Ransomware is one of the most profitable illegal software on the internet. It affects many thousands of people every year and has done so for around 5 years now, since the first ransomware attacks which were well crafted pieces of software that had been really well written so that there is no hope at all of getting your files back without the key, unless you have a secure backup. No one is safe, even Mac users are under attack.
Firstly, what is ransomware and what does it do, how do you get rid of it and get your data back.
Then we will look at how to prevent and recover from an attack.
What is ransomware and what does it do?
Well it is software that you get in any of the normal virus/malware routes via email, download or visiting a website with malicious intent or malicious adverts, even good websites can fall foul to giving you viruses though delivering adverts from third parties that are infected. When you get ransomware on your computer (PC or Mac) it will quietly sit in the back ground and after making contact back “home” it will start to encrypt any important documents it can find. What it calls important documents is up to the maker of the ransomware but generally includes all your Word, Excel, and PowerPoint, database, email, pictures and music files. Some are clever enough to start with the files you use least and then work up to the ones you use more often in order to get more files encrypted before being discovered, others just work on a first come first served basis. Many these days will then also see what other computers are on your network and try to infect them also. This creates further problems down the line as you will see later. Depending on the actual ransomware you have, you may not notice anything is wrong until you try to open a file and it says you can’t because it is corrupt. The ransomware will finish encrypting everything and then pop up a message to politely inform you that “You’ve been got” and give you instructions on how to get your files back with a countdown timer. Others will do this on completion but also if you look in the folder with your file you will see a text files with every encrypted file that tells you basically the same thing and how you can pay to stop and reverse the process. Because the files are encrypted with the best encryption known to man they are impossible to crack without the key. Banning such encryption would not solve the problem because at the end of the day encryption is just maths and you can’t undo what has been learned in maths. All that would happen is the bad guys would continue to use it and it would make it easier for the bad guys to get you stuff if you don’t use encryption yourself.
Now they have the keys to your files and you need to pay for the key to get your files back. Many companies and individuals have paid making this a very profitable scheme and it has made way for thousands of copycat ransomware, some not written as well as the original but just as effective if you don’t know what you’re doing and can’t afford thousands of Pounds to get an expert in to resolve it for you. Although I have not seen any yet, it is possible that you may get charged with supporting terrorism or organised crime if you pay the fees as that is what you are actually doing, these viruses are not done by kids trying to prove themselves they are done by organised crime syndicates and terrorist groups, so as far as I am concerned paying the “fee” is not an option.
How do get rid of it and get your data back?
To get rid of the virus itself is usually not too difficult. At the end of the day, if you aren’t going to pay then they aren’t bothered if you remove it, so many will go without too much of a fight. However if you remove it, you also remove the chance to get your data back as there is generally no way to get it back after you remove the virus itself. If you decide to pay the ransom, then there is a 20% chance it will not be able to give your data back anyway and you will also have to pay the ransom for each device infected, why? Because as we said earlier the virus will look over the network and try to infect any devices it can and starts to do the same thing from each new device infected. It will also infect all your data stored on any shared folder or drive and by default on older PCs you will be sharing your entire drive over the network, even if it is hidden. Severs typically will be encrypted by the virus as they are generally open to all users. That means that each instance of the virus will encrypt the files. To recover them you must unencrypt each file in the reverse order to which it was encrypted; so if you have 5 pcs infected and they encrypt a file in the order of PC1, then PC2, then PC3, then PC4 and then PC5, you must unencrypt them in the order of PC5, then PC4, then PC3, then PC2 and then PC1. Needless to say that you do not know (and neither do they) which PC encrypted which files first, yet alone in other order and they may not be sequential, so if a file was in use at the time PC2 was looking at it then it will move on to the next file and be the first one to encrypt that file and then go back later to infect the other file and be the last one to encrypt that particular file, there is no way for anyone to know. There is of course the fact that some are not written as well and the recovery process, which is after you have paid, is not the focus of their attention; and as there is no refunds if you’re not happy, they don’t care if it works or not.
The best way to guarantee getting your files back is good disaster recovery planning, and this is a disaster. Most victims (around 80%) lose at least 2 days to this type of attack with 20% losing around 5 days or more. Getting the right backup plan is place is the key. Online backup only solutions are great but do typically suffer from time issues. To download from Carbonite or Mozy or any other online backup can take as long as 12 hours per 50GB of data to recover. File sharing programs, such as box or drop box, one drive, iCloud, etc. are even worse as in most cases these will also be encrypted with no way to get them back, although some do offer recovery for a price and it is a telephone call away and a day or twos work.
The only solution that we are aware of that actually does work is our ShareSync app, which comes as a standalone product or as part of other cloud services such as cloud email. This will give you the best of both worlds with easy access and sharing of files with anyone you choose and a backup copy made each time a file is changed. This means that you can just revert a file or files or everything back to a previous state, i.e. before the ransomware attack, and carry on. Backup, sharing and disaster recovery taken care of.
It can take the place of your Drop Box or similar program and your tape or online backup so saving you money.
We do recommend though that you still keep at least three copies of any files that are critical. The working version and two backups on different media. There are different reasons for these which we will cover in another story.
In March 2016 CNBC reported on a story about ransomware in Macs (see their story here) and that story also showed that ransomware for macs has been around since at least 2014.
The best advice we can give you, is “Don’t get infected in the first place, but make sure your disaster recovery plans include this type of disaster. Test it to make sure it works”
We can certainly help any size business or individual to plan for this and other types of disaster, so use our new chat, call or submit a support ticket here.
Whatever you do, make sure you are protected against this type of attack. Virus and Malware checkers are good, but they are reactive, not proactive (that would be nice but it is impossible). They can only find a new virus or any sort after it has been discovered, which means that there is at least, usually more, when they can attack and no one will know they are there. Also many virus makers know how to get round the antivirus programs so that is another thing the antivirus makers are constantly trying to combat.
CritchCorp Computers Ltd