Ransomware Attacks: How They Work and How To Prevent Them
Have you ever accidentally saved over an important document? Had your phone stolen, along with all your contacts? Lost access to an important resource?
Now imagine waking up to find that your laptop, every critical document you need, perhaps every stored photo with sentimental value, had been stolen from right under your nose and locked in a vault you can’t access… and you’ll have to pay a ransom to have a chance of getting it back. That’s what happens when you’re hit with file-encrypting malware.
What is Ransomware?
Ransomware is a pernicious form of malware that encrypts your files and folders, then demands a “ransom” in return for the decryption key. Typically the victim is asked to pay in cryptocurrency: anything from hundreds to a few thousand dollars for an individual, and far more for an organization.
Often the ransomware arrives as an email attachment or a download link. Sometimes it is sophisticated enough to exploit a security vulnerability and infect your computer on its own, with no click at all. Usually, though, you are tricked into running the program yourself, because it looks harmless or legitimate or appears to come from someone you know. It does not need administrator rights to encrypt the files your account can already write to; if you do grant them, it can also wipe backups and shadow copies, switch off protections and spread to other machines on the network.
While a handful of ransomware families have targeted macOS, ransomware overwhelmingly targets Windows. Malicious apps are the usual route by which ransomware reaches mobile devices.
How a Ransomware Attack Works
Imagine you get an urgent email from someone saying they’re from the company that does your workplace’s accounting. They need you to sign an expense form so they can process a payment but using their in-house program, attached to the email.
You follow their instructions, clicking “yes” on the User Account Control prompt asking whether this program can make changes to your computer. Except this is malware, sent by a cybercriminal, and it now runs with the administrator rights that let it disable your protections, delete restore points and shadow copies, and encrypt every file on the machine, not just the ones your account owns. Now you have to decide whether to follow the instructions on the screen and transfer a Bitcoin payment in return for the decryption key.
Or another common scenario, one that affected millions of people worldwide. You visit a porn site that is carrying a malicious ad. The ad silently redirects your browser to an exploit kit landing page (the Angler Exploit Kit was the most prolific of these), which exploits an unpatched vulnerability in your browser or a plug-in such as Flash so that the malware runs without any prompt or permission from you. The payload is a screen locker, so you can’t access anything else on your computer. A message flashes up, claiming to be from US law enforcement, saying you just tried to access illegal content and must pay a fine. If you don’t, not only will your laptop stay locked, you may also be arrested.
This kind of ransomware terrifies people into complying. Even if they realize it’s not really from law enforcement (either at the time or after they’ve paid), the fact that it came from a porn site means most people will be too embarrassed to raise a complaint.
How to Prevent Ransomware Infection
There are a number of simple privacy and security-boosting steps you can take to reduce your risk of inadvertently downloading ransomware.
To start with, back up all your files to an external hard drive or cloud storage, and keep that copy disconnected from your device once the backup is done: a drive that stays plugged in, or a continuously synced folder, gets encrypted right alongside the originals, so prefer storage that keeps older versions of each file. Keep Windows and your applications patched, because the self-spreading attacks described later rely on vulnerabilities for which fixes were already available. Never download an attachment or click a link in an email from a source you don’t recognize, even if the sender claims to be from your organization. Protect your email account with a strong, unique password and two-factor authentication: a criminal who takes it over can send ransomware to your contacts in your name. For the same reason, use a password manager rather than reusing passwords, and connect to public Wi-Fi through a VPN.
These steps reduce your exposure, but they don’t detect or block ransomware that does reach you. For that you also need endpoint protection that is built to stop advanced malware, ransomware included, and that you keep up to date. Treat it as one layer among several: the offline backup is what gets your files back when everything else fails.
Once installed on all your devices, this software should continuously scan your network traffic, apps and downloaded programs, identifying viruses, spyware, trojans and other malware by cross-referencing them against known signatures. It also needs to be able to catch “zero-day” threats it has never seen before, typically by combining machine learning with behavioral analysis to judge that an unrecognized program or link is dangerous. Since the most damaging ransomware campaigns use samples built for a particular target or created only hours earlier, this capability is essential.
It’s important to note that this functionality does not come as standard, even among top-rated antivirus providers. When choosing your antivirus software, you must look out for those that specifically list anti-exploit technology and/or ransomware protection as key features. Focus on those that perform well in independent testing for zero-day threats, too. Below are two excellent examples.
Bitdefender is an all-around excellent antivirus software that is incredibly reliable when it comes to detecting viruses, filtering out malicious URLs, flagging phishing attempts, and protecting your privacy when you’re banking or shopping online – and it comes with a built-in password manager. All of this helps keep you safe, but where Bitdefender really shines is in its multi-layer ransomware protection.
Even if a completely new ransomware program slips past initial detection, the software blocks any unauthorized program from creating, modifying or deleting files in protected folders, which include your Desktop, Documents and Pictures as well as file-syncing folders such as Dropbox and Google Drive. (Windows 10 and 11 ship a comparable built-in control, Controlled Folder Access in Microsoft Defender, which is switched off by default.) You can also scan all your devices for threats simultaneously, using the Bitdefender Central app on mobile devices.
Kaspersky is another highly rated antivirus product that performs consistently well in independent testing, including against zero-day threats. Some anti-ransomware tools rely mainly on planting a “bait” file and watching whether a newly run program touches it, which is useful but far from foolproof: a sample that skips hidden or oddly named files never trips it. Kaspersky (even the free version) adds behavior-based detection that tracks how the downloaded file interacts with other documents on your device, watching for patterns such as mass renames, rapid overwrites of many files and attempts to delete shadow copies. If anything raises the alarm, the program is quarantined.
While this will be adequate for most home users, Kaspersky also offers a separate anti-ransomware tool for business. It has to be purchased on top of the main internet security suite, but is well worth it: it monitors activity across the whole network continuously, looking for the same kinds of suspicious behavior.
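The bait-file and behavior-based approaches described in this section, as an added example that is not code from the article or from any of the vendors named: a minimal PowerShell canary-file monitor. It plants a decoy document in a folder whose name sorts first (so an encryptor walking Documents alphabetically reaches it early), watches that folder with a .NET FileSystemWatcher, and treats any content change, rename or deletion as a ransomware indicator. The folder name, the log path and the optional network-isolation response are assumptions made for illustration; run it from an elevated PowerShell session on Windows 8 or later.

```powershell
# Added example: canary-file monitor (illustration, not vendor code).
# Assumptions: the canary folder and log path below; -Contain is an assumed
# response policy that disables every network adapter when the canary is hit.
param(
    [string]$CanaryDir = (Join-Path $env:USERPROFILE 'Documents\_aaa_canary'),
    [string]$LogPath   = (Join-Path $env:ProgramData 'canary-alerts.log'),
    [switch]$Contain
)

# 1. Plant the bait. Random bytes of a plausible size, so a "skip empty or
#    tiny files" check inside the malware does not pass it over.
New-Item -ItemType Directory -Path $CanaryDir -Force | Out-Null
$canary = Join-Path $CanaryDir 'invoices-2017.docx'
if (-not (Test-Path $canary)) {
    $bytes = New-Object byte[] 4096
    [Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    [IO.File]::WriteAllBytes($canary, $bytes)
}
$baseline = (Get-FileHash -Path $canary -Algorithm SHA256).Hash

# 2. Watch the folder for writes, renames and deletes.
$watcher = New-Object IO.FileSystemWatcher
$watcher.Path = $CanaryDir
$watcher.NotifyFilter = [IO.NotifyFilters]'FileName, LastWrite, Size'
$watcher.EnableRaisingEvents = $true

# 3. On any event, confirm the content really changed (a bare timestamp touch
#    is ignored), write an alert, and optionally isolate the host.
$action = {
    $e   = $Event.SourceEventArgs
    $ctx = $Event.MessageData
    if ($e.ChangeType -eq 'Changed' -and (Test-Path $e.FullPath)) {
        $now = (Get-FileHash -Path $e.FullPath -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        if ($now -eq $ctx.Baseline) { return }   # metadata-only change, not an overwrite
    }
    $msg = '{0} CANARY {1} {2}' -f (Get-Date -Format o), $e.ChangeType, $e.FullPath
    Add-Content -Path $ctx.LogPath -Value $msg
    Write-Warning $msg
    if ($ctx.Contain) {
        # Assumed containment policy: cut the network so a running encryptor
        # cannot reach file shares or spread to other machines.
        Get-NetAdapter | Where-Object Status -eq 'Up' | Disable-NetAdapter -Confirm:$false
    }
}
$ctx  = @{ Baseline = $baseline; LogPath = $LogPath; Contain = [bool]$Contain }
$subs = foreach ($name in 'Changed', 'Renamed', 'Deleted') {
    Register-ObjectEvent -InputObject $watcher -EventName $name `
        -SourceIdentifier "Canary.$name" -Action $action -MessageData $ctx
}

Write-Host "Watching $canary (SHA-256 $baseline). Ctrl+C to stop."
try     { while ($true) { Start-Sleep -Seconds 5 } }
finally {
    $subs | ForEach-Object { Unregister-Event -SourceIdentifier $_.Name }
    $watcher.Dispose()
}
```

Save it as a script and start it with `.\canary.ps1 -Contain` from an administrator prompt to enable the isolation step. A monitor like this only fires once encryption has already begun, so it limits damage rather than preventing it; it complements the protected-folder blocking and the offline backup discussed earlier rather than replacing them, and a sample that excludes unknown folders or extensions from its file walk will never trigger it, which is exactly the weakness of bait files that the text describes.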
Weighing the Price of the Ransom
Once the ransomware has encrypted your files, there is no way to decrypt them without the key; competently written ransomware uses the same strong cryptography that protects your online banking. Occasionally a free decryptor appears for a particular family, because its authors botched the cryptography, the keys leaked or were seized, or the operation was shut down; the No More Ransom project (https://www.nomoreransom.org) collects these, so check it before anything else. Otherwise, if you want your files back, your options are to restore from a backup taken before the infection or to pay the ransom and hope the criminals deliver.
If the files aren’t worth much to you, it should be an easy decision not to pay this extortion money. If it’s an old laptop, perhaps you’re willing to discard and replace it, too. (It is possible to remove the ransomware itself, as long as you accept the loss of the files.) However, if you cannot do your job without those files, if losing the information will damage your business, or if irreplaceable personal documents have been encrypted, this is a much harder call. Remember, though, that there is no guarantee you will really get the key, or that the decryptor you are sent will recover every file.
How to Remove Ransomware
The good news is that you can remove the malware itself from a Windows machine in a few steps:
- Disconnect the machine from the network (unplug the Ethernet cable, switch off Wi-Fi) so it cannot keep encrypting shared drives or spread to other computers
- Reboot into Safe Mode (choose Safe Mode with Networking only if you still need to download tools)
- Install antivirus software that, as explained above, is effective against sophisticated malware, including ransomware
- Run a full system scan to locate the malware
- Follow the instructions to remove the ransomware program once it is caught
- Restore your computer to a previous state with System Restore, bearing in mind that many ransomware families delete restore points and shadow copies first, so this step often fails
Unfortunately, if your files have been encrypted, they stay encrypted; removing the malware does not decrypt anything. Don’t delete the encrypted files or the ransom note: the note carries the victim ID that any decryptor, free or paid, will need, and a free decryptor for that family may be released later. You get your device back; your files come back only from a backup.
Ransomware Attacks on Businesses
Unsurprisingly, companies are prime targets for ransomware attacks. They’re more likely to have valuable documents stored on the device or network. The business disruption caused by the attack may be losing them money by the minute, or sending waves of panic through their customer base.
All in all, the financial hit from not paying the ransom is often higher than the ransom itself, and a company is also more likely than an individual to have the money to hand.
One of the worst ransomware attacks in recent years was WannaCry, which infected over 300,000 computers within days in May 2017. Attributed by the US and UK governments to North Korean state-affiliated attackers, this ransomware worm spread on its own by exploiting a vulnerability in SMBv1, the old Windows file-sharing protocol (the EternalBlue exploit, fixed by Microsoft’s MS17-010 update). Microsoft had released that critical patch two months earlier, but only for supported versions of Windows, not for Windows XP. Many large organizations, including the National Health Service in the UK, were still running unpatched or out-of-support Windows systems, so once one machine was infected the worm burrowed through the network, infecting computers and locking up patient data. This cost the NHS an estimated £92 million (around $120 million).
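The check a practitioner would run after reading about WannaCry, as an added example that is not from the article: a PowerShell script that reports whether the SMBv1 server WannaCry exploited is still enabled on a host and, if it is, switches it off. It uses only built-in cmdlets (Windows 8/Server 2012 and later) and needs an administrator session. Disabling without prompting is an assumption made for this example; on a file server, look at the session list in step 3 first, because any legacy client still speaking SMB1 will lose access.

```powershell
# Added example: audit and disable SMBv1, the protocol WannaCry's EternalBlue
# exploit abused (patched by MS17-010). Not from the article. Run as Administrator.

# 1. Is the SMBv1 server protocol on? SMB2/3 stay enabled regardless.
$cfg = Get-SmbServerConfiguration
"SMB1 server protocol enabled : $($cfg.EnableSMB1Protocol)"

# 2. On client editions SMB1 is also an optional feature that can be removed outright.
$feat = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($feat) { "SMB1Protocol feature state  : $($feat.State)" }

# 3. Anything still talking SMB1 to this host? Those clients will lose access,
#    which is the point: find and upgrade them rather than keep SMB1 alive.
$legacy = Get-SmbSession -ErrorAction SilentlyContinue | Where-Object { $_.Dialect -like '1.*' }
if ($legacy) {
    Write-Warning 'Active SMB1 sessions:'
    $legacy | Format-Table ClientComputerName, ClientUserName, Dialect -AutoSize
}

# 4. Turn it off: first the live server setting, then the feature itself.
#    (Assumed policy: no confirmation prompt.)
if ($cfg.EnableSMB1Protocol) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
}
if ($feat -and $feat.State -eq 'Enabled') {
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
}

# 5. Patch level: the March 2017 fix has long since been rolled into cumulative
#    updates, so searching for one KB number proves nothing. Report the newest
#    installed update instead; a date months in the past is the real warning sign.
$latest = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
"Most recent update installed : $($latest.HotFixID) on $($latest.InstalledOn.ToShortDateString())"
```

Disabling the feature in step 4 takes effect after a reboot; the server-configuration change in the same step is immediate. Removing SMB1 does not by itself install MS17-010, so step 5 matters as much as the rest: the worm only needed one unpatched host with SMB reachable to get a foothold inside the network.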
The Good News… And the Bad
Okay, now for some more positive news. Overall, infection volumes of ransomware are decreasing. In other words, you are statistically less likely to get hit by ransomware now than you were a few years ago.
However, it’s not time to get the champagne out just yet. Cybercriminals haven’t given up, they’ve just got smarter and more focused about who they attack. Instead of putting a malicious download link in an ad and hoping to get a few hundred dollars from tens of thousands of people, they’re more likely to design really sneaky campaigns for a few hundred high-value targets, with a view to extorting tens of thousands of dollars from each one. That includes people who work in big companies with deep pockets. It’s not just CEOs, either… HR and IT professionals are frequent targets, too.
What’s more, some cybercriminals have moved on to exploiting victims in ways they aren’t even aware of. Take cryptojacking, where the victim is tricked into downloading crypto-mining malware in much the same way as ransomware. Instead of demanding payment, the criminals quietly keep mining on that person’s hardware, eating their processing power, electricity and bandwidth and slowing everything down. This doesn’t hit you as hard financially in the short term, but it may shorten the lifespan of your device, and besides, it’s just creepy having someone digitally squatting in your computer without you knowing it.
Stay vigilant. Install reliable antivirus software. Be wary of email links and attachments. And bear in mind that every time someone pays the ransom, cybercriminals aren’t just rewarded in the short term, they’re also incentivized to try again.