Ransomware

Holding Your Digital Life for Ransom

What is Ransomware? | Preparing for Recovery | Resources | History

What is Ransomware?

Ransomware is a specialized form of malware that encrypts your computer then demands a ransom for the encryption key.

This makes all your files (documents, financial data, letters, photos, music, etc.) inaccessible, then displays a message with the promise to provide a recovery key once you pay the ransom.

Payment specifies Bitcoin or other crypto-currencies so the transaction is untraceable. If the recovery key doesn't work, there are no refunds.

How It Spreads

Organized crime and “state actors” (foreign governments) use their huge technical and financial resources to develop ransomware then offer it to small-scale criminals (ransomware as a service) to ensure rapid distribution.

Like all malware, you can get infected from many sources including:

visiting an infected website;
clicking on a malicious advertisement (even on an otherwise safe site);
opening a phishing email with a malicious attachment or links;
inserting an infected USB drive into your computer; or
downloading a malicious file.

If your security software isn't up to the task, your computer will become useless and your data will be encrypted.

Ransomware Facts

Some facts about ransomware:

Ransomware is a special sort of malware infection that encrypts your entire computer then holds it for ransom.
Attempting recovery without paying the ransom can destroy the encryption key.
Most recent security suites include some sort of ransomware protection.
Paying the ransom is no guarantee of recovery.

The good news is that ransomware files can be decrypted:

Tools (paid or free) can be obtained to decrypt ransomware.

Ransomware recovery specialists can be hired to perform the decryption and system recovery.

The bad news is that decryption often doesn't work, so the best option for recovery will always be the availability of sufficient, isolated data backups and a practiced restoration process.
— eSecurity Planet

Nearly 40% of the victims who pay the ransom never get their data back and 73% of those that pay are targeted again later — which is why you need to protect against ransomware.
— Acronis

Computers are infected automatically, with viruses that spread over the internet.

Payment is no more difficult than buying something online -- and payable in untraceable bitcoin -- with some ransomware makers offering tech support to those unsure of how to buy or transfer bitcoin.

Customer service is important; people need to know they'll get their files back once they pay.
— Bruce Schneier

DON'T Pay the Ransom

Paying the ransom should be your last option.

Studies indicate that paying the ransom demonstrates that you aren't prepared, making you a prime target in the future.

A successful ransomware attack isn't one that encrypts your files, but one where the attacker gets paid.

That means the best thing you as an individual, but especially big corporations, can do to stem the spread of ransomware is keep your wallets closed.

It will be painful, but we cannot trust crooks to return access to our systems and data, nor can we keep rewarding them for their crimes.
— PCMag

The prevailing wisdom from cybersecurity experts is that trying to negotiate with ransomware hackers is a bad idea, but on December 30, 2020, one victim broke the rules and gave it a shot.

After agreeing on an expedited payment, the hackers accepted the offer -- a stunning 94.7% reduction from their initial demand.
— PCMag

Other than prevention and preparation, your only realistic alternative is to wipe your computer, reinstall everything and restore your data from a reliable (and uninfected) current backup.

Payment Doesn't Guarantee Anything

There is no guarantee that you'll get your data back even after paying.

[E]ven if a payment was forthcoming, new research reveals the shocking reality of ransomware today: 92% of organizations don't get all their data back.
— Forbes

If your confidential data was taken in a data breach which was masked by the ransomware attack, paying the ransom won't resolve the fact that your data was leaked.

A survey of organisations affected by ransomware attacks found that the average total cost of a ransomware attack for organisations that paid the ransom is almost $1.4m, while for those who didn't give into ransom demands, the average cost is half of that, coming in at $732,000.
— ZDNet

Costs to Businesses

The costs to businesses are very high.

The average cost of a data breach is $3.86 million, a malicious breach cost $4.27 million, and a ransomware attack costs about $4.44 million, according to IBM's 2020 Cost of a Data Breach report.
— TechRepublic

[T]he average downtime an organization suffers from a ransomware attack is three days, but at times can be indefinite and lead to the failure of a business.
— TechRepublic

Ransomware is on the rise: 10 steps for defending your business.

Tighten Security

As inconvenient as it is, your best bet is to tighten your security (educate yourself and your employees about the warning signs) and be prepared to restore your files from a secure backup.

In short, your security comes down to the same three words: backup, protection, awareness. All three need to be in place, and when they are, you can confidently say you're employing optimal antiransomware security strategy.
— Kaspersky

The Economic Realities

It is unfortunate that many corporate boards fail to adequately finance their security staff. Much like avoiding insurance payments, this is false economy. When disaster strikes, the blame should be put where it belongs: in the corporate boardroom.

Ransomware is on the rise: 10 steps for defending your business.
“It's not in the budget.”
Ransomwhere tracks ransomware payments.
Top 5 ransomware operators by income.

Governments Attractive Targets

Cities, hospitals and other government services are prime targets for ransomware.

Even though government tax bases have been hit hard by the COVID-19 crisis, they are now facing the threat of confidential information being released.

There is no guarantee that this information will not be sold on the dark web and eventually be exposed anyway. In the past, the defense for ransomware was simply to have good backups, however, with the addition of data exfiltration, the ransomware groups have changed the game.
— Erich Kron

These are favoured targets because these services are both unprepared (their security and often their hardware is sub-standard) and motivated (because of the confidential and often critical nature of their data).

How ransomware attackers are doubling their extortion tactics.

Ransomware-as-a-Service

Ransomware-as-a-service is a commercial product sourced on the dark web making ransomware available to virtually anyone to use.

This ransomware can alter your master boot records, change partitions tables and encrypt files. That means it can do real damage to your machine.
— TechRepublic

The criminal organization provides support for payments, decryptions, etc. in return for a cut of the proceeds.

Ransomware is following the same trajectory as phishing. The criminals have worked out how to monetize the crime, and they know which types of businesses are likely to pay up — and how to collect the money without being caught.
— Phillip Hallam-Baker

Return to top

Preparing for Recovery

Prevention isn't easy and the only you can be sure you're safe is to wipe your hard drive then recover your files via a RECENT secure backup.

In short, your security comes down to the same three words: backup, protection, awareness. All three need to be in place, and when they are, you can confidently say you're employing optimal antiransomware security strategy.
— Kaspersky

Prevention

Preventing a ransomware attack is a combination of knowledge and education backed up by security software.

Avoid any risky behaviour
Maintain your backups and prepare for recovery.
Restrict access to your computers and devices.

You and everyone with access to your computer(s) needs to learn to recognize the signs of malware and phishing:

Learn security basics so you can recognize a threat.
Stop and think before acting. Keep calm and don't panic.
Protecting devices from physical access by unauthorized users.
Denying access to your network by unauthorized users.
Use effective passwords to prevent unauthorized access to your computer or device as well as for all your online accounts.
Ensure you can recognize attempts at phishing scams and identity theft.
Be wary of phone calls requesting computer access or personal information.

Securing your computers and networks includes ensuring that no one can commit identity theft or gain access via the “forgot my password” recovery methods.

ZDNet's 11 Steps

These 11 suggestions will help to prepare:

Make sure your antivirus software is up to date

Understand what's happening across the network

Scan and filter emails before they reach your users

Have a plan for how to respond to a ransomware attack, and test it

Think very long and hard before you pay a ransom

Understand what your most important data is and create an effective backup strategy

Understand what's connected to your network

Make it harder to roam across your networks

Train staff to recognise suspicious emails

Change default passwords across all access points

Apply software patches to keep systems up to date

— ZDNet

Preventing Physical Threats

The first step is to ensure the physical safety of your computers, equipment and data. Develop policies regarding employee and guest access.

Limit who has physical access to computers and files.
Lock computers with a password when not in use or away.
Physically lock laptops and similar portable equipment to prevent theft.
Restrict access to data on a need-to-know basis.
Protect both devices and software with strong, unique passwords.
Change the default passwords on critical equipment like your router.
Lock away backups and critical recovery devices when not in use.
Limit repair and recovery work to authorized personnel or contractors.
Limit administrator privileges to those that need it.
Ensure all computer(s) are fully patched as quickly as possible.

While there are sneaky methods for getting around even “air-gapped” computers, most users will not be the focus for such attacks.

Preventing External Threats

Once you've ensured that your hardware and data is as secure as possible, train your employees to recognize and respond appropriately to any threat.

Most attacks come in the form of a phishing email or a fraudulent phone call.
Don't open email attachments or downloads without scanning them first.
Be wary of social media. Facebook is famous for obscuring the destination of links on their site which encourages fake news.

When in Doubt

If you have any doubts about an email, don't click on any links. Report it to your IT department or support resource.

Be cautious of sensitive instructions received via email, especially if it involved large financial transactions. Call the department head to verify legitimacy.

Managing Outside Users

The use of the company network and Internet should be restricted to company business.

Don't use company computers or networks for personal use including logging onto external networks, downloading files or posting on social media.
Don't use personal devices for company business.
If you must allow a “guest” access, keep it unconnected from your network (use a guest WiFi account).

Home Offices

If you have a home office, don't allow people to use your computer unsupervised. The rules for company computers also apply.

Lock your computer with a password when not in use.
Don't allow anyone to download and install software except for your tech support resource.
Don't allow your children to have access.

Because this office is in your home, other family members and visitors may not respect the need for security like they would in a regular office.

Backup Your Data

Other than prevention, reliable backups are one of your best defenses in case something goes wrong, including ransomware attacks.

Backups can become corrupt or accidentally erased.
Incomplete backups result in lost data.
Technical issues during the restoring of data can result in the loss of data.

Verify Backups on Safe Media

Ransomware now attacks backup software and devices to ensure you don't have that recovery option.

You want to ensure that you have all your files backed up onto safe media and continuously verify the integrity of those backups before you need them.

As a way to deal with ransomware attacks specifically, organizations need to back up data regularly to a nonconnected environment and verify the integrity of those backups regularly….
— TechRepublic

Always-connected Devices Vulnerable

Internal drives or always-connected USB drives (such as Western Digital My Book drives) are subject to being infected at the same time as your computer.

If a backup device is connected to the infected computer or its network, it is likely that the backups on that drive will be corrupted if infected with ransomware.

If you are using external drives that are continually connected, ensure that they are powered off when not actively backing up your data. If there is no power switch, unplug the USB cable or power supply.

Cloud Backups Vulnerable

Cloud-based storage provides an excellent recovery option in case physical backup drives are damaged or stolen.

However, cloud services like OneDrive, iCloud and DropBox can be hacked (strong passwords are essential).

Avoid using an automatic login to your cloud service because this makes it easy for either ransomware or anyone with access to your computer to damage or delete your backups.

Keep Backups Current

Any data that is changed or created after your last backup is unrecoverable unless you make other arrangements.

Take precautions like saving changed or new files onto a thumb drive as soon as changes are made to them. These files can overwrite older versions once the backup is restored.

Preparing for Recovery

Don't delay. Once you've been hit by ransomware, your options are limited and it is unlikely that you or your business will recover unscathed.

It is always tempting to try and solve our problems for free, but sometimes the value of the software is worth the amount we paid — or worse. When considering a free tool, it is worth investigating the reputation of the person or organization that developed the free tool and considering the reputation of the source providing information on the tool.
— eSecurity Planet

Here's some keys to preparing your computer(s) and data for recovery:

Ensure that your computer(s) are fully patched before restoring data to avoid zero-day threats.
Create and maintain regular scheduled backups of your critical data files (irreplaceable documents, photos, media, downloads, etc.).
Maintain a series of backups to provide redundancy in case of any failure.
Use a removable device normally disconnected from the computer, storing that drive in a secure location when not backing up or restoring files.
Do not use your computer during backups.

Increase your security budget and train your employees on how to spot and avoid risky behaviour. The cost is far less than a successful ransomware attack.

How to decrypt ransomware files — and what to do when that fails.

Restoring Data After a Ransomware Attack

Before you restore your data, you need to ensure that your recovery is not corrupted by remaining security issues.

Preparing Your Computer

As with any malware infection, leaving any residual of the malware will defeat the next steps. If you're unsure, get professional help in ensuring your computer is clean.

How your proceed depends upon which is more critical: speed or security.

If getting the computer up and running quickly is the priority, restore the data and programs (including settings) once the operating system is capable of restoring from the backups.
If the security of the restored computer and its data is more critical, install all programs and manually configure settings before restoring the data.

The More Secure Install

When installing the operating system (Windows, macOS, Linux, etc.), it is recommended that you delete all partitions, then let the operating system create new ones then format them.
Once the operating system is reinstalled, be sure to install all the available security updates to ensure that your computers are fully patched to avoid infection by known zero-day threats.
Install your security software and be sure it is both current and all updates are installed.
Run a security scan on your system to ensure there are no remaining threats.
Reinstall all programs rather than restoring them via a backup. This won't restore settings, but will provide a better experience because old program remnants are not reintroduced.

Performing the Restore

Once your computer has been prepared and you're sure it is secure, proceed with restoring the data from the backups. Only restore program settings if you're certain they are not compromised.

Do not use your computer during the restore process to avoid external threats that can compromise the data being restored.

Run a Security Scan

Once the restore process is complete, run a full security scan to ensure that no malware or other threats remain on your computer.

This process may determine that some of the restored files are corrupt. If your security software cannot repair these infections, delete the files.

Winning the War on Ransomware

See Trustwave's Winning the War on Ransomware infographic (below). Pay attention to the checklist for resistance, rescue and recovery.

Ransomware Resources

These additional resources can help you develop policies to prevent ransomware (prevention is best) or seek out recovery solutions.

Canadian Government

The Canadian government provides some guidance on preventing ransomware from gaining a foothold in your business but the information can also be useful for individuals.

Canadian Centre for Cyber Security ransomware guidance.
Reporting a cyber incident helps the Cyber Centre keep Canada and Canadians safe online.
The Canadian Cyber Security Tool is a virtual self-assessment tool developed by Public Safety Canada.
Cyber & Infrastructure Resilience Assessments are aimed at larger enterprises and critical infrastructure.

Prevention

It is better to prevent ransomware in the first place.

The best ransomware protection provides an excellent overview of ransomware as well as assessing various solutions.
Protect yourself from ransomware — Mozilla blog.

Check Point ZoneAlarm Anti-Ransomware remains one of the most effective ransomware-specific security tools we've tested. It detected all our real-world ransomware samples, though its recovery system missed some files.
— PCMag

Recovery

You can try these recovery tools but it would be advisable to bring in expert help than to muddle through a process you don't understand.

No More Ransom lists some decryption tools.

Older Ransomware

These recovery tools relate to older ransomware variants. Modern ransomware is not so easy to recover from.

How to protect yourself from the global ransomware attack (2017).
WannaCry ransomware code errors could give victims a chance to get files back.
Locky Ransomware.
"Locky" ransomware -– what you need to know.
11 things you can do to protect against ransomware, including Cryptolocker.
CryptoLocker. 13 versions listed. Removal included.
CoinVault ransomware decryptor has some decryption keys you can try with sample infected files.
TorrentLocker (fake CryptoLocker) ransomware information guide and FAQ.

Ransomware History

Ransomware was largely made possible by the development of crypto-currencies that allow untraceable payments.

CryptoLocker Started it All

CryptoLocker, released in 2013, demanded a significant ransom fee in BitCoins payable within 72 hours or the encryption key (the file needed for recovery) is destroyed.

CryptoLocker spread through ad networks but other ransomware was spread via email or TOR networks.

Newer Variations

While the botnets distributing CryptoLocker have been stopped, it has since morphed into newer variations (CryptoWall, CoinVault, TorrentLocker and Cerber) which don't respond to CryptoLocker solutions.

Bad Rabbit

Bad Rabbit moved ransomware into the low-rent district.

Access to a Windows XP machine can be purchased for $3; a Windows 10 machine for $9.

The hacker regains over 30 times his investment on the first sale.

The 0.05 bitcoin ransom (approx. $3,200) increases after a deadline.

Evolving Ransomware

Ransomware has evolved over time.

Locky Ransomware

The Locky Ransomware was initially distributed via malicious emails. Attached “invoices” used macros that initiated the ransomware download which encrypted your files.

It later used fake Adobe Flash updates to spread its payload.

We Were Unprepared

Microsoft patched the vulnerabilities that permitted WannaCry ransomware in advance of the attack (even for XP)

Still there were disasters. One in Europe looked like an update to a popular accounting software.

Testing Delays

Many organizations engaged in lengthy tests to ensure that a patch won't create issues in their networks.

Ransomware is evolving so quickly we no longer have that luxury.

The Weakest Link

Any weakness in the network or the equipment attached can be exploited.

People will often not account for the fact that attackers attempt to get in through the most vulnerable parts of their organisation, leaving them with a network composed of 99.9 percent super-hardened endpoints and one box running Windows XP.
— SC Media

Vulnerable software (especially on legacy Windows computers or vulnerable personal devices) can be the pathway in which other computers on your network are infected.

Legacy systems need to be disconnected from the Internet as well as networks.

Digital CoronaVirus

The pandemic brought a resurgence of ransomware. People were working from home, away from their technical support, often on home equipment unprepared for the business world.

The Digital CoronaVirus sent out emails promising pandemic relief from the from the U.S. Federal Reserve or similar institutions.

Instead, the user installs both ransomware and Infostealer, a program that grabs passwords from browsers, installed games (e.g., Steam), communication software (e.g., Skype), FTP and VPN credentials.

Like most ransomware, the threat attempts to delete local backups and shadow files before encrypting the users data, emphasizing the need for offline backups.

IoT and Ransomware

Criminals are starting to look at cloud services for future ransomware attacks because data is moving to the cloud — because that's where the “money” is.

The future of ransomware could be even grimmer with the Internet of Things (IoT).

Manufacturers have been busy installing Internet-connected microcomputers in everything — baby monitors, cameras, cars, hospital equipment, smart TVs and much more. They have failed to provide security in order to keep costs down.

Forbes predicts that by 2025, we'll have over 80 billion smart devices on the internet. Much of the embedded firmware running on these devices is insecure and highly vulnerable, leaving an indeterminate number of critical systems and data around the world at risk.
— IoT for All

It's only a matter of time before people get messages on their car screens saying that the engine has been disabled and it will cost $200 in bitcoin to turn it back on. Or a similar message on their phones about their Internet-enabled door lock: Pay $100 if you want to get into your house tonight. Or pay far more if they want their embedded heart defibrillator to keep working.
— Bruce Schneier

No Plans for IoT Security

Security has not even been considered in the rapidly expanding list of IoT products and is probably not even possible to implement post-manufacturer.

Learning More

Trend Micro's Ransomware page includes more on the history.

Related Resources

On this site:

Return to top
RussHarvey.bc.ca/resources/ransomware.html
Updated: August 19, 2023