One of the more recent types of malware is known as ransomware. Ransomware is a particularly nasty type of malware: it goes through and encrypts every file on your computer, then shows you a ransom note. To unlock your device, you need to pay the ransom and then receive an unlock code. Historically, most ransomware campaigns do actually decrypt the files once the ransom is paid, as publicity about the hackers upholding their end of the bargain is an important part of persuading people to pay up.
Note: It’s generally recommended that you do not pay the ransom. Doing so continues to prove that ransomware can be profitable, and it doesn’t guarantee that you will get access to your data again.
Tip: Encryption is a process of scrambling data with an encryption cipher and key. The encrypted data can only be decrypted through the use of the decryption key.
How does it work?
Like any malware, ransomware needs to get onto your computer to run. There are many potential infection methods, but some of the most common are infected downloads on web pages, malvertising, and malicious email attachments.
Tip: Malvertising is the practice of delivering malicious software through advertising networks.
Once downloaded to your computer, the ransomware will start encrypting files in the background. Some variants will do so as fast as possible; you may notice this affecting your system performance, but then have little time to do anything about it. Other ransomware variants will encrypt data slowly, in order to reduce the chance that they are noticed in action. A few ransomware variants lie dormant for weeks or months in order to be included in any backups that could be used to restore the system.
Tip: Ransomware typically avoids encrypting critical system files. Windows should still work, but personal files, documents, etc. will be encrypted.
Once the ransomware has encrypted everything on the computer, its final act is to create a ransom note, typically on the desktop. The ransom note generally explains what has happened, provides instructions on how to pay the ransom, and says what will happen if you don’t. A time limit is generally also set, with the threat of a price increase or deletion of the key being used to urge people to pay.
A number of ransomware variants provide a feature that allows you to decrypt a small number of files as a “goodwill” gesture to prove that your files can be decrypted. The payment method will typically be Bitcoin or another cryptocurrency. The ransom note generally provides a range of links to sites where you can buy the relevant cryptocurrency, in an effort to make it easier for people to pay.
Once you provide payment, or sometimes proof of payment, you will generally be provided with a decryption key that you can use to decrypt your data. Unfortunately, there are some variants that never decrypt, even if you pay – in other words, you should NOT pay, but look for other solutions.
The encryption process on your computer is generally performed with a randomly generated symmetric encryption key. This symmetric key is then itself encrypted with the public (encryption) half of an asymmetric key pair, for which the ransomware creator holds the matching private (decryption) key. This means only the ransomware creator can decrypt the key you need to decrypt your files.
Tip: There are two types of encryption algorithms, symmetric and asymmetric. Symmetric encryption uses the same key to both encrypt and decrypt the data, whereas asymmetric encryption uses a different key to encrypt and to decrypt the data. Asymmetric encryption allows one person to give multiple people the same encryption key while retaining the only decryption key.
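To make the two-layer scheme from the paragraph and tip above concrete, here is an added example in Python (not code from the original article): a fresh random symmetric key encrypts the data, and only that key is then encrypted under the creator's public key, so the ciphertext can only be recovered by whoever holds the private exponent. The RSA primes, the HMAC-based XOR stream cipher and the sample text are constructed for illustration and are far too small to be secure.

```python
import hashlib
import hmac
import os

# Toy RSA key pair standing in for the ransomware creator's: small, constructed
# primes so the arithmetic is visible (real keys are 2048-bit or larger).
# Only the public part (N, E) travels with the malware; D stays with the creator.
P, Q = 104723, 104729
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent: the only way back


def wrap_key(session_key: bytes, n: int = N, e: int = E) -> int:
    """Asymmetric step: encrypt the symmetric key under the public key (n, e)."""
    k = int.from_bytes(session_key, "big")
    assert k < n, "toy modulus too small for this key"
    return pow(k, e, n)


def unwrap_key(wrapped: int, d: int, n: int = N) -> bytes:
    """Recover the symmetric key; needs the private exponent d."""
    return pow(wrapped, d, n).to_bytes(4, "big")


def xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher: XOR with an HMAC-SHA256 counter keystream.
    The same call encrypts and decrypts, which is what 'symmetric' means."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ s for b, s in zip(data[i:i + 32], block))
    return bytes(out)


def envelope_encrypt(plaintext: bytes) -> tuple:
    """The scheme the article describes: a fresh random symmetric key encrypts
    the data, then the key itself is encrypted under the public key."""
    session_key = os.urandom(4)          # 4 bytes keeps k < N in this toy
    ciphertext = xor_stream(session_key, plaintext)
    wrapped = wrap_key(session_key)
    return ciphertext, wrapped           # the plain session_key is not kept


def envelope_decrypt(ciphertext: bytes, wrapped: int, d: int) -> bytes:
    """Only the holder of d can turn 'wrapped' back into the symmetric key."""
    return xor_stream(unwrap_key(wrapped, d), ciphertext)
```

The victim's machine ends up holding only the ciphertext and the wrapped key; without D, the wrapped value is useless, which is exactly why the ransom note can demand payment for it.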
Some ransomware variants also include support features that allow you to contact the person running the scam. This is designed to walk you through the payment process; however, some people have had success using it to bargain the price down.
Tip: In some cases, ransomware will be deployed as a secondary infection to attempt to cover up the existence of another virus that may have been stealing other data covertly. The intent, in this case, is primarily to encrypt the log files and make the incident response and forensics process more difficult. This type of attack is generally only used in highly targeted attacks against businesses rather than general computer users.
How to protect yourself
You can reduce the chances of being infected by ransomware and other malware by being careful on the internet. You shouldn’t open email attachments you weren’t expecting, even if you trust the sender. You should never enable macros in Office documents, especially if the document was downloaded from the internet; Office document macros are a common method of infection.
An ad-blocker, such as uBlock Origin, can be a good tool to protect against malvertising. You should also ensure that you only download files from legitimate and trustworthy websites, as malware can often be hidden in infected downloads masquerading as free versions of paid software.
Having and using anti-virus or anti-malware software is generally a good back-stop defence against malware that manages to get past your first line of defence.
Help, I’m infected!
If you do find yourself in the position that ransomware has taken over your computer, you may be able to decrypt your files for free. A fair number of ransomware schemes were poorly designed and/or have already been taken down by law enforcement agencies.
In these cases, it’s possible that the master decryption key has been identified and is available. Europol’s EC3 (European Cybercrime Centre) has a tool called “Crypto Sheriff” that can be used to identify the type of ransomware you have, and then link you to the correct decryption tool if one exists.
One of the best protections you can have against ransomware is good backups. These backups should be stored on a hard drive that is not connected to the computer or to the same network as the computer, to prevent them from being infected too. The backup should only be connected to the affected computer once the ransomware has been removed; otherwise it too will be encrypted.