With two prominent malware attacks occurring back-to-back during the past two months, you’re likely familiar with the termĀ – “Ransomware” – a cyber-crime gaining worldwide attention. In this article we explore ransomware in depth and offer recommendations and instructions to prevent it from happening and to protect your PC.
Ransomware defined:
You can think of ransomware as “data kidnapping”. It is the result of a malware attack that blocks access to a user’s PC data. Once infected, the attackers try to force you into paying money so you can regain access. In some cases there is a threat to publish or delete the data unless the ransom is paid. Data and access is blocked by using strong file encryption.
Computers can be infected whether at home or in the work environment. This includes PCs on an enterprise network or government agency servers.
Some ways of infecting your PC include:
- Surfing to unsafe or fake websites.
- Opening emails and email attachments from unknown sources.
- Opening malicious links in emails, Facebook, Twitter, and from online chat apps such as Skype.
The two main types of ransomware are: Lockscreen and Encryption.
- Lockscreen ransomware prevents you from accessing your PC or files and instead displays a full-screen message saying you have to pay a ransom to regain access.
- Encryption ransomware prevents you from opening your files by encrypting them. The encryption is very strong (uses an AES-256 “military grade” cipher algorithm), and would take an estimated 3×1051 years to crack. Also, a unique encryption key is generated for each infected computer so you can’t just get someone else’s key.
Note: There are older versions of ransomware that display false messages such as claiming you have performed an illegal activity with your PC. They then state you are being fined by a police force or government agency. We want to stress that these claims are false and can be considered a scare tactic designed to extort money from you.
What is the result of the attack?
While there are various forms of ransomware, all of them prevent you from performing normal PC functions. This includes:
- Getting locked out! Preventing you from accessing your operating system.
- Blocked access to files! Files are now encrypted and you can’t access them.
- Disabled apps! Certain programs (like your web browser), are no longer able to run.
What about the ransom?
Some ransomware attacks involve the victim having to pay money while some make you complete a survey. Payment of money is performed online and sometimes involves the victim having to pay in Internet currency Bitcoins. Due to the nature of those that commit these cybercrimes – there is no guarantee that your data or PC will return to the pre-attack state.
How much do they extort?
Symantec gained access to a malware server in 2012. This provided them first hand insight of the ransoms that were paid out. In a single day 5,700 computers were infected and 2.9% paid the ransom. This comes out to approximately $33,600 for one day.
“Given the number of different gangs operating ransomware scams, a conservative estimate is that over $5 million dollars a year is being extorted from victims. The real number is, however, likely much higher.”[1]
Recent Ransomware attacks…
WannaCrypt; May 12, 2017:
Many users around the world were victims of the malicious “WannaCrypt” software attack which has been considered one of the worst and most widespread cyber-attacks. More than 230,000 computers in over 150 countries were affected. All files on infected PCs were locked and the demanded ransom was 300 dollars in bitcoins.
Interestingly, people running Windows 10 were not targeted by the attack. Despite this, this attack was serious as evidenced in the steps Microsoft took. They took a highly unusual step in providing a security update for all customers to protect even the Windows platforms that are in custom support only. This includes Windows XP, Windows 8, and Windows Server 2003.
Supported versions of the operating system (Vista, Windows 7, 8.1, 10, etc.), have access to the security update MS17-010. If users have automatic updates enabled or have installed the update, they are protected. Microsoft states[2]: “For those organizations who have not yet applied the security update, we suggest you immediately deploy Microsoft Security Bulletin MS17-010“. They go on to state that this attack may evolve over time and additional defense strategies are warranted.
Petya; June 27, 2017:
Companies across Europe and the US were affected by the ‘Petya’ ransomware attacks. Infected computers displayed a message demanding a Bitcoin ransom of $300. Victims were unable to unlock their computers even if they paid the ransom.[3] The instructions included sending confirmation of payment to an email address. However, that email address was shut down by the email provider and there was no way to contact the attacker for a decryption key to unlock their computer.
This ransomware attack exploited the same Microsoft exploit as WannaCry – the vulnerability known as EternalBlue. Even with the patch, this cyber-attack has two other ways to spread within an organization focusing on the network administrator’s tools. Experts believe the initial infection is suspected to have been delivered through email (as with WannaCry).
If Infected With Ransomware:
You are a victim of a ransomware infection once you see some form of ransom demand appearing in a dialog window, an app, or a full-screen message. Unfortunately, this demand is displayed after encrypting your files or disabling some part of your PC.
Before you try to recover your files, Microsoft suggests trying to fully clean your PC with Windows Defender Offline. After this you can try to Backup and Restore in Windows.
We fully agree with Microsoft: “Do not pay any money to recover your files. Even if you were to pay the ransom, there is no guarantee that you will regain access to your PC or files.”
If You Already Paid:
If you paid the ransom, contact your bank and local authorities immediately. Your bank may be able to block the transaction and return your funds if you paid with a credit card. Inform your bank if you did submit credit card details to the cyber thieves.
We suggest you also contact the following government agencies that deal with fraud and scam reporting:
- In the United States, go to: On Guard Online.
- In Canada, go to: Canadian Anti-Fraud Centre.
- For other countries: go to this Microsoft site.
Prevention:
There are safe measures you can take to lessen the impact of attacks and failures and there are ways to prevent malicious attacks from crippling your PC and network.
- Keep a current back up of your data files (images, video, documents and music).
- Keep your Windows install up-to-date with the latest Windows security updates.
- Keep your antivirus program up-to-date. We highly recommend a reputable AV program with active subscription (one that keeps up to recent malicious attacks). We invite you to check out the performance and protection offered by CompuClever Antivirus PLUS.
- Do not open email links or files from a sender you do not recognize. In many cases you can recognize a fake email and webpage because they have bad spelling or look unusual.
- Be careful where you surf on the internet especially with less reputable sites. There is a greater chance of contracting a malware virus. Quite often unsafe sites can look convincing and have only subtle differences.
Microsoft states[4]: “Look out for strange spellings of company names (like “PayePal” instead of “PayPal”) or unusual spaces, symbols, or punctuation (like “iTunesCustomer Service” instead of “iTunes Customer Service”).”
Stay Safe:
Hundreds of millions of emails that include a ransomware attachment are being sent out every month. Many of these are being blocked and software vendors are working hard to shrink security holes and fix this ongoing cyber-crime.
As can be seen with the information provided here, staying informed, taking precautions, and using safe practices can help prevent you from getting an infection that could save you time and your data. If you require further information on this subject we recommend Microsoft’s Ransomware FAQ page.
[1] http://www.symantec.com
[2] https://blogs.technet.microsoft.com
[3] https://www.theguardian.com
[4] General information on ransomware