How worried should you be about ransomware? This guide breaks down everything you need to know about ransomware, including how to safeguard yourself from a ransomware attack and how to remove it if you get infected.
Cybersecurity is a major concern in today’s world, both at the corporate and personal levels. Our computers, our handheld devices, and our smart home and IoT products are vulnerable to a variety of attacks. In 2017 alone, Avast blocked 35 billion security attacks against PCs and 208 million against Android mobile devices. What was one of the biggest security threats? Ransomware.
Ransomware is a type of malicious software (aka malware) that is designed to take your computer files—and sometimes even your entire computer—hostage.
The malware encrypts your files so that they cannot be opened, or it locks you out of your computer completely to prevent access to all of those important photos, videos, accounting files, work documents, etc. The malicious attackers responsible for sending you the malware then contact you to demand a ransom, promising to decrypt the files after you pay (often in Bitcoin).
Ransomware is not new. The first known attack occurred in 1989 and was spread between computers via floppy disk. In today’s fully network-connected world, the easy access to open-source ransomware software and the strong potential for financial gain have led to a surge in ransomware’s popularity.
Is ransomware a virus?
Most of us are familiar with the term virus, and we use it to refer to all forms of malware. The truth is, a virus is just one specific type of malware. Other common types include worms, Trojan horses, spyware, and ransomware. The goal of each type of malware is different. Worms replicate and bog down your computer’s performance. Viruses are designed to infect your computer, damage your files, and then spread to new hosts. Trojan horses want to gain a secret backdoor to your computer to access and exploit your personal information. There are numerous reasons why cyber criminals would create and distribute these types of malware.
With ransomware, the reason is usually pretty straightforward: the perpetrator wants money. Generally speaking, the goal isn’t to permanently damage or destroy your files or even to steal your identity, but to convince you to pay for the decryption key.
Anyone can be a target of ransomware. The highest profile ransomware attacks in 2017 affected individuals and businesses alike, including major corporations, hospitals, airports, and government agencies.
The PC is still the most popular target for ransomware attacks, as hackers exploit known vulnerabilities particularly in the Windows operating system.
In May 2017, the WannaCry ransomware quickly spread around the globe and ultimately attacked over 100 million users.
WannaCry exploited a known Windows weakness called EternalBlue, which is a bug that allows hackers to execute code remotely through a Windows File and Printer Sharing request. Microsoft had issued a patch for EternalBlue two months before WannaCry hit; unfortunately, many individuals and businesses did not perform the update in time to prevent the attack. EternalBlue goes all the way back to Windows XP, an operating system that Microsoft no longer supports—which is why Windows XP users were hit the hardest by WannaCry.
Ransomware attacks on mobile devices are growing in frequency. Attacks on Android devices grew 50 percent from 2016 to 2017. Oftentimes, the ransomware will make its way onto the Android device through an app from a third-party site; however, we’ve also seen cases where ransomware was successfully hidden within seemingly legitimate apps in the Google Play Store.
Apple fans aren’t in the clear, either. In the past, Mac users were generally less susceptible to malware attacks; however, as Apple products earn a larger share of the market, they also get more attention from malware developers. In 2017 two security firms uncovered ransomware and spyware programs specifically targeted at Apple users, thought to be developed by software engineers who specialize in OS X. The people who created the malware were even making it available for free on the dark web. Malicious attackers have also accessed Mac users’ iCloud accounts and used the Find My iPhone service to lock people out of their computers.
Ransomware comes in a variety of forms, with the request for ransom being the main thing that unites them. (2017 did see a few cases where institutions were hit with a ransomware-like attack, but the goal did not seem to be monetary. The ransomware may have been cover-up for spying or some other type of cyberattack.)
One of the reasons why ransomware has become such a popular type of malware is that it’s readily available online for threat actors to use. Avast has found that approximately one third of all “new” ransomware strains actually originate from an existing open-source strain. Also, hackers are continually updating their code to refine their ransomware and improve their encryption, so a certain strain of ransomware might re-emerge multiple times, as Petna has.
Since the attacker’s ultimate goal is to spread the ransomware to as many machines as possible in order to make the most money, an alternative ransom tactic has emerged.
In the Popcorn Time ransomware, the perpetrator asks the victim to infect two other users. If both of those users pay the ransom, then the original victim will receive his or her files back, free of charge.
The scary thing about ransomware is that, unlike a virus, it can attack your device without any action on your part. A virus requires the user to download an infected file or click on an infected link, but ransomware can infect a vulnerable computer on its own.
Drive-by downloads are malicious files that are downloaded to your computer without any direct action from you. Some less-than-reliable websites take advantage of out-of-date browsers and apps to secretly download malware to your computer while you’re innocently surfing the web.
Regardless of how the ransomware gets on your computer, once the program has been executed, it typically works like this: the ransomware begins to alter files (or file structures) in such a way that they can only be read or used again by restoring them to their original state. Encryption is used both to lock the files and to secure communication between the malware and the command computer (the computer the criminal uses to direct the victim’s computer). The attacker holds the key that will either decrypt the data directly or recover the decryption key needed to restore the files or file system to their original form.
When all the files are securely locked, a ransom note will appear on your screen, telling you how much money you’ll need to pay to decrypt the files, where/how to transfer the funds, and how long you have to do so. Miss the deadline, and the price goes up. If you try to open any of the encrypted files, you will get an error message telling you that the file is corrupt, invalid, or cannot be located.
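As an added defender-side illustration (not code from the original article): a small Python heuristic that flags files with no recognisable header and near-random contents, which is what the "corrupt or invalid" files described above look like on disk. The header table and the sample files are constructed for this example; a real scan would walk the filesystem instead of a dictionary.

```python
import math
import random
from collections import Counter

# Magic-byte prefixes of a few common document types (constructed, not exhaustive).
KNOWN_HEADERS = {
    b"%PDF": "pdf",
    b"\x89PNG": "png",
    b"PK\x03\x04": "zip/docx/xlsx",
    b"\xff\xd8\xff": "jpeg",
}

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, from 0.0 to 8.0. Ciphertext sits close to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_encrypted(data: bytes, threshold: float = 7.5) -> bool:
    """Heuristic: no recognisable header AND a near-uniform byte distribution.

    Plain text and normal documents score well below the threshold; compressed
    media can score high, so the header check keeps known formats out of the list.
    """
    if any(data.startswith(h) for h in KNOWN_HEADERS):
        return False
    return shannon_entropy(data[:4096]) >= threshold

def scan_files(files: dict) -> list:
    """files maps name -> contents. Returns the names that look like ransomware output."""
    return sorted(name for name, blob in files.items() if looks_encrypted(blob))

# Constructed sample "disk": a PDF-like file, a text file, and two blobs of
# pseudo-random bytes standing in for files a ransomware strain has encrypted.
_rng = random.Random(1234)  # fixed seed so the sample is reproducible
def _random_blob(size: int) -> bytes:
    return bytes(_rng.randrange(256) for _ in range(size))

SAMPLE_FILES = {
    "report.pdf": b"%PDF-1.4\n" + b"stream endstream " * 100,
    "notes.txt": b"quarterly numbers look fine\n" * 50,
    "report.pdf.locked": _random_blob(4096),
    "photo.jpg.crypt": _random_blob(4096),
}

if __name__ == "__main__":
    for name in scan_files(SAMPLE_FILES):
        print(f"suspicious: {name} (entropy {shannon_entropy(SAMPLE_FILES[name]):.2f})")
```

The check is a triage aid, not proof: it will not catch strains that keep the original header or encrypt only part of each file, which is why a recent offline backup matters more than any scanner.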
The act of removing the ransomware itself isn’t all that difficult. If the attacker used encryption ransomware and you can still get into your computer, then you can put the computer into Safe Mode and run an antivirus scanner to find and delete the malware.
If the ransomware was of the locker variety that shuts you out of your computer entirely, then you have three choices in how to proceed: you can reinstall your operating system; you can run an antivirus program from an external drive or bootable disc; or you can do a System Restore and take Windows back to a time before the ransomware was loaded. Here’s how you do a System Restore on Windows machines:
Windows 7 System Restore:
Windows 8, 8.1, or 10 System Restore:
For Android devices, the following are general steps to remove the malware by entering Safe Mode and uninstalling suspicious apps. These steps can vary depending on your device.
Although ransomware is less prevalent on Macs, you follow the same general steps to get into Safe Mode and then delete the malware.
Unfortunately, removing the ransomware doesn’t suddenly give you access to all of your encrypted files. How easy or difficult it is to recover your data depends on the level of encryption. If it was basic ransomware using basic encryption, one of Avast’s free ransomware decryption tools can likely get the job done. If your computer has been infected by a more sophisticated ransomware like WannaCry that uses stronger encryption, it may be impossible to recover your locked files.
Now, some of you may be thinking that the best way to recover the files is to just pay the ransom. A lot of people do choose to pay, which is why ransomware has become such a popular form of malware. If cyber criminals keep making money, they’ll keep making ransomware.
Keep this in mind, though: There’s no guarantee that the attacker will actually keep their word and decrypt the files after you pay. They might just take the money and run. Or, if they see that you’re willing to pay, they may instantly increase the ransom amount. Plus, a willingness to pay makes you a target for another attack down the road.
It should also be noted that some ransomware is so poorly coded that, once the files are encrypted, they can’t be decrypted and are lost forever. Petna is one such example. So if you pay, you may still not get your files back.
The best way to deal with a ransomware attack is to prevent it from ever happening in the first place. To do this, you should: