• Ransomware that blocks access to a computer system until payment is made has been around since at least the 1980’s.
• Ransomware can be delivered as attachments, phishing messages, malicious links and even downloads.
• Sometimes the only option is to simply wipe your PC and start a fresh.

Ransomware – malicious software designed to block access to a computer system until a sum of money is paid, first dominated headlines in late 2013. Over the intervening years, there have been multiple attempts to stop cybercrime groups responsible for sending this malware but, being successful as the technique is, ransomware has continued to be adopted by scammers on the internet.

Why is ransomware so virulent?  What can be done to protect systems from the modern day highwaymen behind these attacks? Ransomware has been around for many years, possibly dating back as far as the 1980s, with the first instance believed to be the ‘AIDS Trojan’. Supposedly an AIDS information and assessment pack, sent by the PC Cyborg Corporation on a 5.25” diskette (or floppy disk for those old enough to remember) was instead a Trojan horse. Once the disk was installed it invisibly unleashed a piece of malware that, after a specified number of reboots, encrypted the hard disk without warning and then demanded the user pay a ‘license fee’ in return for the decryption key. The campaign was relatively small and the mastermind behind the campaign was caught, although he was eventually deemed unfit to stand trial.

Much changed in the intervening years and, in September 2013, a new form of ransomware called “CryptoLocker” began making the rounds, infecting machines at an alarming rate. This family of Ransomware was delivered under a number of guises – from attachments to phishing messages, malicious links and even drive-by downloads on compromised web pages. CryptoLocker employs strong encryption to scramble nearly every file on the target’s computer, making it impossible to recover without the unique private key used to encrypt them. While previous forms of ransomware have had relatively limited success in extracting payments, CryptoLocker and its spinoffs, CryptoWall and CryptoDefense, have easily become the most effective to date – plus it also has a cool name!

Instead of simply making a half-hearted threat with a splash screen that made a threat and demanded a ransom, the new family of malware encrypted every document on its victims’ machines that it could find. This way, even if someone were to uninstall the malware component, all of their files would still be unusable due to the fact that they were encrypted with one of the industry’s most trusted algorithms, AES. In addition to that, the AES key, required to decrypt the files, was again encrypted with yet another strong industry standard, RSA-2048. This made the retrieval of the encrypted files nearly impossible without the decrypted key from the bad guys.

Today, ransomware continues to encrypt data. The recent Windows 10 roll-out has been used by criminals as bait to lure victims into downloading CTB-locker. The FBI’s Internet Crime Complaint Center (IC3), recently stating that the CryptoWall variant of crypto-ransomware cost US businesses and consumers at least $18 million between April 2014 and June 2015. Another case that hit the headlines was Lincolnshire County Council. Its systems were infected with ransomware at the end of January 2016, taking a week for it to get systems restored and back online.

Best defense is a good offence

The old adage ‘an ounce of prevention is worth a pound of cure’ really does hold true here given the fact that once your data is encrypted by the malware, the encryption is all too often unbreakable. Since reversing the encryption without the key is often futile, we are left with prevention. Here’s a list of preventative actions organizations can take to prevent ransomware getting a grip on their stuff: The easiest is to perform regular back-ups so that, should you become infected, you can restore systems to a point before the malware took hold, thereby minimizing the damage

Don’t assume that by backing-up data to cloud repositories that you’ll be immune. In fact, if files automatically upload then having been infected with ransomware the encrypted files will also upload! Also, some ransomware authors have developed variants that will specifically target endpoints subscribing to cloud solutions – searching for stored credentials to encrypt this data and lock users out!

Remember, attackers are agile and will often take advantage of zero-day vulnerabilities so run regular software and hardware updates – this will be engraved on my tombstone because I say it so often. Software and hardware updates often contain security patches to holes that malware, like ransomware, wiggles its way through. The best type regular software updates are automatic ones, but if that’s not feasible, at least set up notifications to let you know when the latest update is available. Then set a max number of “snoozes” you can set for your update. Don’t make it easy for criminals and instead employ robust security defences. As we mentioned earlier, ransomware is often delivered via an email attachment or malvertisement on the Web. By having email and Web protection, you can prevent ransomware from ever entering your network

Conduct, or participate in, regular security awareness training so you are acutely aware of the dangers from clicking links, opening attachments and deploying programs. Any time a process reads or writes a block of data to the disk that is an I/O request so monitoring for these and protecting the Master File Table (MFT) in the New Technology File System (NTFS) could be beneficial in blocking known current Ransomware variants. Enable your ‘System Restore’ feature in Windows, just in case you need it! I personally don’t see a means to prevent infection 100 percent of the time but, by adopting these steps, you can shrink the attack surface significantly.

Stand and Deliver

So, what happens if you do fall victim to a ransomware attack? Well, if you’re already infected then all you can do is hope that it’s not actually CryptoLocker or its spinoffs, but is instead ScareWare which is far easier to eradicate, as once the malicious command has been executed, your files are encrypted. The only way to actually unlock them is if you have the key, which you don’t. Of course, there is one person who does (or claims to) have the key—and will give it to you—for a nominal fee. If you’re contemplating paying the ransom, keep in mind that the only reason why these thieves keep making these attacks is because people are paying them. If all of the victims stopped paying ransoms, they wouldn’t have a successful business model, whose core objective is to steal your money, mind you. And these thieves often are associated with larger criminal organisations, which use your money to fund their illegal activities.

The easiest thing you can do (aside from not getting infected…but if that horse has bolted) and assuming you’ve created a hard backup of important files is simply wipe your machine and start fresh. That said, if you don’t have a back-up, there are some techniques that you can try that may help recover your files: You’ll need to be able to run the PC in safe-mode and then use an on-demand virus scanner to try to remove the malware. Alternatively, and assuming the ransomware doesn’t block this action (and many do,) you can try a ‘system restore’ to roll the system back in time to before the infection began. This shouldn’t affect your files: You can do this by restarting your PC. As soon as it starts booting up, press F8 on the keyboard which should bring up the ‘advanced boot options’; Select ‘Repair your computer’; Select System Restore (you may be asked to log in first); If you don’t see any of these then you’re last resort is to use your Windows Disk – if you have one! If this hasn’t worked then you could try a factory restore.

With some ransomware files aren’t actually encrypted but hidden so, once you’ve removed the infection, you will need to find your files and icons again. If you were infected with CryptoLocker or its spinoffs its unlikely that any of this will have worked so your final option is to pay the ransom – although even that isn’t guaranteed, as you’re making a deal with the devil! There have been several versions of crypto-ransomware this past year and they are still working and victims are still paying these criminals. Thanks to this, we can guarantee that we will continue to see old and newer versions of ransomware flooding the Internet.

There is no easy way to defeat ransomware and it has proven many times it is effective for attackers in getting users to actually pay the ransom, so the tactic is still alive and likely to continue evolving. With the attacks still being prevalent, I can’t stress enough the importance of data backups that cannot be potentially accessed by the malware (it has been known to encrypt network shares and NAS units). As long as there are crafty cybercriminals willing to innovate new attacks that will push the needle we have to look for ways to deflect their shot.