There is a lot of talk these days at our company, MyIP, web hosting experts, about ransomware (extortion software). It is surprising how few people know what it means and what will happen to them if they are attacked. Here is a brief description of the steps you can take to protect yourself and what to do if the worst happens.
What is Ransomware?
Ransomware is a category of malware used to try to extract money from its victims by blackmailing them for a ransom. Most of these programs are designed to sit silently on your system and slowly encrypt your files. Only when they have finished encrypting do they show you an alarming message: either you pay or you lose your files forever.
No security system is infallible, and malware is usually one step ahead in this game. If, or when, it hits you, here are some helpful tips:
Step 1: Minimize the damage
First, isolate the attacked system, especially if it is connected to your network, to prevent other systems from becoming infected.
If you are a system administrator and your servers are infected, disconnect all Ethernet cables.
Do not attempt to back up to an external drive. You may think it is a good idea to save the files that have not yet been encrypted, but this can cause the malware to spread. When you insert a disk or USB stick into an infected computer, the malware may copy itself to the drive you just inserted.
When that drive or USB stick is plugged into another computer, the malware can infect that system as well. Or worse, it could reinfect your own system after all the effort you put into cleaning it up. So the best thing to do is to isolate the attacked computer.
Step 2: Identify the type of ransomware
There are several types of ransomware, and some are more dangerous and harder to deal with than others. You can use different strategies to get rid of them depending on the type and characteristics of the attack. The most common types of ransomware fall into the following categories:
Scareware / Fake Antivirus
Scareware, also known as fake antivirus, is a category of malware that makes users believe that something is wrong with their system and that they have to buy some other software to clean it. Of course, there is nothing wrong with their computer, and most of the time buying that software results in a real infection of their system.
In most cases it works by showing a pop-up message announcing problems, such as a virus having been found, the system slowing down, or registry problems that need to be resolved.
These announcements appear in bold in the center of the screen and may also contain clickbait that redirects the user to the malware site, even if the pop-up window is closed. An example of such a pop-up is shown in the image in the original post.
Scareware is probably the easiest malware to deal with.
Just close your browser tab and the pop-up will disappear. If the pop-ups appear at the operating system level, you may need to locate the responsible executable using Task Manager or a more advanced process viewer, and then delete or uninstall it. If you continue to have problems, run a scan with an antivirus or anti-malware program.
Ransomware that locks the screen
This category of ransomware does not let you use your computer unless you pay a ransom. In most cases, a full-screen window appears with a warning. It may claim to be from the FBI and accuse you of illegally downloading content from the internet.
In other cases, the desktop background may be replaced by a pornographic image that cannot be changed. Here the blackmail aims to put the victim in an embarrassing position so that they feel forced to pay the ransom. The most advanced programs monitor user activity for a few days and then display a personalized alert that looks more credible and more intimidating. An example is shown in the image in the original post.
If you are infected with such malware, first try to find the executable that caused it. In most cases, pressing CTRL + ALT + DEL will get you to Task Manager so that you can close the program.
Even if you have deleted the executable, it is a good idea to do a full antivirus scan to remove any remaining traces. If none of this resolves the issue, you may need to restore Windows to the state it was in before the malware appeared or while it was still dormant.
Ransomware that encrypts files
The last and most dangerous category contains the programs that encrypt all your files so that you cannot use them in any way unless you pay a ransom to the blackmailers. Usually, the malware enters the victim's system and, without the victim realizing it, begins to encrypt all the files, making them impossible to use.
When the encryption is complete, the blackmailers demand payment to decrypt them. Today, cryptocurrencies like bitcoin, and the anonymity they provide, are a convenient way for blackmailers to collect the ransom they demand. The image in the original post shows the screen seen by users who were attacked by the WannaCry malware.
It is also good to know exactly how the encryption works. This may help you understand whether and how you can decrypt and restore your files.
Most of these programs use a combination of symmetric and asymmetric encryption (click here for more information on encryption types). Symmetric encryption is useful because it lets the attacker encrypt files much faster than asymmetric encryption would. Asymmetric encryption, on the other hand, means the attackers only need to protect a single private key; otherwise they would have to store and protect the symmetric keys of all their victims.
C&C (Command and Control) servers are generally used for communication between the attacker and the malware programs.
Here is how file-encrypting ransomware uses both symmetric and asymmetric encryption to carry out an attack:
- A private/public key pair is created on the attacker's side using one of the many available asymmetric encryption algorithms, such as RSA-256.
- The private key is kept by the attacker, while the public key is embedded in the ransomware program.
- A new victim's system is infected with the ransomware. In parallel, it sends the system's unique identifier (ID), the victim ID, to the C&C server.
- Using a symmetric encryption algorithm (e.g. AES), the server generates a symmetric key specifically for the victim's system and sends it. The symmetric key is encrypted using the private key.
- The ransomware program uses the embedded public key to decrypt the symmetric key, and then begins to encrypt all the files.
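As an added defensive example (not part of the original post), the script below shows how a responder can recognize the result of the last step on disk: files that have been encrypted in place have a byte entropy close to 8 bits per byte, unlike documents and spreadsheets. The directory tree, the `.locked` extension and the allow-list of legitimately high-entropy formats are constructed assumptions for the demonstration; the "encrypted" sample files are filled with chained SHA-256 output, so no encryption is performed at all.

```python
"""Flag files that look like they have been encrypted in place.

Ciphertext is statistically indistinguishable from random bytes, so a file
whose byte entropy is close to 8 bits/byte and whose extension is not a known
compressed or media format is a candidate. All sample files are constructed in
a temporary directory; nothing real is touched.
"""
import hashlib
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Formats that are legitimately high-entropy; skipping them cuts false positives.
# Assumption: this allow-list is illustrative, extend it for your environment.
HIGH_ENTROPY_OK = {".zip", ".gz", ".7z", ".png", ".jpg", ".mp4", ".pdf", ".docx"}
ENTROPY_THRESHOLD = 7.5   # bits per byte; plain text usually sits around 4-5
SAMPLE_BYTES = 64 * 1024  # only the head of each file is read


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def looks_encrypted(path: Path) -> bool:
    """True if the file head is near-random and the extension is not a known
    high-entropy format. Tiny files are ignored: too few bytes for a stable estimate."""
    if path.suffix.lower() in HIGH_ENTROPY_OK:
        return False
    with path.open("rb") as fh:
        head = fh.read(SAMPLE_BYTES)
    if len(head) < 1024:
        return False
    return shannon_entropy(head) >= ENTROPY_THRESHOLD


def scan_tree(root: Path) -> dict:
    """Walk `root`; return scanned count, the suspicious relative paths and the
    share of scanned files that look encrypted. A sudden jump in that share
    across a user's documents is the signal a responder cares about."""
    scanned, suspicious = 0, []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            scanned += 1
            if looks_encrypted(p):
                suspicious.append(str(p.relative_to(root)))
    ratio = len(suspicious) / scanned if scanned else 0.0
    return {"scanned": scanned, "suspicious": sorted(suspicious), "ratio": ratio}


def pseudo_random(n: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic high-entropy bytes (SHA-256 chain) standing in for
    ciphertext in the sample tree; no real encryption is performed here."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:n])


def build_sample_tree() -> Path:
    """Constructed sample: two normal documents, two 'encrypted' ones with a
    made-up .locked extension, and one legitimately high-entropy archive."""
    root = Path(tempfile.mkdtemp(prefix="ransom-scan-"))
    (root / "notes.txt").write_bytes(b"Quarterly planning notes. " * 200)
    (root / "report.csv").write_bytes(b"id,name,amount\n1,alice,10\n" * 150)
    (root / "notes.txt.locked").write_bytes(pseudo_random(8192, b"a"))
    (root / "budget.xlsx.locked").write_bytes(pseudo_random(8192, b"b"))
    (root / "backup.zip").write_bytes(pseudo_random(8192, b"c"))
    return root


if __name__ == "__main__":
    # Expected: 5 scanned, the two .locked files flagged, ratio 0.4
    print(scan_tree(build_sample_tree()))
```

Run the scan against a known-good directory first to learn the baseline share of high-entropy files; the `.zip` in the sample shows why the extension allow-list matters, since archives and images are as random-looking as ciphertext.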
Now that you know how ransomware works, let's look at the options you have when your system is infected.
Step 3: Decide on your strategy
We described above how the first two categories of ransomware can be removed relatively easily.
File-encrypting programs are the most difficult to deal with. First, you need to identify the type of malware you are dealing with. Information can be hard to find for the newest programs, since new ones are written every day, but in most cases you will be able to recognize it with a little research.
Try to take screenshots of the ransom note and then use the image to do a reverse image search to identify the exact type of ransomware. You can also search for phrases exactly as they are written in the note.
Decide whether or not you want to pay the ransom. While paying cyber criminals is wrong, since it encourages them to continue, sometimes your data can be so sensitive or so important that you cannot afford to lose it. Use your judgment and do not pay unless it is absolutely necessary.
Of course, even in the worst case, you should know that there is no guarantee that you will recover your data even if you pay.
Step 4: Take action
If you can identify the details of the ransomware that has infected your computer, you will be able to find ways to remove it with a little internet research. Malware is not always flawless: the developer may have forgotten to remove the encryption key from the program, which makes it possible to recover and decrypt the files.
If the ransomware is well known and has several known weaknesses, you will be able to find instructions on the internet on how to remove it, so visit sites like nomoreransom.org.
Because many ransomware programs simply delete the original files after encrypting a copy, you may be able to recover them with file recovery software. When you delete a file, it is not actually removed from the disk until it is overwritten by another file, so the less the disk is written to after the attack, the better the chances. Recovery of important data is therefore possible using free recovery software.
If all else fails, get a second opinion from others. Then it comes down to paying the ransom or losing your data. But of course, even if you pay, nothing guarantees you get your data back. Only you can decide whether to rely on the good faith of those behind the ransomware attack.
You could also try to negotiate with the attackers using the email address on the ransom note. You would be surprised how often this succeeds.
If you decide not to pay the ransom, the next step is to clean your computer, but YOU WILL LOSE all your data forever. If you have a backup on an external drive, DO NOT connect it to your computer until you are sure the infected computer's disk has been fully formatted.
The best way to clean ransomware is to format the disk and reinstall the operating system from scratch. If you do not want to take such drastic action, make sure that the ransomware has not affected the boot sector; you will find information about this on the internet.
Next, update your antivirus and do a full scan of your system. It is also a good idea to supplement your antivirus with an anti-malware program for more complete protection. This should remove the ransomware for good.
Step 5: Summary
Now that you have got rid of the ransomware, it is time to find out why you were attacked. As the saying goes, "prevention is better than cure", and this applies to internet security more than to anything else. A defense is only as strong as the user who applies it: with proper protection in place, it is difficult for any malware to attack you.
Always be vigilant and always keep the following points in mind:
- Always have an up-to-date antivirus.
- Always check the URL of the website you are visiting.
- Do not run untrusted programs on your system. Things like cracked programs, serial-number generators, patches, etc. are the most common sources of malware.
- Do not allow untrusted sites to run executable content in your browser.
- Always keep your operating system up to date. Malware, including ransomware, often spreads through unpatched security vulnerabilities in older operating systems. A hacker, for example, could exploit a bug in the Windows RDP service to gain access to a system exposed to the public internet and run malware on it.