Ransomware part 1: The ever-increasing threat of ransomware
Posted on 25 July 2016
What is ransomware?
Ransomware is a type of malware that, once it has infected a machine, holds the user’s computer to ransom until a sum of money is paid to release it. It does this either by restricting access to the computer or by encrypting files. The most common form is encryption-based: it silently encrypts all local files and mapped network drives and sends the encryption key back to the attacker. Once the encryption is complete, the user is presented with a ransom screen containing details of how to make payment. If payment is made, the user then receives a small decryption program which they can run to decrypt their files.
One of the first to surface, in September 2013, was called CryptoLocker. It was the trailblazer for this form of attack, paving the way for many similar viruses to flood the internet. CryptoLocker was finally tracked down and removed eight months later, in May 2014. Even in this short time it is believed that millions of dollars had already been extorted from victims of the virus.
Now, in 2016, there are many clones of the original CryptoLocker, where hackers have taken the concept and created upgraded versions with stronger encryption and better anonymity. The ransom demanded by these viruses normally ranges from $200 to $400, to be paid to a Bitcoin wallet which cannot easily be traced by the authorities.
How does it get on your computer?
There are many ways in which your computer can be infected, but most ransomware infections originate from spam emails which pretend to be from a legitimate source, a technique also known as phishing. Some advanced malware even has the ability to look up the victim’s location and pretend to be local law enforcement, such as the MOD or the FBI, in an attempt to seem genuine.
What can you do if you get infected?
Once infected, the user is left with two options:
1. Pay the ransom.
2. Restore from backup.
As a business, restoring from backup is not normally an issue, except perhaps for losing up to a day’s worth of work. Some of the more advanced ransomware can encrypt the backups as well, so it is important to keep off-network backups. Most home users, however, do not keep backups at all, and even those who do rarely keep them off-network. For many people their library of photos or videos is irreplaceable, and well worth the $300 payment to get it back.
There are some third-party decryption software packages which claim to be able to decrypt files after a ransomware attack without having to pay the $300. However, these rarely work, due to the ever-increasing strength of the encryption used by the viruses, and they often have subscription fees of their own.
How can I prevent infection?
It is impossible to be 100% bulletproof when it comes to ransomware attacks. However, there are steps you can take to reduce the risk significantly, such as:
• Make sure you have comprehensive security software installed.
• Keep your operating system up to date with the latest security patches.
• Regularly back up files and hold them off-network.
• Use email filtering to remove virus-containing emails before they reach you.
• Keep regular recovery points, in case you need to do a system restore.
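The post makes two points that go together: restoring from backup is the only real alternative to paying, and advanced ransomware may encrypt the backups themselves. A practical defence is to record a hash manifest of the backup set and verify the backup against that manifest before relying on it, so that a backup that has been silently overwritten with ciphertext is caught early. The script below is an added example and is not code from the original post; the directory layout, file names and the "ransomware" overwrite in `demo()` are all constructed for the demonstration, and the manifest is kept in a separate location from the backup tree so that it cannot be encrypted along with it.

```python
"""Verify an off-network backup against a SHA-256 manifest.

Added example, not part of the original post. Every path and sample
file here is constructed for the demo; in real use `root` would be the
backup volume and the manifest would live somewhere the backup host
cannot write to (read-only media, a separate account, or printed).
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file under root (POSIX-style relative path) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_backup(root: Path, manifest: dict) -> dict:
    """Compare the backup tree with the stored manifest.

    A ransomware hit on the backup typically shows up as 'modified'
    (files overwritten with ciphertext), 'unexpected' (ransom notes,
    renamed files with a new extension) and 'missing' (originals renamed).
    """
    current = build_manifest(root)
    modified = sorted(f for f in manifest if f in current and current[f] != manifest[f])
    missing = sorted(f for f in manifest if f not in current)
    unexpected = sorted(f for f in current if f not in manifest)
    return {
        "ok": not (modified or missing or unexpected),
        "modified": modified,
        "missing": missing,
        "unexpected": unexpected,
    }


def demo() -> dict:
    """Constructed scenario: a clean backup, then the same backup after an 'infection'."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"          # the off-network copy
        manifest_path = Path(tmp) / "manifest.json"  # stored separately from the backup
        (backup / "photos").mkdir(parents=True)
        (backup / "photos" / "holiday.jpg").write_bytes(b"\xff\xd8\xff" + b"A" * 100)
        (backup / "notes.txt").write_text("quarterly figures\n")

        # Record the manifest at backup time.
        manifest_path.write_text(json.dumps(build_manifest(backup), indent=1, sort_keys=True))
        manifest = json.loads(manifest_path.read_text())
        clean = verify_backup(backup, manifest)

        # Simulate what the post warns about: the backup itself gets encrypted.
        # (Constructed: the photo is overwritten with random bytes standing in for
        # ciphertext, and a ransom note appears alongside it.)
        (backup / "photos" / "holiday.jpg").write_bytes(os.urandom(4096))
        (backup / "photos" / "HOW_TO_DECRYPT.txt").write_text("pay here\n")
        tampered = verify_backup(backup, manifest)

        return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Run the verification on a schedule, and again immediately before any restore. Because a content hash changes whenever a file is re-encrypted, this check does not depend on recognising a particular ransomware family or file extension; it only requires that the manifest itself is kept where the infected host cannot reach it.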
No matter how valuable the data you have lost, I would strongly advise that you do not pay the ransom. Paying the criminals may get your personal data back but there have been plenty of cases where the decryption key never arrived or where it failed to properly decrypt the files. Plus, it encourages criminal behaviour! Ransoming anything is not a legitimate business practice, and the malware authors are under no obligation to fulfil their promise. They can take your money and provide nothing in return.
“An ounce of prevention is worth a pound of cure.” ― Benjamin Franklin