Ransomware has featured prominently in the news over the last few years. Hospitals, law enforcement agencies and even individuals have been affected by it. Some have paid the ransom and recovered their computer data; others have lost their data forever. What is ransomware and how can you best protect yourself from it?
Ransomware is malicious software that infects a computer much as a computer virus does. A virus may simply destroy all of the data on the computer or use the computer to send unsolicited email. Ransomware takes the attack further by making the data inaccessible to the owner, then demanding payment before returning the data.
Ransomware has a long history, dating back to 1989 [1]. The method used to prevent access to files has varied: hiding them, replacing them, encrypting them, or simply lying about the files being unavailable. In early versions of ransomware, flaws in the malicious software sometimes allowed the victim to recover their files without paying the ransom. File-encrypting ransomware rose to prevalence in 2013 with the rise of CryptoLocker [2]. According to Kaspersky Lab, “the number of users attacked with encryption ransomware is soaring, with 718,536 users hit between April 2015 and March 2016: an increase of 5.5 times compared to the same period in 2014-2015.” [3]
A second ransomware family is lock screen ransomware. This version pops up a window or in some other way “locks” the computer or mobile device to prevent its usage. Sometimes the lock message will claim to be from some branch of law enforcement and accuse the user of a crime. Typically the files are not encrypted during this attack. If the lock screen ransomware is removed, the files are typically untouched.
Ransomware initially started gaining popularity among criminals in Russia [4]. Once it was found to have a lucrative business model, it quickly spread worldwide. Today there are even ready-made low-cost ransomware systems that can be purchased for $39 [5]. A would-be cyber-criminal doesn’t need experience or a large investment to begin infecting computers.
Ransomware can arrive via several mechanisms. It can be in a malicious email attachment, attached to a phishing email, embedded in a malicious website download, or even behind a web link that automatically downloads the ransomware when it is clicked. Ransomware infections have even been linked to legitimate website advertisements that were poisoned in what is known as a “drive-by” infection [6]. Some drive-bys require the user to click on something. However, if the computer is missing security patches, simply loading an infected advertisement on a web page can start the infection.
Once the file-encrypting ransomware is active on a computer it begins the process of rendering data inaccessible. Unknown to the user, the ransomware encrypts their files. If the user tries to open an encrypted file, the computer will indicate that the file is damaged. Once all of the user’s files are encrypted, the ransomware typically displays a ransom message prominently.
At this point the user is typically given instructions on how to pay the ransom. If the ransom is paid in a timely manner, the criminals say they will provide the user with the decryption key necessary to recover their files. Payment is usually by some method that is fairly convenient yet difficult to trace back to the criminals, such as wire transfers, pre-paid payment cards, premium-cost SMS services or a digital currency such as Bitcoin.
It is important to understand that even if the ransom is paid in the timeframe required, there is no guarantee that the data will be recovered. Some versions of ransomware have flaws that make it impossible to decrypt the data. Others are simply scams where the data is encrypted and the criminals take the money but don’t deliver the decryption key. Yet other versions have “customer service” to provide additional means to recover the data. Criminals know that if victims don’t believe they will recover their data, they will stop paying the ransom.
Paying the ransom to recover files does not prevent reinfection with the same or different ransomware, and the cycle can repeat. In the end, the transaction is with a criminal and the outcome is unpredictable.
Be suspicious of a computer that has been infected with ransomware. Even if the data is recovered, other malicious software may be present on the computer.
Even if a computer is infected with ransomware, having current offline backups available means data will not be lost. As a bonus, the backup is also useful if the computer is lost, stolen, or breaks.
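The symptom described earlier, where an encrypted file appears damaged when opened, can be checked for before a backup run so that encrypted files do not replace good copies. The following Python sketch is an added example, not part of the original article; the function names, the 7.5 bits-per-byte threshold and the sample files are assumptions constructed for illustration.

```python
import math
import os
import tempfile

# Well-known leading "magic" bytes for a few common file formats.
MAGIC = {".pdf": b"%PDF", ".png": b"\x89PNG\r\n\x1a\n",
         ".jpg": b"\xff\xd8\xff", ".docx": b"PK\x03\x04"}
TEXT_EXTS = {".txt", ".csv", ".log"}   # no header; normally low entropy

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext, roughly 4-5 for English text."""
    if not data:
        return 0.0
    counts = [0] * 256
    for byte in data:
        counts[byte] += 1
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts if c)

def looks_encrypted(path: str, threshold: float = 7.5, sample: int = 65536) -> bool:
    """True if the content contradicts the extension and looks random."""
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as fh:
        data = fh.read(sample)
    if ext not in MAGIC and ext not in TEXT_EXTS:
        return False                   # unknown type: not judged by this sketch
    mismatch = ext in TEXT_EXTS or not data.startswith(MAGIC[ext])
    return mismatch and shannon_entropy(data) > threshold

def scan(root: str) -> list[str]:
    """Return the paths under root (relative, sorted) that look encrypted."""
    paths = [os.path.join(d, n) for d, _sub, names in os.walk(root) for n in names]
    return sorted(os.path.relpath(p, root) for p in paths if looks_encrypted(p))

def demo() -> list[str]:
    """Build constructed sample files in a temporary folder and scan them."""
    samples = {
        "notes.txt": b"Meeting notes: review the backup schedule.\n" * 100,
        "intact.pdf": b"%PDF-1.4\n" + b"plain page content " * 200,
        "photo.jpg": b"\xff\xd8\xff" + os.urandom(4096),  # compressed, header intact
        "report.pdf": os.urandom(4096),   # random bytes stand in for ciphertext
        "ledger.csv": os.urandom(4096),   # text type judged on entropy alone
    }
    with tempfile.TemporaryDirectory() as root:
        for name, content in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(content)
        return scan(root)

if __name__ == "__main__":
    print(demo())
```

Compressed formats such as JPEG are also high-entropy, which is why the header check is combined with the entropy test rather than using entropy alone.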
1 Wikipedia “Ransomware” Accessed September 8, 2016 https://en.wikipedia.org/wiki/Ransomware
2 Ibid 1
3 Kaspersky Lab Accessed September 8, 2016 https://www.kaspersky.com/about/press-releases/2016_crypto-ransomware-attacks-rise-5-fold-to-hit-718-thousand-users-in-one-year
4 Ransom Trojans spreading beyond Russian Heartland Accessed September 8, 2016 http://www.techworld.com/news/security/ransom-trojans-spreading-beyond-russian-heartland-3343528/
5 Security Alert: New and Cheap Stampado Ransomware for Sale on the Dark Web – Heimdal Security Blog Accessed September 9, 2016 https://heimdalsecurity.com/blog/security-alert-stampado-ransomware-on-sale/
6 Ars Technica “Big-name sites hit by rash of ads spreading crypto ransomware” Accessed September 9, 2016 http://arstechnica.com/security/2016/03/big-name-sites-hit-by-rash-of-malicious-ads-spreading-crypto-ransomware/
7 Ransomware – Definition – Trend Micro USA Accessed September 9, 2016 http://www.trendmicro.com/vinfo/us/security/definition/ransomware#The_Evolution_to_CryptoLocker_and_Crypto-ransomware