A few days ago, I got a call from one of our clients stating they think they have a virus and it has encrypted all of their files.
“All of our files won’t open”
“Is there anything I can do about it?”
My first thought was: ” hope he has a data backup.” So I had to ask:
“Do you have a backup?”
I could literally feel his mood change as he said “no.”
This scenario is unfolding right now somewhere in the world. Maybe even in your city or neighborhood.
In this very moment, someone is clicking a link in a spam email or activating macros in a malicious document.
In a few seconds, all their data will be encrypted and they’ll have just a few days to pay hundreds of dollars to get it back. Unless they have a backup, which most people don’t.
Ransomware creators and other cyber criminals involved in the malware economy are remorseless. They’ve automated their attacks to the point of targeting anyone and everyone.
Take this story from the New York Times:
MY mother received the ransom note on the Tuesday before Thanksgiving. It popped up on her computer screen soon after she’d discovered that all of her files had been locked. “Your files are encrypted,” it announced. “To get the key to decrypt files you have to pay 500 USD.” If my mother failed to pay within a week, the price would go up to $1,000. After that, her decryption key would be destroyed and any chance of accessing the 5,726 files on her PC — all of her data — would be lost forever.
I hope you’re just reading this post to be prepared for a ransomware attack. Prevention is absolutely the best security strategy in this case.
This guide is packed with concrete information on:
- What ransomware is
- How it evolved
- Who ransomware creators target most frequently
- How ransomware spreads via the web
- How ransomware infections happen
- Why ransomware often goes undetected by antivirus
- The most notorious ransomware families
- How to set up the best protection against ransomware
- How to decrypt your data without paying the ransom
You shouldn’t feel helpless when thinking of the crushing effects of ransomware. There are a lot of practical provisions you can take to block or limit the impact of cyber attacks on your data. And I’m about to show you just what to do.
What is ransomware?
Ransomware is a sophisticated piece of malware that blocks the victim’s access to his/her files.
There are two types of ransomware in circulation:
- Encrypting ransomware, which incorporates advanced encryption algorithms. It’s designed to block system files and demand payment to provide the victim with the key that can decrypt the blocked content. Examples include CryptoLocker, Locky, CrytpoWall and more.
- Locker ransomware, which locks the victim out of the operating system, making it impossible to access the desktop and any apps or files. The files are not encrypted in this case, but the attackers still ask for a ransom to unlock the infected computer. Examplesinclude the police-themed ransomware or Winlocker.
- Another version pertaining to this type is the Master Boot Record (MBR) ransomware. The MBR is the section of a PC’s hard drive which enables the operating system to boot up. When MBR ransomware strikes, the boot process can’t complete as usual, and prompts a ransom note to be displayed on the screen. Examples include Satana and Petyaransomware.
However, the most widespread type of ransomware is crypto-ransomware or encrypting ransomware, which I’ll focus on in this guide. The cyber security community agrees that this is the most prominent and worrisome cyber threat of the moment.
Ransomware has some key characteristics that set it apart from other malware:
- It features unbreakable encryption, which means that you can’t decrypt the files on your own (there are various decryption tools released by cyber security researchers – more on that later);
- It has the ability to encrypt all kinds of files, from documents to pictures, videos, audio files and other things you may have on your PC;
- It can scramble your file names, so you can’t know which data was affected. This is one of the social engineering tricks used to confuse and coerce victims into paying the ransom;
- It will add a different extension to your files, to sometimes signal a specific type of ransomware strain;
- It will display an image or a message that lets you know your data has been encrypted and that you have to pay a specific sum of money to get it back;
- It requests payment in Bitcoins, because this crypto-currency cannot be tracked by cyber security researchers or law enforcements agencies;
- Usually, the ransom payments has a time-limit, to add another level of psychological constraint to this extortion scheme. Going over the deadline typically means that the ransom will increase, but it can also mean that the data will be destroyed and lost forever.
- It uses a complex set of evasion techniques to go undetected by traditional antivirus (more on this in the “Why ransomware often goes undetected by antivirus” section);
- It often recruits the infected PCs into botnets, so cyber criminals can expand their infrastructure and fuel future attacks;
- It can spread to other PCs connected in a local network, creating further damage;
- It frequently features data exfiltration capabilities, which means that ransomware can extract data from the affected computer (usernames, passwords, email addresses, etc.) and send it to a server controlled by cyber criminals;
- It sometimes includes geographical targeting, meaning the ransom note is translated into the victim’s language, to increase the chances for the ransom to be paid.
The inventory of things that ransomware can do keeps growing every day, with each new security alert broadcasted by our team or other malware researchers.
As ransomware families and variants multiply, you need to understand that you need at least baseline protection to avoid data loss and other troubles.
Encrypting ransomware is a complex and advanced cyber threat which uses all the tricks available because it makes cyber criminals a huge amount of money. We’re talking millions!
If you’re curious how it all started, it’s time to go over:
A quick history of ransomware
It may be difficult to imagine, but the first ransomware in history emerged in 1989 (that’s 27 years ago). It was called the AIDS Trojan, whose modus operandi seems crude nowadays. It spread via floppy disks and involved sending $189 to a post office box in Panama to pay the ransom.
How times have changed!
As cyber criminals moved from cyber vandalism to cyber crime as a business, ransomware emerged as the go-to malware to feed the money-making machine.
The advent of Bitcoin and evolution of encryption algorithms favored made the context ripe for ransomware development too.
This graph shows just how many types of encrypting malware researchers have discovered in the past 10 years.
Image source: CERT-RO
And keep in mind 3 things, so you can get a sense of how big the issue really is:
- There are numerous variants for each type (for example, CrytpoWall is on its 4th version);
- No one can map all the existing ransomware out there (because most ransomware attacks go unreported);
- New ransomware is coming out in volumes at an ever-increasing pace.
If you’re curious to see which key moments made ransomware history, here’s a great list of them.
As you can see for yourself, things escalated quickly and the trend continues to grow.
Cyber criminals are not just malicious hackers who want public recognition and are driven by their quest for cyber mischief. They’re business-oriented and seek to cash out on their efforts.
Top targets for ransomware creators and distributors
Clearly, ethics or morality have no weight in today’s money-hungry cyber crime business. “There is honor among thieves” was tossed out the window a long time ago.
That leaves us with to dig out the reasons why online criminals choose to target various types of Internet users. This may help you better understand why things happen as they do right now.
Why ransomware creators and distributors target home users:
- Because they don’t have data backups;
- Because they have little or no cyber security education, which means they’ll click on almost anything;
- Because the same lack of online safety awareness makes them prone to manipulation by cyber attackers;
- Because they lack even baseline cyber protection;
- Because they don’t keep their software up to date (even if specialists always nag them to);
- Because they fail to invest in need-to-have cyber security solutions;
- Because they often rely on luck to keep them safe online (I can’t tell you how many times I’ve heard “it can’t happen to me”);
- Because most home users still rely exclusively on antivirus to protect them from all threats, which is frequently ineffective in spotting and stopping ransomware;
- Because of the sheer volume of Internet users that can become potential victims (more infected PCs = more money).
Why ransomware creators and distributors target businesses:
- Because that’s where the money is;
- Because attackers know that ransomware can cause major business disruptions, which will increase their chances of getting paid;
- Because computer systems in companies are often complex and prone to vulnerabilities that can be exploited through technical means;
- Because the human factor is still a huge liability which can also be exploited, but through social engineering tactics;
- Because ransomware can affect not only computers, but also servers and cloud-based file-sharing systems, going deep into a business’s core;
- Because cyber criminals know that business would rather not report ransomware attacks for fears of legal or reputation-related consequences;
- Because small businesses are often unprepared to deal with advanced cyber attacks (which ransomware is) and have a lax BYOD (bring your own device) policy.
Why ransomware creators and distributors target public institutions:
- Because public institutions, such as government agencies, manage huge databases of personal and confidential information that cyber criminals can sell;
- Because these institutions ofttimes lack appropriate cyber defenses that can protect them against ransomware;
- Because the staff is not trained to spot and avoid cyber attacks (ransomware often leverages the human factor weakness to trigger the infection);
- Because public institutions often use outdated software and equipment, which means that their computer systems are packed with security holes just begging to be exploited;
- Because ransomware has a big impact on conducting usual activities, causing huge disruptions;
- Because successfully attacking public institutions feeds the cyber criminals’ egos (they may want money above all else, but they won’t hesitate to reinforce their position in the community about attacking a high-profile target).
In terms of platforms and devices, ransomware doesn’t discriminate either. We have ransomware tailor-made for personal computers (too many types to count, but more on that in “The most notorious ransomware families” section), mobile devices (with Android as the main victim and a staggering growth) and servers.
Fig. 12: The number of users encountering mobile ransomware at least once in the period April 2014 to March 2016
Source: KSN Report: Mobile ransomware in 2014-2016
When it comes to servers, the attack is downright vicious:
Some groups do this by infiltrating the target server and patching the software so that the stored data is in an encrypted format where only the cybercriminals have the key to decrypt the data.
The premise of this attack is to silently encrypt all data held on a critical server, along with all of the backups of the data.
This process may take some time, depending on the organization, so it requires patience for the cybercriminals to carry it out successfully.
Once a suitable number of backups are encrypted, the cybercriminals remove the decryption key and then make their ransom demands known, which could be in the order of tens of thousands of dollars.