What Is Ransomware?
Ransomware is vicious malware that locks users out of their devices or blocks access to files until a sum of money or ransom is paid. Attacks cause downtime, data loss, possible intellectual property theft, and in certain industries an attack is considered a data breach.
There are many different variants; some are designed to attack Windows PCs, while other strains infect Macs and even mobile devices. This type of malware is highly effective because the encryption or locking it applies to the files is practically impossible to undo without the key, so the files cannot be recovered without paying the ransom.
September 2013 is when ransomware went pro. It typically gets installed on a user's workstation (PC or Mac) through a social engineering attack in which the user is tricked into clicking on a link or opening an attachment. Once the malware is on the machine, it starts to encrypt every data file it can find, both on the machine itself and on any network shares the PC has access to.
Next, when a user tries to open one of these files they are blocked, and the system admin who gets alerted by the user finds two files in the directory that indicate the files are being held for ransom and explain how to pay to decrypt them. New strains and variants come and go as new cyber mafias muscle into the "business". The techniques the cybercriminals use are constantly evolving to get past traditional defenses. Some major strains are CryptoLocker, CryptoWall, Locky and Cerber. This is a very successful criminal business model. As an illustration, CryptoWall has generated over 320 million dollars in revenue.
Once these files are encrypted, the only way to get them back is to restore a recent backup or pay the ransom. The problem is that backups often fail. Storage Magazine reports that over 34% of companies do not test their backups, and of those that did test, 77% found that tape backups failed to restore. According to Microsoft, 42% of attempted recoveries from tape backups in the past year have failed.
Paying the criminals usually means an amount of about $500 within the first deadline, and when that deadline expires, the ransom increases. They require payment in untraceable crypto-currencies like Bitcoin and Monero.
Many more strains are expected. These are only the early days, and as we said, it's a very successful criminal business model with many copycats. New strains regularly get spotted in the wild, and cybercrime is furiously innovating in both the technical and social engineering areas.
The best way to prevent an infection is to not rely on just one solution, but to use multiple, layered solutions for the best possible protection.
1. Security Awareness Training
It's easier to prevent malware infections if you know what to look for. The better you understand the latest techniques cyber-criminals are using, the easier it will be to avoid them. Know your enemy! Take an active approach to educating yourself by taking a security awareness training course.
2. Internet Security Products
There are many commercial products that will help you avoid malware infections, but understand that none of them are 100% effective. The cyber criminals are always looking for weaknesses in security products and promptly take advantage of them.
3. Antivirus Software
While antivirus is highly recommended, you should have multiple layers of protection in place. It is not wise to solely rely on antivirus software to keep your PC secure, as it cannot prevent infections from zero-day or newly emerging threats.
4. AntiMalware Software
Most anti-malware software like MalwareBytes is designed to run alongside Antivirus products, and it’s recommended you have both in place.
5. Whitelisting Software
Whitelisting offers the best protection against malware and virus attacks. Whitelisting software allows only known good software that you approve to run or execute on your system. All other applications are prevented from running or executing.
6. Backup Solutions
In the event of a catastrophic attack or complete system failure, it’s essential to have your data backed up. Many have been able to quickly and fully recover from an attack because their data was backed up and safe.
Because all strains are different, there isn't one set of removal instructions that works across the board. Below are steps to begin the removal process on a Windows PC; they may work completely for some infections, but not for all if you have a really nasty one. However, if you don't remove it, you will be unable to decrypt your encrypted files, so they will be gone forever!
1. Malware Scan. It’s recommended to use MalwareBytes to detect and remove the malware. First download the free version of MalwareBytes. If you are unable to run a MalwareBytes scan, restart your PC in safe mode and try to run the MalwareBytes scan this way.
To enter safe mode: as your computer restarts but before Windows launches, press F8. Use the arrow keys to highlight the appropriate safe mode option, then press ENTER.
2. System Restore. Some strains will prevent you from entering Windows or running programs. If this is the case, you can try to use System Restore to roll Windows back to a point in time before the infection. Restore your system using the System Restore settings by restarting your PC and hitting the F8 key when the PC begins to boot up.
3. Recovery Disk. Use your Windows disc to access recovery tools by selecting “Repair your Computer” on the main menu. If you don’t have your Windows disc, you can create one from another PC running the same version of Windows.
4. Antivirus Rescue Disc. If a system restore doesn't help and you still can't access Windows, try running a virus scan from a bootable disc or USB drive. You could try creating a Bitdefender Rescue CD.
5. Factory Restore. If the above steps have not worked, the last resort is a Factory Restore. PC World has comprehensive instructions for performing a factory restore.
If you manage to remove the infection from your PC using any of the steps above (except the factory restore) your next task will be to recover your files.
If you are lucky, your data didn't get encrypted; instead the malware only hid your icons, shortcuts, and files, and you can easily show hidden files: Open Computer, navigate to C:\Users\, and open the folder of your Windows account name. Then right-click each hidden folder, open Properties, uncheck the Hidden attribute, and click OK. You should be good to go from here.
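The same unhide step, done for a whole profile at once instead of folder by folder, as an added example that is not part of the original article. It assumes $ProfilePath is the affected account's folder, that it runs in that user's session or elevated, and it leaves the entries Windows hides on purpose (System-attribute files and AppData) alone.

```powershell
# Added example (not from the original article): recursively clear the Hidden
# attribute that some ransomware strains set on a user's own folders and files.
# Assumptions: $ProfilePath is the account to repair; run in that user's session
# or elevated. -DryRun only reports what would change.
param(
    [string]$ProfilePath = (Join-Path 'C:\Users' $env:USERNAME),
    [switch]$DryRun
)

$hiddenFlag = [int][IO.FileAttributes]::Hidden
$systemFlag = [int][IO.FileAttributes]::System

# -Force is required, otherwise Get-ChildItem silently skips hidden entries.
$items = Get-ChildItem -Path $ProfilePath -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { ([int]$_.Attributes -band $hiddenFlag) -eq $hiddenFlag }

$changed = 0
foreach ($item in $items) {
    # Windows hides some of its own entries (System attribute, e.g. desktop.ini)
    # and the AppData folder; leave those alone so the profile stays intact.
    if (([int]$item.Attributes -band $systemFlag) -eq $systemFlag) { continue }
    if ($item.FullName -like (Join-Path $ProfilePath 'AppData*')) { continue }

    if ($DryRun) {
        Write-Output "Would unhide: $($item.FullName)"
    } else {
        # Clear only the Hidden bit; keep ReadOnly, Archive and so on as they were.
        $item.Attributes = [int]$item.Attributes -band (-bnot $hiddenFlag)
        Write-Output "Unhid: $($item.FullName)"
    }
    $changed++
}
Write-Output "$changed item(s) processed under $ProfilePath"
```

Run it once with -DryRun and check the list before letting it change anything.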
If you followed the steps above to unhide your files and this didn’t work and you still can’t find any of your data, this means that your files have been malware-encrypted. This is not good. Unfortunately it isn’t possible to decrypt or unlock your hostage files, because the decryption key is typically stored on the cybercriminal’s server. From here you have 2 options:
Option 1: Restore your files from a backup. If you have a backup system in place, and the backups haven't been encrypted as well, you should be able to restore all your files this way. If you don't have a backup system in place, you might be able to recover some of your files from Shadow Volume Copies, but most definitely not all your personal files. To use shadow volume copies, right-click the files or folders and open Properties to view the Previous Versions list, or use a program called Shadow Explorer.
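Before relying on Previous Versions, it is worth checking which shadow copies still exist for the volume and exposing the newest one as a plain folder so files can be copied out in bulk. This is an added example, not code from the original article; it assumes an elevated PowerShell session, and $Volume and $MountPoint are placeholders to adjust.

```powershell
# Added example (not from the original article): list the Volume Shadow Copies
# that still exist for a volume and expose the newest one as a browsable folder.
# Assumptions: run elevated; $Volume and $MountPoint are placeholders.
param(
    [string]$Volume = 'C:\',
    [string]$MountPoint = 'C:\ShadowRecovery'
)

# Win32_ShadowCopy.VolumeName holds the volume GUID path, not the drive letter,
# so resolve the letter through Win32_Volume first.
$volumeId = (Get-CimInstance -ClassName Win32_Volume |
    Where-Object { $_.DriveLetter -eq $Volume.TrimEnd('\') }).DeviceID

$shadows = Get-CimInstance -ClassName Win32_ShadowCopy |
    Where-Object { $_.VolumeName -eq $volumeId } |
    Sort-Object InstallDate -Descending

if (-not $shadows) {
    Write-Warning "No shadow copies remain for $Volume; the Previous Versions list will be empty."
    return
}

# Show what is available: one row per snapshot, newest first.
$shadows | Format-Table ID, InstallDate, DeviceObject -AutoSize

# Expose the newest snapshot through a directory symbolic link. The trailing
# backslash after the device object path is required for mklink to accept it.
$newest = $shadows[0]
cmd /c "mklink /d `"$MountPoint`" `"$($newest.DeviceObject)\`"" | Out-Null
Write-Output "Newest copy from $($newest.InstallDate) is browsable at $MountPoint"

# Files can now be copied out with ordinary tools, for example:
# Copy-Item "$MountPoint\Users\<account>\Documents" -Destination 'D:\Recovered' -Recurse
```

Remove the link afterwards with `cmd /c rmdir C:\ShadowRecovery`; this deletes only the link, not the snapshot.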
Option 2: Pay the Ransom. Most authors will deliver the decryption key and return your files once you pay, but keep in mind, there is no guarantee. You may pay the ransom and get nothing in return, after all you are dealing with thieves.