Russ Harvey Consulting - Computer and Internet Services

Ransomware

Holding Your Digital Life for Ransom


Ransomware encrypts your data and holds it hostage

What is Ransomware?

Ransomware is a form of malware that encrypts your most valuable data files (documents, financial data, letters, photos, music and everything else it can reach) and then demands a ransom for the decryption key.

Without that key the files are unreadable. The attackers' pitch is that paying is the only way to get them back; a current offline backup is the real way.
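As an added illustration (not part of the original page), the Python script below shows what "encrypted files" look like from the defender's side and how a machine can notice them. Encrypted output is indistinguishable from random bytes, so its per-byte entropy sits near 8 bits, while letters and documents sit far lower; and a canary document that nobody legitimately edits will change the moment a bulk encryptor sweeps through a folder. The sample folder, the file names and the 7.2-bit cut-off are constructed for this example.

```python
"""Added example: noticing ransomware-style encryption on disk.

Two checks a defender can run over a folder:
  1. Shannon entropy of each file's head: ciphertext is ~8 bits/byte, documents
     and source text sit well below.  Already-compressed formats also look random,
     so those extensions are skipped to limit false alarms.
  2. A canary (bait) file that nobody edits: if its hash changes, something is
     rewriting files in bulk.
"""
import hashlib
import math
import os
import shutil
import tempfile
from collections import Counter

ENTROPY_THRESHOLD = 7.2   # bits per byte; text is ~4-5, ciphertext ~8 (assumed cut-off)
SKIP_EXTENSIONS = {".zip", ".gz", ".7z", ".rar", ".jpg", ".jpeg", ".png",
                   ".mp3", ".mp4", ".pdf"}   # already-compressed formats look random too
SAMPLE_BYTES = 65536      # only the head of each file is examined


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, 8.0 when all 256 byte values are equally common."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((n / total) * math.log2(n / total) for n in Counter(data).values())


def sha256_file(path: str) -> str:
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def suspicious_files(root: str) -> list:
    """Paths under root whose contents look like ciphertext (high entropy, not a compressed format)."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if os.path.splitext(name)[1].lower() in SKIP_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                head = f.read(SAMPLE_BYTES)
            # Tiny files give unreliable entropy figures, so they are ignored.
            if len(head) >= 256 and shannon_entropy(head) > ENTROPY_THRESHOLD:
                hits.append(path)
    return sorted(hits)


def canary_tripped(path: str, expected_sha256: str) -> bool:
    """True once the bait file has been rewritten or deleted."""
    return not os.path.exists(path) or sha256_file(path) != expected_sha256


def demo() -> dict:
    """Constructed sample: one real document, one 'encrypted' file, one canary that gets overwritten."""
    root = tempfile.mkdtemp(prefix="ransom_demo_")
    try:
        with open(os.path.join(root, "report.txt"), "wb") as f:
            f.write(b"Quarterly report: revenue rose 4 percent on stronger sales.\n" * 200)
        # Deterministic stand-in for ciphertext: every byte value appears equally often.
        pseudo_cipher = bytes(range(256)) * 64
        with open(os.path.join(root, "report.txt.locked"), "wb") as f:
            f.write(pseudo_cipher)
        canary = os.path.join(root, "~do_not_open.docx")   # hypothetical bait file name
        with open(canary, "wb") as f:
            f.write(b"canary")
        baseline = sha256_file(canary)
        flagged = [os.path.basename(p) for p in suspicious_files(root)]
        before = canary_tripped(canary, baseline)
        with open(canary, "wb") as f:           # simulate the malware rewriting the bait file
            f.write(pseudo_cipher)
        after = canary_tripped(canary, baseline)
        return {"suspicious": flagged, "canary_before": before, "canary_after": after}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

The entropy test alone produces false positives on archives and media, which is why real products pair it with the extension skip-list, file-rename patterns and canaries rather than relying on one signal.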


Responding to Ransomware

If you are the victim of a ransomware attack, how do you respond?

First of all, do not pay the ransom.

Paying only encourages further development of ransomware and more frequent attacks, and it is no guarantee that you'll get your files back. As inconvenient as it is, your best bet is to disconnect the infected machine from the network (and from any attached backup drive) immediately so the encryption can't spread, then tighten your security and restore your files from a recent, uninfected backup.

Ransomware Facts

Some facts about ransomware:

  • Ransomware is a special sort of malware infection that encrypts your data files (and, in some variants, the boot record or the entire disk), then holds them for ransom.
  • Most variants threaten to destroy the decryption key once the deadline passes or if the malware is tampered with. Don't experiment on the infected machine itself; if you intend to attempt recovery, work from a copy (image) of the drive.
  • Paying the ransom is no guarantee of recovery. You're dealing with thieves, not honest businessmen.
  • Microsoft and others recommend NOT paying. Without income, this sort of malware becomes unprofitable and dies off.
  • Other than prevention, your only realistic alternative is to wipe your computer, reinstall everything and restore your data from a reliable (and uninfected) current backup.
  • PC Magazine's The best ransomware protection of 2017 provides an excellent overview of ransomware as well as assessing various solutions.

Ransomware-as-a-Service

One 2017 release is called RedBoot, named for what you see when infected: the computer boots to a red screen with white text telling you that your files have been encrypted, with instructions to email an address to arrange the ransom payment.

RedBoot arrived amid a wave of ransomware-as-a-service (RaaS), in which ransomware is sold or rented as a commercial product, making it available to virtually anyone, with no programming skill, to use.

This ransomware can alter your master boot records, change partition tables and encrypt files. That means it can do real damage to your machine. — TechRepublic

IoT and Ransomware

The future of ransomware could be even grimmer with the Internet of Things (IoT).

Manufacturers have been busy installing Internet-connected microcomputers in everything — baby monitors, cameras, cars, hospital equipment, smart TVs and much more.

Forbes predicts that by 2025, we'll have over 80 billion smart devices on the internet. Much of the embedded firmware running on these devices is insecure and highly vulnerable, leaving an indeterminate number of critical systems and data around the world at risk. — IoT for All

It's only a matter of time before people get messages on their car screens saying that the engine has been disabled and it will cost $200 in bitcoin to turn it back on. Or a similar message on their phones about their Internet-enabled door lock: Pay $100 if you want to get into your house tonight. Or pay far more if they want their embedded heart defibrillator to keep working. — Bruce Schneier

No Plans for Security

Security was never designed into most of the products that make up the rapidly expanding Internet of Things, and on a device with no update mechanism it is usually impossible to add after manufacture.

If you're fed up with paying to protect your computer, imagine being faced with the choice of paying a ransom for your IoT devices or throwing them away.


Preparing for Recovery

Prevention isn't easy, and the only reliable recovery is to wipe your hard drive and restore files from a RECENT, secure, offline backup. Cloud folders that sync automatically and backup drives that stay connected are not safe: if your computer is compromised, the ransomware encrypts the attached drive along with everything else, and the sync client faithfully uploads the encrypted versions over the good ones (check whether your cloud service keeps earlier versions of files; some do).

The main thing is to avoid any risky behaviour and to prepare as best you can to recover.

Here are some keys to preparing your computer(s) and data for recovery:

  • Keep your computer(s) fully patched, installing updates as soon as they are released, to reduce the chance of infection.
  • Use secure passwords and change the default passwords on equipment like your router.
  • Create and maintain a regular complete backup of your critical data files (irreplaceable documents, photos, media downloads, etc.), and test restoring a few files from it now and then so you know it works.
  • Use a USB-based hard drive that is not permanently connected to the computer, storing that drive in a secure location when not backing up or restoring files.
  • Regularly back up current (in-use) files to a thumb drive (removing the drive from the computer when a backup isn't in progress).
  • Be wary of opening email attachments without scanning them first, and never enable macros in a document you weren't expecting. If the email itself is unexpected (e.g. a surprise "notice" from FedEx) you should delete it (FedEx likely didn't have your email address, only your phone number).
  • Avoid downloading or watching videos on unknown pages. Facebook is famous for obscuring the destination of links on its site and for fake news links. Don't go there.
  • Don't allow people to use your computer unsupervised, and in particular don't allow them to download and install software. This is especially true for your children.
  • If you must have a "guest" computer, keep it off your main network (a separate guest Wi-Fi network will do) and don't give the account they use Administrator privileges.
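The backup steps above are worth pairing with a way to prove, before you restore, that the offline copy is intact and that it was the live files, not the backup, that changed. The Python script below is an added example written for this page (it is not the page's own code or any vendor's tool): it copies a folder to a target that stands in for a USB drive, writes a manifest of SHA-256 hashes beside the copies, and later checks both the live folder and the backup against that manifest. The folder layout, the manifest file name and the simulated "encryption" are constructed for the example.

```python
"""Added example: an offline backup you can verify before trusting it.

The manifest is taken at backup time and stored on the backup media, so after an
incident you can show (a) which live files no longer match, and (b) that the
disconnected backup still does, before copying anything back.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

MANIFEST_NAME = "manifest.sha256.json"   # hypothetical name chosen for this example


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root, POSIX style) to its SHA-256 hex digest."""
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.name != MANIFEST_NAME
    }


def backup(source: Path, target: Path) -> dict:
    """Copy source into target (e.g. a mounted USB drive) and write the manifest there."""
    target.mkdir(parents=True, exist_ok=True)
    manifest = build_manifest(source)
    for rel in manifest:
        dest = target / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(source / rel, dest)
    (target / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2))
    return manifest


def verify(root: Path, manifest: dict) -> list:
    """Relative paths under root that are missing or whose hash no longer matches the manifest."""
    bad = []
    for rel, digest in manifest.items():
        p = root / rel
        if not p.is_file() or hashlib.sha256(p.read_bytes()).hexdigest() != digest:
            bad.append(rel)
    return bad


def restore(target: Path, source: Path, rel: str) -> None:
    """Copy one verified file back from the backup over the damaged live copy."""
    (source / rel).parent.mkdir(parents=True, exist_ok=True)
    shutil.copy2(target / rel, source / rel)


def demo() -> dict:
    """Constructed scenario: back up, unplug, get 'encrypted', verify, restore."""
    work = Path(tempfile.mkdtemp(prefix="backup_demo_"))
    try:
        live, usb = work / "live", work / "usb"
        (live / "docs").mkdir(parents=True)
        (live / "docs" / "letter.txt").write_text("Dear Sam, the contract is attached.\n")
        (live / "photo.bin").write_bytes(bytes(range(256)))
        manifest = backup(live, usb)
        # The drive is now disconnected; meanwhile one live file is overwritten (simulated ransomware).
        (live / "docs" / "letter.txt").write_bytes(bytes(reversed(range(256))))
        live_damage = verify(live, manifest)
        # Re-read the manifest from the backup media, as you would after an incident.
        stored = json.loads((usb / MANIFEST_NAME).read_text())
        backup_bad = verify(usb, stored)
        if not backup_bad:
            for rel in live_damage:
                restore(usb, live, rel)
        return {"live_damage": live_damage, "backup_bad": backup_bad,
                "after_restore": verify(live, manifest)}
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

Keep the manifest with the backup, not on the computer being backed up: a manifest that ransomware can overwrite proves nothing.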

Winning the War on Ransomware

See Trustwave's Winning the War on Ransomware infographic.

Ransomware Resources


Ransomware History

CryptoLocker Started it All

CryptoLocker, released in 2013, demanded a significant ransom in bitcoin, payable within 72 hours, after which the decryption key (needed for recovery) would be destroyed.

CryptoLocker spread mainly through email attachments and an existing botnet (Gameover ZeuS); other ransomware has arrived through malicious ads on legitimate websites, and the criminals' payment sites and control servers are commonly hidden on the Tor network.

New Variations

While the botnets distributing CryptoLocker have been shut down, the idea has since been copied by new families such as CryptoWall, CoinVault, TorrentLocker and Cerber, which the CryptoLocker decryption tools cannot help with.

Bad Rabbit

Bad Rabbit appears to be moving ransomware into the low-rent district. Access to an already-compromised Windows XP machine can be purchased for $3, a Windows 10 machine for $9. The initial 0.05 bitcoin ransom (approximately US$285 at the time) has a deadline after which the price goes up, so the attacker recovers over 30 times his investment on the first victim who pays. Where's the incentive to go legit?

Locky Ransomware

Locky is a rapidly evolving ransomware family. It was initially distributed by email as an "invoice" in a .doc attachment whose macro, once the recipient enabled it, downloaded the ransomware, which then encrypted the victim's files. It has also spread through fake Adobe Flash updates.
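The "scan attachments before opening them" advice in the recovery checklist and the macro-laden Locky invoice described here come down to the same check, so here is one added Python example (written for this page, not code from the page or from any mail product) that triages an attachment by what it contains rather than what it is called. Modern Office files (.docx, .docm, .xlsm and friends) are ZIP packages in which VBA macro code is stored as vbaProject.bin; legacy binary .doc/.xls files are OLE2 compound documents that can also carry macros but are not parsed here, so they are reported as unverifiable and should be held. The sample attachments are constructed in memory.

```python
"""Added example: classify an e-mail attachment for Office macros before anyone opens it."""
import io
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls/.ppt container signature
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".xlam", ".pptm", ".potm", ".ppam"}


def classify_attachment(filename: str, data: bytes) -> str:
    """Return 'clean-ooxml', 'macro-ooxml', 'legacy-binary-office' or 'unknown'.

    The verdict is driven by the bytes, so an 'invoice.doc' that is really a
    macro-bearing ZIP package is still caught.
    """
    ext = ("." + filename.rsplit(".", 1)[-1].lower()) if "." in filename else ""
    if data.startswith(OLE2_MAGIC):
        # Old binary format: macros live in OLE streams this example does not parse.
        return "legacy-binary-office"
    if data.startswith(b"PK"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = {n.lower() for n in zf.namelist()}
        except zipfile.BadZipFile:
            return "unknown"
        if "[content_types].xml" not in names:
            return "unknown"          # a ZIP, but not an Office package
        has_vba = any(n.endswith("vbaproject.bin") for n in names)
        if has_vba or ext in MACRO_EXTENSIONS:
            return "macro-ooxml"
        return "clean-ooxml"
    return "unknown"


def triage(attachments) -> dict:
    """Verdict per attachment name; anything other than 'clean-ooxml' should be held for review."""
    return {name: classify_attachment(name, data) for name, data in attachments}


def _ooxml(parts: dict) -> bytes:
    """Build a minimal Office-style ZIP package in memory (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in parts.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample attachments: a clean document, a macro-bearing one, a legacy binary file.
CLEAN_DOCX = _ooxml({"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<w:document/>"})
MACRO_DOCM = _ooxml({"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<w:document/>",
                     "word/vbaProject.bin": b"\x00VBA"})
LEGACY_DOC = OLE2_MAGIC + b"\x00" * 64


if __name__ == "__main__":
    for name, verdict in triage([("report.docx", CLEAN_DOCX), ("invoice.docx", MACRO_DOCM),
                                 ("invoice.doc", LEGACY_DOC), ("notes.txt", b"hello")]).items():
        print(f"{name}: {verdict}")
```

A mail gateway would do the same thing with a full OLE parser for the legacy formats; the point here is that the extension and the sender's story are never trusted over the file's own structure.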

Ransomware has evolved over time.

Computers are infected automatically, with viruses that spread over the internet. Payment is no more difficult than buying something online -- and payable in untraceable bitcoin -- with some ransomware makers offering tech support to those unsure of how to buy or transfer bitcoin. Customer service is important; people need to know they'll get their files back once they pay. — Bruce Schneier

IBM found that 70% of businesses infected with ransomware paid the ransom. Individuals are much less likely to pay; most simply abandon the lost data, with financial records the main exception.

The flaw WannaCry exploited had been patched by Microsoft two months before the attack (an emergency patch for XP followed once it struck), yet there were disasters. In Europe a related infection was spread as what looked like an update to a popular accounting package.

Many organizations take a long time testing a patch to ensure it won't create issues on their networks, yet this sort of infection now evolves so quickly that there is no longer that luxury.

People will often not account for the fact that attackers attempt to get in through the most vulnerable parts of their organisation, leaving them with a network composed of 99.9 percent super-hardened endpoints and one box running Windows XP. — SC Media

Vulnerable software (especially unsupported Windows computers) can be the pathway through which other computers on your network are infected.

Learning More






www.RussHarvey.bc.ca/resources/ransomware.html
Updated: August 20, 2018