Ransomware - Understanding what it is

One of the hot topics in security lately is Ransomware, and it doesn’t appear to be going away. In fact, new styles and versions are popping up almost every day. In case you haven’t heard too much about it, Ransomware is a type of malware that uses various encryption methods to prevent access to your own files (documents, pictures, videos, etc.). After your files are encrypted a ransom note, or pop-up window, is displayed requiring payment in order to receive the decryption key so that you can regain access. Typically it is downloaded as a file through spam or from a compromised website and occasionally through a vulnerability in the network or through an existing exploit-kit (another type of malware allowing access to your system).

3
3

The overall goal of Ransomware? Payment. Even though Ransomware seems to have popped up recently, it has been around for a while. It’s simply become easier to use for attackers and has become much more lucrative, causing its increase in popularity.

What does ransomware do?

There are different types of ransomware. However, all of them will prevent you from using your PC normally, and they will all ask you to do something before you can use your PC.

They can target any PC users, whether it’s a home computer, endpoints in an enterprise network, or servers used by a government agency or healthcare provider.

Ransomware can:

  • Prevent you from accessing Windows.
  • Encrypt files so you can't use them.
  • Stop certain apps from running (like your web browser).

Ransomware will demand that you pay money (a “ransom”) to get access to your PC or files. We have also seen them make you complete surveys. There is no guarantee that paying the fine or doing what the ransomware tells you will give access to your PC or files again.

Early versions of Ransomware would simply lock you out of your operating system and require a wire or mobile payment. These were easy to defeat and not very lucrative.

Ransomware as we know it today is very hard to defeat and with the development of Bitcoin, and other crypto-currencies, it has become one of the easiest ways for a cyber-criminal to make a quick buck. In fact CryptoLocker, one of the first major ransomware campaigns, was estimated to bring in over $3 Million before it was taken down. CryptoWall, another version that has popped up since CryptoLocker, is estimated to have accrued more than 20 Million at this time and still growing.

Why should you care?

The use and distribution of Ransomware has become much more widespread and popular and it is very difficult to detect and defeat. A good paid Antivirus will only be able to detect the older versions since they are changing so frequently and unless you enjoy spending hundreds to regain access to your data, you need to know what to look for.

CTB-Locker
CTB-Locker

The majority of Ransomware that I have seen has been distributed either through spam email as an attachment or through corrupted downloads. Most of the email attachments are either documents with Macros, see this article, or a java based executable disguised as a program such as Chrome. The corrupted download are usually torrent downloaded files. I highly recommend scanning every download or email attachment with your antivirus before opening or running it on your system.

If you happen to be infected, the encryption used by most of these viruses are very hard to beat. There are only a handful of ransomware viruses that have decrypting software available for them. Without an available decryption program, your only options are to pay the ransom or do a system restore from your last backup. That being said, a frequent backup is ultimately the best defence. Just be sure to back up to an external drive that is not left plugged in to your computer or your network.

Now, unless you are a business owner, I’m not suggesting that you do hourly or even daily backups of your data. But maybe do a backup each time you finish uploading a bunch of videos and pictures from your latest family gathering or after completing and saving some important documents that you’ve been working on. Another good recommendation, as long as you don’t have too many gigabytes of important data to backup, is to keep copies saved to a cloud based storage. Using something like Google Drive for documents is a good idea because in the event you are hit by Ransomware, you can still access them anywhere you can access your Gmail.

Lock screen Ransomware and Encryption Ransomware

Lock screen ransomware shows a full-screen message that prevents you from accessing your PC or files. It says you have to pay money (a “ransom”) to get access to your PC again.

Encryption ransomware changes your files so you can’t open them. It does this by encrypting the files – see the Details for enterprises section if you’re interested in the technologies and techniques we’ve seen.

Older versions of ransom usually claim you have done something illegal with your PC, and that you are being fined by a police force or government agency.

These claims are false. It is a scare tactic designed to make you pay the money without telling anyone who might be able to restore your PC.

Newer versions encrypt the files on your PC so you can’t access them, and then simply demand money to restore your files.

Ransomware can get on your PC from nearly any source that any other malware (including viruses) can come from. This includes:

  • Visiting unsafe, suspicious, or fake websites.
  • Opening emails and email attachments from people you don’t know, or that you weren’t expecting.
  • Clicking on malicious or bad links in emails, Facebook, Twitter, and other social media posts, instant messenger chats, like Skype.

It can be very difficult to restore your PC after a ransomware attack – especially if it’s infected by encryption ransomware.

That’s why the best solution to ransomware is to be safe on the Internet and with emails and online chat:

  • Don’t click on a link on a webpage, in an email, or in a chat message unless you absolutely trust the page or sender.
  • If you’re ever unsure – don’t click it!
  • Often fake emails and webpages have bad spelling, or just look unusual. Look out for strange spellings of company names (like “PayPal” instead of “PayPal”) or unusual spaces, symbols, or punctuation (like “iTunes Customer Service” instead of “iTunes Customer Service”).

Check our frequently asked questions for more information about ransomware, including troubleshooting tips in case you’re infected, and how you can back up your files to help protect yourself from ransomware.

All credit to this article goes to the CyberSTAC team. Please visit their page for more information on Cyber Security and Threat awareness.

For more information about Ransomware, please visit the Microsoft website for an in depth analysis on Ransomware.