Ransomware? What’s that? Am I at risk?
Short answer: yes, and you should be taking precautions.
The latest spin on a ransom note isn’t composed of letters clipped out of a newspaper. Increasingly, criminals are unleashing brash attacks on your PC and its data through a type of malicious software called ransomware.
It’s exasperating enough when your computer is sluggish because of a virus, but what if the malware plasters pornography across your screen or encrypts your data so you can’t read it? Ransomware does exactly that, and then demands a payment to remove the images or to give you back access to your files.
Attackers may use one of several different approaches to extort money from their victims:
- The victim discovers that files will no longer open, then receives a ransom note (on screen or by email) demanding a relatively small sum in exchange for the decryption key. The note warns that if the ransom is not paid by a set date, the key will be destroyed and the data lost for good.
- The victim is duped into believing they are the subject of a police inquiry. Having been told that unlicensed software or illegal web content was found on their computer, they are given instructions for paying an electronic “fine”.
- The malware quietly encrypts the victim’s data and does nothing else. Here the data kidnapper expects the victim to search the Internet for a fix, and makes money by selling their own “anti-ransomware” software through otherwise legitimate websites.
To protect against data kidnapping, we urge our clients to invest in a reputable off-site backup and antivirus solution. Remember, the likes of Google Drive, OneDrive or Dropbox are no help once the data in them is encrypted: their sync clients faithfully upload the encrypted versions and overwrite the good copies. These are cloud storage and collaboration tools, not disaster recovery or disaster prevention mechanisms! A backup only counts if it is kept somewhere the infected machine cannot write to, and if you have actually tested restoring from it.
How Ransomware Works
Ransomware usually arrives as a Trojan: a file that looks harmless and is downloaded and opened by the user, deliberately or not. Once run, it starts encrypting the files on the infected device and typically displays a message telling the victim that the files can only be decrypted once a ransom has been paid. The victim is goaded into paying the operators, who may or may not hand over a code or program that decrypts the files. Failing to pay within the stated time frame can mean a higher ransom or deletion of the encrypted files. The most effective, and most dangerous, types of ransomware are those where only the operators hold the decryption key: the key never sits on the victim’s machine in usable form, so removing the malware does not bring the data back. Ransoms are typically demanded in Bitcoin or other digital currencies that are difficult to trace.
You may notice that all of your files have acquired unusual extensions, such as .locky or .lloocckkeedd, but an attacker can choose any extension at all, often one picked to confuse the victim’s attempts to find out exactly which strain has hit their files.
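Because the extension is the attacker’s choice, a practical check looks at the file contents as well as the name. The script below is an added example, not code from the original page or from Astrofox: it walks a folder and flags files that carry a known ransomware extension, files whose extension promises a format (PDF, Office document, image) but whose bytes lack that format’s header and look random, and plain-text files with near-random content. The extension list, the entropy thresholds and the sample files it builds in a temporary directory are all assumptions for the demonstration.

```python
"""Flag files that look as though ransomware has encrypted them.

Added example, not from the original page. Two heuristics are used:
  1. the file carries an extension appended by a known strain (assumed list)
  2. the extension promises a format, but the bytes lack that format's header
     and are near-random (encrypted output sits close to 8 bits/byte)
"""
import math
import random
import tempfile
from collections import Counter
from pathlib import Path
from typing import Dict, Optional

# Assumed list for the demo: .locky and the later Locky extensions .zepto/.odin,
# plus the second extension quoted in the article. Extend from your own intel.
KNOWN_RANSOM_EXTENSIONS = {".locky", ".zepto", ".odin", ".lloocckkeedd"}

# Leading bytes a healthy file of that type always carries.
EXPECTED_MAGIC = {
    ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04", ".pptx": b"PK\x03\x04",
    ".zip": b"PK\x03\x04", ".pdf": b"%PDF", ".png": b"\x89PNG",
    ".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff", ".gif": b"GIF8",
}
# Plain-text types: entropy above ~6 bits/byte is not natural for them.
TEXT_EXTENSIONS = {".txt", ".csv", ".log", ".json", ".xml", ".html", ".ini"}

SAMPLE_BYTES = 4096        # only the head of each file is read
HIGH_ENTROPY = 7.5         # bits/byte; cipher output is around 7.9 or more
TEXT_ENTROPY_LIMIT = 6.0   # assumed ceiling for genuine text


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty or single-valued data)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_file(path: Path) -> Optional[str]:
    """Return a human-readable reason the file looks encrypted, or None."""
    ext = path.suffix.lower()
    if ext in KNOWN_RANSOM_EXTENSIONS:
        return f"extension {ext} is used by a known ransomware strain"
    head = path.read_bytes()[:SAMPLE_BYTES]
    if not head:
        return None
    entropy = shannon_entropy(head)
    magic = EXPECTED_MAGIC.get(ext)
    if magic is not None and not head.startswith(magic) and entropy > HIGH_ENTROPY:
        return f"{ext} file lacks its {magic!r} header and has entropy {entropy:.2f}"
    if ext in TEXT_EXTENSIONS and entropy > TEXT_ENTROPY_LIMIT:
        return f"{ext} file has entropy {entropy:.2f}, far above plain text"
    return None


def scan_directory(root: Path) -> Dict[str, str]:
    """Map relative path -> reason for every suspicious file under `root`."""
    findings = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            reason = classify_file(path)
            if reason:
                findings[str(path.relative_to(root))] = reason
    return findings


def dominant_extension(root: Path, min_share: float = 0.3) -> Optional[str]:
    """An extension the folder should not contain that at least `min_share` of
    its files now carry: the signature of a mass rename such as Locky's."""
    files = [p for p in root.rglob("*") if p.is_file()]
    if not files:
        return None
    ext, count = Counter(p.suffix.lower() for p in files).most_common(1)[0]
    if ext not in (set(EXPECTED_MAGIC) | TEXT_EXTENSIONS) and count / len(files) >= min_share:
        return ext
    return None


def build_sample_dir() -> Path:
    """Constructed sample data: three healthy files and five 'encrypted' ones.
    Encrypted content is simulated with a seeded PRNG so each run is identical."""
    rng = random.Random(2016)

    def noise() -> bytes:
        return bytes(rng.getrandbits(8) for _ in range(SAMPLE_BYTES))

    root = Path(tempfile.mkdtemp(prefix="ransom-scan-"))
    (root / "report.txt").write_bytes(b"Quarterly figures are attached.\n" * 100)
    (root / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0" + noise())    # real JPEG header
    (root / "contract.docx").write_bytes(b"PK\x03\x04" + noise())      # real OOXML header
    for name in ("invoice.pdf.locky", "photo2.jpg.locky", "minutes.docx.locky"):
        (root / name).write_bytes(noise())                             # Locky-style rename
    (root / "notes.txt").write_bytes(noise())                          # encrypted in place
    (root / "budget.xlsx").write_bytes(noise())                        # header gone, random bytes
    return root


if __name__ == "__main__":
    sample_root = build_sample_dir()
    for name, why in scan_directory(sample_root).items():
        print(f"{name}: {why}")
    print("dominant unexpected extension:", dominant_extension(sample_root))
```

A genuine JPEG or .docx is also high-entropy (JPEG is compressed, .docx is a zip), which is why the header check and the entropy check are combined rather than used alone; a scheduled run of something like this over a file server gives early warning that encryption has started, well before the ransom note appears.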
Common Types Of Ransomware Strains
There are hundreds, if not thousands, of ransomware strains, but a few keep turning up regularly.
CryptoLocker was discovered on September 15, 2013 and is considered the first modern strain of ransomware. It was distributed through email attachments and botnets and encrypted files on Windows computers and any mounted drives. Although CryptoLocker itself was easy to remove from an infected device, the files stayed encrypted, and the only feasible way to get them back was to pay the ransom. Payment for the decryption key was taken in Bitcoin or pre-paid cash vouchers. In May 2014 CryptoLocker was taken down by a team of government agencies, security companies and researchers in Operation Tovar, which recovered the private keys needed for decryption and made further distribution of the ransomware pointless. An estimated $3 million was extorted through the CryptoLocker attacks.
CryptoWall was discovered on June 19, 2014 and is unrelated to CryptoLocker. It has gone through numerous releases under different names and, unlike CryptoLocker, has never been taken down. It was initially distributed through exploit kits and email but has since been linked to malicious ads and compromised websites as well. CryptoWall encrypts files and deletes Volume Shadow Copy Service (VSS) snapshots, so Windows’ own “previous versions” feature cannot be used to recover the originals. After infection the computer displays a web page or text document with payment instructions.
Discovered on February 16, 2016, Locky was one of the newest strains at the time of writing. Like most, it arrives as a malicious email attachment, encrypts files on the local computer and any mounted drives, deletes shadow copies of the originals, and demands a ransom for the decryption key. Locky is easy to recognise because it renames every file it encrypts with the .locky extension (it skips the Windows system folders so that the machine still boots and can show the ransom note). It also replaces the desktop wallpaper with an image of the ransom message, which is impossible to overlook.
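Both CryptoWall and Locky delete shadow copies before the victim notices anything, and that step is one of the most reliable things to alert on: there is almost no legitimate reason for a Word document or a mail-attachment script to wipe a machine’s recovery points. The detector below is an added example, not code from the original page or from Astrofox. It parses process-creation records in a constructed, simplified key=value layout (modelled on a Windows Security 4688 or Sysmon event 1 export; adapt the parser to your own SIEM), matches the command lines ransomware uses to destroy shadow copies and recovery settings, and raises the severity when the parent process is an Office application or script host. The sample log lines, host and user names are all invented.

```python
"""Spot shadow-copy destruction in process-creation logs.

Added example, not from the original page. The log format is a constructed
key=value rendering of a process-creation record; quoted values may contain
spaces, unquoted ones may not.
"""
import re
from typing import Dict, List, Optional

# Command lines ransomware (CryptoWall and Locky among them) runs to wipe
# Volume Shadow Copies and other local recovery points.
SHADOW_KILL_PATTERNS = [
    ("vssadmin delete shadows",       re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("vssadmin resize shadowstorage", re.compile(r"\bvssadmin(\.exe)?\s+resize\s+shadowstorage\b", re.I)),
    ("wmic shadowcopy delete",        re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("wbadmin delete catalog",        re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog\b", re.I)),
    ("bcdedit recoveryenabled no",    re.compile(r"\bbcdedit(\.exe)?\b.*recoveryenabled\s+no\b", re.I)),
    ("Win32_ShadowCopy Delete",       re.compile(r"win32_shadowcopy.*\bdelete\b", re.I)),
]

# Parents from which a shadow-copy wipe is never legitimate: an Office document
# running a macro, or a script host launched from a mail attachment.
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                      "wscript.exe", "cscript.exe", "mshta.exe"}

FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_record(line: str) -> Dict[str, str]:
    """Turn `k=v k2="quoted v"` into a dict."""
    fields = {}
    for m in FIELD_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def classify(record: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Return an alert dict if the record's command line wipes recovery points."""
    cmd = record.get("cmd", "")
    for technique, pattern in SHADOW_KILL_PATTERNS:
        if pattern.search(cmd):
            parent = record.get("parent", "").lower().rsplit("\\", 1)[-1]
            severity = "critical" if parent in SUSPICIOUS_PARENTS else "high"
            return {"time": record.get("time", "?"), "host": record.get("host", "?"),
                    "user": record.get("user", "?"), "parent": parent or "?",
                    "technique": technique, "severity": severity, "cmd": cmd}
    return None


def detect(lines: List[str]) -> List[Dict[str, str]]:
    """Run every log line through the parser and classifier; keep the hits."""
    alerts = []
    for line in lines:
        record = parse_record(line)
        alert = classify(record) if record else None
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample: one benign vssadmin query, four destructive commands,
# one unrelated process launch.
SAMPLE_LOG = [
    'time=2016-02-16T10:31:58Z host=WS-017 user=CORP\\jsmith parent=explorer.exe '
    'cmd="vssadmin.exe list shadows"',
    'time=2016-02-16T10:32:11Z host=WS-017 user=CORP\\jsmith parent=winword.exe '
    'cmd="vssadmin.exe Delete Shadows /All /Quiet"',
    'time=2016-02-16T10:32:12Z host=WS-017 user=CORP\\jsmith parent=winword.exe '
    'cmd="bcdedit /set {default} recoveryenabled No"',
    'time=2016-02-16T11:05:40Z host=FS-01 user=CORP\\backupsvc parent=services.exe '
    'cmd="wbadmin delete catalog -quiet"',
    'time=2016-02-16T11:06:02Z host=WS-022 user=CORP\\amiller parent=cmd.exe '
    'cmd="WMIC shadowcopy delete"',
    'time=2016-02-16T11:07:15Z host=WS-022 user=CORP\\amiller parent=explorer.exe '
    'cmd="notepad.exe C:\\Users\\amiller\\Desktop\\readme.txt"',
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(f"[{alert['severity']}] {alert['time']} {alert['host']} {alert['user']} "
              f"{alert['technique']} (parent {alert['parent']}): {alert['cmd']}")
```

The “high” alerts still need a human look (a backup administrator may legitimately clear the wbadmin catalogue), but a “critical” hit, a shadow-copy wipe spawned by winword.exe, is worth pulling the machine off the network for immediately.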
If you’ve been hit
Have you been hit? As you well know, all of this is great in hindsight. If you have been hit with ransomware, get in touch with Astrofox today on 0800 098 8871 to see if we can help. First, disconnect the infected machine from the network and any shared drives so that it cannot encrypt anything further. The last thing you should do is pay the attacker: there is no guarantee that your files will be decrypted.