Frequently asked questions about ransomware

Written by: Tim Anderson

Due to the recent spate of ransomware attacks, NCC Group’s Tim Anderson has summarised the frequently asked questions featured in our eBook ‘Surviving ransomware’. The FAQs below aim to provide some guidance on what ransomware is and what to do to protect yourself from the risks.

The eBook is available here to download and provides more detailed information on prevention tactics.

What is ransomware?

Ransomware is a type of malware that restricts access to systems in some way, often by encrypting files and then demanding a ransom to obtain access.

Other forms of ransomware simply lock systems and display messages to try and persuade the user to part with their cash to regain access. Attackers often use payment mechanisms which are hard to track such as Bitcoin.

Ransomware attacks target both technical and human weaknesses, often combining both to successfully infect a machine.

In the past, the malware writers were sometimes quite careless and there was often a way to retrieve files. However, malware writers have improved their capabilities and data retrieval is usually no longer a possibility.

What can I do to prevent my organisation from being attacked?

Unfortunately, there is no silver bullet: no single piece of software or solution can stop this type of attack, despite many vendors’ claims. A successful defence against malicious outsiders trying to gain access to your organisation involves a multi-layered approach, applying robust controls from the strategic to the tactical:

  • Patch and update
  • Use anti-virus and update regularly
  • Test and scan
  • Educate

Can ransomware spread?

Ransomware doesn’t usually spread in the same way as some other malware does, but malicious emails could be forwarded unintentionally by users who do not understand what the attachment is.

For example, if a user receives an email and then forwards the email to a group, every member of the group who opens the attachment will become infected with the ransomware. The end result could be that many hundreds or thousands of files can become encrypted.

New ransomware variants are appearing regularly and we expect new features to emerge as the developers compete against security products and other malware authors.

Do ransomware removal tools work?

Anti-virus vendors offer tools that can get rid of the malware itself, but these will not usually decrypt your files if they have already been encrypted. For many modern ransomware variants, there is no way to decrypt files without paying the ransom.

Be careful of claims suggesting that a downloadable tool can decrypt your files. Any tool that claims this could itself be malware and you could end up making the problem worse.

Should I pay?

Paying the ransom to recover data funds further criminal activity and provides a viable market for criminals to operate within. Payment may also leave victims open to future extortion and does not guarantee that data will be recovered.

NCC Group recommends that companies should not pay any ransom.

Microsoft also advises against paying ransoms. It states: “We recommend that you do not pay the ransom. There is no guarantee that paying the ransom will return your PC to a usable state.”

And the UK’s National Crime Agency (NCA) suggests the same thing. It says: “The NCA would never endorse the payment of a ransom to criminals and there is no guarantee that they would honour the payments in any event.”

If I have recovered the files from backup and removed the malware correctly, is there anything else I should do?

It is important to remember that sometimes the malware may have been installed elsewhere in the organisation, or perhaps an email has been forwarded on to someone else who may not yet have opened the file (perhaps someone on leave).

Ensuring that there is no further malware on the network is vital for avoiding further outbreaks.

I need help, as I am not fully confident that my team have the expertise to deal with this type of attack.

Our Cyber Defence Operation (CDO) team deals with clients who are in the same situation on a weekly basis.

Simply click the link below to contact us for advice or help.

Published date: 25 July 2017
