Ransomware Attacks and How to Deal With Them
There’s a lot of talk about ransomware in the news these days. It’s surprising how few people know what it means and what happens if you get attacked.
Here’s a rundown on the measures you can take to protect yourself and what to do if the worst happens.
What is Ransomware?
Ransomware is a category of malware used to extort money from its victims by holding their data to ransom. Most variants run quietly, encrypting every file they can reach; only when that is done do they display a ransom note: pay up, or lose the files for good.
No security system is infallible, and malware authors work to stay one step ahead of the defences. If you do get caught, the following guidelines will help:
Step 1: Minimise the damage
Firstly, isolate the affected system. If it is on a network, take it off immediately so that the infection cannot spread to other machines or to shared drives. Disconnect the network (unplug the cable, switch off Wi-Fi) rather than powering the machine off: whatever is in memory, which in some cases includes the encryption key, is lost on shutdown.
If you are an IT administrator and your servers are infected, disconnect their Ethernet cables or shut the ports at the switch, and disable any shares the infected host can write to.
Do not try to back up by copying files to an external disk. It may seem sensible to save the files that have not yet been encrypted, but it can spread the malware: when you plug a disk or USB stick into the infected computer, the malware can copy itself onto the newly inserted drive.
When that drive is later plugged into another computer, the malware can infect that system too. Or worse, you could reinfect your own system after all the effort of cleaning it. So it is best to simply quarantine the affected computer.
Step 2: Identify the type of ransomware
There are various types of ransomware, some more dangerous and harder to tackle than others, and the removal strategy depends on the type. The most common kinds fall into these categories:
- Scareware/Fake antivirus
Scareware, also known as fake antivirus, is a category of malware which tricks users into believing that there is something wrong with their system.
The user is then told to buy some other product to clean it. Of course, there is nothing wrong with the computer, and more often than not it is installing that "cleaner" that causes a real infection.
In most cases it works by showing a popup, in big bold text in the middle of the screen, announcing problems such as a virus being found, the system slowing down, or registry errors that must be fixed. The popup may also redirect the user to the malware site even when it is closed. (Screenshot of a typical popup omitted here.)
Scareware is probably the easiest of all malware to deal with. If it is only a web page, close the browser tab (or kill the browser from Task Manager if the page blocks closing) and the popup goes away; do not click anything inside it, including its own "Close" button. If you are getting popups from the operating system itself, identify the culprit executable using Task Manager or Process Explorer, then delete or uninstall it. If you still have problems, scan with an antivirus or anti-malware program.
- Screen lock ransomware
This category of ransomware does not let you use your computer until you pay a ransom. In most cases a full-screen window displays a warning notice, often claiming to be from the FBI and to concern illegal downloading. In other cases a pornographic image is set as the wallpaper and cannot be changed. The tactic relies on shaming the victim into paying. More advanced variants track the user's activity for a few days and display a customised notice, making it more believable and intimidating. (Screenshot of a typical locker screen omitted here.)
If you are infected by one of these, try to identify the executable that caused it. In many cases Ctrl+Shift+Esc opens Task Manager directly (Ctrl+Alt+Del shows a menu from which Task Manager can be launched) and the locker process can be ended from there. If the locker blocks both, boot into Safe Mode, where it usually will not start, and remove it from there.
Even after you delete the executable, run a full antivirus scan to remove any remaining traces. If these solutions do not work, you may need to restore Windows to a restore point from before the infection.
- File-encrypting ransomware
The last and most dangerous category is programs that encrypt your files and render them unusable unless you pay the blackmailers. Typically they enter the victim's system and silently start encrypting everything they can reach, including mapped network drives.
When finished, they demand payment to decrypt them. Cryptocurrencies such as Bitcoin, and the relative anonymity they provide, are now the usual way for attackers to collect. WannaCry's full-screen ransom note is a well-known example (screenshot omitted here).
It is worth understanding exactly how the encryption works, because it tells you where the realistic chances of recovery lie.
Most programs use a combination of symmetric and asymmetric encryption. Symmetric encryption (AES, for example) is used for the files themselves because it is far faster than asymmetric encryption. Asymmetric encryption (RSA, for example) is used to protect the symmetric key, so the attacker only has to guard one private key rather than store a separate symmetric key for every victim.
Some families contact a command-and-control (C&C) server to report the infection and fetch or register keys, but a C&C is not strictly required, since the public key can be embedded in the program. This is how a typical file-encrypting ransomware combines the two kinds of encryption:
- The attacker generates an asymmetric key pair once, for example RSA with a 2048-bit modulus. (There is no "RSA-256"; 256 bits is a typical symmetric key length, far too short for an RSA modulus.)
- The private key stays with the attacker. The public key is embedded in the ransomware, or fetched from the C&C server along with a victim ID.
- On infection, the ransomware generates a fresh random symmetric key (e.g. a 256-bit AES key) for that victim. Some families have the C&C server generate it instead and send it to the victim's machine, tied to the victim ID.
- The files are encrypted with the symmetric key, which is fast.
- The symmetric key is then encrypted with the attacker's public key, the result is written into the ransom note or a key file, and the plaintext symmetric key is erased. From this point only the holder of the private key can recover the symmetric key; the public key in the program is of no use for decryption.
- If the victim pays, the attacker decrypts the wrapped symmetric key with the private key and returns it (or a decryptor containing it).
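To make the key handling concrete, here is an added example in Go of the hybrid scheme just described. It is not code from the original article, and it is deliberately a simulation on a byte slice in memory rather than anything that touches files. It uses AES-256-GCM for the file and RSA-2048 with OAEP to wrap the per-victim key (both standard-library calls), and checks two things: that the holder of the private key can recover the file, and that a surviving copy of the symmetric key recovers it without the private key at all. The sample document and the function names are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealFile encrypts one file's contents with AES-256-GCM under the per-victim key.
// Output is nonce || ciphertext || tag, which is all a decryptor needs besides the key.
func sealFile(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// openFile reverses sealFile. It needs only the symmetric key, not the RSA key pair.
func openFile(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// infect is the victim-side sequence: generate a fresh AES-256 key for this
// victim, encrypt the file with it, then wrap that key to the public key that
// ships inside the sample. The plaintext key is also returned so the caller can
// model a copy that survived in memory; a real sample erases it after use.
func infect(pub *rsa.PublicKey, doc []byte) (sealed, wrapped, keyInMemory []byte, err error) {
	key := make([]byte, 32)
	if _, err = rand.Read(key); err != nil {
		return
	}
	if sealed, err = sealFile(key, doc); err != nil {
		return
	}
	wrapped, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	return sealed, wrapped, key, err
}

// Simulate runs the scheme end to end on a constructed sample file and reports
// which key material is enough to get the plaintext back.
func Simulate() (attackerRecovers, leakedKeyRecovers bool, err error) {
	attacker, err := rsa.GenerateKey(rand.Reader, 2048) // done once; private half stays with the operator
	if err != nil {
		return false, false, err
	}
	doc := []byte("Q3 invoices (constructed sample file)")
	sealed, wrapped, leaked, err := infect(&attacker.PublicKey, doc)
	if err != nil {
		return false, false, err
	}
	// Attacker path: private key -> victim key -> file. This is what a paid
	// decryptor does; the public key embedded in the sample cannot do this step.
	if k, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, attacker, wrapped, nil); err == nil {
		pt, err := openFile(k, sealed)
		attackerRecovers = err == nil && bytes.Equal(pt, doc)
	}
	// Recovery path: a surviving copy of the symmetric key decrypts the file
	// directly, with no need for the attacker or the RSA private key.
	pt, err := openFile(leaked, sealed)
	leakedKeyRecovers = err == nil && bytes.Equal(pt, doc)
	return attackerRecovers, leakedKeyRecovers, nil
}

func main() {
	a, l, err := Simulate()
	if err != nil {
		panic(err)
	}
	fmt.Printf("attacker recovers: %v, leaked key recovers: %v\n", a, l)
}
```

The second check is the point that matters for victims: file decryption needs only the symmetric key, so if a sample leaves that key in memory, on disk, or derives it from something predictable, the files can be recovered without ever dealing with the attacker. That is what the free decryptors discussed under Step 4 exploit.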
Now that you know how the ransomware operates, let's look at your options when your system is infected.
Step 3: Decide on the strategy
We discussed methods for removing the first two categories of ransomware relatively easily above.
File-encrypting programs are harder to remove and, more importantly, removing them does not bring the files back. First, identify the exact family you are dealing with. Information may be scarce for very recent strains, since new ones appear every day, but in most cases a little research will identify it.
Take screenshots of the ransom note and reverse-search the images, and search for distinctive phrases from the note's text. The extension appended to encrypted files, and the name of the note file, are usually the quickest identifiers, and services such as ID Ransomware accept an uploaded note and an encrypted sample to match them against known families.
Decide whether or not you are prepared to pay. Paying is not recommended, since it funds and encourages the attackers, but sometimes the data is too important to lose. Use your judgment and do not pay unless it is absolutely necessary.
Bear in mind that even if you pay, there is no guarantee you will get a working decryptor, or all of your data, back.
Step 4: Take action
If you can identify the ransomware, look for ways to recover from it with a web search. Ransomware implementations are often flawed: the author may have used a weak random number generator, hard-coded the key, left the symmetric key on disk or in memory, or made a mistake in the key handling that lets researchers recover it without the private key.
If the family is well known and has such a flaw, you should be able to find a free decryptor and instructions on sites such as nomoreransom.org.
Since some ransomware programs simply delete the original files after writing an encrypted copy, it may be possible to recover the originals with data recovery software. When a file is deleted, its contents are not physically wiped from the disk until the space is overwritten, so a file-carving or undelete tool can often get them back. Two caveats: many families deliberately overwrite the originals, wipe free space or delete Volume Shadow Copies to defeat exactly this, and on an SSD the TRIM command may zero freed blocks quickly. Work from an image of the disk, not the live disk, so that the recovery attempt itself does not overwrite anything.
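As an added illustration of what undelete and carving tools do (not part of the original article), the Go program below scans a constructed disk image for PNG and JPEG headers and copies out each header-to-footer span. The image, the filler standing in for free space and the signature table are all constructed for the example; a real carver handles many more types and validates the file's internal structure rather than just its footer. It also shows the failure case: a PNG whose tail has been overwritten has a header but no footer and is not recovered.

```go
package main

import (
	"bytes"
	"fmt"
)

// Carved describes one file recovered from raw bytes without any filesystem
// metadata: the directory entry is gone, but the content is still on disk.
type Carved struct {
	Type   string
	Offset int
	Data   []byte
}

// A signature is a header/footer pair for one file type. maxLen caps how far
// past the header we look for the footer so a stray header does not swallow
// the rest of the image.
type signature struct {
	typ    string
	header []byte
	footer []byte
	maxLen int
}

var signatures = []signature{
	{"png", []byte("\x89PNG\r\n\x1a\n"), []byte("IEND\xae\x42\x60\x82"), 1 << 20},
	{"jpeg", []byte{0xFF, 0xD8, 0xFF}, []byte{0xFF, 0xD9}, 1 << 20},
}

// Carve scans an image (a partition dump, or the unallocated space extracted
// from one) for known headers and copies out each header..footer span. A header
// whose footer never appears within maxLen is skipped: that file was truncated
// or overwritten, which is exactly what happens once freed blocks are reused.
func Carve(image []byte) []Carved {
	var out []Carved
	for pos := 0; pos < len(image); {
		hit := false
		for _, sig := range signatures {
			if !bytes.HasPrefix(image[pos:], sig.header) {
				continue
			}
			limit := pos + sig.maxLen
			if limit > len(image) {
				limit = len(image)
			}
			body := pos + len(sig.header)
			end := bytes.Index(image[body:limit], sig.footer)
			if end < 0 {
				break // header found but no footer: not recoverable by carving
			}
			end += body + len(sig.footer)
			out = append(out, Carved{sig.typ, pos, image[pos:end]})
			pos, hit = end, true
			break
		}
		if !hit {
			pos++
		}
	}
	return out
}

// BuildImage constructs a small fake disk image: filler standing in for free
// space, one intact PNG, one intact JPEG, and a PNG whose tail was overwritten.
// The filler uses only bytes below 0x80, so it can never contain either header.
func BuildImage() (image, png, jpeg []byte) {
	filler := func(n int) []byte {
		b := make([]byte, n)
		for i := range b {
			b[i] = byte((i * 37) % 0x80)
		}
		return b
	}
	png = append([]byte("\x89PNG\r\n\x1a\n\x00\x00\x00\x0dIHDR"), make([]byte, 17)...) // fake IHDR payload + CRC
	png = append(png, "IEND\xae\x42\x60\x82"...)
	jpeg = []byte{0xFF, 0xD8, 0xFF, 0xE0, 0x00, 0x10, 'J', 'F', 'I', 'F', 0x00, 0x01, 0x01, 0x00, 0x00, 0x48, 0x00, 0x48, 0x00, 0x00, 0xFF, 0xD9}
	truncated := append([]byte("\x89PNG\r\n\x1a\n"), filler(64)...) // footer gone: tail overwritten
	image = append(image, filler(512)...)
	image = append(image, png...)
	image = append(image, filler(300)...)
	image = append(image, jpeg...)
	image = append(image, filler(256)...)
	image = append(image, truncated...)
	return image, png, jpeg
}

func main() {
	image, _, _ := BuildImage()
	for _, c := range Carve(image) {
		fmt.Printf("%-4s at offset %d, %d bytes\n", c.Type, c.Offset, len(c.Data))
	}
}
```

Tools such as PhotoRec do this at scale, and the principle is the same. Note what carving cannot do: it only recovers files that are contiguous and have not been overwritten, and it loses the file name and path, which lived in the filesystem metadata that the deletion removed.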
If none of these succeed, a decision has to be made: pay the ransom or lose the data. Even if you pay, of course, recovery is not guaranteed. It is entirely a judgment call in which you are relying on the good faith of criminals.
You could also try to negotiate with the attackers using the contact details in the ransom note; many operators will settle for less than the initial demand, though nothing obliges them to honour any agreement.
If you decide not to pay, the next step is to clean the PC, and without a backup the encrypted data is gone. If you have a backup on an external disk, DO NOT connect it before the PC has been wiped and reinstalled, or the backup may be encrypted too.
The most reliable way to clean ransomware is to wipe the disk and reinstall the operating system from known-good media. If you do not want to take such a drastic step, at least confirm that the ransomware has not modified the boot sector or bootloader, where it would survive a scan; guides for this are available online.
Next, update your antivirus and run a full scan. It is also a good idea to complement the antivirus with a dedicated anti-malware program. This should remove the ransomware for good.
Step 5: Debrief
Now that you are rid of the ransomware, look at how you were attacked in the first place. As the saying goes, prevention is better than cure, and this applies to online security more than anything. A defence is only as strong as its weakest user, but with the proper protections in place it is difficult for malware to get a foothold.
Be vigilant and keep these points in mind:
- Keep your antivirus up to date.
- Always check the URL of the website you are visiting.
- Do not run untrusted programs. Cracks, serial generators, patches and the like are the most common sources of malware.
- Do not allow untrusted sites to run executable content in your browser.
- Keep your operating system up to date. Ransomware is often spread through unpatched vulnerabilities in older systems: WannaCry, for example, spread through a flaw in Windows SMBv1, and attackers routinely get in through RDP exposed to the internet, whether by an unpatched bug or by guessing weak passwords. Patch promptly, and do not expose RDP or SMB directly to the internet.
- Keep backups that the infected machine cannot reach (offline, or with versioning), and test restoring from them; a working backup turns the pay-or-lose decision into a non-event.