Ransomware: Refusing to Negotiate with Attackers

Image

  Last week, the information security community was saddened to learn of Joseph Edwards, a 17-year-old secondary school student who committed suicide after his computer became infected with ransomware. Edwards’ computer was corrupted by Reveton (or Police Ransomware), a common type of malware that locks a victim’s computer, claims that the victim is in trouble with law enforcement authorities for having looked at illegal websites, and demands a fine in order to stop the police from investigating them. In this case, Edwards was a grade-A student with Autism, a neurodevelopmental disorder that, in his mother’s opinion, may have prevented him from understanding both the illegitimacy of the scam, as well as the implications of his subsequent actions. Even so, this tragedy is not lost on information security professionals. In observance of International Data Privacy Day, which occurred on January 28, Tripwire would like to honor Joseph Edwards’ memory by providing a detailed guide on ransomware, including what it is, how it works, steps users can take if they find themselves victims of ransomware, and what measures people can take to protect their computers against it.

Ransomware: A Bitcoin (Or Two) for Your Files

Ransomware is a type of malware that cybercriminals use to extort money from their victims. This type of malware activates when a user clicks on a phishing link or opens a suspicious email attachment (usually a “.zip” file), triggering the ransomware program to install on a user’s computer. Security experts generally agree that there are two different types of ransomware. The first, known as “WinLocker,” is the less harmless of the two. WinLocker locks the computer screen and demands that the user pay a ransom fee in order to have access restored. There are many strains of ransomware that replicate WinLocker’s method of attack. For instance, “MBR ransomware” infects a portion of the computer’s hard drive. This causes the normal boot process to be interrupted, which attackers exploit by displaying a ransom demand. Notwithstanding the disruptions they may cause to normal computer functions, WinLocker and MBR ransomware are not too different from “scareware,” malware that tries to frighten users into purchasing licenses for usually ineffective rogue anti-virus software. The second type of ransomware, however, is by far more serious than WinLocker. Instead of locking computer screens or interrupting a computer’s boot process, crypto-ransomware, which began with CryptoLocker back in the fall of 2013, encrypts most types of personal files available to users, including “.doc,” “.xl,” and “.exe”. The attackers then demand that the users pay a ransom (usually between $200 and $3000 in Bitcoins) in exchange for the decryption keys to their files. But it is more sinister than that. CryptoLocker uses asymmetric encryption, a form of encryption that includes both a public and private key, to lock users’ files. The public key is used to encrypt the user’s data, whereas the private key is used for decryption. This private key is not accessible online and is stored on the attacker’s server, which means that users have little hope of recovering their files back. In an effort to heighten the psychological effects of infection, attackers oftentimes use hyperbolic language in their ransom demands to accuse their victims of illegal behavior, including accessing child pornography websites or accessing sensitive law enforcement documents. They also commonly include a date and time after which the decryption keys for the victim’s files will expire, thereby heightening the urgency of payment. Acknowledging this, the consequences of infection for the user vary. If infected by WinLocker or MRB ransomware, the user will likely experience only a minor loss in productivity as they take the time out to remove the malware from their computers. However, users whose files are encrypted by CryptoLocker could lose years and years of work. In the case of Edwards, if they do not understand the true extent of the scam, they might even decide to take their own life.

Ransomware – How to Remove It From Your Computer

Removing ransomware from your computer depends on the infection type and severity. If the ransomware is like WinLocker and has locked your web browser, you can navigate to your computer’s applications and try to force quit the browser. Once the web browser shuts down, you will be asked whether you would like to restore your previous session. Make sure you click “No” to avoid re-loading the ransomware program into your browser. Unfortunately, most strains of ransomware are not so easily expunged. This leaves users with two options. If they are computer savvy, they can access their computer’s registry and remove all of the malware indicators. For all other users, it is recommended that they launch an on-demand malware scanner, such as Malwarebytes. In some instances, the ransomware may not permit an online scanner to activate. If this occurs, users should either try to load an offline malware scanner, such as USB-based anti-virus software, or restore their computers to a previous setting using either System Restore (Windows) or Recovery Mode (Mac). For the most extreme cases, users can also conduct a full factory reset of their computers, which will eradicate all system modifications, including user data and any lingering strains of ransomware. Under no circumstances should users ever pay a ransom. Attackers leverage locked screens and encrypted personal files to extort money only. Once they have received payment, they are under no obligation to restore users’ computers to their normal functionality. Additionally, as evident in a new form of ransomware called “Business E-mail Compromise” (BEC), attackers can also use ransomware payments as drops for Trojans, keyloggers, and other malicious software. With this in mind, users should focus first and foremost on removing the ransomware infections from their computers.

Safeguards Against Ransomware

Given the damaging effects of ransomware, it is imperative that users take a series of precautions to protect themselves against infection. These include the following:

• Install and regularly update real-time anti-virus software: As opposed to on-demand malware scanners, anti-virus software constantly searches a user’s computer for malware. These solutions are therefore the first line of defense in users’ fight against ransomware.

• Use cyber security common sense: Security awareness goes a long way in preventing malware infections. Acknowledging this, users should not open any attachments from suspicious emails and should learn how to spot a phishing email.

• Load an update whenever it becomes available: Updates to web browsers and other applications often contain security patches for known vulnerabilities. By installing each update, users thus close a flaw that attackers could otherwise exploit to load ransomware onto their computers.

• Backup your files often: CryptoLocker derives its power from holding the keys to a user’s files. However, if a user has multiple backups of their data, they can focus on removing the ransomware from their computers without worrying about losing their files. As a result, users should frequently backup any information they wish to not fall into the wrong hands.

Data Protection and the User

Ransomware tries to use fear and intimidation to get what they want, often leaving users with a feeling of helplessness when their computers’ normal functions are interrupted. But the effectiveness of any ransomware strain depends on how each user responds and what defensive measures they have in place. By following the above steps above, not only can users successfully remove ransomware from their computers, but they can also protect themselves and their data from ever being infected in the first place.