Your comprehensive ransomware guide: What you need to know to stay safe

Ransomware refers to a piece of sophisticated malware that blocks a person’s access to their files. The only way to regain access is to pay a ransom. There was an episode in season 6 of the hit and amazing show “The Good Wife” that depicted ransomware — the villain in the episode was in Russia. He was thwarted at the end. You might not be as lucky. That is why we put together this ransomware guide.

There are two types of ransomware in circulation:

1. Encrypting ransomware: These incorporate sophisticated encryption algorithms. They are authored in such a manner so as to block access to system files. They then demand a payment to provide the key to the victim, which can be used to decrypt the system files. Some examples of encrypting ransomware include Locky, CryptoLocker, and CryptoWall.
2. Locker ransomware: These lock a person out of the OS, making access to files, apps, or desktop computers impossible. Attackers still demand a ransom payment before unlocking the computer. One prominent example of locker ransomware is WinLocker.

There are some types of locker ransomware that are capable of impacting even the master boot record, or MBR, of your computer. Since the MBR enables boot up, if there is an attack by MBR ransomware, the boot-up process does not complete. Instead, a ransom message is displayed. Petya and Satana families belong to this category.

Encrypting ransomware make up the biggest cyberthreats at the moment and have been the biggest threat for many years now.

Characteristics of ransomware

• The encryption featured is unbreakable. This means that the affected person cannot decrypt files that have been encrypted.
• Ransomware can encrypt various types of files ranging from video, audio, documents, and pictures.
• It has the ability to scramble file names. This creates a situation where the victim cannot know which specific data has been affected.
• It can add various extensions to files. Sometimes this is done to indicate a different strain of ransomware.
• The ransomware will display a message or an image that informs the affected person that their data has now been encrypted; the payment of a certain sum of money is required in order to get it back.
• Generally, it requests payment only in bitcoins because bitcoins cannot be traced by law enforcement or cybersecurity experts.
• Ransom payments generally come with a specific time limit. In most of the cases, breaching the time limit would mean that the ransom demands would increase. In some cases, the data is destroyed forever.
• Ransomware uses a number of complex evasion techniques in order to remain undetected by antivirus software.
• It often pulls in infected machines into botnets.
• Instead of encrypting files, it can also extract usernames, email addresses, passwords, etc. and have them sent to specific rogue servers.

Why do ransomware creators target home users?

• They rarely take data backups.
• The level of education regarding cybersecurity is low.
• Even baseline cyber protection is not widespread enough.
• They tend to rely on luck to keep them safe online.

Why do ransomware creators target businesses?

• They are, as the saying goes, following the money.
• Malcontents know that business disruptions can elevate their chances of being paid.
• Corporate computer systems are often complex, meaning that the number of vulnerabilities is high.
• Cybercriminals believe that companies would tend not to report any infections due to fear of brand damage and legal consequences.

Why do ransomware creators target public institutions?

• They have large databases of personal information which can be sold.
• Training to handle cyberattacks is often insufficient.
• Public institutions often use outdated equipment, meaning that the number of vulnerabilities is high.

How is ransomware spread?

• Spam email campaigns with malicious attachments or links.
• Security exploits in software.
• Redirects of Internet traffic to malware websites.
• Legitimate websites with malicious code injections.
• SMS messages.
• Botnets.
• Self propagation.

For example, cybercriminals locate vulnerable websites, inject malicious JavaScript into them, and use it as a trigger to redirect requests to infected websites.

How do infections happen?

These are the key steps in an infection.

• The victim is sent an email with a malicious link or attachment, which is what Diane Lockhart did in “The Good Wife,” triggering ransomware software to take over every office computer and causing widespread panic. Alternatively, a malicious website uses a security exploit to open a backdoor on the victim’s computer.
• Once the link is clicked or the attachment downloaded, a downloader is saved on the affected computer.
• The downloader downloads the ransomware program on to the system.
• The malicious server sends back any requested data.
• The malware encrypts the complete content on the hard disk, other sensitive information, and personal files.
• A warning message pops up with instructions on how to get the decryption key.

Why do most ransomware often go undetected in antivirus programs?

There are several techniques that malware makers use to ensure that ransomware remains covert.

• Encrypted communications with commanding servers, which are difficult to detect amidst regular network traffic.
• Traffic anonymizers like bitcoin and tor are used.
• Anti-sandboxing techniques are used so that antivirus won’t pick it up.
• Domain shadowing is used to keep the communication between malware control servers and the downloader hidden.
• Encrypted payloads are used, which can make it difficult for antivirus programs to detect malware.
• Ransomware exhibits polymorphic behavior, meaning that it can create new variants as needed.
• Ransomware can remain dormant on a computer only to initiate an attack at the appropriate time.

Steps to take ransomware protection to the next level

Here are some steps that you can follow to ensure that your ransomware protection goes to the next level. Make sure that:

• Important data is not stored only on the PC.
• There are two backups for your data: one on an external HD and another in a cloud location.
• The cloud drive is not set to be on permanently. It is used specifically only to sync the data and then closed.
• You use the latest version of the operating system and software, including the most current security-related updates.
• You do not use an admin account for daily use. You only log in with an account with lower level of privileges.
• Macros are turned off in MS Office.
• If you have to use plugins like Adobe Flash, Java, Silverlight, and Acrobat Reader, use the browser setting to ask and activate as needed.
• Your browser’s privacy and security settings have been adjusted for maximum protection.
• Ad-blocker software is used to avoid any possible threats from malicious ads.

Ransomware represents perhaps the most dangerous threat to computer systems. The fact that most ransomware is able to evade antivirus software makes it all the more so. You need to adopt measures to protect yourself from this menace.

Photo credit: Shutterstock