Hand over the BitCoin if you ever want to see your precious Data again…
The term ‘ransomware’ refers to a type of malware whose purpose is to infect a victim’s technology and then extort money from them by holding it hostage: the machine is locked or the files are encrypted, and the victim is told to buy an unlock code or ‘antidote’ in order to restore access. The ransomware will often display a message pretending to be from some form of law enforcement, making accusations of illegal behaviour and claiming that payment will halt further investigation.
A distinction between a real-world hostage situation and this digital version is that your data has not really been Taken™ – though you may need a particular set of (tech) skills to recover it without paying the demand. This is more akin to squatters moving in to your home and changing the locks, agreeing to give you the key only if you buy them a caravan. The data is still exactly where you left it, you just can’t get at it, and one bit of good news is that with a purely encrypting strain it is unlikely the attacker has access to it either. That comfort disappears if the malware copies your files out to the attacker before encrypting them, so treat an infected machine as fully compromised until you know which kind you are dealing with.
At its accidental best, in 2013 a ransomware attack displaying a very common fake FBI message accusing the victim of possessing child pornography randomly infected the computer of an actual child abuser in the US, who then handed himself in to police. The investigation that followed uncovered his actions and led to charges of child sexual abuse and possession of child pornography being brought against him. At its unfortunate worst, in 2015 a 17-year-old autistic boy, who had a reduced ability to recognise lying, hanged himself after believing a ransomware message claiming that indecent images had been found in his possession and that he would have to pay to prevent the “police” taking things further.
So what can you do about it?
First things first: ransomware is typically propagated as a Trojan, and most commonly it is actively let in by an uneducated or careless victim of social engineering – for example by opening an attachment or clicking a link in an email without being sure the sender is genuine – so basic web safety education is, as is so often the case, the number one preventative measure. Two cheap technical backstops for the inevitable bad click are leaving Office macros disabled by default and not doing day-to-day work from an administrator account, since a Trojan can only encrypt what the user who ran it can write to.

Trojan infection can also occur by ‘drive-by download’, which sounds far more exciting but is in fact far more passive: the user visits a web site, often a perfectly legitimate, trustworthy site that has been compromised, usually through its ad network (termed ‘malvertising’), and the site serves an exploit for a vulnerability in the browser or one of its plugins that runs the payload without any action by the victim at all. Such booby-trapped advertisements have been discovered in the past on eBay.com, Yahoo!, weather.com and AOL to name but a few big names. You should always ensure that your systems are operating with an up to date version of a secure browser, with plugins such as Flash and Java patched or removed outright, since those were the exploit kits’ favourite targets. Simply maintaining well rated and up to date antivirus software will catch the vast majority of known malware long before any damage is done, but note the word ‘known’: antivirus is a safety net, not a substitute for patching and backups.
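The email route above is the one a mail gateway can do something about before a user ever sees the message. The following is an added example, not code from the original article: a small Python triage routine that parses an RFC 5322 message and flags attachments whose names alone already mark them as a Trojan risk (directly executable types, macro-enabled Office documents, double extensions such as invoice.pdf.exe, and the Unicode right-to-left override trick that makes "report‮fdp.exe" display as a PDF). The extension lists, the sample message and its addresses are constructed for the example; real gateways would also unpack archives and inspect content rather than names.

```python
"""Attachment triage for an inbound mail gateway (added example, not from the article).

Flags attachments whose names alone mark them as a Trojan risk: directly
executable types, macro-enabled Office documents, double extensions such as
invoice.pdf.exe, and names using the Unicode right-to-left override to
disguise the real extension.  Archives are only flagged for manual review.
"""
import email
import email.policy
from email.message import EmailMessage

# File types Windows will execute or hand to a script engine on double-click.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
                   "vbs", "vbe", "wsf", "hta", "ps1", "msi", "jar", "lnk"}
# Office formats whose macros run with the user's privileges.
MACRO_EXTS = {"docm", "dotm", "xlsm", "xltm", "pptm"}
# Archives are not unpacked here; they just get a warning for a human.
ARCHIVE_EXTS = {"zip", "rar", "7z", "cab"}
# Harmless-looking extensions used as the decoy half of a double extension.
LURE_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt"}


def classify_filename(name):
    """Return the list of reasons a filename is suspicious (empty means none)."""
    reasons = []
    if "\u202e" in name:
        reasons.append("right-to-left override character hides the real extension")
    parts = name.lower().strip().split(".")
    if len(parts) < 2:
        return reasons
    ext = parts[-1]
    if ext in EXECUTABLE_EXTS:
        reasons.append("executable extension ." + ext)
    if ext in MACRO_EXTS:
        reasons.append("macro-enabled Office document ." + ext)
    if ext in ARCHIVE_EXTS:
        reasons.append("archive ." + ext + " (contents not inspected)")
    if len(parts) >= 3 and parts[-2] in LURE_EXTS:
        reasons.append("double extension ." + parts[-2] + "." + ext)
    return reasons


def triage_message(raw_bytes):
    """Parse an RFC 5322 message; map each flagged attachment name to its reasons."""
    msg = email.message_from_bytes(raw_bytes, policy=email.policy.default)
    flagged = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed attachment)"
        reasons = classify_filename(name)
        if reasons:
            flagged[name] = reasons
    return flagged


def build_sample_message():
    """Constructed sample: one benign PDF, one classic double-extension lure and
    one macro-enabled document.  Addresses and contents are made up."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.invalid"
    msg["To"] = "someone@example.invalid"
    msg["Subject"] = "Overdue invoice"
    msg.set_content("Please find your invoice attached.")
    msg.add_attachment(b"%PDF-1.4 fake", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(b"MZ fake", maintype="application",
                       subtype="octet-stream", filename="invoice.pdf.exe")
    msg.add_attachment(b"PK fake", maintype="application",
                       subtype="octet-stream", filename="statement.docm")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reasons in triage_message(build_sample_message()).items():
        print(name, "->", "; ".join(reasons))
```

Run it and only invoice.pdf passes; the other two attachments are reported with the reason each tripped. The point of checking names before content is cost: this runs in microseconds per message, so it can sit in front of the slower content scanning the antivirus does.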
Too late. Now what?
Maybe someone got lost somewhere in the previous paragraph and let an attack in, or maybe your data presented a particularly juicy target, enough to be directly targeted with a zero-day attack – an exploit for a vulnerability nobody has patched yet, or a piece of code different enough from existing malware that even up to date security software does not detect it. Vendors will, of course, begin implementing detection and prevention as soon as they are provided with a sample, but that is no help to the first victims. However it happened, chances are your precious data has already been encrypted and/or you are plain locked out. But you keep backups, right? Not directly accessible by your system (i.e. not also already encrypted), right? A mapped network drive or a permanently plugged-in USB disk counts as accessible; an offline copy, or one the infected account cannot write to, does not. Well, your OS was starting to feel sludgy anyway, a fresh install would feel great! OK, maybe that wasn’t what you wanted to hear, but there may be other good news – a number of known ransomware strains have already been defeated, usually because of a flaw in how they generated or stored their keys, and the details, tools and/or resources have been made freely available to everyone. So disconnect the infected machine from any network, and switch off any devices that were accessible to it, if only as a precaution. Now find out what you’re a victim of as quickly as possible: the ransom note and the extension added to the encrypted files are what identify the family, and a sample encrypted file (for some tools, together with an unencrypted copy of the same file) is what the free decryption tools ask for, so keep copies of both before you wipe anything. Then get that machine shut off too (network first, power second; some recovery tools have depended on key material still sitting in memory) and get searching on an uninfected device; with any luck a solution is out there!
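"Stop the spread" is easier if you notice the encryption while it is still running rather than when the ransom note appears. The following is an added example, not the article's own code or any product's: a Python canary-file monitor that plants a few decoy documents which no legitimate process ever writes to, then reports any decoy that goes missing, is renamed, or whose content has jumped to the near-8-bits-per-byte entropy of ciphertext. The decoy names, the entropy threshold and the ".locked" suffix used by the constructed stand-in for the encryptor are all assumptions for the example, not markers of any real family; in a deployment the "ALERT" branch would trigger the network disconnect the paragraph above describes.

```python
"""Canary files: detect bulk encryption while it is happening (added example).

A few decoy documents are planted where a file-walking encryptor finds them
early.  Nothing legitimate ever writes to them, so any change, rename or
disappearance is a strong signal, and a jump in byte entropy says the new
content is ciphertext rather than an ordinary edit.
"""
import hashlib
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Bits per byte.  English text sits around 4-5, ciphertext close to 8.
ENTROPY_THRESHOLD = 7.0
# Leading "!!aaa" so alphabetical directory walks reach the decoys first (assumed names).
CANARY_NAMES = ["!!aaa_accounts.docx", "!!aaa_passwords.xlsx", "!!aaa_photos.txt"]
CANARY_TEXT = ("Decoy document used to detect unauthorised modification. "
               "Plain repeated text keeps its entropy low.\n") * 60


def shannon_entropy(data):
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def plant_canaries(directory):
    """Write the decoys and return a baseline mapping path -> SHA-256 of content."""
    baseline = {}
    for name in CANARY_NAMES:
        path = Path(directory) / name
        path.write_bytes(CANARY_TEXT.encode())
        baseline[str(path)] = hashlib.sha256(CANARY_TEXT.encode()).hexdigest()
    return baseline


def check_canaries(baseline):
    """Compare each decoy with its baseline.  Returns a list of (path, finding);
    an empty list means nothing has touched them."""
    findings = []
    for path_str, digest in baseline.items():
        path = Path(path_str)
        if not path.exists():
            # Many families write ciphertext under a new name and delete the original.
            renamed = sorted(p.name for p in path.parent.iterdir()
                             if p.name.startswith(path.name))
            findings.append((path_str, "missing; possible renamed copy: %s" % renamed))
            continue
        data = path.read_bytes()
        if hashlib.sha256(data).hexdigest() == digest:
            continue
        entropy = shannon_entropy(data)
        if entropy >= ENTROPY_THRESHOLD:
            findings.append((path_str, "high-entropy content, entropy=%.2f (looks encrypted)" % entropy))
        else:
            findings.append((path_str, "modified, entropy=%.2f" % entropy))
    return findings


def simulate_encryption(baseline):
    """Constructed stand-in for an encryptor, not real malware: overwrite the first
    decoy in place with random bytes, and for the rest write random bytes then
    rename.  The ".locked" suffix is an assumption, not any real family's marker."""
    for i, path_str in enumerate(baseline):
        path = Path(path_str)
        path.write_bytes(os.urandom(len(CANARY_TEXT)))
        if i > 0:
            path.rename(path.with_name(path.name + ".locked"))


def run_demo():
    """Plant, verify clean, simulate an attack, verify detection.
    Returns (findings_before, findings_after)."""
    workdir = tempfile.mkdtemp(prefix="canary_demo_")
    baseline = plant_canaries(workdir)
    before = check_canaries(baseline)
    simulate_encryption(baseline)
    after = check_canaries(baseline)
    return before, after


if __name__ == "__main__":
    before, after = run_demo()
    print("before attack:", before)
    for path, finding in after:
        print("ALERT", path, "-", finding)
```

The entropy check is what separates a harmless edit from encryption: a user saving a document leaves it at text-like entropy, whereas output of any competent cipher is indistinguishable from random bytes. Run check_canaries from a scheduled task every few seconds; the decoys cost nothing and the first file an encryptor touches is very often one of them.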
Educate. Defend. Patch. Backup.
Failing that, stop the spread and investigate for a solution. Or just pay? Bear in mind that paying buys a promise rather than a guarantee of a working key, and it funds the next campaign.