The criminals behind ransomware are finding ever more devious ways to lock your files. Wayne Williams explains how to protect your devices from the latest threats, and recover from an attack
Ransomware first hit the headlines a few years ago as one of the nastiest types of malware yet, taking control of a victim’s computer, encrypting their files and extorting money to remove it. Sadly, in recent months, the threat of ransomware has grown worse – much worse, in fact. Not only has it spread from PCs to phones, tablets and Macs, but there has been a massive increase in the number of instances of ransomware detected. Moreover, the methods that hackers use have become more devious and more difficult to deal with.
In this feature, we provide a complete guide to avoiding, detecting, removing and recovering from ransomware.
Over the following six pages, we explain exactly what ransomware is and what it does, and we take a look at the worst new examples of 2016. Our Ransomware Survival Guide explains how you can avoid infection, and how best to recover from a ransomware attack. Should you pay the ransom? We cover the pros and cons of that, too.
YOUR RANSOMWARE QUESTIONS ANSWERED
What is it?
Ransomware is a particularly virulent form of malware that locks your computer and encrypts your files so that you can’t access them. The exact details vary, but it may stop you using Windows or certain programs such as your web browser. Once your files are encrypted, the ransomware demands payment to unlock them, usually in Bitcoin, which the criminals favour because a wallet isn’t tied to a name (the payments themselves are recorded publicly, so ‘untraceable’ is an overstatement). Removing the ransomware itself is usually quite easy, but that doesn’t help you: your files stay encrypted. Many families add a further spiteful trick to hurry you into paying: miss the deadline and the ransom doubles.
How do I get infected?
As with most forms of malware, the primary source of infection is an email attachment or malicious link. The senders use con tricks to get you to open the attachment, such as pretending that it’s an invoice for something you’ve bought from a reputable company. This tactic preys on your fear of being charged for an item you didn’t buy, so that you’ll open the invoice without thinking about it. The other main route is the ‘drive-by’ infection: a malicious advert on an otherwise legitimate website loads an exploit kit that abuses out-of-date software, typically a browser plugin such as Flash Player, and installs the ransomware without you clicking anything.
Where does ransomware come from?
Ransomware originated in Russia and Eastern Europe. Digital currencies such as Bitcoin let attackers demand and collect a ransom without revealing who they are, and that has made ransomware so lucrative that it’s become the primary revenue stream for some cybercriminals.
It doesn’t even take much skill to create your own ransomware. Last year, a Turkish security researcher called Utku Sen created a strain of ransomware called Hidden Tear and published the source code online. It was described as being “for educational purposes only” (as were some early viruses) and ostensibly designed to teach security professionals how to defend against such threats. However, it provided a quick way for anyone with average computer skills to get into the ransomware business.
What does it look like?
Once your PC has been infected and your personal files encrypted, a message appears telling you what’s happened and provides info about how – and how much – to pay. The look of this message will vary depending on which ransomware family is behind the attack.
Is it really that common?
Sadly, yes. According to the latest IT Threat Evolution report from Kaspersky (bit.ly/itevolution398), in the first three months of 2016, ransomware attempts were recorded in 114 countries around the world and 372,602 people were targeted, with around 17% in the corporate sector (banks and other businesses). That might not sound like a huge number of victims when you consider that there are probably around a billion or so Windows users, but the figures showed 30% more attacks than recorded in the previous quarter, and this growth is showing no signs of slowing. In March 2016, there were 184,767 recorded attacks, way ahead of the 136,363 attacks in February and the 51,472 in January.
However, Kaspersky warns that “the real number of incidents is several times higher”, because many infections are caught only by generic detections that aren’t attributed to a named ransomware family.
There have been several high-profile victims, including Lincolnshire County Council which was hit by an unnamed ransomware infection in January that resulted in its computer systems being shut down for four days (bit.ly/lincsransom398).
Are only Windows PCs at risk?
Not anymore. Ransomware developers have started targeting Linux, too, because a lot of web servers use that operating system. There have also been attacks on Macs and Android devices.
Why don’t the police stop it?
It’s very difficult for law-enforcement agencies to track down the people behind ransomware. The payment sites and control servers sit behind anonymising networks such as Tor, the code is spread through spam sent from other victims’ hijacked machines, and Bitcoin lets the ransom be collected without a name attached. Arrests do happen, but usually long after a campaign has run its course.
What happens if I pay the ransom?
If everything goes to plan, once the ransom has been paid the criminals hand over your decryption key, usually built into a small decryption tool, and you use it to unlock your files. But first, you should see what we think about paying up (read below).
How can I be sure I’ll receive this key?
You can’t. Some ransomware, such as KeRanger and CTB-Locker, lets you decrypt one or two files to prove that the key exists and works, but there’s no guarantee that once you’ve paid a ransom all your files will be unlocked.
What happens if I don’t pay?
Your files will remain locked and unusable, unless the encryption has been cracked and there is a program you can use to unlock the files for free. Such tools are rare but they do exist, so you might get lucky.
WORST NEW RANSOMWARE OF 2016
It’s been a terrible year for ransomware so far. Here, we round up some of the nastiest new threats – starting with one that thankfully won’t bother us anymore
TeslaCrypt
TeslaCrypt was designed to look like the original CryptoLocker ransomware, and its later versions used properly implemented strong encryption that couldn’t be cracked (earlier versions handled their keys carelessly, which is what the TeslaDecoder tool exploited). According to Kaspersky’s report, it is by far the number one ransomware family, responsible for 58% of infections. It tends to be spread via phishing and spam emails.
However, there’s some great news for anyone infected by it. In a highly unusual move, the creators behind it have shut down their operations and released their master decryption key on the website that was previously used to accept the ransom in Bitcoin. You can enter this key into a decryption tool such as the recently updated TeslaDecoder (bit.ly/teslacrypt398) to unlock your files.
CTB-Locker
CTB-Locker – aka Onion Ransomware – is, according to Kaspersky, the second most prevalent ransomware family and responsible for 23.5% of infections. It hosts its payment site and control servers on the Tor anonymity network (hence ‘Onion’), which hides where the criminals are rather than the infection itself, and it even offers an affiliate programme, which lets anyone spreading it take a cut of the profits. A new variant specifically targets web servers.
CryptoWall
This ransomware family is the third most prevalent according to Kaspersky, and is typically spread through spam messages. It encrypts each file with AES-256 and then locks the AES key with RSA, so without the criminals’ private RSA key there is nothing to crack by brute force; no free decryptor has ever appeared for it. It is regularly updated to add new features that make it harder to circumvent. The latest version, CryptoWall 4, also scrambles file names as it encrypts, and a variant has been reported that encrypts files slowly over several weeks so that the damage works its way into your backups before it is noticed.
CryptoWall is also delivered by exploit kits that abuse outdated versions of Flash Player, so keep Adobe’s plugin up to date on your PC, or remove it if you don’t need it.
Locky
Arguably the most aggressive type of ransomware, Locky encrypts files on every drive it can reach, including mapped and unmapped network shares and any Bitcoin wallet it finds. It is a Windows program (despite some reports, it doesn’t run on Macs or Linux), but a Mac or Linux file server exposed as a Windows share will lose its files just the same. It spreads through macros in Word documents that purport to be invoices: the document shows scrambled text and tells you to click ‘Enable Content’ to fix it, which runs the macro that downloads Locky. While Kaspersky only ranks it at number seven in its latest report, Locky has been spreading like wildfire and, in March, infected the IT systems of at least one of three US hospitals hit by ransomware (bit.ly/hospitals398).
Malwarebytes and Bitdefender both offer free anti-ransomware tools that can protect against Locky.
Dogspectus
This recently detected ransomware attacks Android phones and is installed via a malicious advert that the victim encounters on the web. It needs no user interaction because it exploits unpatched flaws in older versions of Android; once infected, the phone is locked and a ransom request displayed. This is payable not in Bitcoin, but iTunes gift cards. Phones running a current, patched version of Android aren’t affected. To remove it, you will need to perform a factory reset of your phone, which also wipes your data, so make sure photos and contacts are backed up (or synced to your Google account) before it happens to you. The process will vary depending on the device type and version of Android that it’s running.
Chimera
This ransomware mostly targets small companies (primarily in Germany, so far, although it has spread beyond) through fake business offers and job applications. Once it has encrypted the files, it requests a ransom in Bitcoin and, for an extra kicker, threatens to publish the victim’s data online if the demand is not met (there’s no proof it can do this, however). To add insult to injury, the ransom note also invites Chimera’s victims to sign up for its affiliate programme.
At the time of writing, it looks as if Chimera has died out, although a new ransomware threat called Rokku shares similarities with it, suggesting it may come from the same developers.
KeRanger
What sets KeRanger apart from other ransomware is that it targets Apple Macs rather than Windows PCs. It waits three days after infection before encrypting files, and was initially spread via a tampered installer for version 2.90 of the Transmission BitTorrent client for OS X.
Transmission removed the infected installer, and Apple revoked the developer certificate that had let the malware pass its Gatekeeper protection and updated its XProtect malware definitions, so Mac users should now be safe from KeRanger, provided they are using the most up-to-date version of Transmission.
CryptXXX
This ransomware not only demands a fee to unlock encrypted files, but also attempts to copy personal data and steal any Bitcoins stored on a user’s hard drive. It targets both local and connected drives, and to avoid detection, waits a brief while after infection before going to work.
Kaspersky managed to crack CryptXXX very quickly and released a tool that allowed victims to decrypt their files for free. Unfortunately, the ransomware developers have since updated CryptXXX, rendering Kaspersky’s decryption tool useless.
Alpha
Alpha is a new strain of ransomware that uses AES-256 encryption to lock all the files stored on fixed drives. Oddly, on your system drive (the one with Windows installed), it will only encrypt files on the Desktop and in the My Pictures and Cookies folders. Like Dogspectus, Alpha requests its ransom in iTunes gift cards. A decryptor for Alpha has been developed that you can use to free your files. You can download it from bit.ly/alpha398 using the password ‘false-positive’.
TorrentLocker
Despite the name, this ransomware has nothing whatsoever to do with BitTorrent and is simply named after a Registry key generated by the earliest versions. TorrentLocker is spread through spam emails and, as well as encrypting files, it harvests email addresses (and, in some versions, email account passwords) from the infected PC to feed the next round of spam. To safeguard your system against TorrentLocker, avoid opening attachments from unknown sources, and use an anti-ransomware program.
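Why a free decryptor can exist at all for ransomware that uses a ‘strong’ cipher is worth seeing in code. Early TorrentLocker builds encrypted the start of every file with AES in counter (CTR) mode using the same key and the same starting counter for every file, so every file was XORed with one and the same keystream; a victim who still had an unencrypted copy of one large file could XOR it against its encrypted twin to recover the keystream and then decrypt the others. The criminals fixed the mistake in later builds. The script below is an added illustration, not code from the article or from any malware: the AES keystream is stood in for by a SHA-256 counter-mode generator so that it runs on Python’s standard library alone (the flaw doesn’t depend on which cipher produces the keystream), and the two documents are made up.

```python
"""Keystream reuse: how a 'strong' cipher can still be undone.

Added example, not the article's code and not malware. Early TorrentLocker
builds used AES in counter (CTR) mode with one key and one starting counter for
every file, so each file was XORed with the same keystream. A SHA-256
counter-mode generator stands in for AES-CTR here (assumption: the flaw does
not depend on which block cipher produces the keystream).
"""
import hashlib
import os

# Constructed sample documents: one the victim still has in the clear
# (a longer file recovers more keystream), one that survives only encrypted.
KNOWN_DOC = b"Dear customer, your invoice no. 4471 is attached. Please pay within 14 days."
SECRET_DOC = b"Board minutes: acquisition of Contoso Ltd approved."


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter mode: block i = H(key || nonce || i). Stand-in for AES-CTR."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Stream encryption: ciphertext = plaintext XOR keystream."""
    return xor(plaintext, keystream(key, nonce, len(plaintext)))


def recover_keystream(plaintext: bytes, ciphertext: bytes) -> bytes:
    """A known plaintext XOR its ciphertext hands back the keystream bytes used."""
    return xor(plaintext, ciphertext)


def attack(shared_nonce: bool) -> bytes:
    """Encrypt both documents under a key we never learn, then try to read
    SECRET_DOC using only KNOWN_DOC and the two ciphertexts."""
    key = os.urandom(32)  # the criminals' secret, never disclosed to us
    if shared_nonce:
        nonce_a = nonce_b = b"\x00" * 8  # the bug: same counter start for every file
    else:
        nonce_a, nonce_b = os.urandom(8), os.urandom(8)  # the fix: a fresh nonce per file
    c_known = encrypt(key, nonce_a, KNOWN_DOC)
    c_secret = encrypt(key, nonce_b, SECRET_DOC)
    ks = recover_keystream(KNOWN_DOC, c_known)
    return xor(c_secret, ks)  # readable only if both files used the same keystream


if __name__ == "__main__":
    print("shared nonce :", attack(True))   # the secret document comes back in full
    print("fresh nonces :", attack(False))  # random bytes: nothing recovered
```

The lesson for judging news of a ‘cracked’ strain: the decryptor almost never breaks AES or RSA, it exploits a slip like this one, and once the authors patch the slip the next version is immune, as the warning at the end of this feature explains.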
Protect your PC using Malwarebytes Anti-Ransomware
1 Download and install the latest version from bit.ly/mbransom398. It’s still in beta but very stable, and starts alongside Windows for added protection. Launch the program to protect your system from the likes of CryptoWall 4, CryptoLocker, TeslaCrypt and CTB-Locker. Your system is shown as fully protected.
2 You’ll see protection is enabled. You can turn it off at any time, if the software prevents a safe program from running as intended. Make sure it’s definitely safe before you disable the protection, and re-enable it immediately afterwards. The banner at the top will warn you that your system is at risk when protection is turned off.
3 The Quarantine area contains any threats found and disinfected by the program (thankfully, none in this instance). Quarantined files pose no threat but you can restore or delete them. The Exclusions tab lets you add files that you want excluded from detection as ransomware.
Protect your Android phone using Avast Ransomware Removal
1 If your phone has been infected and locked, installing an anti-ransomware app on it might seem impossible, but there is a simple solution. On your PC, go to the Avast Ransomware Removal page on Google Play (bit.ly/avastransom398) and click Install. Select your device in the drop-down menu and, again, click Install.
2 When the app arrives on your phone, it appears in the notifications bar at the top of the screen. Tap the message, then tap the app name. Avast Ransomware Removal will scan your system for apps and then files. You’ll need to wait for this process to complete.
3 If ransomware is detected, you’ll see a message telling you that your device is infected, and you’ll be able to use the app to remove the infection and restore access to your data. If your device is reported as being clean, you’ll need to uninstall the app before you can use your phone again.
RANSOMWARE SURVIVAL GUIDE
Although the threats in the previous section sound scary, there are simple steps you can take to avoid and defeat them. Read on to find out how
Lock your PC against ransomware
The best way to steer clear of ransomware is to use common sense: don’t open email attachments from senders you don’t recognise, even if they look very convincing, treat an unexpected attachment from someone you do know with the same suspicion (a sender’s address is easily faked), avoid clicking links on dubious-looking websites, and install security software that can prevent an infection from encrypting files on your PC.
You should also make sure that all your software, including installed plugins, is up to date, because hackers use known vulnerabilities in old versions to attack your PC. If you receive a document from an unknown source, don’t open it, or at the very least don’t click ‘Enable Content’ (or ‘Enable Macros’) when Word asks, because that is what allows the macro to run and download the ransomware. Leaving a document in Protected View is safe, and so is the ‘Enable Editing’ button on the first yellow bar; it is the second bar, asking you to enable content, that lets the macro loose.
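Because the Locky-style lure described above depends on a macro hidden inside an innocent-looking document, a useful check is to look for the macro before the document is ever opened. The script below is an added example, not the article’s or any vendor’s code: it inspects a file’s bytes rather than its extension (a .docm renamed to .docx still carries its macro), recognises the OOXML zip layout that modern Office uses, and flags the older binary .doc format for inspection with a dedicated parser such as olevba from the oletools project. The two sample documents it builds are constructed in memory for the demonstration.

```python
"""Flag Office documents that carry VBA macros before anyone opens them.

Added example, not the article's code. OOXML files (.docx/.docm/.xlsm ...)
are zip archives: a macro project is stored as a vbaProject.bin part and
declared in [Content_Types].xml. Legacy binary .doc/.xls files are OLE2
containers and need a real parser (e.g. oletools' olevba), so they are only
flagged here for manual inspection.
"""
import io
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # header of legacy .doc/.xls/.ppt
VBA_CONTENT_TYPE = b"application/vnd.ms-office.vbaProject"


def classify_document(data: bytes) -> str:
    """Return 'macro', 'no-macro', 'legacy-ole' or 'unknown' for raw file bytes."""
    if data.startswith(OLE2_MAGIC):
        return "legacy-ole"      # binary format: hand it to olevba
    if not data.startswith(b"PK"):
        return "unknown"         # not a zip, so not an OOXML document
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            # Macro projects live at word/, xl/ or ppt/ vbaProject.bin
            if any(n.lower().endswith("vbaproject.bin") for n in names):
                return "macro"
            # Also trust the content-type declaration, in case the part was renamed
            if "[Content_Types].xml" in names and VBA_CONTENT_TYPE in zf.read("[Content_Types].xml"):
                return "macro"
    except zipfile.BadZipFile:
        return "unknown"
    return "no-macro"


def build_sample(with_macro: bool) -> bytes:
    """Construct a minimal OOXML Word file in memory (sample data, not a real invoice)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        overrides = ['<Override PartName="/word/document.xml" '
                     'ContentType="application/vnd.openxmlformats-officedocument.'
                     'wordprocessingml.document.main+xml"/>']
        if with_macro:
            overrides.append('<Override PartName="/word/vbaProject.bin" '
                             'ContentType="application/vnd.ms-office.vbaProject"/>')
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)   # placeholder project bytes
        zf.writestr("[Content_Types].xml",
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                    + "".join(overrides) + "</Types>")
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


if __name__ == "__main__":
    for label, sample in (("invoice.docm", build_sample(True)), ("notes.docx", build_sample(False))):
        print(f"{label}: {classify_document(sample)}")
```

Run it over an attachment saved to disk (never opened) and refuse anything that comes back as ‘macro’ from a sender you weren’t expecting a macro-bearing document from; a ‘legacy-ole’ verdict means the file still needs a proper look, not that it is clean.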
Most importantly of all, make sure you regularly back up all your personal files to the cloud and/or to a drive that isn’t left connected to your PC or reachable over the network, because ransomware encrypts any drive it can see, backup drives included. The best advice is to follow the 3-2-1 rule – keep at least three copies of your personal files, on two different types of storage (say, an external hard drive and a cloud service), with one copy stored ‘off-site’ (so, not in the same place as your PC). Note that a file-sync service such as Dropbox or OneDrive only counts as a backup if it keeps old versions of your files: the sync client will happily upload the encrypted copies over the good ones, and you’ll need the service’s version history to get them back. Creating regular images of your drive that you can restore in the event of an attack is also worth doing. Beware of restoring a backup that’s too recent, though, in case it contains a copy of the ransomware that attacked the system in the first place.
Install anti-ransomware software
There are several free programs from major security firms that can protect your device from the most common types of ransomware. Bear in mind that they differ in how they work: Malwarebytes’ and Bitdefender’s tools run in the background and try to stop an infection encrypting your files in the first place, whereas a removal tool such as Avast’s for Android is run manually after the event to clean up. None of them catches everything, so treat them as a supplement to backups, not a replacement.
The following programs target different types of malware, so it’s worth installing at least one:
• Bitdefender Anti-Ransomware (bit.ly/bdransom398)
• Malwarebytes Anti-Ransomware (bit.ly/mbransom398)
• Trend Micro Anti-Ransomware Tool (bit.ly/trendransom398)
• CryptoPrevent (bit.ly/crypto398)
• Avast Ransomware Removal for Android (bit.ly/avastransom398)
If your PC has been infected
First and foremost, don’t panic. Being hit by ransomware is a frightening experience, but you can survive it. Disconnect the locked PC from your network (unplug the Ethernet cable or switch off Wi-Fi) to stop the ransomware reaching shared drives and other machines. You should probably do the same with your other devices, in case they are already infected. Don’t wipe the PC or delete the encrypted files yet: a free decryptor may appear later, and the ransom note and the encrypted files are what you need to identify the strain.
Next, find out what type of ransomware you’ve picked up. You might be able to discover this from the message on screen (take a photo of it), from the extension it has added to your files (such as .locky), or by searching for the exact message contents on Google. You can also upload a ransom note or encrypted file to ID Ransomware (bit.ly/idransom398).
Once you know what’s hit you, you can search the web for possible solutions. You’ll find some answers from Malwarebytes (bit.ly/mbforum398) and MalwareTips (bit.ly/mwtips398).
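To know what to restore, and to give ID Ransomware something to work with, it helps to find out exactly which files were touched. The script below is an added example (not from the article) that triages a folder: files whose contents are nearly random are counted as encrypted, files carrying a known ransomware extension are attributed to a family, and ransom notes are picked out by name. The extension and note-name lists are a small illustrative subset (ID Ransomware keeps the real catalogue) and the entropy threshold is a judgment call; both are assumptions of this example. Compressed formats such as JPEG and ZIP are nearly random too, so the script treats a recognisable file header as a sign that the file is intact, on the assumption that the ransomware overwrote whole files. The sample folder is constructed in a temporary directory.

```python
"""Post-infection triage: which files were encrypted, and by what?

Added example, not the article's code. Assumptions: the family extensions
and ransom-note name fragments are an illustrative subset (ID Ransomware
holds the full catalogue); 7.5 bits/byte is the entropy cut-off; the
ransomware overwrote whole files, so a file that still has a valid header
is intact.
"""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

KNOWN_EXTENSIONS = {            # illustrative subset of 2016 families
    ".locky": "Locky",
    ".vvv": "TeslaCrypt",
    ".micro": "TeslaCrypt",
    ".crypt": "CryptXXX",
    ".ctbl": "CTB-Locker",
}
RANSOM_NOTE_HINTS = ("recover_instructions", "help_decrypt", "help_your_files", "howto_restore")
# Compressed formats are nearly random too; a surviving header means 'not overwritten'.
INTACT_MAGICS = (b"\xff\xd8\xff", b"\x89PNG", b"PK\x03\x04", b"%PDF", b"GIF8")
ENTROPY_THRESHOLD = 7.5        # bits per byte; random data approaches 8.0
SAMPLE_BYTES = 65536           # the first 64 KiB is enough to measure


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0 for a constant string, 8 for uniform random)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_file(path: Path) -> tuple:
    """Return ('note' | 'encrypted' | 'intact', family-or-None) for one file."""
    name = path.name.lower()
    if any(hint in name for hint in RANSOM_NOTE_HINTS):
        return "note", None
    family = KNOWN_EXTENSIONS.get(path.suffix.lower())
    if family:
        return "encrypted", family
    with path.open("rb") as fh:
        head = fh.read(SAMPLE_BYTES)
    if head.startswith(INTACT_MAGICS):
        return "intact", None
    if shannon_entropy(head) >= ENTROPY_THRESHOLD:
        return "encrypted", "unknown"
    return "intact", None


def triage(root: str) -> dict:
    """Walk a tree and bucket every file; 'families' counts what hit each file."""
    report = {"encrypted": [], "notes": [], "intact": [], "families": Counter()}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        verdict, family = classify_file(path)
        if verdict == "note":
            report["notes"].append(path.name)
        elif verdict == "encrypted":
            report["encrypted"].append(path.name)
            report["families"][family] += 1
        else:
            report["intact"].append(path.name)
    return report


def build_sample_tree() -> str:
    """Constructed sample folder: three untouched files, two encrypted, one note."""
    root = tempfile.mkdtemp(prefix="triage_")
    Path(root, "report.txt").write_text("Quarterly figures: revenue up 4%, costs flat.\n" * 50)
    Path(root, "notes.md").write_text("# To do\n- call supplier\n- check backups\n" * 40)
    Path(root, "holiday.jpg").write_bytes(b"\xff\xd8\xff\xe0" + os.urandom(4000))  # real JPEG header
    Path(root, "budget.xlsx.locky").write_bytes(os.urandom(4096))      # known extension
    Path(root, "photo.jpg.crypted").write_bytes(os.urandom(4096))      # unknown extension
    Path(root, "_Locky_recover_instructions.txt").write_text("!!! IMPORTANT INFORMATION !!!\n")
    return root


if __name__ == "__main__":
    result = triage(build_sample_tree())
    for bucket in ("encrypted", "notes", "intact"):
        print(f"{bucket:10}: {result[bucket]}")
    print("families  :", dict(result["families"]))
```

Point it at a copy of the affected folders rather than the originals, and treat the ‘unknown’ bucket as the list of files worth uploading to ID Ransomware; the ‘intact’ list is what you can safely keep without restoring from backup.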
Should I pay the ransom?
The short answer – and the advice given by every security firm and by the FBI – is no. The theory is that if people don’t pay, ransomware becomes unprofitable and the attackers move on to something else. There are practical reasons too: you are trusting criminals to deliver a working key, and paying once marks you out as someone worth attacking again.
That said, even if only a very small proportion of infected users end up paying, it still makes it worthwhile for the cybercriminals to continue their endeavours.
If you’ve got your personal files backed up somewhere the ransomware couldn’t reach, you don’t need to pay: wipe the PC, reinstall Windows and restore. If, however, the ransomware has encrypted the only versions of your files that you have, you may feel that there’s no alternative but to give in to the criminals’ demands.
A word of warning
Although the files locked by ransomware can sometimes be decrypted, there is no guarantee that in future versions, the attackers won’t fix the flaw that allows this. Just as software gets patched, so does ransomware, because the cybercriminals are always looking for ways to make their malware harder to defeat. One example of this is CryptXXX, which was recently updated to prevent a decryption tool from working. This reiterates the need to remain vigilant about opening emails, clicking links on the web and keeping your security software up to date.