What is ransomware?
Ransomware is malware that encrypts your files so that they cannot be opened, or that locks you out of your computer completely to block access to all of those important photos, videos, accounting files, work documents, etc. The attackers responsible for sending you the malware then contact you to demand a ransom, promising to decrypt the files after you pay (often in Bitcoin).
Ransomware is not new. The first known attack occurred in 1989 and was spread between computers via floppy disk. In today’s fully network-connected world, the easy access to open-source ransomware software and the strong potential for financial gain have led to a surge in ransomware’s popularity.
Is ransomware a virus?
Most of us are familiar with the term virus, and we use it to refer to all forms of malware. The truth is, a virus is just one specific type of malware. Other common types include worms, Trojan horses, spyware, and ransomware. The goal of each type of malware is different. Worms replicate and bog down your computer’s performance. Viruses are designed to infect your computer, damage your files, and then spread to new hosts. Trojan horses want to gain a secret backdoor to your computer to access and exploit your personal information. There are numerous reasons why cyber criminals would create and distribute these types of malware.
With ransomware, the reason is usually pretty straightforward: the perpetrator wants money. Generally speaking, the goal isn’t to permanently damage or destroy your files or even to steal your identity, but to convince you to pay for the decryption key.
Ransomware on PCs
Anyone can be a target of ransomware. The highest profile ransomware attacks in 2017 affected individuals and businesses alike, including major corporations, hospitals, airports, and government agencies.
The PC is still the most popular target for ransomware attacks, as hackers exploit known vulnerabilities particularly in the Windows operating system.
In May 2017, the WannaCry ransomware quickly spread around the globe and ultimately attacked over 100 million users.
WannaCry spread using EternalBlue, an exploit for a known bug in Windows File and Printer Sharing (SMB) that lets an attacker execute code remotely through a crafted sharing request. Microsoft had issued a patch for the bug two months before WannaCry hit; unfortunately, many individuals and businesses did not install the update in time to prevent the attack. The vulnerable code goes all the way back to Windows XP, an operating system that Microsoft no longer supports—which is why Windows XP users were hit the hardest by WannaCry.
Ransomware on mobile devices
Ransomware attacks on mobile devices are growing in frequency. Attacks on Android devices grew 50 percent from 2016 to 2017. Oftentimes, the ransomware will make its way onto the Android device through an app from a third-party site; however, we’ve also seen cases where ransomware was successfully hidden within seemingly legitimate apps in the Google Play Store.
Ransomware on Apple products
Apple fans aren’t in the clear, either. In the past, Mac users were generally less susceptible to malware attacks; however, as Apple products earn a larger share of the market, they also get more attention from malware developers. In 2017, two security firms uncovered ransomware and spyware programs specifically targeted at Apple users, thought to be developed by software engineers who specialize in OS X. The people who created the malware were even making it available for free on the dark web. Malicious attackers have also accessed Mac users’ iCloud accounts and used the Find My iPhone service to lock people out of their computers.
Types of ransomware
Ransomware comes in a variety of forms, with the request for ransom being the main thing that unites them. (2017 did see a few cases where institutions were hit with a ransomware-like attack, but the goal did not seem to be monetary. The ransomware may have been cover-up for spying or some other type of cyberattack.)
- Crypto-malware – The most common type of ransomware is known as crypto or encryptor ransomware; as the name suggests, this is the type that encrypts your files. You can still log on to your computer, but you can’t open your files. WannaCry is a prime example of this type of ransomware.
- Locker – Locker ransomware locks you out of your computer completely so that you can’t even log in. The Petya ransomware, which first emerged in 2016 and returned in a more advanced form in 2017, uses the locker approach by encrypting your hard drive’s master file table to lock up your computer.
- Doxware – Doxware downloads a copy of your sensitive files to the attacker’s computer, and he or she then threatens to publish the files online if you don’t pay the ransom. Imagine someone threatening to post your most personal photos or videos on a public website for the world to see. The Ransoc ransomware used the doxing method.
- Scareware – Scareware is a fake software program that claims to have found issues on your computer and demands money to fix them. Scareware might inundate your screen with pop-ups and alert messages, or it might lock up your computer until you pay.
One of the reasons why ransomware has become such a popular type of malware is that it’s readily available online for threat actors to use. Avast has found that approximately one third of all “new” ransomware strains actually originate from an existing open-source strain. Also, hackers are continually updating their code to refine their ransomware and improve their encryption, so a certain strain of ransomware might re-emerge multiple times, as Petna has.
Since the attacker’s ultimate goal is to spread the ransomware to as many machines as possible in order to make the most money, an alternative ransom tactic has emerged.
In the Popcorn Time ransomware, the perpetrator asks the victim to infect two other users. If both of those users pay the ransom, then the original victim will receive his or her files back, free of charge.
How does my device get infected?
The scary thing about ransomware is that, unlike a virus, it can attack your device without any action on your part. A virus requires the user to download an infected file or click on an infected link, but ransomware can infect a vulnerable computer on its own.
- Exploit Kits – Malicious attackers develop exploit kits that contain prewritten code, designed to exploit issues like EternalBlue that we described above. Ransomware delivered this way can infect any network-connected computer running out-of-date software. One day, you turn on your computer, and bam! All your files are locked.
- Social Engineering – Other forms of ransomware take advantage of tried-and-true methods to infect your computer. Social engineering (or phishing) describes the act of tricking people into downloading malware from an attachment or web link. These files usually come via an email that seems to be from a reputable source, and the attachment or link looks like an order form, receipt, bill, or important notice. Its file extension makes it look like a PDF or Excel/Doc file, but it’s really an executable file in disguise. The user downloads the file, clicks on it, and the nastiness begins. (It may not begin right away, either. Some ransomware is designed to hide on your computer for a designated amount of time to make it more difficult to pinpoint exactly where it came from.)
- Malvertising – Malvertising is another infection method, in which the attacker uses an advertising network to distribute its malware. The fake advertisement can be distributed even to trustworthy websites. If the user clicks on the ad link, the ransomware is downloaded to their computer.
- Drive-by downloads – Drive-by downloads are malicious files that are downloaded to your computer without any direct action from you. Some less-than-reliable websites take advantage of out-of-date browsers and apps to secretly download malware to your computer while you’re innocently surfing the web.
Regardless of how the ransomware gets on your computer, once the program has been executed, it typically works like this: the ransomware begins to change files (or file structures) in such a way that they can only be read or used again by restoring them to their original state. Encryption is also used to secure the communication between the malware and the command computer (the computer the criminal uses to direct the victim’s machine). That channel is what carries the key material: either the key that decrypts the data directly, or the key needed to recover the decryption key that returns the files or file system to their original form.
When all the files are securely locked, a ransom note will appear on your screen, telling you how much money you’ll need to pay to decrypt the files, where/how to transfer the funds, and how long you have to do so. Miss the deadline, and the price goes up. If you try to open any of the encrypted files, you will get an error message telling you that the file is corrupt, invalid, or cannot be located.
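The paragraphs above describe what encryption does to a file: the bytes no longer look like the document they used to be. That is something a defender can measure. The following script, added here as an illustration and not taken from the article or from any real tool, walks a folder and flags files that no longer start with the header their extension promises, or whose content has the near-random statistics of ciphertext. The sample folder it scans is constructed inside the script, and the small table of file headers and the entropy threshold are assumptions chosen for the demonstration.

```python
"""Flag files that look as though crypto-ransomware has rewritten them.

Two signals are combined: a file whose extension promises a known header but whose
bytes do not start with it, and a high Shannon entropy on a type that should be
mostly plain text. Compressed formats (docx, png, ...) are legitimately high-entropy,
so they are judged by header only. Sample tree constructed below for the demo.
"""
import math
import os
import random
import tempfile
from collections import Counter

# Expected leading bytes for a few document types (assumption: a small illustrative set).
MAGIC = {".pdf": b"%PDF", ".docx": b"PK\x03\x04", ".png": b"\x89PNG"}
# Types whose normal content is already compressed, so entropy alone says nothing.
COMPRESSED = {".docx", ".xlsx", ".png", ".jpg", ".zip", ".mp4"}
ENTROPY_THRESHOLD = 7.5  # bits per byte; well-encrypted data approaches 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty or single-symbol data, 8.0 max)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def suspicious_reasons(path: str) -> list:
    """Return the reasons a file looks encrypted (empty list = looks normal)."""
    with open(path, "rb") as f:
        head = f.read(1 << 20)  # the first MiB is enough for both checks
    ext = os.path.splitext(path)[1].lower()
    reasons = []
    if ext in MAGIC and not head.startswith(MAGIC[ext]):
        reasons.append("header does not match extension")
    if ext not in COMPRESSED and len(head) >= 256:
        entropy = shannon_entropy(head)
        if entropy > ENTROPY_THRESHOLD:
            reasons.append("entropy %.2f bits/byte" % entropy)
    return reasons


def scan_tree(root: str) -> dict:
    """Map relative path -> reasons, for every file under root that trips a check."""
    flagged = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            reasons = suspicious_reasons(full)
            if reasons:
                flagged[os.path.relpath(full, root)] = reasons
    return flagged


def build_sample_tree() -> str:
    """Constructed sample: three healthy files and two that ransomware has overwritten."""
    root = tempfile.mkdtemp(prefix="ransom-demo-")
    rnd = random.Random(2018)
    noise = bytes(rnd.getrandbits(8) for _ in range(4096))  # stands in for ciphertext
    samples = {
        "notes.txt": b"Quarterly notes: nothing unusual to report.\n" * 40,
        "invoice.pdf": b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n" * 20,
        "report.docx": b"PK\x03\x04" + noise,  # compressed format, healthy
        "photo.png": noise,                     # header gone: overwritten
        "budget.txt": noise,                    # text file now full of ciphertext
    }
    for name, content in samples.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(content)
    return root


if __name__ == "__main__":
    for rel, why in sorted(scan_tree(build_sample_tree()).items()):
        print(rel, "->", "; ".join(why))
```

The header check is the stronger of the two signals: a Word document or a photo is high-entropy by design, so entropy alone would drown you in false positives, while a `.png` that no longer begins with the PNG signature is almost never innocent. A real monitor would also watch for a burst of such changes in a short time and for new ransom-note files, which this snapshot scan does not attempt.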
How can I remove ransomware?
The act of removing the ransomware itself isn’t all that difficult. If the attacker used encryption ransomware and you can still get into your computer, then you can put the computer into Safe Mode and run an antivirus scanner to find and delete the malware.
If the ransomware was of the locker variety that shuts you out of your computer entirely, then you have three choices in how to proceed: you can reinstall your operating system; you can run an antivirus program from an external drive or bootable disc; or you can do a System Restore and take Windows back to a time before the ransomware was loaded. Here’s how you do a system restore on Windows machines:
Windows 7 System Restore:
- As your PC is booting up, press F8, which will bring up the Advanced Boot Options menu.
- Choose Repair Your Computer, followed by Enter.
- Log in with your Windows username and password. You can leave it blank if you don’t have one.
- Select System Restore.
Windows 8, 8.1, or 10 System Restore:
- As your PC boots up, hold the Shift key. You will enter the recovery screen (restart if this doesn’t work).
- Choose Troubleshoot.
- Go to Advanced Options.
- Select System Restore.
For Android devices, the following are general steps to remove the malware by entering Safe Mode and uninstalling suspicious apps. These steps can vary depending on your device.
- Boot Android into Safe Mode:
Find the power button and press it for a few seconds until you see a menu. Tap Power off. When a dialog window offers to reboot your Android device into Safe Mode, select this option and press OK. If this does not work for you, just turn off your device and then turn it on. Once it becomes active, try pressing and holding Menu, Volume Down, Volume Up, or both volume buttons together to see the option for Safe Mode.
- Uninstall malicious and/or any suspicious and unknown apps:
When in Safe Mode, go to Settings. Then, click on Apps or Application manager (this may differ depending on your device). Look for the previously-mentioned suspicious app(s) and uninstall them all.
Although ransomware is less prevalent on Macs, you follow the same general steps to get into Safe Mode and then delete the malware.
- Restart your Mac in Safe Mode. Press and hold the Shift key immediately after you hear the startup tone. Release the Shift key when the Apple logo appears. Safe Boot appears on the Mac OS X startup screen.
- Use antivirus software to remove the malware.
How can I recover my files?
Unfortunately, removing the ransomware doesn’t suddenly give you access to all of your encrypted files. How easy or difficult it is to recover your data depends on the level of encryption. If it was basic ransomware using basic encryption, one of Avast’s free ransomware decryption tools can likely get the job done. If your computer has been infected by a more sophisticated ransomware like WannaCry that uses strong encryption, it may be impossible to recover your locked files.
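To make “basic encryption” concrete, here is an added example of the kind of weak scheme a free decryptor can undo. It is constructed for this article and is not the code of any real strain: the “encryption” is a fixed eight-byte key XORed repeatedly over the file. Because every file of a given type starts with bytes everyone knows (a PDF begins with `%PDF-`), the keystream can be read straight off the ciphertext, and the key falls out. The sample file, its header, and the key are all assumptions made up here. Strong ransomware avoids exactly this: a modern cipher, correctly used, with a per-victim key that is never left on the disk, gives a decryptor nothing to recover.

```python
"""Known-plaintext recovery against a constructed repeating-key XOR 'encryptor'.

This stands in for a weak real-world design; it is not any strain's code.
"""
from itertools import cycle


def xor_stream(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call both 'encrypts' and decrypts."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_key(ciphertext: bytes, known_prefix: bytes, max_len: int = 64) -> bytes:
    """Derive the repeating key from a known plaintext prefix.

    The keystream at the known positions is ciphertext XOR plaintext. Candidate key
    lengths are tried from short to long and a length is accepted when the keystream
    repeats consistently across the whole known prefix. The prefix must be longer
    than the key for that check to mean anything, so unverifiable lengths are skipped.
    """
    stream = bytes(c ^ p for c, p in zip(ciphertext, known_prefix))
    for length in range(1, min(max_len, len(stream) - 1) + 1):
        if all(stream[i] == stream[i % length] for i in range(len(stream))):
            return stream[:length]
    raise ValueError("no consistent key found: known prefix too short or scheme differs")


def decrypt_with_known_header(ciphertext: bytes, known_prefix: bytes) -> bytes:
    """Restore a file given only the ciphertext and the header its type must carry."""
    return xor_stream(ciphertext, recover_key(ciphertext, known_prefix))


# Constructed sample file and key (assumptions for the demo, not real artefacts).
SAMPLE_KEY = bytes.fromhex("9c3a7105e42bd867")
SAMPLE_PDF = (b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n"
              b"1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n")
PDF_HEADER = SAMPLE_PDF[:15]  # the 15 leading bytes a decryptor assumes for this sample

if __name__ == "__main__":
    locked = xor_stream(SAMPLE_PDF, SAMPLE_KEY)
    print("key recovered:", recover_key(locked, PDF_HEADER).hex())
    print("file restored:", decrypt_with_known_header(locked, PDF_HEADER) == SAMPLE_PDF)
```

Note the precondition in `recover_key`: the known header has to be longer than the key, otherwise no length can be confirmed and the function refuses to guess. Real decryptors lean on the same idea, plus mistakes such as keys derived from predictable values or left behind on the infected machine.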
Now, some of you may be thinking that the best way to recover the files is to just pay the ransom. A lot of people do choose to pay, which is why ransomware has become such a popular form of malware. If cyber criminals keep making money, they’ll keep making ransomware.
Keep this in mind, though: There’s no guarantee that the attacker will actually keep their word and decrypt the files after you pay. They might just take the money and run. Or, if they see that you’re willing to pay, they may instantly increase the ransom amount. Plus, a willingness to pay makes you a target for another attack down the road.
It should also be noted that some ransomware is so poorly coded that, once the files are encrypted, they can’t be decrypted and are lost forever. Petna is one such example. So if you pay, you may still not get your files back.
Ransomware protection: How to prevent a ransomware attack
The best way to deal with a ransomware attack is to prevent it from ever happening in the first place. To do this, you should:
- Update your operating system and your apps. Yes, we know all those Windows system-update notices can get annoying, but don’t ignore them. (Don’t ignore the updates on your mobile devices or IoT products, either.) Many system updates involve security patches, and those are crucial to keep your devices safe. If you are still using an older OS like Windows XP that Microsoft no longer supports, then you are especially vulnerable to attack and really should consider upgrading to a newer operating system.
It’s also important to update your computer software, especially your web browsers and plug-ins.
- Back up your files. It’s important to perform regular system backups to an external device, be it a USB hard drive, a NAS drive, or cloud storage. At the very least you should back up your most important and treasured files so that they are safe from malware and hard-drive failure. These days, storage is cheap, and options are plentiful in both the USB and NAS categories. There are also plenty of free cloud-based storage systems, including Dropbox, Google Drive, MEGA, and OneDrive.
- Use antivirus software, and keep it up to date. Avast offers various levels of antivirus protection (Avast Free Antivirus is free!) to protect you from ransomware and other malware. For business customers, our new Avast Business endpoint protection software offers strong business-grade data, device and identity protection for a range of budgets. For the IT channel, we have also integrated this right into our CloudCare. Just as cyber criminals are always refining their malware, Avast is always refining its antivirus software, so it’s important to keep the software up to date.
- Keep an eye out for manipulative social-engineering techniques. This may go without saying, but never open or click links or files from unknown sources. If you get an email with a questionable attachment, just delete it without ever opening it. If you do know the person who sent the email, you may still want to verify with them that the attachment is legit. Also keep an eye out for messages that try to trick you into clicking on links to malicious websites; they could come from an email, text, or even social media. Especially if you’re entering any personal information, triple-check that the site has HTTPS enabled. How can you tell? Look for the padlock symbol in your browser, a visual cue that your connection to the site is encrypted (it does not, by itself, prove that the site is the one you meant to visit).
by Charlotte Empey on February 6, 2018
Updated on November 25, 2019