Ransom and Cryptoware

Ransomware is becoming an increasing problem, especially now that a form of this hostage software has also been found for MacOS. In this article we explain exactly what ransomware and cryptoware are, how to prevent them, and what to do if you do fall victim to them.

What’s ransomware?

Ransomware is a form of malware that captures your files. The word ‘ransom’ refers to the money demanded for releasing a hostage, and that is exactly what ransomware does: it keeps files or even your entire computer ‘hostage’, and you can only regain access by paying the attackers. If you don’t, your files are destroyed and you are out of luck.

The difference between ransomware and cryptoware

There are different forms of ransomware. ‘Ransomware’ is the umbrella term for all malware that takes your computer or files hostage, but within that term several variants are known. For example, there is ransomware that locks up your entire system and prevents you from even starting your computer. A more advanced form of ransomware is ‘cryptoware’. It encrypts files on your hard drive, such as documents or even movies and music. The key needed to undo that encryption is only handed over after you have paid.

Ransomware is being distributed more and more often, and although that doesn’t sound very positive, it has an upside. Many anti-virus programs have taken measures against this form of malware, and security companies such as Kaspersky even publish databases of keys. On the other hand, the malware changes frequently as well, so you may be hit by a new version of the ransomware against which little or nothing can be done yet.

How do you become a victim of ransomware?

There are two ways ransomware gets onto your computer and takes it hostage. The most common way is through an executable file that installs the ransomware on your computer. That file can arrive via an unsafe link, an e-mail attachment, advertisements or (illegal) downloads.

The file you download is usually an executable (.exe) whose name resembles an image or text file: ‘kattenplaatje.jpeg’ looks like an image, but if you have file extensions shown you can see whether it really is a jpeg file or secretly ‘kattenplaatje.jpeg.exe’. In the latter case you are not opening an image but running an installer, which may very well contain ransomware.
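Added example, not part of the original article: a Python check that mimics what Windows Explorer shows when known extensions are hidden and flags names like the ‘kattenplaatje.jpeg.exe’ above. It goes a little beyond the article by also covering other file types Windows will run (.scr, .js, .vbs and so on); both extension lists are assumptions, representative rather than exhaustive, and the sample file names are constructed.

```python
# Extensions Windows executes when double-clicked (assumption: a
# representative list, not exhaustive).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
                   "vbs", "vbe", "wsf", "ps1", "msi", "hta"}

# Extensions a user expects to open harmlessly in a viewer (assumption).
DECOY_EXTS = {"jpg", "jpeg", "png", "gif", "bmp", "pdf", "doc", "docx",
              "xls", "xlsx", "txt", "mp3", "mp4", "avi"}


def analyse_filename(name: str) -> dict:
    """Return what Explorer shows with extensions hidden, the extension
    that really decides how the file is opened, and whether the name
    hides an executable behind a harmless-looking extension."""
    parts = name.lower().split(".")
    real_ext = parts[-1] if len(parts) > 1 else ""
    # Explorer (default settings) hides only the final, registered extension.
    shown = name.rsplit(".", 1)[0] if real_ext else name
    shown_ext = shown.lower().rsplit(".", 1)[-1] if "." in shown else ""
    deceptive = real_ext in EXECUTABLE_EXTS and shown_ext in DECOY_EXTS
    return {"shown_as": shown, "real_ext": real_ext, "deceptive": deceptive}


# Constructed sample download folder (not real files).
SAMPLE_NAMES = ["kattenplaatje.jpeg", "kattenplaatje.jpeg.exe",
                "Factuur.PDF.js", "vakantie.mp4.scr", "setup.exe", "README"]


def flag_deceptive(names):
    """Pairs (real name, name as shown with hidden extensions) for every
    file that hides an executable behind a decoy extension."""
    return [(n, analyse_filename(n)["shown_as"]) for n in names
            if analyse_filename(n)["deceptive"]]


if __name__ == "__main__":
    for real, shown in flag_deceptive(SAMPLE_NAMES):
        print(f"shown as {shown!r} but really {real!r}")
```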

Another way ransomware can end up on your computer is through programs already installed on your PC, for example Flash, your browser or JavaScript. To get ransomware onto a computer this way, hackers have to find a vulnerability in that software. They do this by scanning for outdated software, so it is advisable to keep your software up to date at all times.

Prevent Ransomware

Ransomware is persistent and not always successful. Studies show that as many as 5% of ransomware victims pay to recover their files – far more than for most other phishing or malware.

Unfortunately we have to state the obvious: good protection against ransomware is the best way not to become a victim. And to state the obvious once more: there are no special tricks to protect you from ransomware, other than keeping your system up to date.

You should also be wary of phishing attacks. In this article we explain how to recognize a phishing email.

Just a few things you can do anyway:

Use the latest operating system

It may seem obvious, but make sure you use a version of Windows that Microsoft still officially supports. At the moment these are Windows 7, Windows 8 (and 8.1) and Windows 10. Windows Vista also still receives critical security updates from Microsoft, but if you use Windows XP you really need to upgrade.

Also make sure you install all essential updates. We understand that this is not always attractive because of Microsoft’s aggressive push towards Windows 10, but installing the important security updates is strongly recommended.

Update your software

Not only your operating system but also the software on your computer needs to stay up to date. Flash, for example, is notorious for the number of holes in it, as is JavaScript in your browser. You can also disable software such as Flash. In any case, check your programs for updates regularly.

Backup

Hopefully we don’t have to explain that you need to back up your files regularly, for example to an external hard disk or to the cloud. Some useful tips can be found here. Make your backups regularly, or set up a program to do so automatically.

You might also consider a NAS (‘Network Attached Storage’), a hard drive that you connect to your network, but that is not a watertight solution either. Some forms of ransomware scan your system for files that can be encrypted, and if a NAS is linked to an infected system, the files on the NAS may be encrypted as well.

What do you do when you have ransomware on your computer?

Of course, despite all the precautions you take, you can still become a victim of ransomware. That’s not nice, but perhaps something can be done about it. The steps below might help you solve your problem. Success is not guaranteed, and in the worst case you have to restore your device to factory settings – that’s why backups are so important.

1. First determine what your problem is

Your first reaction will probably be panic, but you can only solve a problem once you really know what the problem is. So look at that first. What is going on? Did hackers lock your computer, or is it only about certain files? What do the hostage-takers want? Then decide what your next step will be.
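Added example, not part of the original article: a small Python triage helper for the question ‘is it only about certain files?’. It checks whether a file still starts with the header its extension promises and, if not, whether its content is near-random, which is what encrypted files look like. The header table is a deliberately small assumption, the 7.5 bits-per-byte threshold is a rule of thumb, and all sample files are constructed in the code.

```python
import math
import hashlib
from collections import Counter

# Header bytes a file with this extension should start with (assumption:
# a small illustrative table, not a complete signature database).
MAGIC = {
    "jpg": b"\xff\xd8\xff", "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n", "pdf": b"%PDF-",
    "docx": b"PK\x03\x04", "xlsx": b"PK\x03\x04", "zip": b"PK\x03\x04",
}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: plain text sits around 4-5, encrypted
    or compressed data close to the maximum of 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(name: str, data: bytes, threshold: float = 7.5) -> bool:
    """True when the file no longer starts with its expected header AND its
    content is near-random. Compressed formats (jpeg, docx) have high
    entropy by design, so the header check keeps intact ones from being flagged."""
    ext = name.lower().rsplit(".", 1)[-1] if "." in name else ""
    magic = MAGIC.get(ext)
    if magic is not None and data.startswith(magic):
        return False  # header intact: the file is what it claims to be
    return shannon_entropy(data) >= threshold


def pseudo_random(n: int, seed: bytes = b"constructed-sample") -> bytes:
    """Deterministic stand-in for ciphertext (sha256 chain), so no real encrypted files are needed."""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


# Constructed sample files, name -> content. Not taken from any real incident.
SAMPLES = {
    "kattenplaatje.jpeg": b"\xff\xd8\xff\xe0" + b"\x00" * 500,  # intact image
    "brief.docx": pseudo_random(4096),              # header gone, random bytes
    "notities.txt": b"boodschappenlijst: melk, brood, kaas\n" * 20,
    "vakantie.png.locked": pseudo_random(4096),     # renamed and encrypted
}


def triage(samples: dict) -> list:
    """Sorted names of the files that appear to have been encrypted by cryptoware."""
    return sorted(n for n, d in samples.items() if looks_encrypted(n, d))
```

Running `triage(SAMPLES)` points at the two files whose content no longer matches their type, while the intact image and the plain-text notes pass.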

2. Always report it!

Always report it to the police. This is cybercrime and it is punishable. Yes, it may feel pointless, and in practice nothing may be done with your report, but if something is done, you can benefit from it later on.

3. If you have ransomware

With ransomware, your entire system is locked behind a full-screen notification that often looks like a phishing message. A good example is the Ukash police virus, which claims that you have downloaded illegal files and therefore cannot open your computer. The important thing with ransomware is that you never pay, because chances are your computer still won’t open afterwards. Ransomware also often tricks you into using certain payment apps that meanwhile try to steal your credit card details. Don’t do that!

Do a virus scan

If you are affected by ransomware, run a virus scan. A lot of ransomware is recognized by antivirus programs and can easily be removed. If you can still access your computer (but your files or your browser are blocked, for example), use a (free) program like MalwareBytes, which recognizes most ransomware.

Can’t get into your system at all? Then use HitmanPro. You can install it on a USB stick and run it before the system boots. You can read how that works here.

Roll back to a system restore point

You can also roll back to a system restore point. This takes you back to a slightly older state of Windows, in which the virus may not yet have been present.

Back to factory settings

If all that doesn’t work, unfortunately there is only one option left: reset your device to factory settings. You’ll lose all your files, so hopefully you’ve made enough backups.

If you have cryptoware

If you have cryptoware, some or all of the files or folders on your system are encrypted and you are asked to pay a ransom to decrypt them. Paying is a last resort that we come back to in a moment; first try to solve the problem another way.

File a report

First of all, file a report with the police. With cryptoware this often makes more sense, because there is always a chance that the hackers have already been arrested. If so, the police will often have confiscated the keys needed to undo the encryption, and you might get the right key straight away.

Virus scan

If that is not the case, you can also run a virus scan with MalwareBytes, but the advice is to run as many antivirus programs as possible. One program may have the keys for your specific cryptoware while another does not. Kaspersky is very active in fighting cryptoware and has previously published a database with a large number of keys. Again, there is a chance that the key you need is in there.

Restore a backup

If that doesn’t work either, you can cut your losses and delete the infected files, provided you have a backup. Make sure the backup is not infected too and that the cryptoware is not still lurking somewhere on your system, so run a virus scan or roll your PC back to a restore point first.

Pay

We strongly advise against this last resort, but you might consider paying. With cryptoware, the chances are quite high that the attackers will give you the key after payment, although there is no guarantee, so paying remains a gamble. If you really need your files and you don’t have any backups, you can consider it.

In most cases, the blackmailers ask for money in the form of bitcoins, the virtual currency that is virtually untraceable. There are several ways to buy and store bitcoins, but the easiest and fastest is to use an online bitcoin bank that immediately gives you a ‘wallet’ in which the bitcoins are stored. One of the best known is Coinbase, which also explains clearly how to buy bitcoins. Note: you don’t have to buy a whole bitcoin (currently about €375); you can also buy, for example, 0.66 bitcoins for the amount the blackmailers ask for. Again: consider very carefully whether you think it is worth it. We advise against it, but the choice is really up to you.

Defusing TeslaCrypt

TeslaCrypt was one of the most common forms of ransomware. Fortunately, its creators have decided to stop their criminal activities, at least with this piece of malware. ESET security researchers have released a tool that makes the encrypted files accessible again. It is a matter of downloading and running it.

No More Ransom: try a decryptor

The Dutch police, together with Interpol and Kaspersky, among others, have set up a website where you can download software that gives access to encrypted files: decryptors. Maybe you are lucky and the keys to the ransomware that took your files hostage have just been released.