First things first. What is ransomware? Ransomware, aptly described in a roundtable discussion in London as “the endemic of our time”, is malicious software that infects your computer and then either:
- Encrypts your files to prevent you from accessing them
- Locks your computer/device screen
Then, it displays messages demanding a fee to be paid in order to restore access to your data, or avoid having your sensitive files leaked to the public, or have your system work again.
1. How Does Ransomware Get into Your Computer or Device?
Ransomware can be installed on your computer or device through deceptive links or attachments in an email message, links in instant messages (chat), an infected hardware device such as a flash drive, or a malicious website. Once installed, it can lock the computer screen or encrypt important, predetermined files so that only the attacker’s key unlocks them.
There are several ways ransomware can get into a system. One of the most common ways is through phishing emails. Some phishing emails have attachments that masquerade as a file you should trust. Once they’re downloaded and opened, they can take over your computer, especially if they have built-in social engineering tools that can deceive you into allowing administrative access.
Other more aggressive ransomware forms exploit security weaknesses on systems to infect computers without needing to trick users.
2. What Ransomware Does to Your Machine
The most common action ransomware takes once inside your computer is to encrypt some or all of the files in it. The files cannot be decrypted without a mathematical key known only by the attacker. You will be presented with a message explaining that your files are now inaccessible and will only be decrypted if you send an untraceable Bitcoin payment to the attacker.
Scareware is the simplest type of ransomware. It uses scare tactics or intimidation to trick victims into paying up. It can come in the form of fake antivirus software in which a message suddenly appears claiming your computer has been infected with a virus or has other issues, and online payment is necessary to fix them.
In a less common form of ransomware, the attacker impersonates a law enforcement agency by opening a page that appears to come from local law enforcement officials. The attacker then claims your computer is being shut down because it was caught performing illegal activities online, such as viewing pornography or using pirated software. The message then demands payment of a “fine,” perhaps to make you less likely to report the attack to the authorities. Your files are encrypted all the same, making them difficult to recover unless the ransom is paid.
Another variation is known as leakware or doxware. Here, the cybercriminal threatens to publicize sensitive data on your hard drive unless you pay a ransom. But because finding and extracting such information is a very tricky proposition for criminals, encryption ransomware is by far the most common type.
Sometimes, you may be bombarded with endless alerts and pop-up messages. Other times, the computer will fail to work at all.
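As an added example that is not part of the original article, here is a small heuristic detector for the behaviour described in this section: a burst of file renames to an unknown extension, and the same note file dropped into several directories. It assumes file-activity telemetry arrives as (seconds, process, action, path) tuples; the sample events and process names are constructed for the example.

```python
# Heuristic detector for the mass-encryption behaviour described above.
# Assumption: file-activity telemetry as (seconds, process, action, path) tuples;
# SAMPLE_EVENTS is constructed for the example, not real data.
from collections import defaultdict
from pathlib import PurePosixPath

# One process mass-renames files and drops a note; other activity is benign.
SAMPLE_EVENTS = [
    (0, "winword.exe", "write", "/home/alice/docs/report.docx"),
    (1, "svc_update.exe", "rename", "/home/alice/docs/report.docx.locked"),
    (1, "svc_update.exe", "rename", "/home/alice/docs/budget.xlsx.locked"),
    (2, "svc_update.exe", "rename", "/home/alice/photos/img001.jpg.locked"),
    (2, "svc_update.exe", "rename", "/home/alice/photos/img002.jpg.locked"),
    (3, "svc_update.exe", "write", "/home/alice/docs/HOW_TO_RECOVER.txt"),
    (3, "svc_update.exe", "write", "/home/alice/photos/HOW_TO_RECOVER.txt"),
    (40, "backup.sh", "write", "/backup/2024-01-01/report.docx"),
    (41, "backup.sh", "write", "/backup/2024-01-01/budget.xlsx"),
]
# Extensions normally produced here; a rename to anything else is suspicious.
KNOWN_EXTENSIONS = {".docx", ".xlsx", ".jpg", ".txt", ".pdf"}

def detect_mass_encryption(events, window=30, rename_threshold=4, note_threshold=2):
    """Return {process: [reasons]} for processes that either rename many files to
    unknown extensions inside `window` seconds or write the same note file into
    at least `note_threshold` directories."""
    renames = defaultdict(list)                    # process -> rename timestamps
    notes = defaultdict(lambda: defaultdict(set))  # process -> note name -> dirs
    for ts, proc, action, path in events:
        p = PurePosixPath(path)
        if action == "rename" and p.suffix.lower() not in KNOWN_EXTENSIONS:
            renames[proc].append(ts)
        elif action == "write" and p.suffix == ".txt" and p.stem.isupper():
            notes[proc][p.name].add(str(p.parent))  # all-caps .txt names are typical of ransom notes
    flagged = defaultdict(list)
    for proc, stamps in renames.items():
        stamps.sort()
        for i, start in enumerate(stamps):         # sliding window over sorted timestamps
            burst = sum(1 for t in stamps[i:] if t - start <= window)
            if burst >= rename_threshold:
                flagged[proc].append(f"{burst} renames to unknown extensions within {window}s")
                break
    for proc, by_name in notes.items():
        for name, dirs in by_name.items():
            if len(dirs) >= note_threshold:
                flagged[proc].append(f"note file {name} dropped in {len(dirs)} directories")
    return dict(flagged)
```

Both thresholds are deliberately low for the constructed sample; tune them against a baseline of your own file servers before alerting on them.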
3. Who is a target for ransomware?
The short answer is everyone: Every small, mid-size and large organization is fair game.
Nevertheless, while any entity is a possible ransomware target, some are more likely targets than others. Your vulnerability to a ransomware attack can depend on the following factors:
- How attractive is your data to criminal hackers?
- How critical is it that you respond quickly to a ransom demand? For example, government agencies and medical facilities often need immediate access to their files. Law firms, telecommunications companies holding phone records, medical institutions, investigation entities, and other organizations holding sensitive data may be more willing to pay to keep news of a compromise quiet. These organizations may therefore be better targets for leakware attacks.
- How vulnerable are your systems? Do you have firewalls or endpoint protection devices? Are your systems patched? Do you have up-to-date antivirus software on every system on your network? Do you carry out regular audits of your systems?
- How well are your staff trained on phishing emails, online security, and related topics?
Now, don’t feel like you’re safe if you do not fit in any of these classifications. Ransomware spreads automatically and indiscriminately across the internet, and sometimes it’s also just a matter of opportunity. For example, attackers may choose to target universities because these institutions typically have smaller security teams and a disparate user base that does a lot of file sharing, making it easier to penetrate their defenses.
On the other hand, some organizations are tempting targets because they seem more likely to pay a ransom quickly.
4. Should I Pay Ransom?
You receive the dreaded ransomware message asking you to pay ransom to recover your data or system. The big question is, should you pay the ransom?
Before you begin losing sleep over whether to pay up, first verify that the message demanding a ransom is not so-called scareware. Less sophisticated programs merely take over your current browser session or computer screen. Your data may therefore not actually be encrypted as claimed, and you may not need to do anything about it other than ignore the message. Sometimes rebooting your machine is enough to get rid of the malicious file.
In principle, most law enforcement agencies urge you not to pay ransoms to attackers, as doing so only encourages the growth of the ransomware market on the Dark Web and funds the cybercriminals to continue their attacks.
It is also inadvisable to pay the ransom because you have no certainty that the person demanding payment is the original source of the attack. In some cases, the demand note may come from a cybercriminal who simply found the code, edited it with their own payment details, and sent it out. In that case they do not hold the decryption keys and cannot decrypt your data once they receive payment.
5. Paying the Ransom
Many people choose to pay the ransom to recover their files. Most experts and companies recommend against paying because it only encourages the ransomware creators and distributors. Yet quite often it works. It is your computer and data, and only you can make the best decision about what to do, so whether to pay the ransom is up to you.
Should you choose to pay, be aware that paying the attackers is no guarantee that you will recover your lost data or regain access to your system. Sometimes the criminals just take the money and run, and may not even have built decryption functionality into the ransomware. But any such ransomware quickly gets a bad reputation and stops generating revenue, so in most cases the criminals do restore your data. If ransomware did not unlock files after the money was paid, everyone would learn that, and ransomware attackers would make less money.
Many businesses that find themselves afflicted by ransomware quickly stop thinking in terms of the “greater good of the business community” and weigh the cost of paying the ransom against the cost of losing the data. According to research from Trend Micro:
6. How to regain access to your computer without paying the ransom
You may not get your data back, but you can regain access to your computer if it has been infected with ransomware.
CSO’s Steve Ragan has a great video demonstrating how to do this on a Windows 10 machine (https://youtu.be/kJuibb9QaWk). The video has all the details, but the important steps are to:
- Reboot Windows 10 into safe mode
- Install antimalware software
- Scan the system to find the ransomware program
- Restore the computer to a previous state
Important: By walking through these steps, you may be able to remove the malware from your computer and restore it to your control. However, this will not decrypt your files, because you still lack the decryption key/algorithm that the attacker holds. In fact, by removing the ransomware you have also precluded the possibility of ever restoring your files by paying the attackers the ransom they asked for.
7. How to Regain Access to Your Data without Paying the Ransom
If you had your data backed up and safe, then you can simply reformat/reset your device, reinstall your software, apply all critical patches, and restore the data from your backup.
Alternatively, you may also opt to use another safe, uninfected computer, and restore your backup.
If you don’t have a clean backup copy of your critical data and you absolutely need the data, you need to find an unlock key. Using another safe, trusted computer, research as much as you can about the particular ransomware variant you have. The screen message presented by the ransomware will help you identify the variant.
If you’re lucky, your ransomware variant may already have been unlocked. Many antimalware vendors have programs that detect and unlock ransomware (if they recognize the variant and have the unlock key). Security vendors such as Kaspersky and Avast also offer unlocking tools, free and commercial, for particular ransomware variants. Run such programs first. It may take an offline scan to get rid of the ransomware.
8. The Cost of Ransomware
Typical attacks ask for ransom ranging from a few hundred to thousands of dollars, payable in Bitcoin, MoneyPak, or other online payment methods. Some may also demand credit card data, adding another level of financial loss. If the attacker knows the data being held hostage can cause a significant direct financial or reputation loss to a company, they will ask for more ransom.
There are often discounts offered for acting fast to encourage victims to pay quickly before thinking too much about it. For instance, you may receive a 50% discount if you pay within three days.
Generally, the ransom price is set so that it’s high enough to be worth the criminal’s time and effort, but low enough that it’s still cheaper than what the victim would have to pay to recover their system or reconstruct the lost data.
9. How to Prevent Ransomware
General good security practices improve your defenses from all kinds of attacks including ransomware attacks. Such practices include:
- Invest in a good email security service or antispam solution that filters your emails before delivery to your mailbox. This significantly reduces the time and effort everyday users spend deciding whether an email is legitimate, ransomware, or some other form of junk mail.
- Back up your files regularly, and preferably automatically, following a resilient backup strategy. Backup is by far one of the most important tools at your disposal for preparing for a ransomware attack. While a backup does not stop ransomware attacks on your primary system, it ensures easy recovery if your data is encrypted or the primary system is locked.
- Keep your eyes peeled!
- Don’t install any software or give it administrative privileges unless it is from a source you trust. This includes the so-called system patches and updates. Be certain the vendors are real; fake patches often contain ransomware.
- Don’t install anything sent to you via email from a source you do not know/trust or offered to you when visiting a website. Install any software you need directly from the legitimate vendor’s website.
- Keep your operating systems patched and regularly updated. Where possible, set your systems to download and apply patches automatically, which removes the risk of this important task being put off indefinitely.
- Install and keep updated antivirus and antimalware software from reputable companies. This protects your computer and network against the latest ransomware threats. Windows comes with Windows Defender, but there are dozens of commercial and free malware removal options.
- Avoid suspicious websites.
- Be alert when opening any suspicious email messages. Don’t click on any links or attachments on emails whose source you do not trust.
We hope you never become a ransomware victim. The odds of infection, unfortunately, are higher today as ransomware gains popularity and sophistication.
The risks posed by ransomware are immense and can have financial and/or reputational damage for all kinds of businesses, regardless of size.
MailSafi offers a reliable, best-in-class email security service that filters your emails and blocks any containing spam, viruses, malware, trojans or ransomware before they ever reach your mailbox. This significantly reduces the risk that you or your staff will accidentally click on ransomware emails. Get in touch with us today!