Ransomware
Holding Your Digital Life for Ransom

What is Ransomware?
Ransomware is a specialized form of malware that encrypts the files on your computer and then demands a ransom for the decryption key.
This makes all your files (documents, financial data, letters, photos, music, etc.) inaccessible; the malware then displays a message promising a recovery key once you pay the ransom.
Payment is demanded in Bitcoin or another crypto-currency because such transactions are hard to trace back to the criminals. If the recovery key doesn't work, there are no refunds.
How It Spreads
Organized crime groups and “state actors” (foreign governments) use their considerable technical and financial resources to develop ransomware, then offer it to small-scale criminals (ransomware as a service) to ensure rapid distribution.
Like all malware, you can get infected from many sources including:
- visiting an infected website;
- clicking on a malicious advertisement (even on an otherwise safe site);
- opening a phishing email with a malicious attachment or links;
- inserting an infected USB drive into your computer; or
- downloading a malicious file.
If your security software isn't up to the task, your data will be encrypted and your computer will be useless until it is wiped and restored.
Ransomware Facts
Some facts about ransomware:
- Ransomware is a special sort of malware infection that encrypts your files (and sometimes the whole system) and then holds them for ransom.
- Some variants destroy the key if you tamper with the encrypted files or the ransom note, or once a deadline passes, so attempting recovery without a plan can make things worse.
- Most recent security suites include some sort of ransomware protection.
- Paying the ransom is no guarantee of recovery.
The good news is that ransomware files can be decrypted:
- Tools (paid or free) can be obtained to decrypt ransomware.
- Ransomware recovery specialists can be hired to perform the decryption and system recovery.
The bad news is that decryption often doesn't work, so the best option for recovery will always be the availability of sufficient, isolated data backups and a practiced restoration process.
— eSecurity Planet
Nearly 40% of the victims who pay the ransom never get their data back and 73% of those that pay are targeted again later — which is why you need to protect against ransomware.
— Acronis
Computers are infected automatically, with viruses that spread over the internet. Payment is no more difficult than buying something online -- and payable in untraceable bitcoin -- with some ransomware makers offering tech support to those unsure of how to buy or transfer bitcoin.
Customer service is important; people need to know they'll get their files back once they pay.
— Bruce Schneier
DON'T Pay the Ransom
Paying the ransom should be your last option.
Studies indicate that paying the ransom signals that you aren't prepared, which marks you as a prime target for repeat attacks.
A successful ransomware attack isn't one that encrypts your files, but one where the attacker gets paid. That means the best thing you as an individual, but especially big corporations, can do to stem the spread of ransomware is keep your wallets closed.
It will be painful, but we cannot trust crooks to return access to our systems and data, nor can we keep rewarding them for their crimes.
— PCMag
The prevailing wisdom from cybersecurity experts is that trying to negotiate with ransomware hackers is a bad idea, but on December 30, 2020, one victim broke the rules and gave it a shot. After agreeing on an expedited payment, the hackers accepted the offer -- a stunning 94.7% reduction from their initial demand.
— PCMag
Other than prevention and preparation, your only realistic alternative is to wipe your computer, reinstall everything and restore your data from a reliable, uninfected and current backup.
Payment Doesn't Guarantee Anything
There is no guarantee that you'll get your data back even after paying.
[E]ven if a payment was forthcoming, new research reveals the shocking reality of ransomware today: 92% of organizations don't get all their data back.
— Forbes
If confidential data was also stolen before the encryption started (the theft is often masked by the ransomware attack itself), paying the ransom doesn't undo the leak: the attackers still hold a copy, and you still have a data breach to deal with.
A survey of organisations affected by ransomware attacks found that the average total cost of a ransomware attack for organisations that paid the ransom is almost $1.4m, while for those who didn't give into ransom demands, the average cost is half of that, coming in at $732,000.
— ZDNet
- How ransomware attackers are doubling their extortion tactics.
- Why paying the crooks can actually cost you more in the long run.
- To pay or not to pay is not the only question.
- Ransomware attacks hitting a 93% increase year over year.
- Ransomware risks for consumers vs. businesses, and how to avoid them.
Costs to Businesses
The costs to businesses are very high.
The average cost of a data breach is $3.86 million, a malicious breach cost $4.27 million, and a ransomware attack costs about $4.44 million, according to IBM's 2020 Cost of a Data Breach report.
— TechRepublic
[T]he average downtime an organization suffers from a ransomware attack is three days, but at times can be indefinite and lead to the failure of a business.
— TechRepublic
Tighten Security
As inconvenient as it is, your best bet is to tighten your security (educate yourself and your employees about the warning signs) and be prepared to restore your files from a secure backup.
In short, your security comes down to the same three words: backup, protection, awareness. All three need to be in place, and when they are, you can confidently say you're employing optimal antiransomware security strategy.
— Kaspersky
The Economic Realities
It is unfortunate that many corporate boards fail to adequately finance their security staff. Much like skipping insurance payments, this is a false economy. When disaster strikes, the blame should be put where it belongs: in the corporate boardroom.
- Ransomware is on the rise: 10 steps for defending your business.
- “It's not in the budget.”
- Ransomwhere tracks ransomware payments.
- Top 5 ransomware operators by income.
Governments Attractive Targets
Cities, hospitals and other government services are prime targets for ransomware.
Government tax bases have already been hit hard by the COVID-19 crisis, and these bodies now also face the threat of confidential information being released if they don't pay.
There is no guarantee that this information will not be sold on the dark web and eventually be exposed anyway. In the past, the defense for ransomware was simply to have good backups, however, with the addition of data exfiltration, the ransomware groups have changed the game.
— Erich Kron
These are favoured targets because these services are both unprepared (their security, and often their hardware, is sub-standard) and motivated to pay (because of the confidential and often critical nature of their data).
Ransomware-as-a-Service
Ransomware-as-a-service is a commercial product sold on the dark web that makes ransomware available to virtually anyone.
This ransomware can alter your master boot records, change partition tables and encrypt files. That means it can do real damage to your machine.
— TechRepublic
The criminal organization provides support for payments, decryptions, etc. in return for a cut of the proceeds.
Ransomware is following the same trajectory as phishing. The criminals have worked out how to monetize the crime, and they know which types of businesses are likely to pay up — and how to collect the money without being caught.
— Phillip Hallam-Baker
Preparing for Recovery
Prevention isn't easy, and once you've been hit the only way to be sure you're safe is to wipe your hard drive and then recover your files from a RECENT, secure backup.
Prevention
Preventing a ransomware attack is a combination of knowledge and education backed up by security software.
- Avoid any risky behaviour
- Maintain your backups and prepare for recovery.
- Restrict access to your computers and devices.
You and everyone with access to your computer(s) needs to learn to recognize the signs of malware and phishing:
- Learn security basics so you can recognize a threat.
- Stop and think before acting. Keep calm and don't panic.
- Protect devices from physical access by unauthorized users.
- Deny unauthorized users access to your network.
- Use effective passwords to prevent unauthorized access to your computer or device as well as for all your online accounts.
- Ensure you can recognize attempts at phishing scams and identity theft.
- Be wary of phone calls requesting computer access or personal information.
Securing your computers and networks also means making sure that no one can impersonate you to commit identity theft or take over an account through its “forgot my password” recovery process (for example by controlling the recovery email address or guessing the security questions).
ZDNet's 11 Steps
These 11 suggestions will help to prepare:
- Make sure your antivirus software is up to date
- Understand what's happening across the network
- Scan and filter emails before they reach your users
- Have a plan for how to respond to a ransomware attack, and test it
- Think very long and hard before you pay a ransom
- Understand what your most important data is and create an effective backup strategy
- Understand what's connected to your network
- Make it harder to roam across your networks
- Train staff to recognise suspicious emails
- Change default passwords across all access points
- Apply software patches to keep systems up to date
— ZDNet
- Ransomware risks for consumers vs. businesses, and how to avoid them.
- Ransomware: 11 steps you should take to protect against disaster.
Preventing Physical Threats
The first step is to ensure the physical safety of your computers, equipment and data. Develop policies regarding employee and guest access.
- Limit who has physical access to computers and files.
- Lock computers with a password when not in use or away.
- Physically lock laptops and similar portable equipment to prevent theft.
- Restrict access to data on a need-to-know basis.
- Protect both devices and software with strong, unique passwords.
- Change the default passwords on critical equipment like your router.
- Lock away backups and critical recovery devices when not in use.
- Limit repair and recovery work to authorized personnel or contractors.
- Limit administrator privileges to those that need it.
- Ensure all computer(s) are fully patched as quickly as possible.
While there are sneaky methods for getting around even “air-gapped” computers, most users will not be the focus for such attacks.
Preventing External Threats
Once you've ensured that your hardware and data is as secure as possible, train your employees to recognize and respond appropriately to any threat.
- Most attacks come in the form of a phishing email or a fraudulent phone call.
- Don't open email attachments or downloads without scanning them first.
- Be wary of links on social media. Facebook, for example, wraps outgoing links so the real destination isn't visible until you click, which makes misleading or malicious links (and fake news) harder to spot.
When in Doubt
If you have any doubts about an email, don't click on any links. Report it to your IT department or support resource.
Be cautious of sensitive instructions received via email, especially if they involve large financial transactions. Call the department head on a number you already know (not one given in the email) to verify legitimacy.
Managing Outside Users
The use of the company network and Internet should be restricted to company business.
- Don't use company computers or networks for personal use including logging onto external networks, downloading files or posting on social media.
- Don't use personal devices for company business.
- If you must allow “guest” access, keep guests off your internal network (use a separate guest Wi-Fi network).
Home Offices
If you have a home office, don't allow people to use your computer unsupervised. The rules for company computers also apply.
- Lock your computer with a password when not in use.
- Don't allow anyone to download and install software except for your tech support resource.
- Don't allow your children to have access.
Because this office is in your home, other family members and visitors may not respect the need for security like they would in a regular office.
Backup Your Data
Other than prevention, reliable backups are one of your best defenses in case something goes wrong, including ransomware attacks. But a backup is only useful if it can actually be restored, and backups fail in several ways:
- Backups can become corrupt or accidentally erased.
- Incomplete backups result in lost data.
- Technical issues during the restoring of data can result in the loss of data.
Verify Backups on Safe Media
Ransomware now attacks backup software and devices to ensure you don't have that recovery option.
You want to ensure that you have all your files backed up onto safe media and continuously verify the integrity of those backups before you need them.
As a way to deal with ransomware attacks specifically, organizations need to back up data regularly to a nonconnected environment and verify the integrity of those backups regularly….
— TechRepublic
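As an added example (not from the original page or from any of the sources quoted here), the following Python script shows one way to do the verification described above: it records a SHA-256 manifest of a known-good backup set and, on each later run, compares the current backup against that manifest, reporting missing, added and modified files. The 25% change-ratio threshold and the Shannon-entropy heuristic for spotting files that now look encrypted are assumptions of this example, not part of any cited guidance; the sample files and the simulated attack in `demo()` are constructed inline so the script runs offline.

```python
"""Verify a backup set against a known-good SHA-256 manifest and flag
ransomware-style mass changes (added example; thresholds are assumptions)."""
import hashlib
import math
import os
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large backups don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def shannon_entropy(data):
    """Bits per byte. Encrypted or compressed data sits close to 8.0;
    ordinary documents and text are well below that."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def build_manifest(root):
    """Map each file's path (relative to root, POSIX style) to its SHA-256."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_backup(root, known_good, max_change_ratio=0.25, entropy_limit=7.5):
    """Compare the backup under root with a known-good manifest.

    ok is False when too large a share of the set changed or disappeared, or
    when any changed/new file looks encrypted. Legitimately compressed media
    (zip, jpeg, video) is also high-entropy, so treat the flag as a reason to
    look, not as proof. Both thresholds are assumptions for this example.
    """
    root = Path(root)
    current = build_manifest(root)
    missing = sorted(set(known_good) - set(current))
    added = sorted(set(current) - set(known_good))
    modified = sorted(k for k in known_good if k in current and current[k] != known_good[k])
    high_entropy = []
    for rel in modified + added:
        with open(root / rel, "rb") as f:
            sample = f.read(4096)  # the first 4 KiB is enough to characterise content
        if shannon_entropy(sample) > entropy_limit:
            high_entropy.append(rel)
    ratio = (len(missing) + len(modified)) / len(known_good) if known_good else 0.0
    return {
        "ok": ratio <= max_change_ratio and not high_entropy,
        "change_ratio": ratio,
        "missing": missing,
        "added": added,
        "modified": modified,
        "high_entropy": high_entropy,
    }


def demo():
    """Constructed scenario: a clean backup, then the same set after a
    simulated ransomware run (random bytes written over every file, the
    documents renamed with a .locked extension). Returns both reports."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "docs").mkdir()
        for i in range(4):
            (root / "docs" / f"letter{i}.txt").write_text(
                "Dear customer, your invoice is attached.\n" * 200)
        (root / "budget.csv").write_text(
            "month,income,expense\n"
            + "\n".join(f"2021-{m % 12 + 1:02d},1000,900" for m in range(500)))

        known_good = build_manifest(root)  # take this right after a verified backup
        clean = verify_backup(root, known_good)

        for p in [q for q in root.rglob("*") if q.is_file()]:
            p.write_bytes(os.urandom(p.stat().st_size))  # stands in for encryption
            if p.suffix == ".txt":
                p.rename(p.with_suffix(".txt.locked"))
        poisoned = verify_backup(root, known_good)
        return clean, poisoned


if __name__ == "__main__":
    clean, poisoned = demo()
    print("clean backup ok:", clean["ok"])
    print("poisoned backup ok:", poisoned["ok"], "| missing:", len(poisoned["missing"]),
          "added:", len(poisoned["added"]), "modified:", poisoned["modified"],
          "high entropy:", len(poisoned["high_entropy"]))
```

Build the manifest right after a backup you have test-restored, store it somewhere the backed-up machine cannot write to, and refuse to rotate it forward while `verify_backup` reports `ok` as False. A backup job that keeps copying after such a report is exactly the failure the "Always-connected Devices Vulnerable" section describes: the encrypted copies quietly replace the good ones.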
Always-connected Devices Vulnerable
Internal drives or always-connected USB drives (such as Western Digital My Book drives) are encrypted at the same time as your computer, since the ransomware sees them as just another drive.
If a backup device is connected to the infected computer or its network when the ransomware runs, the backups on that drive will very likely be encrypted or deleted along with everything else.
If you are using external drives that are continually connected, ensure that they are powered off when not actively backing up your data. If there is no power switch, unplug the USB cable or power supply.
Cloud Backups Vulnerable
Cloud-based storage provides an excellent recovery option in case physical backup drives are damaged or stolen.
However, accounts on cloud services like OneDrive, iCloud and Dropbox can be hacked; a strong, unique password and two-factor authentication are essential.
Avoid using an automatic login to your cloud service because this makes it easy for either ransomware or anyone with access to your computer to damage or delete your backups. A sync client that stays logged in will also faithfully upload the encrypted copies over your good ones, so check whether your service keeps file version history and know how to roll back before you need to.
Keep Backups Current
Any data that is changed or created after your last backup is unrecoverable unless you make other arrangements.
Take precautions like saving changed or new files onto a thumb drive as soon as changes are made to them. These files can overwrite older versions once the backup is restored.
Preparing for Recovery
Don't delay. Once you've been hit by ransomware, your options are limited and it is unlikely that you or your business will recover unscathed.
It is always tempting to try and solve our problems for free, but sometimes the value of the software is worth the amount we paid — or worse. When considering a free tool, it is worth investigating the reputation of the person or organization that developed the free tool and considering the reputation of the source providing information on the tool.
— eSecurity Planet
Here's some keys to preparing your computer(s) and data for recovery:
- Ensure that your computer(s) are fully patched before restoring data so that the ransomware cannot get back in through a known vulnerability.
- Create and maintain regular scheduled backups of your critical data files (irreplaceable documents, photos, media, downloads, etc.).
- Maintain a series of backups to provide redundancy in case of any failure.
- Use a removable device normally disconnected from the computer, storing that drive in a secure location when not backing up or restoring files.
- Do not use your computer during backups.
Increase your security budget and train your employees on how to spot and avoid risky behaviour. The cost is far less than a successful ransomware attack.
Restoring Data After a Ransomware Attack
Before you restore your data, you need to ensure that your recovery is not corrupted by remaining security issues.
Preparing Your Computer
As with any malware infection, leaving any residual of the malware will defeat the next steps. If you're unsure, get professional help in ensuring your computer is clean.
How you proceed depends upon which is more critical: speed or security.
- If getting the computer up and running quickly is the priority, restore the data and programs (including settings) once the operating system is capable of restoring from the backups.
- If the security of the restored computer and its data is more critical, install all programs and manually configure settings before restoring the data.
The More Secure Install
- When installing the operating system (Windows, macOS, Linux, etc.), it is recommended that you delete all partitions, then let the operating system create new ones and format them, so that nothing from the infected installation survives.
- Once the operating system is reinstalled, be sure to install all the available security updates so that your computers are fully patched against known vulnerabilities before they are exposed to the network again.
- Install your security software and be sure it is both current and all updates are installed.
- Run a security scan on your system to ensure there are no remaining threats.
- Reinstall all programs rather than restoring them via a backup. This won't restore settings, but will provide a better experience because old program remnants are not reintroduced.
Performing the Restore
Once your computer has been prepared and you're sure it is secure, proceed with restoring the data from the backups. Only restore program settings if you're certain they are not compromised.
Do not use your computer during the restore process to avoid external threats that can compromise the data being restored.
Run a Security Scan
Once the restore process is complete, run a full security scan to ensure that no malware or other threats remain on your computer.
This scan may find that some of the restored files are infected or corrupt. If your security software cannot repair them, delete the files and restore them from an older backup if you have one.
Winning the War on Ransomware
See Trustwave's Winning the War on Ransomware infographic (below). Pay attention to the checklist for resistance, rescue and recovery.
Ransomware Resources
These additional resources can help you develop policies to prevent ransomware (prevention is best) or seek out recovery solutions.
Canadian Government
The Canadian government provides some guidance on preventing ransomware from gaining a foothold in your business but the information can also be useful for individuals.
- Canadian Centre for Cyber Security ransomware guidance.
- Reporting a cyber incident helps the Cyber Centre keep Canada and Canadians safe online.
- The Canadian Cyber Security Tool is a virtual self-assessment tool developed by Public Safety Canada.
- Cyber & Infrastructure Resilience Assessments are aimed at larger enterprises and critical infrastructure.
Prevention
It is better to prevent ransomware in the first place.
- The best ransomware protection provides an excellent overview of ransomware as well as assessing various solutions.
- Protect yourself from ransomware — Mozilla blog.
Check Point ZoneAlarm Anti-Ransomware remains one of the most effective ransomware-specific security tools we've tested. It detected all our real-world ransomware samples, though its recovery system missed some files.
— PCMag
Recovery
You can try these recovery tools, but it is better to bring in expert help than to muddle through a process you don't understand.
- No More Ransom lists some decryption tools.
Older Ransomware
These recovery tools relate to older ransomware variants. Modern ransomware is not so easy to recover from.
- How to protect yourself from the global ransomware attack (2017).
- WannaCry ransomware code errors could give victims a chance to get files back.
- Locky Ransomware.
- "Locky" ransomware – what you need to know.
- 11 things you can do to protect against ransomware, including Cryptolocker.
- CryptoLocker. 13 versions listed. Removal included.
- CoinVault ransomware decryptor has some decryption keys you can try with sample infected files.
- TorrentLocker (fake CryptoLocker) ransomware information guide and FAQ.