What is Ransomware?
Ransomware, it sounds kind of threatening, doesn’t it? Maybe it’s the ransom part that makes it seem this way, given that we associate the word with blackmail. We can better understand the nature of ransomware by looking at the term in its two halves: the first half is ransom and the second is ware, short for software. Just as it sounds, the ransom part refers to the use of blackmail, while the ware, or software, part refers to how this form of blackmail is delivered and executed.
So how does a hacker use ransomware to get what they want? Well, it can be used to disrupt a certain system – typically a computer. During this time, the hacker makes a demand in exchange for allowing your computer to return to its smooth operation. If you don’t meet their demands, you’ll have to try and reverse the effects of the ransomware – often easier said than done.
I’m sure many of you can relate when I say that we’ve all seen an inspiring movie or two. The ones that leave you with a feeling of desire and motivation to take action or make changes. As true as this is for the everyday Joe, it’s also true for hackers. There’s just one key difference. The types of movies that inspire ransomware attacks aren’t usually the ones we associate with being inspirational. It may sound twisted, but there are cases of ransomware attacks that are inspired by horror films, namely Saw and The Purge. Funnily enough, the popularity of Pokémon Go has even made its way into the ransomware world.
- Jigsaw Ransomware: Just like in the movie, this Saw-inspired ransomware acts precisely on the hour. With each hour that passes without payment, one of your hijacked files is deleted. This creates a sense of urgency, since you’d likely not want to just sit around and wait it out – especially if those files are important to you.
- Global Ransomware: During the annual purge, anything goes. This Purge-inspired attack goes by the name of Global Ransomware, and nothing is stopping it from attacking your computer to take your files hostage. In its pursuit, you are left with a Purge-themed wallpaper (from the movie The Purge: Election Year) and all of your encrypted files end with a .purge extension. The wallpaper displays text explaining that your files have been encrypted and will be released in exchange for a payment. It also provides an email address for you to contact. A similar but more detailed message is displayed through a message box that pops up automatically.
- POGO Tear Ransomware: Keep an eye on your files, as this ransomware is out to catch them all. Inspired by the recent craze surrounding Pokémon Go, this ransomware behaves like any other. After infecting your system, it proceeds to encrypt your files and gives them the .locked extension. It also displays a Pikachu-themed wallpaper carrying a message in Arabic with an email address. The message supposedly gives the typical lowdown about having to ‘pay to have your files decrypted’. Thankfully the ransomware is still very new and not completely fine-tuned: the decryption key is publicly known, so anyone infected by this ransomware can recover their files.
These are just a few different ransomware families inspired by recent movies and pop culture. Really, the list could go on forever. Hopefully you won’t have to experience any of them firsthand. If you unfortunately have, you should keep reading to stay informed about how to protect yourself from these types of attacks.
How Does Ransomware Work?
From the few examples just listed, I’m sure you have started to see a general pattern in how ransomware works. If not, I’m going to lay it out for you – here it is.
- You unknowingly download the executable file containing the ransomware.
- Upon downloading and running the file, the ransomware begins to infect your system.
- As it spreads, the ransomware encrypts important files, creates backdoor access and may lock other functionality of your computer.
- It then proceeds to provide you instructions in some form (e.g. a pop-up message box, wallpaper, etc.). These will read something along the lines of an offer: a ransom payment via bitcoin in exchange for the decryption key to your files.
- After making the ransom payment to the hackers via bitcoin, you can only hope that they will hold up their end of the deal.
- If you choose not to make the ransom payment, the ransomware will remain in effect, though in some cases it may delete your files or the price could increase. Be very cautious both in confirming that ransomware is present on your system and in trying to remove it, since these programs can be very good at hiding.
If you’re wondering how the ransomware decides which files to encrypt, it typically targets common file extensions like documents, PDFs, images, presentations and more. These cannot be decrypted without the encryption key held by the hackers. To retrieve the key, it is most commonly reported that victims must use a web browser named Tor. In order to actually make the payment, you must acquire bitcoins, since they are hard to trace and refund. Supposedly many victims end up paying the ransom because they can’t afford to lose these files or have them remain locked. You can only hope that the hacker on the other end will hold up their end of the promise.
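The pattern described above (many document files renamed with a ransom extension in a short burst, followed by a note file) is what defenders look for. The following is an added example, not code from the original article: a small detector run over a constructed sample of file-system audit events, using the .purge and .locked extensions named earlier; the event format, the note-name regex and the thresholds are assumptions for illustration.

```python
import re
from collections import deque
from datetime import datetime

# Extensions appended to encrypted files by the families described in this article.
RANSOM_EXTENSIONS = {".purge", ".locked"}
# Ransom-note style filenames (constructed pattern, not tied to one family).
NOTE_NAME = re.compile(r"(decrypt|restore|recover).*(files|instructions)", re.I)

# Constructed sample of file-system audit events: "timestamp|action|old_path|new_path".
SAMPLE_LOG = """\
2016-08-01T10:00:01|RENAME|C:\\Users\\alice\\Documents\\taxes.pdf|C:\\Users\\alice\\Documents\\taxes.pdf.locked
2016-08-01T10:00:02|RENAME|C:\\Users\\alice\\Documents\\cv.docx|C:\\Users\\alice\\Documents\\cv.docx.locked
2016-08-01T10:00:02|RENAME|C:\\Users\\alice\\Pictures\\cat.jpg|C:\\Users\\alice\\Pictures\\cat.jpg.locked
2016-08-01T10:00:03|RENAME|C:\\Users\\alice\\Desktop\\notes.txt|C:\\Users\\alice\\Desktop\\notes.txt.locked
2016-08-01T10:00:03|RENAME|C:\\Users\\alice\\Desktop\\q2.xlsx|C:\\Users\\alice\\Desktop\\q2.xlsx.locked
2016-08-01T10:00:04|CREATE||C:\\Users\\alice\\Desktop\\HOW_TO_DECRYPT_FILES.txt
2016-08-01T11:30:00|RENAME|C:\\Users\\alice\\Desktop\\draft.docx|C:\\Users\\alice\\Desktop\\final.docx
"""

def parse_events(text):
    """Turn the pipe-separated log into (timestamp, action, old_path, new_path) tuples."""
    events = []
    for line in text.splitlines():
        ts, action, old, new = line.split("|")
        events.append((datetime.fromisoformat(ts), action, old, new))
    return events

def is_ransom_rename(old, new):
    """True when a file kept its original name but gained a known ransom extension."""
    return any(new.lower() == old.lower() + ext for ext in RANSOM_EXTENSIONS)

def detect(events, window_seconds=60, threshold=3):
    """Alert on a burst of ransom-style renames inside a sliding window, and on note files."""
    alerts, recent, in_burst = [], deque(), False
    for ts, action, old, new in events:
        if action == "RENAME" and is_ransom_rename(old, new):
            recent.append(ts)
            while (ts - recent[0]).total_seconds() > window_seconds:  # slide the window
                recent.popleft()
            if len(recent) >= threshold and not in_burst:  # fire once per burst
                in_burst = True
                alerts.append(f"burst: {len(recent)} ransom-style renames within "
                              f"{window_seconds}s ending {ts.isoformat()}")
            elif len(recent) < threshold:
                in_burst = False
        elif action == "CREATE" and NOTE_NAME.search(new.rsplit("\\", 1)[-1]):
            alerts.append(f"ransom note candidate: {new}")
    return alerts

if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_LOG)):
        print(alert)
```

The ordinary rename of draft.docx to final.docx in the sample is deliberately left unflagged, which is the point of checking for the appended extension rather than for any rename.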
Aside from the movie-inspired ransomware, there are some more general families too that are just as deadly:
CryptoLocker: It is thought that CryptoLocker made its first appearance in the ransomware scene during September of 2013. This piece of ransomware hides itself in email attachments, so the victim is unsuspecting when downloading the infected file. Once it is on your computer, the ransomware encrypts certain file extensions and demands a payment by a certain deadline in exchange for having them unlocked. It is said that if the deadline passes, the ransom amount increases. There is always the concern of whether the hackers behind these ransomware attacks will in fact unlock your personal files after payment is made. Regarding CryptoLocker, some say they are diligent in upholding their end of the promise, while there have also been cases where they haven’t. Initially, if you didn’t have the hijacked files backed up, it was impossible to decrypt them. Later, the United States Department of Justice shut down the operation. During this time, a Dutch security firm was able to extract the keys that could unlock all the files encrypted in the attack. Those who waited and didn’t succumb to the ransom were finally able to retrieve their hijacked belongings. It is believed that the hackers behind CryptoLocker made somewhere in the neighbourhood of $3 million USD.
CryptoWall: After CryptoLocker was shut down by US law enforcement, CryptoWall emerged on the scene in 2014. In a very similar fashion, infected computers required a payment to be made via an Internet browser called Tor, using bitcoin as the payment method. Unless you obeyed, all of your files would remain encrypted – the key only accessible to the hackers.
TeslaCrypt: If you thought the first two were bad, then you’re in for a real treat with TeslaCrypt. Much like the other two, this ransomware targets photo, document and spreadsheet extensions. However, it goes much further than this. It also goes for tax returns and other personal finance files, as well as gaming data and iTunes files. The scope of the attack is much more aggressive and widespread.
These three attacks listed above all target Windows users. That’s not to say that those who don’t use Windows are safe though. There exists ransomware that also targets the Android and iOS operating systems. No matter which type of device you’re using, you could be at risk.
How Does Ransomware Spread?
Ransomware spreads around the Web by tricking people into downloading what they think is one thing but is really something much more toxic. Commonly, ransomware is disguised as an update to a program or system. The ones we see most often imitate an update for Adobe Acrobat, Java or Flash Player. When the window pops up prompting you to install the update, it may not seem unusual at first. Typically, people will follow along so they can get to whatever they were trying to access in the first place. Before anyone knows it, their computer is under siege and being infected.
Essentially, ransomware is always hidden in some sort of file that you are prompted to run. This is exactly what happens with software updates, as you first must download the update and then install it. The point at which you install it is when the ransomware breaches your system. Thus, it spreads as people visit the websites that these files are hidden on. You could stumble upon the website by mere chance, or it could catch your attention in another way. Back in May of this year, a ransomware by the name of Lucky was found to hide itself inside infected Microsoft Word documents. Unsuspecting victims were sent an email containing a Word document that they thought was an invoice. Upon opening the file, they were asked whether a macro could run (which many agreed to), and from there the ransomware spread.
How to Stop it From Spreading
Just like any other type of software, there are different types of ransomware. Depending on the sophistication behind the attack, the ransomware may be easy to remove or it could be much more difficult, requiring an expert. Removing the ransomware is just the first step; you must also reverse the actions it has executed against your files.
That being said, there are two parts to removing the ransomware. These are:
- Removing the virus file containing the ransomware
- Regaining access to your locked and encrypted files
Let’s start with a simpler ransomware, meaning one that is easy to remove and whose effects on your files are easy to recover from. In the case that it’s easy to remove, a simple virus scan will be able to detect and remove the ransomware. As for your files, some viruses just hide the icons to make it seem as though all of your desktop icons have been stolen from you. Once the virus file is removed, you can go into your desktop settings and unhide the icons.
When it isn’t so easy, I really mean that recovery may not be possible at all – at least until someone recovers the encryption key. Since the hackers are usually the only ones with copies of the keys, you have no option but to sacrifice either some money or your files – so you pick. There have also been times where people have been patient and waited out the attack (mind you, this could be years) until someone recovered a copy of the key. Typically when this happens, it is broadcast online for all of those affected by the ransomware.
So how can you prevent ransomware altogether?
There are many steps you can take to prevent ransomware. We urge you to follow these tips, as you will be thanking yourself if – knock on wood – you ever find yourself falling victim to ransomware. Given the nature of ransomware and its tendency to encrypt files, it only makes sense that you should keep regular backups in external forms – either a hard drive or the cloud. Some ransomware will prevent your computer from running certain backup and restoration operations while under attack.
You should also be very cautious about opening suspicious and unfamiliar attachments. If you do happen to download one of these and it asks you to run a macro, do anything but allow the macro to run. Likely, this is ransomware waiting to do its thing. There are certain Microsoft Office viewers that let you view documents without running a macro – simply because they don’t support macros.
So remember these tips to prevent ransomware and avoid paying the price for it – either literally or in the form of locked files. This applies not just to you, but to anyone who uses your computer or a computer on your network. It’s important to share these best practices with anyone whose actions could affect you and your computer.