A look at the basics and preventive measures
Ransomware is not a new phenomenon, its origins go back to the healthcare industry in 1989. Known as the AIDS Trojan, the malware was spread via floppy disks that were sent to AIDS research organizations and encrypted files after a certain number of system reboots. Meanwhile, targets range from computers to smart TVs and the list gets longer every year. It is now a billion dollar business and all the shady people on the dark side of the Web want a piece of the action. 2016 was a highly successful year for ransomware and saw a massive surge, not only in the number of attacks, but also in their variety. This upward trend has continued on into 2017 with numerous large scale attacks including the WannaCry attack on May 12. This is the largest attack yet, affecting around 200,000 computers in 150 countries in industries ranging from healthcare to public transport. This attack really proves that ransomware has started to take on disturbing and very expensive dimensions.
What is ransomware?
Ransomware is a type of malware that is installed on your system when:
- You go to a website that is untrustworthy and click an "Advertisement" that then silently downloads the malware in the background or the website automatically starts the download as soon as you go to it, otherwise known as a "drive-by download"
- You click on a link in an email or on a website that downloads the ransomware silently.
- Your computer already has some other kind of malware and hackers use that to install the ransomware remotely and in the background.
Depending on the type of attack, the victim can lose access to their file system entirely or only to certain files. The victim then receives a demand for a ransom, sometimes in the form of a popup or a README file. Often, the ransom must be paid in bitcoins since they can be sent and received anonymously, which keeps the identity of the attacker hidden.
The most popular means of spreading ransomware is through malicious websites and links. Even though Windows systems are particularly vulnerable, no device or platform is absolutely safe from ransomware attacks. Although there are many different strains of ransomware out there, they can be broken down into two main categories:
Non-encrypting (screen blocker, locker)
This type of ransomware blocks access to a system, often having the form of an annoying lock screen that appears every time the victim tries to gain access to the system. The malware demands that a ransom be paid to restore access. Typically, blockers are not very sophisticated and are usually pretty easy to get around if you have rescue or backup disks. The ransom for blockers is also often lower than that for cryptors for this reason.
A good example of a recent blocker is Win32/Lamdelim.A, which was so badly written that you could break it simply by entering Alt+F4. Unfortunately, not all ransomware is this easy to thwart.
Encrypting (cryptor, encryptor)
When a computer, laptop, or smartphone has been infected, at some point the files on it will be encrypted by the malware, making their contents unreadable by the user and the device itself. Some variants will only encrypt certain types of files; others will encrypt many types of files in minutes, sometimes even seconds. Once the encryption is complete, the victim receives a demand for ransom to get the decryption key and thus regain access to their files.
WannaCry (or WannaCrypt) crippled over 200,000 computers by overwriting files stored in Desktop, My Documents, or removable disks and then deleting them, thus rendering them unrecoverable. The attack was brought to a halt but has since been modified and is running again under the name Uiwix. There is no way to stop the new strain as of now and many victims have already started to pay the WannaCry ransom of $300 in bitcoins. There is some hope, though. A disk recovery tool might be able to recover lost files if they were not stored in the abovementioned locations.
I've been attacked! What now?
When you realize that you are a victim of WannaCry, Uiwix or other types of ransomware, it may already be too late. However, you can still prevent the infection from spreading even further into your network. But you need to act fast! The first thing you should do is identify the infected machines and remove them from the network immediately. Once you have done that, make sure that all of your critical systems are intact. Then get out your backups and start the restore process, which might take a while.
To pay or not to pay?
If you don't have backups or need your files back immediately, then you're probably asking yourself this very question. On the one hand, you want your files back. On the other hand, you don't want to encourage criminals any further. So should you pay the ransom? The answer to this question heavily depends on your system, how important it is, and how much damage can be done if you choose not to. A hospital, for example, might simply pay the ransom because it is quicker than trying to restore its systems and not be able to treat patients in the meantime.
One thing is certain: paying the ransom is no guarantee that you will get your files back. After all, we are talking about criminals here. Research has shown that 20% of victims do not get their files back after paying the ransom. The attackers might even ask for more money once a ransom has been paid. Or you may not get everything back because often, the attackers have to manually decrypt all of the files on every single infected system and they either don't have the manpower or the time.
What Can You Do to Protect Yourself Against Ransomware?
The key word here is prevention. A few simple, precautionary measures will greatly reduce your risk of becoming a victim of a ransomware attack.
1. Backup backups
This is valid for computers and all other mobile devices and gadgets you may have - create several backups of all of your important data and make sure that they aren't all in the same place. It is also very important to regularly test and monitor your backups so that if you do end up needing them, you can rest assured that they will actually work.
2. Stop clicking
The best way to prevent these types of attacks is education. People who work in IT are usually not heavily affected by these types of attacks for the main reason that they are able to identify suspicious mails and websites before clicking on links. Educating other people in the company about how to do the same will help reduce your susceptibility to these types of attacks. Spam filters, antivirus software, and firewalls help to keep your network safe but they won't prevent a user from circumventing your security. Using Group Policy management and website blacklists and whitelists to regulate what your colleagues can download or install or click is also good practice.
3. Disable macros
Regarding the spread of malware, not all of the tricks in the bag are new. Infections still occur via macros although newer software programs disable them by default. Make sure you keep the default settings and only download macros from verifiable and trustworthy sources. Even then, be cautious.
4. Update frequently and quickly
To stay on top of the game, you should update your operating systems, apps, and other software frequently. Updates often include security-relevant fixes, and you do not want to be missing out on them. You can also save yourself the trouble of actively looking for updates by setting up notifications to let you know when they are available or by setting up automatic downloads.
Many victims of the WannaCry attack were using out-of-date software, such as Windows XP, Server 2003, Windows 7 and Server 2008 and could have avoided the attack had they been using more recent operating systems that were up to date.