Ransomware is a type of malicious software (malware) used for cybercrime which attempts to prevent users from accessing something they value, usually digital information on their computer. It then demands that a ransom be paid so that the user can regain access. In most cases, ransomware will encrypt all of the information on a computer's writable drives and change the bootloader so that the malware is launched when the computer is started. It will state the demands and explain how the ransom can be paid. In some cases, it will claim to be from law enforcement, or claim that the operating system license has expired. In any case, it will demand payment to regain access to the system and/or files. Once paid, the ransomware publisher promises to send the user a decryption key, which can be entered to decrypt the drive(s). However, in some cases, the publisher takes the money without providing the promised key.
Before a shift in 2013, ransomware was a method of attack against corporations. The ransom would be very high, since the company targeted would have significant assets. To resume necessary business processes, the corporation may be willing to pay the exorbitant fee. However, modern ransomware now usually charges much less, but is carried by a worm, virus, or trojan so that it can infect many computers worldwide. Although most individual users have no way of paying $100,000, they may be willing to pay $500 to recover their photographs, documents, or other files which are locked on their computer.
Ransomware became very prevalent in 2016. It was estimated that over 4,000 ransomware attacks took place every day in 2016, which was over a 300% increase from 2015. In the third quarter of 2016 alone, Panda Labs reported detecting about 200,000 new ransomware samples each day. During that same quarter, PhishMe reported that 97.25% of phishing e-mails contained ransomware.
Ransomware packages vary and so do attack vectors, vulnerability exploits, and locking methods. However, most ransomware follows a basic five-step process.
- Delivery - base malware is delivered to the victim, often by e-mail
- Connection - the base malware connects to a "command-and-control" server, which in this case will provide the ransomware package
- Execution - the newly downloaded ransomware will attempt to exploit a vulnerability and completely infect the system
- Encryption - the targeted information (typically the entire filesystem) will be encrypted quietly
- Notification - the user is now notified that their information is being held hostage, and they must pay a ransom to get the decryption key
There are several types of ransomware. Some lock the device but do not actually encrypt the data, while others (called leakware) do not deny access at all. Rather, leakware threatens to publish information from the victim's computer if they do not pay. This is nothing more than a form of blackmail. Probably the most common form of ransomware simply encrypts content, then demands payment for release.
These are some of the better known examples of ransomware.
- AIDS Trojan (first known, and was flawed)
- Dharma (delivered using unsolicited emails)
- TeslaCrypt (attacked video games)
- WannaCry / WanaCrypt0r
To avoid ransomware infections, all of the basic safety habits should be practiced. Unknown links should never be clicked, untrusted software should never be installed, e-mail messages from unrecognized senders should never be opened, and so on. Most ransomware is delivered by e-mail, usually as a package delivery notice or some other legitimate-sounding message. This is true for smartphones as well as computers; phones are common targets, and in some cases are harder to recover. However, some ransomware is delivered by worm, so even if everything is done right, an infection can still take place.
Use of anti-malware software can help significantly in preventing an infection. Basic anti-virus and other anti-malware programs can be useful, since they detect known signatures of ransomware (and other malware) and block them. Heuristic (behavior-based) protection can also be helpful, as it can sometimes detect malware which is not otherwise known. Larger computer systems such as those used by corporations can also benefit from the newer defense method of deception technology. Additionally, networks can be configured to block traffic from suspicious domains and countries. This can stop attacks from these locations quite easily.
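As an added illustration of the behavior-based detection mentioned above (example code written for this page, not from any anti-malware product), the following heuristic watches a stream of file-system events for the "Encryption" and "Notification" steps: one process renaming many files to a new extension in a short window, and the creation of a ransom note. The thresholds, note file names, and sample events are constructed assumptions.

```python
from collections import deque
from dataclasses import dataclass

# Thresholds are assumptions for the demo, not values from any product.
WINDOW_SECONDS = 10.0           # sliding window per process
MAX_RENAMES_IN_WINDOW = 20      # extension-changing renames that trigger an alert
RANSOM_NOTE_NAMES = {"how_to_decrypt.txt", "readme_to_restore.txt"}  # constructed

@dataclass
class FileEvent:
    ts: float           # seconds since monitoring started
    pid: int            # process that performed the action
    action: str         # "rename" or "create"
    path: str
    new_path: str = ""  # only used for renames

def _ext(path):
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""

def is_extension_change(ev):
    """A rename that gives the file a new, non-empty extension."""
    return ev.action == "rename" and _ext(ev.new_path) not in ("", _ext(ev.path))

def detect(events):
    """Return alerts as (pid, reason) tuples, at most one per pid and reason."""
    recent = {}                 # pid -> timestamps of recent extension changes
    alerts, seen = [], set()
    def alert(pid, reason):
        if (pid, reason) not in seen:
            seen.add((pid, reason))
            alerts.append((pid, reason))
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.action == "create" and ev.path.rsplit("/", 1)[-1].lower() in RANSOM_NOTE_NAMES:
            alert(ev.pid, "ransom-note")
        if is_extension_change(ev):
            q = recent.setdefault(ev.pid, deque())
            q.append(ev.ts)
            while ev.ts - q[0] > WINDOW_SECONDS:   # drop events outside the window
                q.popleft()
            if len(q) >= MAX_RENAMES_IN_WINDOW:
                alert(ev.pid, "mass-rename")
    return alerts

def sample_events():
    """Constructed stream: pid 4242 renames 25 documents to .locked within 2.5 s
    and drops a note; pid 100 is an editor doing one ordinary atomic save."""
    evs = [FileEvent(0.1 * i, 4242, "rename", f"/home/u/docs/file{i}.docx",
                     f"/home/u/docs/file{i}.docx.locked") for i in range(25)]
    evs.append(FileEvent(3.0, 4242, "create", "/home/u/docs/HOW_TO_DECRYPT.txt"))
    evs.append(FileEvent(1.0, 100, "rename", "/home/u/notes.txt.tmp", "/home/u/notes.txt"))
    return evs
```

Real products combine many such signals; a single rule like this is mainly useful for understanding why a burst of renames plus a note file is treated as suspicious.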
When an individual or organization needs to deal with a ransomware infection, backups become vital. Since most ransomware uses encryption, data on targeted devices is often impossible to recover unless the ransomware publisher provides the decryption key. Even with backups, users must be careful during the recovery process.
Computer users should be sure to regularly back up their personal files on external drives. USB Flash drives, external hard drives, and other such devices can be used for this purpose. In between backups, the drive(s) should always be kept disconnected from that computer, and preferably all others as well.
Ideally, the individual will also create complete system backups periodically. This can be done using software such as DriveImage XML. These disk images should be stored on a separate storage device as well, and only connected to the computer at risk when backups are being created. If possible, it is also wise for the individual to keep older images, in case the more recent images were infected, or are for some reason corrupted.
To begin recovering a personal computer from a ransomware infection, users should start by isolating the affected computer and turning it off. A standard shutdown (a "soft kill") is not always the best choice, either. The computer should be disconnected from the Internet and any local network. Any flash drives, external hard drives, and other writable storage devices should be disconnected from the computer as well. The following are some possible steps which could be taken.
Using a disk image
- Once isolated, try starting up the computer from the recovery CD, DVD, or bootable flash drive. For example, if DriveImage XML was used to create the image, use a boot CD such as Hiren's BootCD or UBCD4Win. (Note: users should ensure they can boot from the external media before connecting their backup drive. In Hiren's, simply start up, then connect the drive. In UBCD, boot up, then shut down, connect the backup drive, then start the boot disk again.)
- If the ransomware prevents this, the user will need to "flash" (rewrite) their BIOS or replace their motherboard before proceeding. This is a fairly rare issue.
- Open the program (on the boot disk) used for imaging, and go through the restore initialization process. Users should always take their time and be cautious during this process. A mistake at this point could make them lose everything.
- Once the restore is complete, shut down the boot disk system, and disconnect all external storage devices.
- Try starting the computer normally. If all goes well, the system should be exactly as it was when the disk image was taken.
- If any other drives were affected by the ransomware, users should either use the same restore process from backups (using a boot disk with the internal drive disconnected), wipe the disk(s) entirely (again, using only a boot disk), or keep the devices as they are without connecting them to any computer, in case a flaw in the ransomware is later found, permitting data recovery.
- If the ransomware comes back, it is probably on another storage device, such as a flash drive, or in the BIOS. If it is in the BIOS, the user must either attempt to "flash" (rewrite) the BIOS, or simply replace the motherboard, then restore their drive contents again.
Using file backups only
Without a full backup, a new operating system is needed. Even if the system seems usable, it is infected and should not be trusted. Therefore, users will probably need to do something along these lines:
- Insert an operating system install disk and boot from it, with all external storage devices disconnected. (If this is blocked by the ransomware, then the BIOS will need to be "flashed," or the motherboard replaced.)
- Format the drive (using NTFS format)
- Go through the install process, which will take some time to complete
- Once done, start the newly installed system, and configure it as desired. Then, copy on the file backups, as desired. When possible, some users prefer to put off entering their OS license key as long as possible, in case the ransomware infects the new system.
If a user has no backups, recovering the data can be very difficult, if not impossible. Some ransomware contains flaws, permitting data recovery without paying the ransom. Doing some web searches (using an uninfected device) may be wise, to see if a solution has been found. Also, some security companies will sometimes buy release keys and publish them for free, to cost the malware publisher money. Looking for such a key could also be advantageous.
Users may also want to try using a boot disk and see if data is truly encrypted, or just "locked." In some cases, ransomware does not encrypt the data, so the files can be copied onto an external storage device using the boot disk.
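The check described above, telling files that were merely renamed or "locked" apart from files actually overwritten with ciphertext, can be automated from a clean boot environment. The following is an added example for this page (not code from the article or any named tool): it treats a file as intact if it still starts with a known file-type header or is plain text, and as likely encrypted if its bytes are near-random (high Shannon entropy). The header list, entropy threshold, and sample files are constructed assumptions.

```python
import hashlib
import math
from collections import Counter

# Leading bytes ("magic") of a few common file types; a small, assumed subset.
MAGIC = {
    b"%PDF-": "pdf",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"PK\x03\x04": "zip/office",
}
ENTROPY_THRESHOLD = 7.5   # bits per byte; proper ciphertext sits near 8.0 (assumed cutoff)

def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_like_text(data: bytes) -> bool:
    """Valid UTF-8 with no control characters other than tab/newline."""
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return all(ch in "\t\r\n" or ord(ch) >= 32 for ch in text)

def classify(data: bytes) -> str:
    """Return 'intact', 'likely-encrypted', or 'unknown' for one file's bytes."""
    if any(data.startswith(m) for m in MAGIC):
        return "intact"          # header survived: renamed/locked, not encrypted
    if looks_like_text(data):
        return "intact"
    if shannon_entropy(data[:4096]) >= ENTROPY_THRESHOLD:
        return "likely-encrypted"
    return "unknown"             # e.g. all-zero or unrecognised binary

def triage(files: dict) -> dict:
    """Map file name -> classification for a {name: bytes} collection."""
    return {name: classify(data) for name, data in files.items()}

def pseudo_ciphertext(n: int, seed: bytes = b"demo") -> bytes:
    """Deterministic high-entropy bytes standing in for real ciphertext."""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]

def sample_files() -> dict:
    """Constructed samples: two renamed-only files and one truly overwritten."""
    return {
        "report.pdf.locked": b"%PDF-1.4\n" + b"x" * 2000,  # renamed, content intact
        "notes.txt": b"Meeting at 10:00\nBring the backup drive.\n",
        "photo.jpg.locked": pseudo_ciphertext(4096),        # header gone, random bytes
    }
```

On a real drive, read each file's first few kilobytes with the same `classify` function and copy everything marked intact to clean external storage before attempting anything else.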
Sometimes, although ethically questionable, the pragmatic solution is to simply pay the ransom. Unfortunately, once the ransom is paid, the publisher has little incentive to provide the key. Sometimes, they may do exactly what they promise. Other times, they may not provide the key, may demand more money, or may provide a key which temporarily releases the data but then locks it again. If the data is released, there is no guarantee that the computer is not still spreading the ransomware to other computers, either. If the ransom is paid and an unlock key is provided, it is often advised that users immediately back up their data using a boot disk before using their computer further. Also, wiping the affected drives and reinstalling the operating system may be wise, to ensure that the ransomware is gone.
- If any memory devices are infected, then connected to a clean system, they can infect that system. Therefore, users should be careful to only access clean devices on clean systems. If a storage device is in question, the computer's hard drives can be disconnected, and using a boot disk alone, the user can attempt to verify that the device is clean (or not). If the ransomware attacks the BIOS, however, even this may not be safe to attempt.
- RAID backups (drive mirroring/striping) probably will not help in the recovery from a ransomware infection. Since RAID backups are updated almost in real time, the backup will usually be encrypted as well.
- Panda Security, PandaLabs Q3 report, http://www.pandasecurity.com/mediacenter/pandalabs/pandalabs-q3/ (retrieved 9/26/2017)