You boot up your desktop one day after work expecting to enjoy your evening gaming or browsing social media, but instead a red screen flashes onto your monitor.
It tells you that you need to pay some money, usually in bitcoin, to an unknown party in the next 24 to 48 hours or else you can kiss your files goodbye: the key that unlocks them will be destroyed forever!
That might sound like a dystopian nightmare, but ransomware like the kind I describe above is a very real threat that hits people and companies every day!
Ransomware is a particular type of malware that encrypts your files, essentially holding them to 'ransom.' If you pay up in time, the shady people behind it promise to hand over the decryption key, letting you back into your data. Note the word promise: paying relies entirely on the criminals keeping their word.
As antivirus programs get better and better, attackers have turned to more and more creative ways of extorting money from ordinary users.
Types of Ransomware
Ransomware as most people know it today popped up towards the end of 2013. The first strain to become a household name was CryptoLocker, and it took the internet by storm. In a very short period online forums got absolutely flooded with unfortunate victims reporting that an unknown virus of some sort had locked them out of their own files.
CryptoLocker encrypted any valuable-looking files and folders it could reach and demanded a payment to return them. Since ransomware of this kind was still largely unheard of, it had no trouble spreading like wildfire through thousands of computers via phishing emails, malicious links and suspicious downloads.
Security-savvy users banded together and tried everything they could think of to undo the damage, including system resets, installing new hard drives and even flashing the BIOS, but nothing worked. Those steps can remove the malware itself, but they do nothing for files that are already encrypted, which is the whole point of the attack. All victims could see was the attacker's popup with a timer telling them how long they had left.
The worst part was that reports started filtering in that the people behind CryptoLocker actually made good on their promise: if you paid up, they sent the decryption key.
While that sounds like a good thing, it quickly turned into a bad situation. Desperate people paid the ransom instead of looking for alternatives, and every payment confirmed that the scheme worked.
When the money started flooding in, hackers everywhere knew they had a new way of making a quick buck, and ransomware has kept spreading and growing ever since.
Worse still, this was probably the most reliable way for criminals to make money. Install a keylogger on a computer and you have to wait and hope the victim types in a credit card number. With ransomware, the payday is almost assured.
Ransomware that made News
CryptoLocker may have pioneered the industry, but as Datto points out, the botnet spreading it was shut down in 2014, so it has largely cooled down since then. Its operators made more than $3 million before the takedown, and to this day many people use 'ransomware' and 'CryptoLocker' interchangeably.
When CryptoLocker was largely shut down, CryptoWall stood up to take its place on the throne. It works in much the same way, encrypting your files until you pay up.
CTB-Locker took a more enterprising approach to distribution. Instead of trying to infect as many people as possible themselves, its authors outsourced that job to affiliates who get a cut of the profits. This affiliate model has contributed to one of the fastest infection rates of any ransomware!
Another that made headlines recently, Locky, arrives as an email 'invoice'; when someone opens the attachment and lets it run, they get a nasty surprise.
KeRanger is a far less widespread strain, but it's worth noting because, as Ars Technica pointed out, it was the first fully functional ransomware to target Mac computers.
How does Ransomware spread?
Ransomware spreads mostly through social engineering: tricking a user into doing something they think is safe but is actually a trap. Here are a few common ways it gets in:
Opening Malicious PDF Attachments:
Attackers pose as legitimate sources like a bank or a parcel delivery company to get you to open their attachment. Another trick is asking you to confirm a shipment or purchase; the 'confirmation' is a booby-trapped PDF that drops the ransomware (or exploits a flaw in your PDF reader) as soon as you open it.
Infected Word Documents:
Another email-based attack: the message carries a Word document and asks the recipient to 'enable macros' (Word's Enable Content button) to see what's inside. The document is inert until then; enabling macros runs attacker-supplied code that downloads and installs the ransomware.
Not every attack is email-based, though. One of the scarier routes is a compromised website: the attacker plants an exploit kit on a legitimate site, and simply visiting it with an out-of-date browser or plugin can infect your system (a so-called drive-by download).
Who creates Ransomware?
Viruses in general are written by a variety of hackers and criminals. Many viruses, especially a decade or two ago, were written by bored students as a prank or to boost their self-esteem.
Unfortunately, ransomware isn't the same story. The people who write polished, well-programmed ransomware are in it for the money.
Malware creation is big business for talented programmers, and many are willing to resort to crime to get a quick (sometimes very large) payday.
What to do if my computer is infected?
Ransomware isn't quite the big scary monster under the bed it was when it first came out, but that doesn't mean every strain can be undone. The very best protection is prevention: avoiding infection in the first place, and keeping backups so that an infection doesn't cost you your data. We'll get to both later, but for now let's say you're already infected. What now?
Techworld recently put together a list of programs that fight ransomware; they fall into three categories.
The first type are disinfection tools. They remove the malware and certify that a PC is clean so you can use it again; they do not recover files that were already encrypted. These are mostly targeted at businesses, where you're expected to handle the removal yourself.
A less common type, decryption tools, try to decrypt the files the ransomware took over. These have limited success and tend to appear only after police have taken down the criminals and seized the encryption keys, or after researchers have found a flaw in how a particular strain handles its keys.
Last but not least, protection tools try to detect the behaviour ransomware exhibits (for example, rapidly rewriting many files with encrypted-looking content and new extensions) and stop it before it takes over your system.
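To make the third category concrete, here is an added example of the kind of behavioural check such a protection tool performs. It is not code from any of the products named on this page; it is a small stand-alone detector written for this article. It assumes a hypothetical file-system monitor that reports each write as a `WriteEvent` (timestamp, path, new content, and the old name if the write came with a rename), and it uses two signals that real tools also rely on: the new content has near-maximal Shannon entropy (encrypted data looks random; text does not) and the file gained an unfamiliar extension. The thresholds are assumptions chosen for the illustration, and the sample events, including the `.locked` burst, are constructed.

```python
import math
import random
from collections import deque
from dataclasses import dataclass
from pathlib import PurePosixPath
from typing import List, Optional, Tuple

# Thresholds are assumptions chosen for this illustration, not values from any product.
HIGH_ENTROPY = 7.0        # bits per byte: text sits around 4-5, compressed/encrypted data near 8
WINDOW_SECONDS = 10.0     # how long a suspicious write stays "recent"
FILES_PER_WINDOW = 5      # distinct suspicious files needed to raise an alert


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


@dataclass
class WriteEvent:
    """One file write as a (hypothetical) file-system monitor might report it."""
    timestamp: float
    path: str
    new_content: bytes
    renamed_from: Optional[str] = None   # set when the write came with a rename


class RansomwareActivityDetector:
    """Flags a burst of rewrites where the new content looks encrypted and the file
    gained a new extension. Suspicious writes sit in a sliding time window; an alert
    fires once enough distinct files are in the window."""

    def __init__(self, window: float = WINDOW_SECONDS, threshold: int = FILES_PER_WINDOW):
        self.window = window
        self.threshold = threshold
        self._recent = deque()          # (timestamp, path) of suspicious writes
        self.alerts: List[str] = []

    def _is_suspicious(self, ev: WriteEvent) -> bool:
        looks_encrypted = shannon_entropy(ev.new_content) >= HIGH_ENTROPY
        ext_changed = (ev.renamed_from is not None and
                       PurePosixPath(ev.renamed_from).suffix != PurePosixPath(ev.path).suffix)
        return looks_encrypted and ext_changed

    def observe(self, ev: WriteEvent) -> bool:
        """Feed one event in timestamp order; returns True if it triggered an alert."""
        while self._recent and ev.timestamp - self._recent[0][0] > self.window:
            self._recent.popleft()            # expire old entries
        if not self._is_suspicious(ev):
            return False
        self._recent.append((ev.timestamp, ev.path))
        distinct = {p for _, p in self._recent}
        if len(distinct) >= self.threshold:
            self.alerts.append("%d files rewritten with encrypted-looking content within %.0fs, latest %s"
                               % (len(distinct), self.window, ev.path))
            self._recent.clear()              # start counting afresh after an alert
            return True
        return False


def build_sample_events() -> List[WriteEvent]:
    """Constructed sample: two ordinary saves, then a simulated encryption burst in which
    photos are rewritten with random bytes and renamed with a '.locked' extension."""
    rng = random.Random(0)                    # deterministic high-entropy stand-in for ciphertext
    events = [
        WriteEvent(0.0, "/home/alice/notes.txt", b"meeting at 10, bring the slides\n" * 40),
        WriteEvent(2.5, "/home/alice/report.docx", b"PK\x03\x04" + b"lorem ipsum " * 200),
    ]
    for i in range(6):
        original = "/home/alice/photos/img%d.jpg" % i
        fake_ciphertext = bytes(rng.getrandbits(8) for _ in range(4096))
        events.append(WriteEvent(5.0 + 0.2 * i, original + ".locked", fake_ciphertext, renamed_from=original))
    return events


def run_detector(events: List[WriteEvent]) -> Tuple[List[str], List[str]]:
    """Returns (alert messages, paths of the events that triggered an alert)."""
    det = RansomwareActivityDetector()
    triggered = [ev.path for ev in events if det.observe(ev)]
    return det.alerts, triggered


if __name__ == "__main__":
    for line in run_detector(build_sample_events())[0]:
        print("ALERT:", line)
```

Run as a script it prints one alert, raised on the fifth rewritten photo. The two ordinary saves never count: the text file has low entropy, and the report keeps its extension. Real products add more signals (canary files, write rates per process, known ransom-note names) and, crucially, act on the alert by suspending the offending process, but the entropy-plus-rename idea is the core of it.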
Before attempting to remove any ransomware, take a look at the message it displays. It usually shows a bitcoin wallet address and a list of the files it touched. Write these down, and keep a copy of the ransom note and a couple of the encrypted files too: they identify the exact strain, and some of the decryptors below need them.
- Trend Micro Anti-Ransomware: This program can be installed on the computer from safe mode or run from a USB flash drive. It removes the ransomware and is the choice of many support engineers.
- BitDefender Anti-CryptoWall / CTB-Locker Vaccine: A preventative measure. It offers real-time protection against CryptoWall, which at the time of writing is by far the most widespread strain, and against CTB-Locker.
- Kaspersky Lab CoinVault Decryptor: This one may help after you've already been infected. When the CoinVault operation was taken down, the authorities recovered some of the encryption keys, and Kaspersky built a decryptor around them. As mentioned above, you'll need the bitcoin wallet address and file list, both of which should be on the ransom notice.
- Talos decryptor for TeslaCrypt: TeslaCrypt had its heyday in 2015, but there's a silver lining for anyone infected: because of a flaw in how the malware handled its keys, many infected computers have what's needed to recover the decryption key stored locally. Talos put together a program that scans for it and may be able to hand you the key. It's not guaranteed, but it's worth a try!
- HitmanPro.Alert: Another preventative measure. It's made by SurfRight, now part of the well-known antivirus company Sophos, and can detect ransomware before it starts encrypting your files.
- Malwarebytes recently launched a beta of an anti-ransomware tool; early testing produced some very positive results.
Take a second look through the list above and tell me if you see a theme. Did you notice that the most effective programs are the preventative ones?
It's a sad truth that for many strains of ransomware the damage can't be undone after they've taken hold. It's all about encryption, which you may have heard of recently as governments and police push for less of it. Ransomware uses the same well-tested algorithms that protect your online banking, and properly implemented encryption is, for all practical purposes, impossible to break without the key.
Certain strains can be cracked if police bust the hackers and seize the keys, or if the authors made a mistake in their implementation, but that's few and far between. As a general rule, if you get hit with ransomware and have no backup, it's probably too late.
That's a pretty doom-and-gloom statement, isn't it? So there's nothing we can do and the bad guys win? Not quite. While recovering the encrypted files may be impossible, preventing the infection is a very different story.
Remember, ransomware mostly spreads through malicious emails and shortened web links. A healthy suspicion of unexpected emails goes a long way! Naked Security, by Sophos, had a few good tips on avoiding ransomware:
- Back up your files: Off-computer backups protect you from ransomware, fires, theft and more. There are dedicated backup tools like CrashPlan, or you can use cloud services like Google Drive or Dropbox. One caveat: a folder that simply syncs will sync the encrypted versions too, so make sure your backup keeps older versions of files (most cloud services offer a version history) or lives on a copy that isn't permanently connected to your PC.
- Don't enable macros: A good chunk of ransomware spreads by tricking users into opening Word documents and enabling macros to 'see' the content. If you aren't sure about the sender and the document asks you to enable macros, don't!
- Consider using Microsoft's viewer applications: You can find them here. They can display documents but have no macro support, so a booby-trapped document can't infect your computer through them. Office's own Protected View, which opens email attachments read-only with macros disabled, serves the same purpose; don't click past it.
- Be careful with email attachments: Infected PDFs and other attachments are the go-to method for infecting computers. If you get an email from FedEx or a bank out of the blue, take a second look before opening anything.
- Keep programs up to date: This is a good security habit in general. Like other malware, ransomware can get in through an out-of-date browser, plugin or document reader, which is exactly what the compromised-website attacks rely on. Keep everything updated! It's a pain to install a new version every week or so, but it beats having your files locked until you pay.
- Keep your firewall turned on: Even if it's the standard Windows firewall, keep it on at all times. It won't stop an attachment you open yourself, but it blocks unsolicited inbound connections.
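The macro trick described in the 'How does Ransomware spread?' section and in the 'Don't enable macros' tip above relies on the recipient trusting the file name. The check below, added here as an example and not taken from Sophos or any product on this page, does what a mail gateway or a cautious user's script can do instead: open the attachment as the zip container that modern Office files actually are and look for the VBA project part (`word/vbaProject.bin`) and the macro-enabled content type, ignoring what the extension claims. Old-style binary `.doc` files are a different container (the OLE format) that this script only recognises by its magic bytes; a real deployment would hand those to a dedicated parser. The sample attachments are constructed in the script, with a zeroed placeholder standing in for a real VBA project.

```python
import io
import zipfile
from pathlib import PurePath
from typing import Dict

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"     # legacy binary Office container (.doc/.xls/.ppt)
MACRO_ENABLED_EXTS = {".docm", ".dotm", ".xlsm", ".xltm", ".xlam", ".pptm", ".potm", ".ppam"}
VBA_PART_SUFFIX = "vbaproject.bin"                  # the VBA project part inside an OOXML package
MACRO_CONTENT_TYPE = b"macroEnabled"                # appears in [Content_Types].xml of .docm/.xlsm/...


def assess_office_attachment(name: str, data: bytes) -> Dict[str, object]:
    """Classify one attachment by looking inside it rather than trusting its name.
    Verdicts: 'clean', 'macro-enabled', 'macro-hidden' (macros present but the extension
    claims none), 'legacy-binary' (old OLE format, needs a dedicated parser), 'not-office',
    'bad-zip'."""
    ext = PurePath(name).suffix.lower()
    result = {"name": name, "ext": ext, "has_vba": False, "macro_content_type": False, "verdict": "clean"}

    if data.startswith(OLE_MAGIC):
        result["verdict"] = "legacy-binary"
        return result
    if not data.startswith(b"PK\x03\x04"):
        result["verdict"] = "not-office"
        return result
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            if "[Content_Types].xml" in names:
                result["macro_content_type"] = MACRO_CONTENT_TYPE in zf.read("[Content_Types].xml")
    except zipfile.BadZipFile:
        result["verdict"] = "bad-zip"
        return result

    result["has_vba"] = any(n.lower().endswith(VBA_PART_SUFFIX) for n in names)
    if result["has_vba"] or result["macro_content_type"]:
        result["verdict"] = "macro-enabled" if ext in MACRO_ENABLED_EXTS else "macro-hidden"
    return result


# --- constructed samples (stand-ins for real attachments; the VBA part is a placeholder) ---
DOCX_MAIN = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
DOCM_MAIN = "application/vnd.ms-word.document.macroEnabled.main+xml"


def build_package(with_macros: bool, main_content_type: str) -> bytes:
    """Minimal Office Open XML-shaped zip: content types, a document part, optional VBA part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0" encoding="UTF-8"?>'
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                    '<Override PartName="/word/document.xml" ContentType="%s"/></Types>' % main_content_type)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"\x00" * 64)   # placeholder, not a real VBA project
    return buf.getvalue()


SAMPLES = {
    "invoice.docx": build_package(False, DOCX_MAIN),
    "invoice.docm": build_package(True, DOCM_MAIN),
    "invoice_final.docx": build_package(True, DOCM_MAIN),      # .docm renamed to look harmless
    "old_invoice.doc": OLE_MAGIC + b"\x00" * 504,
    "readme.txt": b"just text, nothing to see\n",
}


def scan_samples() -> Dict[str, str]:
    return {name: str(assess_office_attachment(name, data)["verdict"]) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in scan_samples().items():
        print("%-20s %s" % (name, verdict))
```

The interesting case is `invoice_final.docx`: the extension says 'no macros', the contents say otherwise, and that mismatch alone is reason enough to quarantine the file. Note that the script only tells you that macros are present, not what they do; a `macro-enabled` verdict on an invoice you were not expecting should still end with the attachment deleted, not with Enable Content.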
Ransomware is one of the most frightening kinds of malware to crop up in recent years. Unfortunately, because it's so effective and so profitable, it isn't likely to go away anytime soon.
While cleaning up an infected system and getting the files back is close to impossible, the good news is that keeping ransomware out isn't all that difficult.
There are programs designed to detect ransomware before it can take root and encrypt your system, and a few good security habits go a long way in keeping you protected!
Always remember to back up your files as well! Even if it's only the most important ones, back them up at least weekly, if not more often.
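The backup advice here and in the tips above comes with one detail that decides whether the backup actually saves you: it has to keep old versions. A plain mirror faithfully copies the encrypted files over the clean ones. The example below is added for this article and is not any vendor's backup format; it sketches the simplest design that survives ransomware, an append-only store where file contents are saved by their SHA-256 digest and each snapshot is just a manifest of path to digest. The scenario it runs (two files, a simulated infection that rewrites them with fake ciphertext and a `.locked` extension) is constructed, and the file contents and timestamps are made up.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class SnapshotStore:
    """Append-only backup. File contents are stored once by SHA-256 digest and each snapshot
    is a manifest mapping path -> digest. Nothing is ever overwritten or deleted, so when a
    file on the source is replaced by ciphertext, the new snapshot points at new blobs and
    the older snapshot still points at the clean ones."""
    blobs: Dict[str, bytes] = field(default_factory=dict)
    snapshots: List[Tuple[float, Dict[str, str]]] = field(default_factory=list)

    def snapshot(self, files: Dict[str, bytes], timestamp: float) -> int:
        manifest = {}
        for path, content in files.items():
            digest = hashlib.sha256(content).hexdigest()
            self.blobs.setdefault(digest, content)     # unchanged files cost no extra space
            manifest[path] = digest
        self.snapshots.append((timestamp, manifest))
        return len(self.snapshots) - 1

    def restore(self, before: float) -> Dict[str, bytes]:
        """Contents as of the latest snapshot taken strictly before `before`."""
        older = [s for s in self.snapshots if s[0] < before]
        if not older:
            raise LookupError("no snapshot before %r" % before)
        _, manifest = max(older, key=lambda s: s[0])
        return {path: self.blobs[digest] for path, digest in manifest.items()}


class MirrorSync:
    """A plain sync folder with no version history: the copy always equals the source."""
    def __init__(self) -> None:
        self.files: Dict[str, bytes] = {}

    def sync(self, files: Dict[str, bytes]) -> None:
        self.files = dict(files)


def simulate() -> Dict[str, object]:
    """Constructed scenario: two clean snapshots, then an infection that rewrites every file
    with fake ciphertext and a .locked extension, which is mirrored and snapshotted once more."""
    source = {"thesis.docx": b"chapter 1: introduction ...", "photo.jpg": b"\xff\xd8\xff\xe0 jpeg bytes"}
    store, mirror = SnapshotStore(), MirrorSync()
    store.snapshot(source, timestamp=100.0)
    store.snapshot(source, timestamp=150.0)            # nothing changed: manifest only, no new blobs
    mirror.sync(source)

    # stand-in for what ransomware does to the source folder at t=200 (hashes play the ciphertext)
    encrypted = {p + ".locked": hashlib.sha256(p.encode()).digest() for p in source}
    store.snapshot(encrypted, timestamp=200.0)
    mirror.sync(encrypted)

    return {
        "mirror_files": sorted(mirror.files),            # only .locked files survive in the mirror
        "restored": store.restore(before=200.0),         # clean contents from the t=150 snapshot
        "blob_count": len(store.blobs),                  # 2 clean + 2 ciphertext, deduplicated
    }


if __name__ == "__main__":
    outcome = simulate()
    print("mirror now holds:", outcome["mirror_files"])
    print("restored from snapshot:", sorted(outcome["restored"]))
```

After the simulated attack the mirror holds nothing but `.locked` files, while `restore(before=200.0)` returns both originals intact. The same property is what 'version history' in Dropbox or Google Drive gives you, and what an external drive that is only plugged in during the backup gives you by construction; whichever you pick, test the restore before you need it.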
With good security habits in place, an anti-ransomware program and continuous backups, you don't need to lose any sleep over ransomware!