Understanding and Surviving Ransomware


By Professor John Walker

Professor John Walker PGCert FRSA CFIP
Expert Witness, Digital Forensics & Training

What is ransomware?

Ransomware may be defined as:

An adverse logical condition with the inbuilt technological objective of compromising targeted asset(s) in order to deny the legitimate user(s)/owner(s) access to the contents stored thereon.

There are basically two types of Ransomware Agent:

  • File Ransomware: This type of agent encrypts the files but leaves access to the host computer intact.
  • System Level Ransomware: This type locks the entire system and denies the authorised user access to the host.

How is ransomware delivered?

Email: The most effective method which may be applied is of course delivery of the malicious object via email, presenting a high potential hit rate – all it then takes is to socially engineer the recipient user into delivering the last element of the Attack Chain: the ‘Click’.

USB Based Delivery: Where the organisation allows the introduction of USB Keys to an endpoint asset, there will always be the potential for the introduction of a malicious component, which in this case is of course focusing on Ransomware. As an example of the dangers posed to the integrity of Digital Assets, consider the following real-life event which impacted the entire operations of an Outer-London based SME.

The Event: As users arrived at their place of work early one morning, some individuals noticed a USB key lying in the car park. However, unbeknown to each of these individuals, they were not the only one to make such a discovery. Each USB key carried a label on the outside to act as a Social Engineering Component, marked as, but not limited to:

  • Pay Grades
  • Julie – Pictures from Holiday
  • Executive Salary Increases
  • Sensitive Business Files
  • New Year Promotions


Spam: There are occasions when it is necessary to look back, to understand where we have arrived at. For many years Spam (Unsolicited email) was tolerated as a nuisance – in fact just over ten years ago I presented a paper to the House of Lords Technology Committee on the potential threats such communications carried. However, at that time, one senior member of the committee stressed with force that Spam carried no threats, and could be ignored as presenting zero dangers. Again, my counter argument was that it was a dangerous conduit into the enterprise. Here we are in 2021 now realising that the toleration was a mistake, and Spam was more dangerous than was thought!

Network: At the Network level we are faced with many challenges when we focus on Ransomware, such as the existing dangers of the mix of PowerShell and Windows Domain Controllers.

Proactive Defense:

The best-practice method of applying defense in any circumstance of adversity is to be in a position of preparedness – so:

Be Proactive [Before the Fact]

  • Ensure that all important files are backed up [not forgetting Home/Mobile Users] at agreed intervals
  • Conduct periodic tests of backups to ensure they are working as expected, and may be recovered
  • Consider using a write-protected, secure, encrypted FIPS 140-2 validated drive – an example of which is the iStorage NCSC Certified Drive range
  • Ensure that all system Updates and Patches are in place
  • Maintain Anti Malware/Virus applications in a current state
  • Self-Training – ‘if I don’t know it, don’t click it’ [NLP Strapline]
  • Ignore those unexpected, unsolicited calls about your ‘detected errors’
  • Where possible – deploy USB Controls
  • Educate Users – Build that Human Firewall [again, not forgetting Home/Mobile Workers]
  • Maintain Data Asset Registers – know your Critical and Sensitive Data Assets
  • Deploy Infrastructure based Robust Backup Systems
  • Where practical, create a SOC (Security Operations Centre)
  • Evolve a CSIRT (Computer Security Incident Response Team / First Responder Team)
  • Ensure that the teams who are expected to respond to such incidents are fully trained, and equipped with an adequate, up-to-date toolset
  • Have up-to-date Policies deployed
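The backup items above (back up at agreed intervals, then periodically test that the backups can actually be recovered) are easy to state and easy to neglect. The following is an added example, not code from the article or from iStorage: it records a SHA-256 manifest of a backup set at backup time and later verifies the set on disk against that manifest, so that a file encrypted in place shows up as modified and a dropped ransom note shows up as unexpected. The directory layout, file contents and the "ransom note" file name are all constructed for the demonstration and run in a temporary directory.

```python
"""Backup integrity check: build a SHA-256 manifest of a backup set and later
verify it, reporting files that are missing, altered or newly added.

Added example (not part of the original article). Paths, file contents and
the simulated damage are constructed here in a temporary directory.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path

CHUNK = 1 << 16  # read files in 64 KiB chunks so large backups do not load into RAM


def sha256_file(path: Path) -> str:
    """Return the hex SHA-256 digest of a file, streamed in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root) to its digest and size."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            manifest[rel] = {"sha256": sha256_file(p), "size": p.stat().st_size}
    return manifest


def verify_backup(root: Path, manifest: dict) -> dict:
    """Compare the backup set on disk against a previously stored manifest.

    Returns lists of 'missing', 'modified' and 'unexpected' files plus an
    overall 'ok' flag. A file encrypted in place by ransomware appears as
    'modified'; a ransom note or renamed copy appears as 'unexpected'.
    """
    current = build_manifest(root)
    missing = sorted(k for k in manifest if k not in current)
    unexpected = sorted(k for k in current if k not in manifest)
    modified = sorted(
        k for k in manifest
        if k in current and current[k]["sha256"] != manifest[k]["sha256"]
    )
    return {
        "missing": missing,
        "modified": modified,
        "unexpected": unexpected,
        "ok": not (missing or modified or unexpected),
    }


def save_manifest(manifest: dict, dest: Path) -> None:
    """Store the manifest as JSON; keep this copy off the backup volume itself."""
    dest.write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(src: Path) -> dict:
    return json.loads(src.read_text())


def demo() -> dict:
    """Constructed scenario: snapshot a backup set, then overwrite one file
    (as in-place encryption would) and drop a note; verification flags both."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "backup"
        (root / "finance").mkdir(parents=True)
        (root / "finance" / "ledger.xlsx").write_bytes(b"constructed ledger contents")
        (root / "readme.txt").write_bytes(b"constructed readme")

        manifest_path = Path(tmp) / "manifest.json"   # outside the backup root
        save_manifest(build_manifest(root), manifest_path)  # taken at backup time

        # Simulated damage after the fact (constructed, not a real sample)
        (root / "finance" / "ledger.xlsx").write_bytes(os.urandom(32))
        (root / "README_FOR_DECRYPT.txt").write_bytes(b"constructed ransom note")

        return verify_backup(root, load_manifest(manifest_path))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest must live somewhere the backup process cannot overwrite (a write-protected or offline copy, in the spirit of the drive recommendation above); a manifest stored beside the backup is only as trustworthy as the backup itself. Running the verification on a schedule, and occasionally restoring a sample of files from the backup to a clean machine, turns "periodic tests of backups" into something measurable.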

Response (Reactive):

In the Reactive Mode, consider the following steps:

First Response reaction [After the Fact]

  • Stop and think – do not be driven to an uncalculated response
  • Do not turn the computer off
  • If you must terminate the Network Connection, pull the cable – not forgetting WiFi
  • Record the displayed screen – [camera, phone etc] – this is a key Artifact
  • Do not respond to, or pay any demands
  • Report the Incident to your IT Team, Service Desk, and CSIRT [await advice]
  • Whilst waiting – assess Data Impact – say PCI-DSS, or GDPR potentials
  • Confirm the last backup status – and assess the potential for recovery from the held images/files
  • If you have no Service Support – use another off-network system [e.g., PC] to investigate the implications
  • Home User – Report this as an incident to the Police – they may not always be interested, but this incident is a CRIME
  • Business Users – Record this as a Security Incident, and Educate Users – feed into the extended SOC – for purpose of Situational Awareness Alerting


To conclude, it may be an accepted opinion that the threats posed by Ransomware are significant, regular, and, it would seem such threats are able to overcome even the most stringent of supposed Cyber Security Postures. It may also be further concluded that, such is the success and financial gain for the practicing criminal actors, this is not going to be a digital threat that will disappear anytime soon.

The time has come in which all individuals, SMEs, Corporates, Government Agencies, and any other member of the Digital Generation who seeks Electronic Survival will have to start to practise a posture of pragmatic and meaningful Defence in Depth to achieve the desired level of protection. We have arrived at a digital juncture that is embracing Digital Transformation and Zero-Trust in an age that is anything but digitally secure. It is time to take Cyber Security and the Ransomware Pandemic seriously at the pragmatic level – and to move over into a mindset that is focused on security, rather than on buzzwords that imply a state of total zero-trust is achievable.


Mitigating cyber risks around cryptocurrency


Hackers stole 523 million NEM (valued at £385 Million) from the Japanese cryptocurrency exchange – Coinbase – in 2018. NEM Foundation president Lon Wong described it as “the biggest single theft in the history of the world.”

Cryptocurrency is currently causing a frenzy across the globe and is rapidly becoming a widely used type of currency. Bitcoin in particular is now stated to be worth up to $53,000 (£38,000) per Bitcoin. Recently, philanthropist and CEO of Tesla & SpaceX – Elon Musk – announced that Tesla would begin taking Bitcoin payments, with Microsoft, Twitch, Lush and Expedia also accepting Bitcoin transactions in the UK.

With this new form of finance beginning to take hold across the world, it is crucial that we stop to think about the cyber risk that cryptocurrency entails. In 2020 alone over $1.9 billion (£1.4 billion) was stolen through crypto cyber-attacks, with 122 attacks taking place on cryptocurrency exchanges, blockchain apps and decentralised apps on the Ethereum platform. Considering the inflation of crypto rates, this would be worth around $3.8 billion (£2.7 billion) today.

What is Cryptojacking?

The vulnerability of cryptocurrency is a direct consequence of the currency’s anonymity: the blockchain technology behind cryptocurrency is decentralised, meaning there is no authority who can oversee each transaction or crypto activity. This structure therefore gives criminals the perfect opportunity to thrive. On top of this troubling issue, cryptocurrency is the number one preferred form of exchange during ransomware attacks, meaning companies are at risk of losing corporate data in exchange for a hefty crypto payment. This form of attack is formally acknowledged as cryptojacking.


How to minimise risk of crypto specific attacks

Despite the financial benefit that cryptocurrency can bring to consumers and businesses alike, due to the clear vulnerabilities in the structure of crypto, it is apparent that any business involved with a form of cryptocurrency is at immediate risk of falling victim to a cyberattack. We do want to assure you, however, that despite this threat there are in fact strategies that can be implemented into a personal or organisational structure to ensure you can either minimise the risk of attack or are not at risk of losing money or data. Firstly, to minimise the risk of a hack, it is essential to remain vigilant when opening any emails, messages or other forms of communication. To access a cryptocurrency account, use suitable security hygiene and create a complicated password with two factor authentication to minimise the risk of an intelligent hacker discovering your password. When storing cryptocurrency, it is highly recommended to store any savings on an encrypted storage solution, preferably with government approved certifications such as FIPS 140-2, to ensure that there is no backdoor access through which a criminal could steal your hard earned savings.

At iStorage, we are already working with cryptocurrency exchange services and decentralised app hosts to provide secure solutions to any crypto specific threats facing their organisation. If you are concerned about cryptocurrency impacting your security, ask an expert today to understand how we can assist you.
