Frequently Asked Questions: Ransomware

ransomware-faqThe rapid development of ransomware has been recognized as a major security issue mainly because of one thing: it works. From newsrooms to online reports, ransomware has undoubtedly been thrust into public consciousness, but has remained an unfamiliar concept to end users and businesses. The unfamiliarity, unfortunately, has also largely contributed to ransomware's success.

Need to know what ransomware is all about? How can ransomware infect your system, or how to prevent ransomware from entering your network? Here are some of the most frequently asked questions on the topic. 

What is ransomware?

Ransomware is a type of malware that prevents or limits users from accessing their system. This could either be done by locking the system's screen or by locking the users' files unless a ransom is paid. More recent ransomware families, now commonly known as crypto-ransomware, have the capability to encrypt numerous file types on infected systems and coerces users to pay the ransom in exchange for the decrypt key needed to regain access to the affected files.

I only visit trusted websites. Am I still at risk?

Yes. Ransomware is distributed through a number of different ways, and not just delivered by bad sites. The use of spammed messages with poisoned attachments is one of the most effective ransomware distribution methods, making for 76% of all ransomware reports collected from January to May of 2016. This means that cybercriminals have mastered how to pique users’ interest by way of effective social engineering lures to make them click on a bad link or an attachment in an email. Other methods of distribution used by ransomware are compromised software and hacking, while compromised websites, malvertisements and exploit kits are also noted as viable sources of ransomware infections based on findings.

The ransom note says my files have been encrypted. What does that mean?

Originally designed to secure communications, encryption was used to make sure that only the sender and the reader can read the encrypted data. Unfortunately, it has also become a powerful extortion tool used by crypto-ransomware, based on the simple fact that you can't access encrypted files without a matching decrypt key. Commonly, ransom notes would state something like “All of your files were protected by a strong encryption with RSA****”. RSA is a form of asymmetric key cryptography, which uses two keys. One key is used to encrypt or lock the data and another is used to decrypt the data. One key, called the public key, is made available to any outside party while the other is kept by the user and is called the private key. Ransomware victims are asked to pay a certain amount to gain access to a private key to decrypt and unlock the data that were held hostage. The ransomware usually renames affected files to show which files have been encrypted.

[Related: Encryption: what it is and how it works]

Can I just rename my files and regain access to them after it gets encrypted?

No. It doesn’t work that way. Ransomware infections make use of cryptography to ensure that the victim’s data becomes unusable unless the ransom is paid to obtain the private key to decrypt and unlock the renamed files.

What are bitcoins? Are there other ways to pay?

Bitcoin is a form of electronic currency that makes use of peer-to-peer (P2P) networks to track and verify transactions. Bitcoins can be used to pay for various online services like web hosting, mobile app development, and even cloud file storage. They can also be used to pay for products like games, music, gift cards, and books. Bitcoin use is not limited to online transactions, as some real-world establishments accept bitcoin as payment for various goods. The perceived anonymity and the fact that the bitcoin system does not have a central authority to control this form of currency, cybercriminals commonly utilize this as a mode of payment for its transactions.

To date, the digital currency is the most common mode of payment used by cybercriminals behind ransomware infections. Recent ransomware variants have also listed alternative payment options such as iTunes and Amazon gift cards, which are easily monetized. In June 2016, bitcoin exchange via Paypal was also seen, which was an interesting choice given that transactions made on the platform can be traced.

Do I really have to pay to regain access to my files and system? Will they decrypt my files after I pay?

In the past, the ransomware business model relied heavily on its ability to make users think that paying is the only option to regain access to their files, which is why files have been duly decrypted following settlement of payment. If victims have not regained access on their files even after payment of the ransom, victims would stop paying.

However, paying should never be the only option, and it's highly recommended that victim's don't pay. Authorities have also strongly discouraged enabling cyber-extortionists by caving in to their demands. In fact, the Federal Bureau of Investigation (FBI) has identified cases where victims who paid the ransom but didn't get the necessary decrypt key. And even if the key was obtained, it's not easy to regain access to systems, especially if the malware affected a big chuck of a network, just like the case of the Hollywood Presbyterian Medical Center. In another case that affected the Methodist Hospital, the cybercriminals reportedly demanded payment twice, even after the victim settled the original ransom.

The ransom note said they uploaded all my files and will post them publicly. Can they really do that?

This is among the many scare tactics used by cyber-extortionists to prod the victim into paying the ransom. In other instances, cybercriminals warn would-be victims of crimes that they did not commit, as a hook to get them into clicking a link, downloading an attachment, or paying the demanded ransom. These tactics are usually empty threats.

Ransomware infections are only for PCs right? Is my smartphone safe?

No. Smartphones are also targeted by ransomware. In the past, the group behind the distribution of Reveton police ransomware was also discovered spreading mobile ransomware to Android devices. Much more recently, FLocker (short for “Frantic Locker”, detected as ANDROIDOS_FLOCKER.A) gained traction in mid-April 2016 with over 1,200 variants. This mobile ransomware penetrates a device by way of a fake US Cyber Police advisory or any other law enforcement agency accusing victims of crimes they did not commit. The malware then demands US$200 worth of iTunes gift cards as payment. Further, this type of mobile ransomware has the ability to infect Android-based smart TVs.

Can antivirus software remove ransomware from my infected system?

Online tools have recently been made available to remove ransomware infections and to decrypt files. Trend Micro offers free tools such as the Trend Micro Lock Screen Ransomware Tool, which is designed to detect and remove screen-locker ransomware. The Trend Micro Crypto-Ransomware File Decryptor Tool can decrypt files locked by certain crypto-ransomware variants without paying the ransom or the use of the decryption key. Removing ransomware and decrypting files are two different things though—files encrypted by ransomware will still remain unusable even if the malware has been removed.

Unfortunately, ransomware families are constantly updated with stronger encryption algorithms, and existing tools are unlikely to work on every single ransomware variant. More sophisticated ransomware families still need private keys to regain access to encrypted systems and files. This is why prevention is absolutely the best way to stop ransomware.

How can I make my computer ransomware-proof?

There is no silver bullet or one-size-fits-all antidote when it comes to preventing ransomware from crippling systems of home users, businesses, and enterprises. A multi-layered approach that prevents it from reaching networks and systems is the best way to minimize the risk of reaching endpoints. Protection via email and web gateway solutions is advisable, but the key is in arming yourself with knowledge on infection techniques commonly used by cybercriminals:

  • Avoid opening unverified emails or clicking links embedded in them. If the email came from an unknown source, refrain from clicking or opening them. If the email claims to have come from someone you know, always verify if it did come from them.
  • Back up important files using the 3-2-1 rule—create 3 backup copies on 2 different media with 1 backup in a separate location. Losing one’s database of important files and documents remains as the biggest lure of cybercriminals to make victims pay for the ransom. Having a backup of your important files keeps damages to a minimum.
  • Remember to regularly update software, programs, and applications to reduce the risks posed by vulnerabilities which can be exploited to install malware such as ransomware.

Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.