The criminals behind ransomware are finding ever more devious ways to lock your files. Wayne Williams explains how to protect your devices from the latest threats, and recover from an attack
Ransomware first hit the headlines a few years ago as one of the nastiest types of malware yet, taking control of a victim’s computer, encrypting their files and extorting money to remove it. Sadly, in recent months, the threat of ransomware has grown worse – much worse, in fact. Not only has it spread from PCs to phones, tablets and Macs, but there has been a massive increase in the number of instances of ransomware detected. Moreover, the methods that hackers use have become more devious and more difficult to deal with.
In this feature, we provide a complete guide to avoiding, detecting, removing and recovering from ransomware.
We explain exactly what ransomware is and what it does. Our Ransomware Survival Guide explains how you can avoid infection, and how best to recover from a ransomware attack. Should you pay the ransom? We cover the pros and cons of that, too.
YOUR RANSOMWARE QUESTIONS ANSWERED
What is it?
Ransomware is a particularly virulent form of malware that locks your computer and encrypts your files so that you can’t access them. The exact details vary, but it may stop you using Windows or certain programs such as your web browser. Once your files are encrypted, the ransomware will ask for payment to unlock them, usually in the untraceable virtual currency Bitcoin. Although removing ransomware is actually quite easy, your files will remain encrypted. There’s also another spiteful trick the malware uses to get you to pay up: if the money is not paid on time, the ransom is doubled.
How do I get infected?
As with most forms of malware, the primary source of infection is an email attachment or malicious link. The senders use con tricks to get you to open the attachment, such as pretending that it’s an invoice for something you’ve bought from a reputable company. This tactic preys on your fear of being charged for an item you didn’t buy, so that you’ll open the invoice without thinking about it.
Where does ransomware come from?
Ransomware originated in Russia and Eastern Europe. Thanks to decentralised digital currencies such as Bitcoin, which make it easy for attackers to demand a ransom and be paid without leaving a trace, ransomware is now so lucrative that it’s become the primary revenue stream for some cybercriminals.
It doesn’t even take much skill to create your own ransomware. Last year, a Turkish security researcher called Utku Sen created a strain of ransomware called Hidden Tear and published the source code online. It was described as being “for educational purposes only” (as were some early viruses) and ostensibly designed to teach security professionals how to defend against such threats. However, it provided a quick way for anyone with average computer skills to get into the ransomware business.
What does it look like?
Once your PC has been infected and your personal files encrypted, a message appears telling you what’s happened and provides info about how – and how much – to pay. The look of this message will vary depending on which ransomware family is behind the attack.
Is it really that common?
Sadly, yes. According to the latest IT Threat Evolution report from Kaspersky, in the first three months of 2016, ransomware attempts were recorded in 114 countries around the world and 372,602 people were targeted, with around 17% in the corporate sector (banks and other businesses). That might not sound like a huge number of victims when you consider that there are probably around a billion or so Windows users, but the figures showed 30% more attacks than recorded in the previous quarter, and this growth is showing no signs of slowing. In March 2016, there were 184,767 recorded attacks, way ahead of the 136,363 attacks in February and the 51,472 in January.
However, Kaspersky warns that “the real number of incidents is several times higher”, because it can’t always distinguish ransomware from other forms of malware.
There have been several high-profile victims, including Lincolnshire County Council which was hit by an unnamed ransomware infection in January that resulted in its computer systems being shut down for four days.
Are only Windows PCs at risk?
Not anymore. Ransomware developers have started targeting Linux, too, because a lot of web servers use that operating system. There have also been attacks on Macs and Android devices.
Why don’t the police stop it?
It’s very difficult for law-enforcement agencies to track down the source of ransomware because the criminals use state-of-the-art encryption and routing tricks to make their location impossible to identify.
What happens if I pay the ransom?
If everything goes to plan, once the ransom has been handed over, a key will be generated that you can use to decrypt your files. But first, you should see what we think about paying up (read below).
How can I be sure I’ll receive this key?
You can’t. Some ransomware, such as KeRanger and CTB-Locker, lets you decrypt one or two files to prove that the key exists and works, but there’s no guarantee that once you’ve paid a ransom all your files will be unlocked.
What happens if I don’t pay?
Your files will remain locked and unusable, unless the encryption has been cracked and there is a program you can use to unlock the files for free. Such tools are rare but they do exist, so you might get lucky.
WORST NEW RANSOMWARE OF 2016
It’s been a terrible year for ransomware so far. Here, we round up some of the nastiest new threats – starting with one that thankfully won’t bother us anymore
TeslaCrypt
Believed to be a derivative of the original CryptoLocker ransomware, TeslaCrypt uses super-strong, “uncrackable” encryption to lock a user’s files. According to Kaspersky’s report, it is by far the number one ransomware family, responsible for 58% of infections. It tends to be spread via phishing and spam emails.
However, there’s some great news for anyone infected by it. In a highly unusual move, the creators behind it have shut down their operations and released a free decryption key on the website that was previously used to accept the ransom in Bitcoin. You can use this key to unlock encrypted files, or download the recently updated TeslaDecoder.
CTB-Locker
CTB-Locker – aka Onion Ransomware – is, according to Kaspersky, the second-worst ransomware family in existence and responsible for 23.5% of infections. It uses the Tor Project’s anonymous network to evade detection and even offers an affiliate programme, which lets anyone spreading it take a cut of the profits. A new variant specifically targets web servers.
CryptoWall
This ransomware family is the third most prevalent according to Kaspersky, and is typically spread through spam messages. It encrypts files using AES-256 and RSA encryption, which makes it impossible to crack, and it is regularly updated to add new features that make it harder to circumvent. The latest version, CryptoWall 4, renames files as it encrypts them, while another variant encrypts files over several weeks to prevent recovery from backups.
CryptoWall may target outdated versions of Flash Player, so make sure you keep Adobe’s plugin up to date on your PC.
Locky
Arguably the most aggressive type of ransomware, Locky encrypts files across any drive, including Bitcoin wallets, and attacks Windows, Mac OS X and Linux. It spreads through macros in Word documents that purport to be invoices, by persuading users to enable the edit function. While Kaspersky only ranks it at number seven in its latest report, Locky has been spreading like wildfire and, in March, infected the IT systems of at least one of three US hospitals hit by ransomware.
Malwarebytes and Bitdefender both offer free anti-ransomware tools that can protect against Locky.
Dogspectus
This recently detected ransomware attacks Android phones and is installed via a malicious advert that the victim encounters on the web. It requires no user interaction to install and, once infected, the phone is locked and a ransom request displayed. This is payable not in Bitcoin, but iTunes cards. To remove it, you will need to perform a factory reset of your phone. The process will vary depending on the device type and version of Android that it’s running.
Chimera
This ransomware mostly targets small companies (primarily in Germany, so far, although it has spread beyond) through fake business offers and job applications. Once it has encrypted the files, it requests a ransom in Bitcoin and, for an extra kicker, threatens to publish the victim’s data online if the demand is not met (there’s no proof it can do this, however). To add insult to injury, the ransom note also invites Chimera’s victims to sign up for its affiliate programme.
At the time of writing, it looks as if Chimera has died out, although a new ransomware threat called Rokku shares similarities with it, suggesting it may come from the same developers.
KeRanger
What sets KeRanger apart from other ransomware is that it targets Apple Macs rather than Windows PCs. It encrypts files on a Mac three days after infecting it and was initially spread via the Transmission BitTorrent client installer for OS X.
Transmission removed the infected files and Apple revoked the certificate that allowed the malware to bypass its Gatekeeper protection, so Mac users should hopefully now be safe from the KeRanger threat, provided they are using the most up-to-date version of the software.
CryptXXX
This ransomware not only demands a fee to unlock encrypted files, but also attempts to copy personal data and steal any Bitcoins stored on a user’s hard drive. It targets both local and connected drives, and to avoid detection, waits a brief while after infection before going to work.
Kaspersky managed to crack CryptXXX very quickly and released a tool that allowed victims to decrypt their files for free. Unfortunately, the ransomware developers have since updated CryptXXX, rendering Kaspersky’s decryption tool useless.
Alpha
Alpha is a new strain of ransomware that uses AES-256 encryption to lock all the files stored on fixed drives. Oddly, on your system drive (the one with Windows installed), it will only encrypt files on the Desktop and in the My Pictures and Cookies folders. Like Dogspectus, Alpha requests its ransom in iTunes gift cards. A decryptor for Alpha has been developed that you can use to free your files. You can download it from bit.ly/alpha398 using the password ‘false-positive’.
TorrentLocker
Despite the name, this ransomware has nothing whatsoever to do with BitTorrent and is simply named after a Registry key generated by the earliest versions. TorrentLocker is spread through spam emails and, as well as encrypting files, it attempts to steal email addresses from your system so it can spread. To safeguard your system against TorrentLocker, avoid opening emails from unknown sources, and use an anti-ransomware program.
Protect your PC using Malwarebytes Anti-Ransomware
1 Download and install the latest version from bit.ly/mbransom398. It’s still in beta but very stable, and starts alongside Windows for added protection. Launch the program to protect your system from the likes of CryptoWall 4, CryptoLocker, TeslaCrypt and CTB-Locker. Your system is shown as fully protected.
2 You’ll see protection is enabled. You can turn it off at any time, if the software prevents a safe program from running as intended. Make sure it’s definitely safe before you disable the protection, and re-enable it immediately afterwards. The banner at the top will warn you that your system is at risk when protection is turned off.
3 The Quarantine area contains any threats found and disinfected by the program (thankfully, none in this instance). Quarantined files pose no threat but you can restore or delete them. The Exclusions tab lets you add files that you want excluded from detection as ransomware.
Protect your Android phone using Avast Ransomware Removal
1 If your phone has been infected and locked, installing an anti-ransomware app on it might seem impossible, but there is a simple solution. On your PC, go to the Avast Ransomware Removal page on Google Play (bit.ly/avastransom398) and click Install. Select your device in the drop-down menu and, again, click Install.
2 When the app arrives on your phone, it appears in the notifications bar at the top of the screen. Tap the message, then tap the app name. Avast Ransomware Removal will scan your system for apps and then files. You’ll need to wait for this process to complete.
3 If ransomware is detected, you’ll see a message telling you that your device is infected, and you’ll be able to use the app to remove the infection and restore access to your data. If your device is reported as being clean, you’ll need to uninstall the app before you can use your phone again.
RANSOMWARE SURVIVAL GUIDE
Although the threats in the previous section sound scary, there are simple steps you can take to avoid and defeat them. Read on to find out how
Lock your PC against ransomware
The best way to steer clear of ransomware is to use common sense; don’t open email attachments from senders you don’t recognise, even if they look very convincing, avoid clicking links on dubious-looking websites, and install security software that can prevent an infection from encrypting files on your PC.
You should also make sure that all your software, including installed plugins, is up to date, because hackers use these vulnerabilities to attack your PC. If you receive a document from an unknown source, don’t open it, or at the very least, don’t enable editing in Word as this will allow macros to run, which can be used to download the ransomware.
Most importantly of all, make sure you regularly back up all your personal files to the cloud and/or another drive not connected to your PC or on the network. The best advice is to follow the 3-2-1 rule – have at least three copies of your personal files stored in two different formats, with one copy stored “off-site” (so, not on your PC or hard drive).
Creating regular images of your drive that you can install in the event of an attack is also worth doing. Beware of using a backup that’s too recent though, in case it contains a copy of the ransomware that attacked the system in the first place.
Install anti-ransomware software
There are several free programs from major software security firms that can protect your device from the most common type of ransomware. Bear in mind that they need to be run manually because they don’t safeguard your system in real time.
The following programs target different types of malware, so it’s worth installing at least one:
• Bitdefender Anti-Ransomware (bit.ly/bdransom398)
• Malwarebytes Anti-Ransomware (bit.ly/mbransom398)
• Trend Micro Anti-Ransomware Tool (bit.ly/trendransom398)
• CryptoPrevent (bit.ly/crypto398)
• Avast Ransomware Removal for Android (bit.ly/avastransom398)
If your PC has been infected
First and foremost, don’t panic. Being hit by ransomware is a frightening experience, but you can survive it. Disconnect the locked PC from your network to prevent the ransomware from spreading. You should probably do the same with your other devices, in case they are already infected.
Next, find out what type of ransomware you’ve picked up. You might be able to discover this from the message on screen, or by searching for the exact message contents on Google. You can also upload a ransom note or encrypted file to ID Ransomware (bit.ly/idransom398).
Once you know what’s hit you, you can search the web for possible solutions. You’ll find some answers from Malwarebytes (bit.ly/mbforum398) and MalwareTips (bit.ly/mwtips398).
Should I pay the ransom?
The short answer – and the answer given by every security firm (even the FBI) – is no. The theory is, if people don’t pay, ransomware will become unprofitable and the attackers will move on to something else.
That said, even if only a very small proportion of infected users end up paying, it still makes it worthwhile for the cybercriminals to continue their endeavours.
If you’ve got your personal files backed up online, you don’t need to pay. If, however, the ransomware has encrypted the only versions of your files that you have, you may feel that there’s no alternative but to give in to the criminals’ demands.
A word of warning
Although the files locked by ransomware can sometimes be decrypted, there is no guarantee that in future versions, the attackers won’t fix the flaw that allows this. Just as software gets patched, so does ransomware, because the cybercriminals are always looking for ways to make their malware harder to defeat. One example of this is CryptXXX, which was recently updated to prevent a decryption tool from working. This reiterates the need to remain vigilant about opening emails, clicking links on the web and keeping your security software up to date.
WannaCry: who’s to blame for worst ransomware attack ever?
A nasty strain of ransomware spread across the world on 12 May, infecting networks in more than 100 countries including the UK, where 40 NHS organisations including hospitals and GP surgeries were forced to go offline and cancel appointments. It’s been called, by Avast and others, the worst ransomware outbreak in history (bit.ly/avast424).
The WannaCry ransomware, also known as WannaCrypt and Wanna Decryptor, locked down PCs by encrypting files, showing a message demanding $300 (about £232) in Bitcoin within three days or the data would disappear forever. The ransomware appeared to infect Windows computers via a vulnerability that was hoarded and then leaked by the American National Security Agency. Many reports also pointed out that NHS computers running Windows XP – which hasn’t received security updates from Microsoft for more than three years – were particularly vulnerable to infection.
The rapid spread of WannaCry was at least temporarily halted by a 22-year-old British security researcher, who noticed the ransomware was contacting a website before infecting computers.
That website didn’t actually exist, so the researcher registered the domain – and this turned out to be a built-in ‘kill switch’. The ransomware saw the domain appear, and stopped spreading. That doesn’t mean WannaCry is dead, simply that this version of the threat has been paused – for the moment, at least.
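A defender-side illustration of the behaviour described above, added here and not part of the original article: a short Python script that scans resolver logs for NXDOMAIN answers to long, random-looking hostnames, the kind of lookup for a website that didn’t exist that exposed WannaCry’s kill switch. The log format, client addresses and hostnames are constructed for the example, and the thresholds are assumptions to tune for your own network.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed resolver log, one query per line: "<time> <client> <name> <rcode>".
# The 32-character hostname is made up; it is not any real malware domain.
SAMPLE_LOG = """\
12:00:01 10.0.0.12 www.example.com NOERROR
12:00:02 10.0.0.12 qz7xk3vb9mwl2rtp8snh4cd6yjfuwbgt.example NXDOMAIN
12:00:03 10.0.0.34 updates.example.org NOERROR
12:00:04 10.0.0.34 typo-in-hostnme.example.org NXDOMAIN
12:00:05 10.0.0.57 qz7xk3vb9mwl2rtp8snh4cd6yjfuwbgt.example NXDOMAIN
12:00:06 10.0.0.57 mail.example.com NOERROR
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(NOERROR|NXDOMAIN|SERVFAIL)$")


def shannon_entropy(s: str) -> float:
    """Bits per character; a typed word scores low, a random label scores high."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_random(label: str, min_len: int = 16, min_entropy: float = 3.5) -> bool:
    """Assumed thresholds: long AND high-entropy leftmost label.

    A short typo such as 'typo-in-hostnme' (15 chars) is deliberately not flagged.
    """
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy


def parse_line(line: str):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, name, rcode = m.groups()
    return {"ts": ts, "client": client, "name": name.lower().rstrip("."), "rcode": rcode}


def suspicious_lookups(log_text: str) -> dict:
    """Map each client to the non-existent, random-looking names it asked for."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["rcode"] != "NXDOMAIN":
            continue
        leftmost = rec["name"].split(".")[0]
        if looks_random(leftmost):
            hits[rec["client"]].append(rec["name"])
    return dict(hits)


def shared_names(hits: dict) -> dict:
    """Names queried by more than one client: the same code running on several hosts."""
    by_name = defaultdict(set)
    for client, names in hits.items():
        for name in names:
            by_name[name].add(client)
    return {n: sorted(c) for n, c in by_name.items() if len(c) > 1}


if __name__ == "__main__":
    found = suspicious_lookups(SAMPLE_LOG)
    for client, names in found.items():
        print(client, "->", ", ".join(names))
    print("seen from multiple hosts:", shared_names(found))
```

Run against a real resolver's query log, the same two functions pick out hosts that share a lookup for a name nobody registered, which is worth a look whether or not it turns out to be a kill switch.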
How can it be avoided?
If you’re running Windows XP, it’s well past time to upgrade – either get a new PC or update to Windows 7 at the very least. If you’re running any other version of Windows, make sure the OS is up to date by checking your Windows Update status in ‘System and Security’.
Going forward, make sure you have Automatic Updates switched on – they may be annoying, but they’ll help keep you protected from such attacks. Also make sure you have backups of all key data, so you can still access your files if you’re infected by ransomware.
As ever, help your less tech-savvy friends and family by making sure they’re running an up-to-date operating system and software, and that they too have backups of essential files. And remember the key rule to never open an email attachment – or click a link in a message – from an unknown sender.
Who’s to blame?
Initial evidence suggests that the hackers were based in North Korea, and are believed to be the Lazarus Group – the same criminals behind the attack against Sony Pictures in 2014. But many experts are also blaming Microsoft for failing to provide security patches for Windows XP unless users pay a fee. Microsoft has since issued a patch for Windows XP, but this came months after the fixes for newer versions of the OS.
Some pin the blame on poor funding for the NHS, while others note that Microsoft did in fact roll out patches for most versions of Windows, but some people – be they individuals or organisations – didn’t bother to install them.
And then there’s the NSA, which knew about the very serious vulnerabilities in Windows, but didn’t tell Microsoft because it wanted to use the holes in the code for its own purposes. However, the weaponised flaws were leaked, and ended up in hackers’ hands.
Should I pay the ransom?
The $300 ransom is just low enough for some victims to willingly stump up the cash to get their data back.
There’s no guarantee that hackers will unlock your data, but it’s in their best interest to do so, to encourage more people to pay up. After all, it’s the cash they want, not your family photos.
That said, in this particular case, paying the ransom definitely isn’t advisable. At the time of writing, there have been no reports of anyone affected by WannaCry managing to unlock their data by paying the ransom, and security experts examining the code have said there’s no obvious way for the hackers to associate your payment with your data. It’s unclear if they ever intended to decrypt the data or if it’s merely a sloppy mistake, but either way, you’re unlikely to get your files back.
More generally, before paying hackers, try tools such as Kaspersky’s No Ransom (noransom.kaspersky.com) to see if you can get your files back without shelling out.
Will there be more attacks?
Do you really need to ask? Of course there will – this is the second time the hackers have used WannaCry in such an attack and it was hugely successful, so why should they stop? And if the existing vulnerabilities are fixed, the criminals can simply find new flaws to poke their way in.
Even if the WannaCry hackers are caught and jailed, there are plenty of other criminals out there running ransomware campaigns, and such attacks have risen steadily over recent years.
What do we think?
The extent and speed of this hack highlights how bad we all are at prioritising security. We all know we need to keep our operating systems and software updated, run decent antivirus and back up our data, yet major organisations failed to do so.
We hope Microsoft will do all it can to ensure that poorly funded but essential organisations such as the NHS get as much free help as possible. The company makes enough profit from the rest of us to give hospitals and other bodies we depend on a bit of a pass.
But that’s no excuse for the rest of us – many organisations that don’t suffer the limited funds and IT support of the NHS were also hit by the ransomware, including Telefonica, Renault and FedEx, so it’s not only about money and perceived technical knowledge.
Installing updates can be annoying, but it’s much worse to be hit by ransomware, and even more serious to be one of those who helped it spread. This incident has made the repercussions of such hacks clear: while the hackers made only tens of thousands of dollars from the attack, many people will have lost key work and personal files, and hospitals had to postpone operations and important treatment, and turn away ambulances. WannaCry proves that digital security can have a serious offline impact – let’s sort this out before people lose their lives.