Ransomware, you hear it more and more these days. Big international company's getting their hardware and software infected with ransomware. And they can get full control back if they pay for it.
What is ransomware?
Ransomware is a type of malware, or malicious software, that blocks a computer or encrypts files. Only when you pay the ransom you would be able to use the computer or the files again. Other terms for ransomware are cryptoware or ransomware.
Ransomware is very annoying. For example, you can undetected lose your entire photo archive or music collection, including connected backups. Older variants of ransomware only block the Internet browser or computer startup. Criminals are increasingly targeting companies and institutions, because there is more money to be made there. However, as a home user you still have to pay attention.
Ransomware Features
- Holds files hostage by encrypting them. This means that you can no longer open files.
- Payment is required in the digital currency Bitcoin. Converted, it comes to hundreds or even thousands of euros. The amount is sometimes increased after a time limit.
- Infection occurs through malicious files (usually in email attachments) or through a leak on the PC by unupdated software. In the latter case, the ransomware can get on the PC without you even having to click anything.
- Suspicious files in emails are: zip, exe, js, lnk and wsf files. Word files that ask to enable macros are also dangerous.
- Watch out for fake Microsoft employees calling you. Your PC supposedly has a problem and that's why they want to log in remotely, after which they block your PC or files with ransomware.
- Paying ransom is not recommended, but can be a last resort.
- The encryption is usually not without undoing the key. If you are lucky there is a solution, see the section Saving files.
- Ransomware can also infect files on attached external hard drives or network storage that has a drive letter in Windows Explorer (such as E:, F:, G:). Therefore, keep a backup separate from the PC.
- The keys of some variants have been found by the police or security researchers, see the section on saving files.
- Names of ransomware variants that encrypt files include: Cerber, CTB-locker, Coinvault, CryptoLocker, LockerGoga, Locky, Petya, Ryuk, SamSam, Teslacrypt, TorrentLocker, WannaCry, and Wildfire
Practical examples of ransomware emails
Fake ransomware emails try to trick you into clicking a link or contain an infected attachment. For example, the emails mention (too high) invoice amounts, fines, collections or failed delivery attempts. Its details would be in the attachment or behind a link. The attachments or links include disguised executable files (invoice.pdf.exe), javascript (.js) files or Word files with malicious macros. Sometimes they are packaged in a zip file.
Company names that are misused as so-called sender include KPN, Ziggo, Intrum Justitia and transport companies. So-called scans of (Xerox) copiers and reports of car damage also occur.
Read more about recognizing phishing (fake emails).
Rescueing files
Unfortunately, with a ransomware infection, files are often not salvageable if you don't have a backup. If your files are encrypted, go through the following steps:
- Remove the malware first so that files are not re-encrypted. Do an extensive scan with your virus scanner and a second opinion with trusted software such as Malwarebytes or Hitman Pro.
- Restore a backup of the files. The condition is of course that there is a (recent) backup and that it is not encrypted by the cryptoware.
- If you're lucky, the creators of the cryptoware have been arrested or police or security researchers managed to get hold of encryption/decryption data. For an overview of ransomware decryptors, with which you can save your files without the help of criminals, you can look at nomoreransom.org, an initiative of EuroPol, among others. There is often no solution for newer ransomware.
- Find hidden backups. If you have not made a backup, there is a small chance that Windows did this automatically. Find these shadow copies as follows:
Right-click a file or folder.
Click Properties > Previous Versions tab.
See if there is an older version that can be restored. Sometimes data recovery software like the free recuva works. - Pay ransom. Of course we strongly advise against this option, but if the affected data is very important to you, we can imagine that you will give it a go. Experiences show that victims often get the keys, but there is no guarantee.
Preventing Ransomware and Other Malware
The risk of data loss with ransomware is high, so it is important to prevent contamination and to make regular backups in case this does happen. Follow the tips below to reduce the risk of viruses and cryptoware:
- Install a good virus scanner.
- Keep all software up to date, including operating system, Internet browser, browser add-ons, and popular programs, such as Adobe Reader. With ScanCircle you can quickly see how your PC is doing. Disabling is recommended for software such as Adobe Flash and Java.
- Don't click on attachments and links in emails unless you're sure it's trusted. If in doubt, check the Scammed website to see if the e-mail appears there.
- Do not enable macros with third-party Office documents, especially if the document asks for it.
- Ransomware is often an executable .exe file disguised as another kind of file, for example a PDF document. Toggle Show file extensions so you can see through the disguise.
- And again: make backups. That is wise in any case, but in case of ransomware infection, it is often the only recourse to prevent the loss of all your data.
- With (Apple's) macOS and Linux you run much less risk. But these systems can also be infected.
Create non-encryptable backup
There are several ways to make a backup. However, be aware that not every backup method is suitable for restoring ransomware encryption. Ransomware can encrypt not only the data on the compromised device, but also external storage points.
- To make a backup, only connect the USB stick or external hard drive at the time of a backup and then disconnect it.
- With a network storage you can choose that only the backup software may save files on the network drive (for example via FTP) and that only files are read via Windows Explorer.
- With a cloud backup, as well as some other forms of backup, you can restore files if version control is present. If files are encrypted in the most recent version of a backup, you can still go back to an older version of the backup.
Anti-ransomware programs
There are software specifically aimed at preventing ransomware infection that should be used in addition to a virus scanner, such as Cybereason Ransomfree, HitmanPro.Alert, or Kaspersky Anti-Ransomware Tool. There are drawbacks: with some virus scanners they cause problems, they sometimes cause extra delay and some are also quite expensive.
Many of the techniques used by the programs are now also included in "normal" virus scanners. To reduce the chance of infection from ransomware, you can consider special anti-ransomware programs, but it is more important to stick to the other points in the list of tips under 'avoiding ransomware and other malware'.