Introduction to Ransomware

Why you Should Never Pay the Ransom

Jamie Nicol
5 min read, Apr 27, 2020
Image by Katie White from Pixabay

What is Ransomware?
Ransomware is a type of malware that encrypts files on your computer. Typically, files are encrypted and a ransom note that contains instructions on how to regain access to your files is left behind. This ransom note usually asks for a certain amount of Bitcoin to be sent to the attackers' Bitcoin wallet and in return, they will give you a unique decryption key that can be used to decrypt your files.

What’s the difference between Ransomware and Trojans?
There are a few differences between Ransomware and more common forms of malware such as Trojans. Trojans typically masquerade as legitimate applications that then act as a backdoor into your computer for attackers. Ransomware, on the other hand, is much more blatant about the damage that it is causing your computer. Ransomware does not hide the fact that it is encrypting the files on your computer because the attackers want you to know what they are doing so that you can send them money to stop.

Banking Trojans have to wait for you to enter your banking credentials before they can break into your bank account and make money off you. Ransomware cuts out this waiting completely by asking you directly for money in exchange for access to your files. Ransomware has been growing steadily in recent years, potentially due to the increase in the use of cryptocurrencies such as Bitcoin, which let the attackers collect payment with far less risk of the transfer being traced back to them.

How does it get on my computer?
Like all types of malware, there are a few ways that Ransomware can infect your computer:

  • Phishing emails: The Ransomware comes as an attachment or a link in a spam email. When clicked, the application is launched (in some cases it first asks for administrative permissions) and the encryption of your files begins.
  • Through other infected computers on your network: This is a more recent and much more dangerous way of infecting computers that was abused by the WannaCry Ransomware. Basically, one computer on your network gets infected, possibly through a spam email, and the infection spreads throughout the network using vulnerabilities in Windows.

How do you know if you’ve been infected?
If you’ve been infected with Ransomware, your files will no longer open and will often have a fake file extension appended to them (some examples: .fun, .encrypted, .payme). This typically does not happen to all of your files right away; you can actually watch the application going folder by folder and encrypting each file. Inside each folder or on your desktop, a ransom note will appear with instructions telling you how to get your files back and the price it will cost.
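The two indicators described above, a bolted-on file extension and a ransom note dropped into each folder, are easy to check for on a machine you suspect. The following PowerShell function is an added example and not code from the original article; the extension list is the one the article mentions, while the ransom-note filename pattern, the folder grouping and the `Suspected` verdict are constructed assumptions for illustration rather than a catalogue of real families.

```powershell
# Added example (not from the original article): walk a folder tree and report
# the two infection signs the text describes. Extension list comes from the
# article; the note-name regex and the scoring rule are constructed assumptions.

$SuspiciousExtensions = @('.fun', '.encrypted', '.payme')
$RansomNotePattern    = '^(README|HOW_TO|DECRYPT|RECOVER).*\.(txt|html|hta)$'  # constructed

function Find-RansomwareIndicators {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [int] $MaxFiles = 50000          # cap the walk on very large trees
    )

    $files = Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue |
             Select-Object -First $MaxFiles

    $encrypted = @()
    $notes     = @()

    foreach ($f in $files) {
        # For "report.docx.encrypted" .Extension is ".encrypted": the bogus
        # extension sits on top of the real one, which is still visible.
        if ($SuspiciousExtensions -contains $f.Extension.ToLower()) {
            $encrypted += $f.FullName
        }
        elseif ($f.Name -match $RansomNotePattern) {
            $notes += $f.FullName
        }
    }

    # Ransomware works directory by directory, so a folder in which nearly every
    # file carries the bogus extension is a stronger signal than one stray file.
    $byFolder = $encrypted | Group-Object { Split-Path $_ -Parent } |
                Sort-Object Count -Descending

    [pscustomobject]@{
        ScannedFiles   = @($files).Count
        EncryptedFiles = $encrypted.Count
        RansomNotes    = $notes
        HotFolders     = $byFolder | Select-Object -First 10 Name, Count
        # Both signs together: renamed files AND a note. Either alone can be benign.
        Suspected      = ($encrypted.Count -gt 0 -and $notes.Count -gt 0)
    }
}

# Usage (run from the machine being checked):
# Find-RansomwareIndicators -Path "$env:USERPROFILE\Documents"
```

Run it read-only from a separate, known-clean account if you can; the point is to confirm the infection and find which folders were hit first, which tells you how far the encryption had got when you pulled the network cable.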

How many companies are affected every year?
It is hard to say with certainty since many of these attacks go unreported but some estimates have said that 1 company fell victim to Ransomware every 40 seconds in the third quarter of 2016. We can only assume that this number has increased since then with the increased value of Bitcoin as well as the increased number of public Ransomware cases. Looking at these cases, it can be seen that Ransomware can make serious money, with Riviera Beach City in Florida paying $600,000 to get rid of their Ransomware infection in 2019.

If the files are encrypted, why pay the ransom when you can just try to decrypt them?
This is a good question to ask and is the first thing that cybersecurity companies try when they are asked for help by victims. Some Ransomware encryption schemes are weak and can be cracked quickly, while others have been cracked in the past and decryption tools or keys can be found online. In general, cybersecurity companies do not recommend that you pay the ransom. However, if you are not able to recover the key within the time period noted in the ransom note (usually 3 days), and you don’t have any file backups, your files may be gone for good.

Should I ever pay the ransom?
No, you should never pay the ransom. There is no guarantee that you will be given a decryption key and that you will be able to access your files again. There is also no guarantee that the attackers will not leave behind other malware on your computer. It is much better to think proactively by backing up your most important files on a separate hard drive and practicing good email security.

Famous Example: WannaCry
In May 2017, the world was worried about a different epidemic, the WannaCry Ransomware attack. WannaCry spread throughout Europe quickly, taking advantage of a Windows vulnerability using an exploit known as EternalBlue. EternalBlue was originally developed by the National Security Agency (NSA) but was leaked to the public in early 2017 by a group known as the Shadow Brokers. This vulnerability allowed the Ransomware to spread across networks without any user interaction, and as a result over 150 countries and 230,000 computers were affected.

WannaCry Ransomware ransom note (source: Wikipedia)

The ransom was $300, and the ransom note indicated that if you did not pay within 3 days your files would be permanently deleted. However, even if you paid, the malware had no way of determining which infected computer the payment came from, and as a result it is widely agreed that paying the ransom would not have saved your files.

The National Health Service (NHS) of the UK was among the hardest hit, with the virus costing them approximately 92 million euros in canceled appointments. Globally, the virus is estimated to have cost about $4 billion in damages. It is important to note that the vulnerability that the Ransomware exploited was patched by Microsoft 2 months before this attack but many companies were slow to roll out the patch and as a result became infected.

How to protect yourself
Companies may get targeted with Ransomware more commonly than individuals but you should still take precautions to make sure that your files do not become encrypted. The best pieces of advice to protect yourself are:

  • Keep your Operating System up to date: many of the exploits that Ransomware uses to infect you or spread to other computers have already been patched by Microsoft and other Operating System vendors.
  • Don’t open suspicious emails: Ransomware is often delivered as an attachment or a link in spam emails. By practicing good email security, you can prevent yourself from accidentally exposing yourself to Ransomware.
  • Use an Antivirus: many modern antivirus applications can detect ransomware and stop it in its tracks before it is able to do any serious damage to your computer.
  • Use Windows 10 Ransomware protection: Microsoft added 2 new security features to Windows 10 that can help control a Ransomware attack on your computer. The two components are Controlled Folder Access and Ransomware Data Recovery. These components allow you to monitor folders and block any changes to files within those folders as well as back up important data on OneDrive. There is a great article on Bleeping Computer showing how to enable Windows 10 Ransomware protection.
  • Back up your most important files on an external hard drive: If you do end up falling victim to Ransomware, having your most important files on an external hard drive that doesn’t get infected will be a lifesaver.
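The Controlled Folder Access feature mentioned in the list can be switched on from the Windows Security app, but it is also scriptable through the Microsoft Defender cmdlets, which is how you would roll it out to more than one machine. The sequence below is an added example, not the article’s own instructions or the Bleeping Computer walkthrough it links to; it assumes Windows 10 with Microsoft Defender Antivirus active, an elevated PowerShell prompt, and placeholder folder and application paths that you replace with your own.

```powershell
# Added example, not from the original article. Requires an elevated prompt on
# Windows 10 with Microsoft Defender Antivirus. Paths below are placeholders.

# 1. Start in audit mode: nothing is blocked yet, but every write that *would*
#    have been blocked is logged, so you can spot legitimate apps before enforcing.
Set-MpPreference -EnableControlledFolderAccess AuditMode

# 2. Protect folders beyond the defaults (Documents, Pictures, Desktop, ...).
Add-MpPreference -ControlledFolderAccessProtectedFolders 'D:\Projects'   # placeholder

# 3. Allow a trusted program that legitimately writes into those folders.
Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Program Files\ExampleApp\app.exe'   # placeholder

# 4. Review what audit mode caught over the last week.
#    Defender logs event ID 1124 for audited and 1123 for blocked folder access.
function Get-ControlledFolderAccessEvents {
    param([int] $Days = 7)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1123, 1124
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
}
Get-ControlledFolderAccessEvents

# 5. Once the audit log shows only software you do not recognise touching your
#    documents, switch from auditing to blocking.
Set-MpPreference -EnableControlledFolderAccess Enabled

# 6. Confirm the setting (0 = Disabled, 1 = Enabled, 2 = AuditMode) and the folder list.
(Get-MpPreference).EnableControlledFolderAccess
(Get-MpPreference).ControlledFolderAccessProtectedFolders
```

Running in audit mode first matters: an unblocked write from an unfamiliar program is exactly what a ransomware process looks like, but it is also what a backup tool or an installer looks like, so a week of audit events tells you which ones to allow before enforcement starts breaking things.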

Jamie Nicol

UofT Computer Science student with a passion for Cyber Security.