If you’re lucky, you’ve only been hearing a lot about ransomware lately. If you’re not so lucky, you might have experienced it firsthand. Victims of this most insidious form of malware know how devastating it can be to find that suddenly all of your important data – from personal financial information to irreplaceable photos to mission-critical business documents – is inaccessible. It’s not gone (perhaps that would be less frustrating), but it’s sitting there on your drive, encrypted, and you don’t have the key to unlock it. This has been the reality for many ransomware victims and now there is a new type of ransomware to be on the lookout for, one of the nastiest yet.
Ransomware has been in existence for over two decades (the first was the AIDS Trojan in the late 1980s), but there has been an explosion of it in the last few years, and it’s gotten more sophisticated. There are two basic types. With locker ransomware, the system itself is locked (typically behind a full-screen ransom message) so you can’t log on, but the files underneath are usually untouched. More common now is crypto ransomware: the system remains accessible, but the data files have been encrypted and are useless without the key.
Unlike with many viruses and malware, which are often distributed “just for fun” (well, the attacker’s idea of fun), ransomware attackers are in it for the money. They basically hold your files hostage and demand payment, often in bitcoins. Those who do pay up sometimes get their data restored, and sometimes the bad guys take the money and run; they are, after all, criminals and not exactly trustworthy.
Ransomware targets both home users and businesses. Hospitals have been a favorite target recently, since attackers know their files often hold information that is vital to patient care and the healthcare institutions are more likely than some entities to pay the ransom rather than risk disastrous outcomes that could result in much more expensive lawsuits.
Ransomware attack vectors
RAA has to connect back to its command-and-control server to obtain the key it uses to encrypt the victim’s files. That key is a random AES key, unique to each victim, so unlike with some early cryptoware that reused a single hard-coded key, one victim paying up and receiving a key does nothing for anyone else’s files. Only after all of the files have been encrypted does the malware reveal itself, in the form of a README file that explains what happened and where to send money to free your files. The going rate is reportedly approximately $250 USD.
Whether to pay up is a personal or business decision, based on the importance or sensitivity of the lost files, whether you have intact backups, the amount of ransom demanded and whether you can afford it, and what the greater ramifications (such as lawsuits or lost business) might be if you fail to get the files back.
Be aware, though, that even if you pay and the ransomware authors decrypt your files, you should take steps to make sure additional malware isn’t left behind. RAA has been reported to install another Trojan that’s designed to steal your passwords, which means any credentials used on the infected machine should be treated as compromised and changed from a clean system. With these guys, the hits just keep on coming. Personally, I would recommend wiping the system completely after a ransomware infection and reinstalling the operating system.
Another thing you should already be doing is creating real-time backups and periodically saving backups offline (preferably off-site). Malware can’t encrypt files it can’t touch, and that is the point: a backup that is permanently mounted as a drive letter, a network share or a continuously synced folder is reachable by the same process that is encrypting your documents, so it can be encrypted (or have its good copies overwritten by encrypted ones) right along with them. Keep versioned copies that the infected machine cannot write to, and test a restore now and then so you know the backups actually work. Removing the malware (or preferably wiping the hard drive) and restoring your data from backups beats paying ransom and still having to wipe the system for fear there’s still malware on it.
Consider blocking scripting. You can use the file associations feature in Windows to have .JS files (and the other Windows Script Host extensions: .JSE, .VBS, .VBE, .WSF and .WSH) open in Notepad as harmless text files instead of running in WSH. How to do this depends on the OS version you’re using. Do a search for “Change file associations in Windows <your version>” to find instructions on the web. Note that this only defuses the double-click path; a script that is launched explicitly through wscript.exe or cscript.exe will still run. While you’re at it, don’t enable automatic running of macros. The default setting in recent versions of Word is “Disable all macros with notification,” which means a document’s macros only run if you click Enable Content; leave the setting that way and don’t click the button on documents from senders you don’t know.
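The association change and the macro check above, done from PowerShell rather than by clicking through the file associations dialog. This is an added example, not code from the original article, and assumes Windows with PowerShell 5.1 or later; the function names, the extension list and the Office version list are my own choices. The machine-wide variant needs an elevated prompt; the per-user variant does not.

```powershell
# Added example, not part of the original article. Assumes Windows with PowerShell 5.1+.
# Extensions handled by Windows Script Host that we want to open in Notepad instead of running.
$ScriptExtensions = '.js', '.jse', '.vbs', '.vbe', '.wsf', '.wsh'

function Get-ScriptHandler {
    # Resolve each extension to its ProgID and the command Explorer runs on double-click,
    # and flag an explicit per-user "Open with" choice, which overrides both HKCU and HKLM classes.
    foreach ($ext in $ScriptExtensions) {
        $progId  = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\$ext" -ErrorAction SilentlyContinue).'(default)'
        $command = $null
        if ($progId) {
            $command = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command" -ErrorAction SilentlyContinue).'(default)'
        }
        $userChoice = Test-Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\$ext\UserChoice"
        [pscustomobject]@{
            Extension      = $ext
            ProgId         = $progId
            OpenCommand    = $command
            UserChoiceSet  = $userChoice   # if $true, change it via Settings > Default apps instead
        }
    }
}

function Set-ScriptOpensInNotepad {
    # Point the script extensions at the built-in 'txtfile' ProgID, whose open command is Notepad.
    param([switch]$MachineWide)
    foreach ($ext in $ScriptExtensions) {
        if ($MachineWide) {
            # assoc writes HKLM\Software\Classes and therefore needs an elevated prompt.
            cmd.exe /c "assoc $ext=txtfile" | Out-Null
        } else {
            # HKCU\Software\Classes is merged over HKLM in HKEY_CLASSES_ROOT with the user entry
            # taking precedence, so this overrides the system handler for the current user only.
            $key = "HKCU:\Software\Classes\$ext"
            New-Item -Path $key -Force | Out-Null
            Set-ItemProperty -Path $key -Name '(default)' -Value 'txtfile'
        }
    }
}

function Get-WordMacroSetting {
    # VBAWarnings: 1 = enable all macros (dangerous), 2 = disable with notification (Word's default),
    # 3 = disable except digitally signed, 4 = disable without notification.
    # An absent value means Word is using its default. The Policies path is where Group Policy writes
    # the same setting; when present it wins over the user's own choice.
    foreach ($ver in '16.0', '15.0', '14.0') {
        foreach ($root in 'HKCU:\Software\Microsoft\Office', 'HKCU:\Software\Policies\Microsoft\Office') {
            $path = "$root\$ver\Word\Security"
            if (Test-Path $path) {
                $value = (Get-ItemProperty -Path $path -ErrorAction SilentlyContinue).VBAWarnings
                [pscustomobject]@{
                    OfficeVersion = $ver
                    Source        = $(if ($root -like '*Policies*') { 'GroupPolicy' } else { 'User' })
                    VBAWarnings   = $value
                    MacrosAutoRun = ($value -eq 1)
                }
            }
        }
    }
}

# Before: typically ProgId JSFile with WScript.exe as the open command.
Get-ScriptHandler | Format-Table -AutoSize
Set-ScriptOpensInNotepad            # add -MachineWide from an elevated prompt to cover every user
# After: ProgId txtfile, open command notepad.exe (unless UserChoiceSet is $true for that extension).
Get-ScriptHandler | Format-Table -AutoSize
Get-WordMacroSetting | Format-Table -AutoSize
```

If `UserChoiceSet` shows `$true` for an extension, Windows has a hash-protected per-user choice for it that the registry edit above will not override; change that one through Settings > Default apps (or the "Open with" dialog) instead. Either way, re-run `Get-ScriptHandler` afterwards and confirm the open command is Notepad before assuming the double-click path is closed.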
Keep your operating system and applications updated with the latest security patches. Use anti-malware software and keep the definitions up to date. Staying ahead of the malware writers and distributors is a full-time job these days, but being forewarned, informed and prepared is the key to avoiding victimization.