In recent years there has been a new trend amongst malware authors – the introduction of so-called “ransomware” where a criminal demands money to unlock your PC. As this trend is continuing, and as we have seen an instance or two of such infections at the University, it is time to explain what it is and what to do about it.
Ransomware works by demanding that you pay those behind the infection in order to stop them harming your PC. The usual method is to encrypt your files on the hard disk and transparently decrypt them, so that nothing seems wrong at first. At a certain point the ransomware pops up a demand saying that you will lose access to your files after a certain date unless you stump up the ransom.
In some cases ransomware heightens the threat by claiming it has discovered evidence of illegal activities and that if you don’t pay up, the police come knocking.
Encryption?
To clarify what ransomware does to your files: it uses strong encryption on as many of “your” files as it can reach. Once encrypted, the only way of accessing the contents of the files is with the co-operation of the ransomware, or with knowledge of the “private key” used.
To emphasise: Your files will be scrambled in a way that only the people behind the ransomware can unscramble them.
There have been cases where the encryption has been weak enough that anti-virus vendors have been able to release tools to unscramble the encrypted files, but newer ransomware uses very strong encryption.
To Pay or Not To Pay?
As an ethical organisation, the only advice IS can issue is not to pay the ransom and live with the consequences. Criminals should not be rewarded.
And whilst restoring from backups is tedious, it does at least test that your backup mechanism is working.
In most cases, the payment of a ransom will result in your files being unscrambled (it is in the criminal’s interest to be “honest” in this regard), but there are new reports that certain law enforcement groups are getting sufficiently pro-active that they have closed down payment channels used by the ransomware.
Without a means to pay the criminals, your files will remain scrambled.
Cryptolocker
Cryptolocker is the type of ransomware currently getting the most attention. It is gathering more attention than previous ransomware types because it is a particularly effective form. Cryptolocker :-
- Uses very strong encryption so there is very little likelihood that anyone other than those who have the private keys will be able to unscramble encrypted files.
- Is very blatant about what it does – it is very specific about it being ransomware when it notifies you.
- Gives you only a very small time window to pay the ransom to unlock your files – 72 hours.
For some reason it has caught the attention of mainstream media, so there could be a great deal of news coming from that direction (not always 100% accurate!).
How Do People Get Infected?
The method of infection depends on what ransomware is being distributed, but most commonly :-
- Email with an attachment containing some enticing document. The naive person clicks on the attachment only to find out it is a normal Windows executable; it is possible for the attacker to hide the .EXE extension and make it appear more like a document with a fake .PDF extension.
- Downloading content from the web. Perhaps it is advertised as an interesting document, but again turns out to be a Windows executable.
- Drive-by infections via compromised advertising banners. Those ‘ad banners’ you find on web sites can (and sometimes do) contain malware … including ransomware.
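As an added illustration of the double-extension trick in the first two bullets (this is example code, not a tool provided by IS), the following Python check flags attachment or download names that Windows would display as documents while actually running as programs. The extension lists and the sample file names are constructed assumptions.

```python
"""Flag file names built to look like documents but run as Windows programs.

With Windows Explorer's default "Hide extensions for known file types" setting,
'Invoice.pdf.exe' is shown to the user as 'Invoice.pdf', which is exactly the
.EXE-hidden-behind-.PDF trick described above. Added example, not IS tooling.
"""
import os
from pathlib import PurePath

# Extensions Windows treats as runnable programs (representative subset, assumed).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# Extensions a user expects on a harmless document or picture (assumed subset).
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png", ".zip"}


def displayed_name(filename: str) -> str:
    """Name as Explorer shows it with known extensions hidden: only the final
    extension is dropped, so 'Invoice.pdf.exe' becomes 'Invoice.pdf'."""
    root, _real_ext = os.path.splitext(filename)
    return root


def is_deceptive(filename: str) -> bool:
    """True when the real (last) extension is executable but the name the user
    actually sees ends in a document-like extension."""
    real_ext = PurePath(filename).suffix.lower()
    if real_ext not in EXECUTABLE_EXTS:
        return False
    # Strip padding spaces ('statement.PDF .exe') before comparing the shown extension.
    shown_ext = PurePath(displayed_name(filename)).suffix.strip().lower()
    return shown_ext in DOCUMENT_EXTS


def scan(filenames):
    """Return the names that should be quarantined or flagged for the user."""
    return [f for f in filenames if is_deceptive(f)]


# Constructed sample attachment names; not taken from any real incident.
SAMPLE = ["Invoice_2013.pdf.exe", "report.docx", "holiday photo.JPG.scr",
          "setup.exe", "notes.txt", "statement.PDF .exe"]

if __name__ == "__main__":
    for name in scan(SAMPLE):
        print(f"FLAG: {name!r} is displayed as {displayed_name(name)!r} "
              f"but would run as a {PurePath(name).suffix} program")
```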
In theory anti-virus protection should prevent this sort of thing from happening, and it is still essential that you have up-to-date anti-virus protection on your PC. But it is not a guarantee that you will not get infected.
In addition to avoiding getting infected, it is also helpful to ensure that you can recover if you do get infected – what we would call “defence in depth”. This is done mostly by ensuring you backup your documents and data :-
- Make sure your documents and data are saved to the N: or K: drives, which are backed up by IS.
- If you use a Mac, then set up a backup using Time Machine and an external drive.
- If you are using Windows or Linux, then set up some other sort of backup mechanism.
The latter case is not really specific enough, but you should ensure that your backup media is not permanently connected (or, if it is, that a snapshot is created regularly), or you could find your backups being encrypted by ransomware.
Further Information
The following links contain further information on ransomware, and Cryptolocker specifically. Some links are very technical and others are intended to give the same sort of information as this blog posting :-
- http://nakedsecurity.sophos.com/2013/10/18/cryptolocker-ransomware-see-how-it-works-learn-about-prevention-cleanup-and-recovery/
- http://en.wikipedia.org/wiki/Ransomware_(malware)
- http://en.wikipedia.org/wiki/Cryptolocker
- http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information (This contains suggestions for a Group Policy to prevent Cryptolocker from running).
- http://www.computerworld.com/s/article/9243537/Cryptolocker_How_to_avoid_getting_infected_and_what_to_do_if_you_are_