How to beat ransomware


Ransomware hit the headlines a few years ago as one of the most dangerous types of malware yet. It takes control of a victim's device, encrypts their files and then demands money in order to remove it. Sadly, in the last year the threat of ransomware has grown much worse: WannaCry is probably the biggest ransomware story you will remember from 2017.

Ransomware hasn't only spread from PCs to phones, tablets and Macs; there has also been a huge increase in the number of instances of ransomware detected. The methods hackers have utilised have also become more intelligent, devious and difficult to deal with.

In this piece, we provide an informative guide on how to avoid, detect, remove and recover from this devious malware.

On the following three pages you can read about exactly what ransomware is and what it does, and we also take a look at the biggest ransomware attack to this day: WannaCry. Our Ransomware Survival Guide also explains how you can avoid infection and, should it happen, what the best way to recover from one of these malicious attacks is. Is it worth paying the ransom? We cover the advantages and disadvantages of that, too. This is especially worth considering if the attackers ask for the money to be paid in an unfamiliar currency, such as Bitcoin. Read on to find out more...

Your ransomware questions answered

What is ransomware?

Ransomware is a particularly virulent form of malware that locks your computer and encrypts your files so that you can't access them. The exact details vary, but it may stop you using Windows or certain programs such as your web browser. Once your files are encrypted, the ransomware will ask for payment to unlock them, usually in the untraceable virtual currency Bitcoin. Although removing ransomware is actually quite easy, your files will remain encrypted. There's also another spiteful trick the malware uses to get you to pay up: if the money is not paid on time, the ransom is doubled.

How do I get infected?

As with most forms of malware, the primary source of infection is an email attachment or malicious link. The senders use con tricks to get you to open the attachment, such as pretending that it's an invoice for something you've bought from a reputable company. This tactic preys on your fear of being charged for an item you didn't buy, so that you'll open the invoice without thinking about it.

Where does ransomware come from?

Ransomware in its modern form originated in Russia and Eastern Europe. Thanks to decentralised digital currencies such as Bitcoin, which make it easy for attackers to demand a ransom and be paid without leaving a trace, ransomware is now so lucrative that it's become the primary revenue stream for some cybercriminals.

It doesn't even take much skill to create your own ransomware. Last year, a Turkish security researcher called Utku Sen created a strain of ransomware called Hidden Tear and published the source code online. It was described as being "for educational purposes only" (as were some early viruses) and ostensibly designed to teach security professionals how to defend against such threats. However, it provided a quick way for anyone with average computer skills to get into the ransomware business.

What does it look like?

Once your PC has been infected and your personal files encrypted, a message appears telling you what's happened and explaining how, and how much, to pay. The look of this message will vary depending on which ransomware family is behind the attack.

Is it really that common?

Sadly, yes. According to the latest IT Threat Evolution report from Kaspersky Lab, in the first three months of 2016, ransomware attempts were recorded in 114 countries around the world and 372,602 people were targeted, with around 17% in the corporate sector (banks and other businesses). That might not sound like a huge number of victims when you consider that there are probably around a billion or so Windows users, but the figures showed 30% more attacks than recorded in the previous quarter, and this growth is showing no signs of slowing. In March 2016, there were 184,767 recorded attacks, way ahead of the 136,363 attacks in February and the 51,472 in January.

However, Kaspersky Lab warns that "the real number of incidents is several times higher", because it can't always distinguish ransomware from other forms of malware.

There have been several high-profile victims, including Lincolnshire County Council, which was hit by an unnamed ransomware infection in January that resulted in its computer systems being shut down for four days.

Are only Windows PCs at risk?

Not anymore. Ransomware developers have started targeting Linux, too, because a lot of web servers use that operating system. There have also been attacks on Macs and Android devices.

Why don't the police stop it?

It's very difficult for law-enforcement agencies to track down the source of ransomware because the criminals use state-of-the-art encryption and routing tricks to make their location impossible to identify.

What happens if I pay the ransom?

If everything goes to plan, once the ransom has been handed over, a key will be generated that you can use to decrypt your files. But first, you should read our full advice on page 3.

How can I be sure I'll receive this key?

You can't. Some ransomware, such as KeRanger and CTB-Locker, lets you decrypt one or two files to prove that the key exists and works, but there's no guarantee that once you've paid a ransom all your files will be unlocked.

What happens if I don't pay?

Your files will remain locked and unusable, unless the encryption has been cracked and there is a program you can use to unlock the files for free. Such tools are rare but they do exist, so you might get lucky.

Continue to page 2 to find out about WannaCry, the massive global ransomware attack.

Jane McCallion
Deputy Editor

Jane McCallion is ITPro's deputy editor, specialising in cloud computing, cyber security, data centres and enterprise IT infrastructure. Before becoming Deputy Editor, she held the role of Features Editor, managing a pool of freelance and internal writers, while continuing to specialise in enterprise IT infrastructure and business strategy.

Prior to joining ITPro, Jane was a freelance business journalist writing as both Jane McCallion and Jane Bordenave for titles such as European CEO, World Finance, and Business Excellence Magazine.