Ransomware is a type of malicious software (malware) that restricts access to digital files until the user pays a ransom. It generally functions in one of two ways.
• The first way simply locks the system and attempts to manipulate the user into paying the ransom. In a common manipulation method, the hacker claims to represent a law enforcement agency that declares the user has broken one or more of several (usually bogus) laws. This ransomware type can usually be removed from the computer, without any payment, using a good antivirus program or professional technical assistance.
• The second way, however, known as encryption ransomware, encrypts the user’s files, making them completely incomprehensible without the decryption key. The hacker then demands payment (hence, the “ransom”) for the key. There are tools that will clean the ransomware off the machine, but the only way to unlock the files is to pay the thieves for the decryption key and hope that they send it to you.
This second type of ransomware cannot be fixed simply by running your antivirus software. With malware such as Cryptolocker (which appeared in 2013) and others like it, having the decryption key is the only way to retrieve your files.
In June 2014, the FBI and a number of other international law enforcement agencies were successful in taking down the GameOver botnet and its associated Cryptolocker ransomware. Alas, the celebrations were short-lived, as, soon afterwards, all the crypto-clones began to appear, such as CryptoWall and TorrentLocker. While each piece has variations, the functions are identical.
How the infection spreads
As with any other malicious software, ransomware spreads through human interaction. Unsafe security practices, such as clicking on malicious email attachments, downloading files from unknown sources, and clicking links on untrusted websites install the software onto a user’s machine. Gone is the “hacking” requirement, since the bad actors simply let the victims do the installation themselves.
The Encryption Process:
Once the ransomware is installed on the victim machine, it usually goes through the following steps:
1) Its first action is to send a communication to its command and control server (C&C) containing information such as the network IP address, location, and system information.
2) The C&C sends back an encryption key—a unique key, created specifically for that network.
3) After downloading that key to the victim machine, the ransomware starts encrypting files. First, it encrypts the files on the local machine.
4) Then – and this is the significant element for many businesses – it travels to any mapped drives and encrypts those files also, including external hard drives, shared network drives, and any plugged-in flash drives. It can even travel to files in the cloud. (See the NOTE below.)
5) Once the encryption process is complete, the ransomware modifies operating system tools to ensure that there is no way to retrieve the files.
6) A message is displayed on the infected computer that explains what happened to the user. At this point, the files are completely inaccessible until the decryption key is obtained.
NOTE: The ransomware is able to encrypt all the files to which the users have administrative rights (meaning that they can create, modify, and save the files). That means that on a shared directory, if the logged-on user can modify all of the files, ALL of them will be encrypted, even those that the user has never accessed and has no need to access.
Because users are more likely to discover the locked files on their own computers, some new ransomware variants start their encryption with the network files, and then go on to encrypt the local ones. This decreases the likelihood that the encryption process will be discovered before it is completed.
Once the files are encrypted, antivirus software may be able to clean the malware off the computer; however it does not help with file access. With ransomware, having the decryption key is the only way to once again access the files. In early CryptoLocker versions, it was sometimes possible to read the key off the local computer and unlock files that way. However, in later versions (“improvements”) of the malware this has been rendered impossible, as the key is stored only on secured servers.
What if you are infected?
If your computer or network gets hit with encryption ransomware you have two choices: pay the fee and hope for the best, or kiss your files goodbye. (Important note here: a backup can save you. See Protections below.) So what’s the answer: pay or not pay?
Not Pay: For years, security experts and law enforcement agencies have been urging victims not to pay the ransom. First, there is no guarantee that you will actually get the correct decryption key; you may just waste your money. They may even ask for more. Paying the ransom has often been a “crapshoot”: you were just as likely to get stiffed. Second, by paying the ransom you incentivize the thieves to continue their practice.
Pay: On the other hand, for many businesses and even individual users simply writing the files off is not an option. If an entire business is at stake, or cherished family photographs, a few hundred dollars may be considered worth it. With the more recent ransomware versions, there appears to have been some emphasis pla
The future of ransomware
The trends suggest that ransomware is not going away any time soon. In fact, the general reluctance to pay the ransom seems to be causing the creators to rethink their business model. There is evidence that the thieves are willing to work with their victims to ensure that both parties are at least somewhat satisfied. Some creators have also become more targeted in their ransom demands, in that the price is based on the data and its value to the owners.
The rise in popularity of bitcoins, and the difficulty of tracing them, makes them the perfect currency for remote criminals. So much so that most attacks include detailed instructions for buying and sending the bitcoins. As with recent identity theft, medical data is likely to feature high in future ransomware attacks.
Another, especially frightening, ransomware target is the mobile device. Although the security industry has not yet seen mobile ransomware, all malware eventually makes its way to our smart phones and tablets.
Protections
1. Frequently back up your files.
This is the single most important thing you can do to protect yourself from data loss due to ransomware. Ransomware can’t be “cleaned” the way more standard malware can; once you’ve been infected, the only way to get your files back is by paying for the decryption key. And although the bad actors may be more thieves than fraudsters, there’s still no guarantee that they will deliver you the key once you send the ransom.
When you are backing up your files, it’s critical to remember that Cryptolocker and its cousins also infect any mapped drives, such as external hard drives, USB drives, and even network drives if you have mapped them (that is, assigned them a drive letter). So make sure your backups have no connection whatever to your computer. And remember to include your mobile devices in your backup efforts.
2. Make sure your backup files can be successfully restored.
Many organizations that invest in a file backup solution fail to test their restore function. When they need it to work, they find that they cannot restore all the files that they backed up, rendering the backup efforts futile. Periodically restore your files and verify that their quality and integrity are still intact.
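The two points above that a practitioner can actually automate are (a) noticing that files on a share have been rewritten as unreadable ciphertext before the encryption finishes, and (b) checking that a restored backup really contains every file, unaltered. The following script is an added example, not code from the original article: it records a baseline manifest (SHA-256 plus byte entropy) of a directory, then compares a later state against it, reporting missing files, altered files, and altered files whose entropy jumped to ciphertext levels. The sample "share", file names and the 7.0 bits/byte threshold are constructed for the demo.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: text and office documents sit well below ~7.5, ciphertext near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def build_manifest(root: str) -> dict:
    """Map each path (relative to root) to its (sha256 hex digest, entropy)."""
    manifest = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                data = fh.read()
            manifest[os.path.relpath(full, root)] = (hashlib.sha256(data).hexdigest(),
                                                     shannon_entropy(data))
    return manifest


def compare(baseline: dict, current: dict, entropy_threshold: float = 7.0) -> dict:
    """Report files gone from the baseline, files whose content changed, and changed
    files that now look like ciphertext (entropy rose above the threshold)."""
    missing = sorted(p for p in baseline if p not in current)
    altered = sorted(p for p in baseline if p in current and current[p][0] != baseline[p][0])
    suspicious = [p for p in altered
                  if current[p][1] >= entropy_threshold and current[p][1] > baseline[p][1]]
    return {"missing": missing, "altered": altered, "suspicious": suspicious}


def demo() -> dict:
    """Constructed scenario: a share with three text files; two get overwritten with
    random bytes (standing in for ciphertext) and one disappears (a bad restore)."""
    with tempfile.TemporaryDirectory() as share:
        for i in range(3):
            with open(os.path.join(share, f"report{i}.txt"), "w") as fh:
                fh.write(("Quarterly figures, line %d\n" % i) * 50)
        baseline = build_manifest(share)
        for i in range(2):
            with open(os.path.join(share, f"report{i}.txt"), "wb") as fh:
                fh.write(os.urandom(4096))
        os.remove(os.path.join(share, "report2.txt"))
        return compare(baseline, build_manifest(share))
```

Run `demo()` to see the report; in practice the baseline manifest is stored off the share (otherwise it is encrypted along with everything else) and the comparison is scheduled against the live share and against each test restore.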
3. Install your security patches.
Much ransomware, indeed all malware, takes advantage of vulnerabilities in your operating system and your browser. It's a good idea to set these programs up to install the updates automatically.
4. Keep your security software up to date.
Your updated antivirus and antispyware will help protect your system from the malicious software that encrypts your files and demands the ransom. Take advantage of security features/addons that work with your browser. Set these to apply updates automatically.
5. Encourage security awareness.
Whether your concern is your company computer or your own home network, the best way to deal with malware is to prevent it from taking hold in the first place. Encourage all users on your network to follow best practices:
· Never click on links in emails from unknown sources
· Never download files from untrusted sites
· Research any files before you install them
· Never release confidential information to unverified individuals