legitimate individual or department.

4) Do not click on links in social media. Manually enter them into your browser.

5) do not share personal information on social media as this can be used to generate a well crafted phishing email.

6) Always keep your antivirus and application software updated.

7) Do not install third party programs that come with your software. third party antivirus providers often do this as do Adobe. Pay attention to what is asked, don't just click through without reading.

8) Be wary of third party antivirus software. Microsoft includes free antivirus with windows 10 and third party vendors can compromise this security. There are several fake antivirus software that contain ransomware variants. We suggest sticking with Microsoft Defender as it is integrated into the OS and detects Ransomware quickly as well as protecting from memory and screen attacks. As it is integrated, there is no need to pay for another system, or run a risky download.

9) Invest in security awareness training. This will inform your employees to take care and what to watch for, protecting your company’s data from the dangerous elements that might come in your company’s security.

10) Develop a Disaster Recovery Plan (DRP) and have it is a policy set that employees read as part of thier contract.

11) Implement 2 factor authentication on all applications.

12) Change passwords often, and maintain an encrypted password manager.

13) Never save usernames, passwords or use autofill in browsers.

These are our top 13. There are more, and you are welcome to contact us for further advise.

Adonis Technology Gallagher & Co Consultants