Ransomware Infection and Countermeasures: Including Case Studies


In recent years, many companies have suffered damage from ransomware attacks. Even well-known large corporations can be infected with ransomware and suffer damage, so many people are considering ransomware countermeasures for their own companies.

As a countermeasure against ransomware, it is most important to understand its characteristics and prepare in advance.

This article will explain in detail the latest trends in ransomware, countermeasures against it, and what to do if you are infected.

Table of Contents

  1. What is ransomware?
  2. How does ransomware infect?
     2-1. Infection from websites
     2-2. Infection from email
  3. What happens when you are infected with ransomware? Introducing case studies
  4. What are the measures to avoid ransomware infection?
     4-1. Install security software
     4-2. Always update your OS and software to the latest version
     4-3. Provide security education to employees
  5. What to do if you get infected with ransomware
     5-1. Do not pay the ransom
     5-2. Isolate the infected computer from the network
     5-3. Do not turn off the infected computer
     5-4. Disable email addresses and passwords
     5-5. Consult with the police’s cybercrime consultation service
  Conclusion

1. What is ransomware?

Ransomware is a coined word combining “ransom” and “software,” and is a type of computer virus.

It is characterized by infecting computers and making them unusable, and then demanding money in exchange for returning them to their original state. Alternatively, some ransomware involves threats such as “disclosing personal information on the computer on the Internet.”

If you are infected with ransomware, there is no guarantee that you will be returned to your original state even if you pay the ransom. Therefore, it is important to thoroughly implement security measures to prevent ransomware infection.

2. How does ransomware infect?

The main infection routes for ransomware are “infection from websites” and “infection from email.”

2-1. Infection from websites

Infection from websites involves opening files downloaded from websites or browsing malicious advertisements on tampered websites. In particular, damage from websites has been increasing recently.

2-2. Infection from email

Spam emails or impersonation emails are sent to targets, and the ransomware infects their computers when they access links in the email or open attached files.

Traditional ransomware typically used methods such as sending emails targeting an unspecified number of users, but since around 2020, the methods have changed to targeting specific individuals, companies, and organizations.

3. What happens when you are infected with ransomware? Introducing case studies

Computers infected with ransomware experience the following phenomena:

  • First, specific functions are disabled, making it impossible to operate the computer freely.
  • Next, the data files stored in the computer are encrypted.
  • Then, a ransom demand screen for file recovery is displayed.
  • If payment is not confirmed within the time limit, the data will be erased or made public on the Internet.

Here are two recent examples of actual ransomware damage.

Case 1) 2020, Capcom infected with ransomware, data leaked

In November 2020, Capcom, a major Japanese game company, was attacked by ransomware. Capcom did not respond to the ransom demand of $11 million (approximately 1.25 billion yen), and the personal information of 390,000 users, business partners, etc. was stolen and leaked on the Internet.

Quoted from: https://www.capcom.co.jp/ir/news/html/210413.html

Case 2) 2018, Tama Toshi Monorail Co., Ltd. infected with ransomware

In July 2018, all files stored on the file server and backup server used by Tama Toshi Monorail Co., Ltd. became inaccessible. Subsequent investigation revealed that it was caused by ransomware.

Quoted from: https://www.tama-monorail.co.jp/info/list/mt_img/180713%20press.pdf

4. What are the measures to avoid ransomware infection?

To avoid ransomware infection, or to minimize damage even if infected, it is important to take measures in advance, during normal operations.

The following items can be mentioned as measures to prevent damage from ransomware:

4-1. Install security software

Installing security software and updating its definition files to keep it up to date can greatly reduce the risk of ransomware infection. Security software is also effective against phishing sites and impersonation, and can protect you from general Internet threats.

4-2. Always update your OS and software to the latest version

Some types of ransomware target vulnerabilities in OS and software, so always update your OS and software to the latest version. In addition, cases have been confirmed in which vulnerabilities in network devices used by companies are exploited. Apply update files and patches to VPN devices, etc. to eliminate vulnerabilities.

4-3. Provide security education to employees

Creating a corporate security policy and providing security education to employees is also effective as a ransomware countermeasure. Particularly important as ransomware countermeasures are “appropriate management of authentication information” and “appropriate handling of email.”

・Appropriate management of authentication information

If you use a simple, commonly used password, attackers can easily log in without authorization. Also, if you reuse your password, your other devices can easily be accessed without authorization. Use a complex password and avoid reusing it.

・Appropriate handling of email

Most ransomware infections are caused by opening malicious files attached to spam emails. Even if emails from unknown senders arrive, it is important never to open them.
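A minimal triage check for the attachment and impersonation risks described in sections 2-2 and 4-3, as an added example that is not part of the original article. The extension lists, the Reply-To heuristic and the sample message are illustrative assumptions, not a complete mail filter.

```python
import email
import os
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Assumption: file types this illustrative policy treats as high-risk.
RISKY_EXT = {".exe", ".scr", ".js", ".vbs", ".lnk", ".hta", ".iso", ".docm", ".xlsm"}
# Assumption: harmless-looking extensions used to disguise the real type.
DECOY_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg"}

def domain(header_value):
    """Lower-cased domain of an address header, or '' if the header is absent."""
    addr = parseaddr(str(header_value or ""))[1]
    return addr.rpartition("@")[2].lower()

def triage(raw):
    """Return a list of findings for one raw RFC 5322 message (bytes)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    # Impersonation hint: replies are steered to a domain other than the sender's.
    from_dom, reply_dom = domain(msg["From"]), domain(msg["Reply-To"])
    if reply_dom and reply_dom != from_dom:
        findings.append(f"reply-to domain {reply_dom} differs from sender {from_dom}")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        stem, ext = os.path.splitext(name)
        if ext in RISKY_EXT:
            findings.append(f"risky attachment type: {name}")
            # A double extension such as invoice.pdf.exe hides the real type.
            if os.path.splitext(stem)[1] in DECOY_EXT:
                findings.append(f"double extension: {name}")
    return findings

def sample_message(reply_to, filename):
    """Build a constructed test message; all addresses and bytes are made up."""
    m = EmailMessage()
    m["From"] = "Accounts <billing@example.com>"
    m["Reply-To"] = reply_to
    m["Subject"] = "Invoice"
    m.set_content("Please see the attached invoice.")
    m.add_attachment(b"constructed placeholder bytes", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    for finding in triage(sample_message("billing@example.net", "invoice.pdf.exe")):
        print(finding)
```

A message with no findings is not thereby safe; the check only surfaces the specific patterns listed in the code.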

5. Even so, what if you get infected with ransomware?

No matter what measures you take, it is impossible to eliminate the risk of ransomware infection. Here, we will introduce what you should do if you get infected.

Depending on the response method, it may be possible to restore data without paying a ransom even if you are infected.

5-1. Do not pay the ransom

Never respond to criminals’ demands for ransom payments. There is no guarantee that you will be restored to your original state if you pay the ransom. If you pay money to criminals, they may escalate and demand more money.

5-2. Isolate the infected computer from the network

If ransomware infection is detected, first disconnect the computer from the network immediately. By isolating the infected computer, you can prevent the spread of damage to other computers.

5-3. Do not turn off the infected computer

Rebooting after ransomware infection may worsen the symptoms, so do not turn off the computer.

5-4. Disable email addresses and passwords

Email addresses and passwords used on computers suspected of being infected should be temporarily disabled. This is because email addresses and passwords on infected computers may have already been leaked.

5-5. Consult with the police’s cybercrime consultation service

Contact the cybercrime consultation service of the police that has jurisdiction over your company to get advice on future countermeasures. Contacting the cybercrime consultation service will also help prevent the spread of similar damage to other companies.

Conclusion

Ransomware is becoming more sophisticated every year, and security measures to protect computer data are important.

To remove ransomware that has invaded your computer, there are only two ways: pay the ransom and get the decryption key, or wait for the developer to release the decryption key. However, both methods are quite uncertain, because they depend on whether you can reliably obtain the key. As a countermeasure against ransomware, it is best to prevent it in advance.

Ransomware is expected to become even more malicious in the future. Take sufficient measures to avoid losing not only your company’s important information and money, but also your social credibility.

Please refer to the countermeasures against ransomware introduced in this article to prepare for ransomware.

For further assistance, contact globalsupport@jiran.com
