In the real world, a ransom is something you pay to get a precious person or item back from the criminals who have seized it. In the virtual world of cybercriminals, exactly the same thing can happen! Except the precious treasure are your data, and the payment is usually cryptocurrency. The most common way for this sort of thing to happen is through something called a ransomware attack.
Intersting Pick: 10 of the Worst Cyber Crimes in History
Ransomware is a specific type of malware that captures your data without your knowledge and then demands something, usually money, for you to get it back. It's one of the most devastating and damaging types of malware ever devised. It's crippled large organizations and caused the loss not only of money directly but irreplaceable data. By understanding how it works, you'll have a better chance of dealing with it or avoiding it altogether. So let's look at the nuts and bolts of a ransomware attack.
How a Ransomware Attack Works
Ransomware infects a computer in pretty much the same way that most malware does - it's a piece of software that the user runs. So it might be something you downloaded after clicking on a compromised link or an infected email attachment. Often, you don't need to have done anything wrong to become infected.
The WannaCry ransomware attack is a good example of this. That malware came in the form of a worm. It could spread over networks, infecting shared network drives and rapidly taking over any computers on the same local area network.
Whichever way the ransomware manages to infect your computer, most of them are pretty similar from that point onward. The software works in the background, locking your data with strong encryption. Usually, the ransomware starts with locations most likely to contain data you can't afford to lose. That includes document folders, photos, and other files you care about. The encrypted files are set to hidden and then replaced with fake files with the same name.
Once the malware has completed its job, you'll be interrupted with a message telling you that your data has been encrypted. You'll be given a way to pay the ransom and a way to get in touch with the malware author. However, this isn't always the case. As of that moment, your data is effectively captured by the ransomware. There is no practical way to unencrypt the files with the decryption key - which of course, only the malware creator knows.
Signs of a Ransomware Attack
While ransomware is usually completely hidden from the user until it is too late, it's sometimes possible to pick up on it earlier in the process. Your computer's hard drive might be constantly running. The computer might be much slower than usual because the CPU is being used to encrypt data. You could notice slow internet performance or the appearance of weird duplicate files.
There's no one sign common to all types of ransomware, but it's not unusual to notice that something is off.
What to Do During a Ransomware Attack
If you do manage to pick up on a ransomware attack before it's gone too far, the most important thing to do is immediately disconnect your computer from both the internet and the network.
There are two reasons for this. First, you want to avoid infecting other computers on the network. Secondly, a lot of ransomware depends on being able to call back home in order to work. For example, the encryption key is retrieved from a remote server. So if there's no internet connection, then there is no way for the ransomware to encrypt your data.
If the attack has progressed to the point where you've received the ransom demand, it's very important that you do NOT pay any money whatsoever to the attackers. There is no guarantee they will unlock your information. It also means they will be motivated to victimize more people.
In general, you will have to consider your encrypted data lost. However, you can try recovering earlier versions of those files from the shadow volume copy in Windows. Which is something we have had some success with in recovery attempts.
Finally, consider completely wiping your disks and reinstalling your operating system. If you're not willing to do that, then using cleaning tools meant to clear that specific type of ransomware is probably the most effective route.
How to Prevent Future Attacks
Ransomware attacks are all about your unique data. Who cares if, for example, Microsoft Office or a video game installation is lost? That can be restored from the original source at any time. It's your dissertation or those family photos that can't just be reinstalled from a disk.
Backups are, of course, our first line of defense against this, but the problem is that the ransomware will encrypt any storage device connected to the computer. That includes your network-attached storage and any USB drives. So only cold-storage backups are safe - assuming that you haven't plugged them in since the infection began.
The good news is that cloud backups are incredibly robust against ransomware attacks. Even if your local DropBox (for example) folder gets encrypted and that encrypted mess gets synced to the cloud, you can always roll the changes back.
Most cloud services have a rolling window of file versions, which means you can go back to the point before the ransomware did its damage. So the best way to prepare for this event is to store all your most important documents in a cloud drive which offers this rollback function!