Ransomware is malware, sometimes mistakenly called a "virus" (a term that properly applies only to malware that duplicates and propagates itself), whose ultimate goal is to extract money from its victim. Infection usually starts with the download of malicious software hidden in the attachment of a booby-trapped email or behind a link. It can also spread through compromised web pages that attempt to exploit vulnerabilities in the visitor's system.
Once the ransomware is running on the victim's computer (or smartphone, in 20% of cases according to Kaspersky), it either locks the system or encrypts the personal files and folders on the machine so that they become unreadable. When its work is done, it shows the trapped user a way to unlock the computer or recover the files, usually by paying a ransom in exchange for the decryption key. Some variants pose as an authority: police, gendarmerie, FBI, anti-piracy agencies, etc. Other examples are discussed in the forum thread on ransomware.
The user is left with a choice between losing the files and paying the ransom. Payment, however, is no guarantee that the attacker will actually provide the means of recovery. It is therefore advisable not to pay and to try to recover files by other means.
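To make the "files become unreadable" point concrete, here is a small scanner that tells intact files from encrypted ones by the two signs ransomware leaves behind: a renamed extension, or a known file type whose header bytes have been overwritten by ciphertext (which looks random, so its entropy is close to 8 bits per byte). This is an added example written for this page, not a tool from the article or from Kaspersky; the extension list, the magic-number table, the 7.5-bit threshold and the sample directory it builds are all assumptions chosen for illustration. It is the kind of check you would run on a drive rescued from an infected machine to decide which files are still worth copying.

```python
import math
import random
import tempfile
from pathlib import Path

# Extensions some ransomware families append to the files they encrypt.
# Illustrative subset assumed for this example; real families use many more.
RANSOM_EXTENSIONS = {".locky", ".zepto", ".odin", ".wncry", ".wncryt", ".crypt", ".encrypted"}

# Expected leading bytes (magic numbers) of common file types. An intact file starts
# with them; a file that was encrypted in place no longer does.
MAGIC = {
    ".pdf": b"%PDF",
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
    ".zip": b"PK\x03\x04",
    ".png": b"\x89PNG",
    ".jpg": b"\xff\xd8\xff",
}

# Formats that are compressed by design and therefore look random even when intact;
# entropy alone cannot judge them, so they are reported as intact for a human to review.
COMPRESSED = {".mp4", ".mp3", ".7z", ".gz", ".rar"}

ENTROPY_THRESHOLD = 7.5  # bits per byte; English text is ~4.5, ciphertext ~7.9 and above


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for constant data, close to 8.0 for ciphertext."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify(path: Path, sample_size: int = 4096) -> str:
    """Label one file 'encrypted', 'suspicious' or 'intact' from its name and first bytes."""
    suffix = path.suffix.lower()
    if suffix in RANSOM_EXTENSIONS:
        return "encrypted"
    with path.open("rb") as f:
        head = f.read(sample_size)
    expected = MAGIC.get(suffix)
    if expected is not None:
        # Known type: trust the header check. This also handles zip-based formats
        # (docx, xlsx) whose body is legitimately high-entropy.
        return "intact" if head.startswith(expected) else "encrypted"
    if suffix in COMPRESSED:
        return "intact"
    return "suspicious" if shannon_entropy(head) > ENTROPY_THRESHOLD else "intact"


def scan(root: Path) -> dict:
    """Walk `root` and group files by label; paths are reported relative to `root`."""
    result = {"encrypted": [], "suspicious": [], "intact": []}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            result[classify(p)].append(p.relative_to(root).as_posix())
    return result


def build_sample_dir() -> Path:
    """Create a constructed sample folder mimicking a half-encrypted user directory."""
    root = Path(tempfile.mkdtemp(prefix="ransom-scan-"))
    rng = random.Random(7)  # deterministic stand-in for ciphertext
    (root / "notes.txt").write_bytes(b"Meeting notes: review the backup plan on Monday.\n" * 40)
    (root / "report.pdf").write_bytes(b"%PDF-1.4\n" + b"1 0 obj << /Type /Catalog >> endobj\n" * 50)
    (root / "report.pdf.locky").write_bytes(rng.randbytes(4096))  # renamed by the ransomware
    (root / "photo.jpg").write_bytes(rng.randbytes(4096))         # encrypted in place, name kept
    (root / "blob.bin").write_bytes(rng.randbytes(4096))          # unknown type, high entropy
    (root / "movie.mp4").write_bytes(rng.randbytes(4096))         # compressed media, cannot judge
    return root


if __name__ == "__main__":
    for label, files in scan(build_sample_dir()).items():
        print(f"{label}: {files}")
```

The header check is the reliable part; the entropy rule is only a hint, since archives, media and already-compressed documents are high-entropy when perfectly healthy. Treat "suspicious" as "open it and look", not as a verdict.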
How does the malware work?
Ransomware is somewhat special in that it must carry out several tasks to be effective. The first is probably the most important but the least technical: getting onto a victim's computer. In some cases, as in the Petya / NotPetya / PetrWrap attack, the attackers compromised the update mechanism of the accounting software MEDoc to get in, leaving victims no opportunity to prevent the infection since the malicious update came through a trusted channel.
More commonly, attackers break in by tricking the user with booby-trapped emails (phishing). The email either sends the user to an infected site or gets them to open a trapped attachment. Once on the computer, if the malware gets past the antivirus, it begins its work, sometimes first contacting a server to fetch the components it needs, typically including the encryption key.
How to protect yourself?
There are several ransomware families with names such as WannaCrypt (WannaCry), CryptoWall, CryptoLocker, Petya and Locky. The latter is particularly virulent according to the security vendor Kaspersky, which offers some tips to avoid falling into the trap.
1. Back up your files
This advice applies to ransomware but also to computing in general. Hard drives and other storage, like the systems themselves, are not infallible, so important data (photos, documents, etc.) should be duplicated in two different places at all times. Ideally, backups should be made regularly to a medium that is connected to the device only while the files are being copied (USB stick, external hard drive, online backup, etc.), because ransomware also encrypts any storage media attached to the infected device at the time of the attack. For online backup, choose a service that keeps previous versions of each file: a plain synced folder will otherwise simply replicate the encrypted copies over the good ones.
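The two properties that matter in that advice, "previous copies are never overwritten" and "you can tell whether a backup is still good", can be checked rather than hoped for. The script below is an added example written for this page (it is not a Kaspersky tool or anything from the article): each run creates a new write-once snapshot directory with a SHA-256 manifest, and returns the manifest's own digest so you can record it off the backup medium; `verify` then reports any file whose content has changed. The folder names, dates and file contents in `demo` are constructed for the demonstration. Nothing in software can enforce the "unplug it afterwards" rule; that part is still yours.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(source: Path, backup_root: Path, label: str) -> str:
    """Copy `source` into backup_root/label as a write-once snapshot and return the
    SHA-256 of its manifest. Record that digest somewhere off the backup medium."""
    dest = backup_root / label
    if dest.exists():
        # Never overwrite: an earlier snapshot may be the only clean copy left.
        raise FileExistsError(f"snapshot {label!r} already exists; snapshots are write-once")
    dest.mkdir(parents=True)
    manifest = {}
    for src in sorted(p for p in source.rglob("*") if p.is_file()):
        rel = src.relative_to(source).as_posix()
        target = dest / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, target)
        manifest[rel] = sha256_file(target)  # hash the copy, so a bad write is caught now
    manifest_path = dest / "MANIFEST.json"
    manifest_path.write_text(json.dumps(manifest, indent=1, sort_keys=True))
    return sha256_file(manifest_path)


def verify(backup_root: Path, label: str, manifest_digest: str) -> list:
    """Names of files that no longer match the snapshot's manifest ([] means intact).
    A missing or altered manifest is reported as a failure of the whole snapshot."""
    dest = backup_root / label
    manifest_path = dest / "MANIFEST.json"
    if not manifest_path.is_file() or sha256_file(manifest_path) != manifest_digest:
        return ["MANIFEST.json"]
    manifest = json.loads(manifest_path.read_text())
    return [rel for rel, digest in manifest.items()
            if not (dest / rel).is_file() or sha256_file(dest / rel) != digest]


def demo() -> dict:
    """Constructed walk-through: two daily snapshots, then a simulated ransomware
    overwriting one file on the still-connected backup drive."""
    work = Path(tempfile.mkdtemp(prefix="backup-demo-"))
    source, backups = work / "Documents", work / "usb-drive"
    (source / "thesis").mkdir(parents=True)
    (source / "thesis" / "chapter1.txt").write_text("Chapter 1: why backups matter\n")
    (source / "budget.csv").write_text("item,cost\nbackup disk,60\n")

    day1 = snapshot(source, backups, "2017-06-26")
    (source / "budget.csv").write_text("item,cost\nbackup disk,60\nsecond disk,60\n")
    day2 = snapshot(source, backups, "2017-06-27")
    clean = {"2017-06-26": verify(backups, "2017-06-26", day1),
             "2017-06-27": verify(backups, "2017-06-27", day2)}

    # Simulated ransomware reaching the drive: one file in the newest snapshot is overwritten.
    (backups / "2017-06-27" / "thesis" / "chapter1.txt").write_bytes(b"\x8f\x12" * 32)
    damaged = verify(backups, "2017-06-27", day2)
    untouched = verify(backups, "2017-06-26", day1)   # the older snapshot is still good

    try:
        snapshot(source, backups, "2017-06-26")        # reusing a label must be refused
        overwrite_refused = False
    except FileExistsError:
        overwrite_refused = True

    return {"clean": clean, "damaged": damaged, "untouched": untouched,
            "overwrite_refused": overwrite_refused,
            "bad_digest": verify(backups, "2017-06-26", "0" * 64)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Keeping the manifest digest outside the backup (a note on paper, a line in a password manager) is what makes `verify` trustworthy: ransomware that encrypts the drive encrypts the manifest too, and without the independent digest you could not tell a rewritten manifest from a genuine one.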
2. Update your system and software
Ransomware, like malware more generally, uses flaws in software or operating systems as its gateway. That is what allowed the WannaCrypt attack to spread: it exploited a Windows SMB vulnerability for which a patch had been available for two months. Keep Windows, macOS, Android, iOS or any other system up to date, and check regularly that you are running the latest version of the software you use, browsers included. Finally, some operating systems and applications are no longer supported and no longer receive security updates; this is notably the case for Windows XP, which should no longer be used.
3. Be extra careful with attachments
Email attachments have become an indispensable way of exchanging files, but they are also one of the channels attackers use to spread malware. As the Locky case showed, an attachment presented as an invoice can carry malware (Locky arrived as a Word document asking the reader to enable macros, and later as a script inside a zip archive), so avoid opening or running attachments if you have any doubt about the purpose of the message, and never enable macros or "content" because a document asks you to. If you are unsure whether a message is legitimate, ask the sender to confirm it through another channel.
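The warning signs in that paragraph are mechanical enough to check before a file is opened. The triage function below is an added example written for this page, not a tool from the article or from any vendor; the extension lists are an illustrative subset, the reason codes are its own, and the sample attachments it builds are harmless constructed stand-ins (a fake executable, a zip containing a script, a macro-enabled document built from scratch). It flags the three Locky-style tricks: a double extension that hides an executable, a script inside a zip, and an Office document that embeds a VBA project.

```python
import io
import zipfile

# File types Windows runs directly when double-clicked (illustrative subset assumed here).
EXECUTABLE = {"exe", "scr", "pif", "com", "bat", "cmd", "js", "jse", "vbs", "vbe",
              "wsf", "hta", "ps1", "lnk", "msi", "jar"}
# Zip-based Office formats; any of them can carry a VBA project.
OOXML = {"docx", "docm", "dotm", "xlsx", "xlsm", "pptx", "pptm"}
# Legacy binary Office formats (OLE2 container); macros cannot be ruled out cheaply.
LEGACY_OFFICE = {"doc", "xls", "ppt"}
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def extensions(filename: str) -> list:
    """All extensions after the base name, lower-cased: 'Invoice.PDF.exe' -> ['pdf', 'exe']."""
    return filename.lower().split(".")[1:]


def zip_names(data: bytes):
    """Member names of a zip held in memory, or None if the bytes are not a valid zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return z.namelist()
    except zipfile.BadZipFile:
        return None


def triage(filename: str, data: bytes) -> list:
    """Reason codes explaining why an attachment is risky; [] means nothing obvious."""
    reasons = []
    exts = extensions(filename)
    if not exts:
        return reasons
    last = exts[-1]

    if last in EXECUTABLE:
        # "invoice.pdf.exe" displays as "invoice.pdf" when Explorer hides known extensions.
        reasons.append("double-extension" if len(exts) > 1 else "executable")

    if last in OOXML:
        names = zip_names(data)
        if names is not None and any(n.lower().endswith("vbaproject.bin") for n in names):
            reasons.append("macros")  # the document embeds VBA code

    if last in LEGACY_OFFICE and data.startswith(OLE2_MAGIC):
        reasons.append("legacy-office")  # needs a real macro scanner (e.g. oletools) first

    if last == "zip":
        names = zip_names(data)
        if names is None:
            reasons.append("bad-archive")
        else:
            members = (extensions(n.rsplit("/", 1)[-1]) for n in names)
            if any(e and e[-1] in EXECUTABLE for e in members):
                reasons.append("archive-executable")
    return reasons


def _zip(members: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, content in members.items():
            z.writestr(name, content)
    return buf.getvalue()


def build_samples() -> dict:
    """Constructed attachments for the demo (not real malware): only the names and the
    container structure matter to the checks above."""
    minimal_docx = {"[Content_Types].xml": "<Types/>", "word/document.xml": "<w:document/>"}
    return {
        "invoice.pdf.exe": b"MZ" + b"\x00" * 64,                                 # executable in PDF disguise
        "invoice.docm": _zip({**minimal_docx, "word/vbaProject.bin": b"\x00"}),  # macro-enabled document
        "report.docx": _zip(minimal_docx),                                       # plain document, no VBA
        "invoice.doc": OLE2_MAGIC + b"\x00" * 64,                                # legacy binary Word file
        "invoice.zip": _zip({"invoice.js": "var x = 1;"}),                       # script inside a zip
        "invoice.pdf": b"%PDF-1.4\n",
    }


if __name__ == "__main__":
    for name, data in build_samples().items():
        print(f"{name:18} -> {triage(name, data) or 'no obvious risk'}")
```

An empty result is "nothing obvious", not "safe": a genuine PDF can still carry an exploit, and the legacy `.doc` case is deliberately reported for a deeper scan rather than declared clean, because the binary format cannot be judged by file name alone.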
4. Use an updated antivirus
Malware, viruses and similar threats evolve constantly, which is why many variants of a single ransomware exist. Keeping the antivirus updated ensures that the latest malware signatures are installed and that it can recognise them. Be careful though: a downloaded file that the antivirus does not flag is not necessarily safe.
In case of infection, what to do?
5. Do not pay
It is tempting to pay if you can afford to give in to the blackmail, but it is a bad idea. First, nothing guarantees that the attackers will provide the key that decrypts your files or unlocks your computer. Second, paying funds and encourages this type of attack, and it may well happen again to you or to the people around you.
6. Stop the spread
As soon as you become aware of the infection, disconnect any external drives that are still intact to prevent their files from being encrypted, and isolate the computer from the network so the malware cannot spread to other machines. The simplest approach is to unplug the network cable or disable Wi-Fi and turn the computer off. Before doing so, photograph the ransom screen if one is displayed: the note and the extension added to the files are what identify the ransomware family later.
7. Disinfect the computer
If you turned the computer off before all the files were encrypted, boot it from a live CD or USB stick (an Ubuntu live image, for example) and copy the files that are still intact to an external drive or USB stick that has not been exposed to the infection. Then use a bootable rescue disk such as those offered by antivirus vendors (Comodo or Bitdefender, for example) to try to disinfect the computer. If the infection does not block the computer and it still runs and has internet access, look for a disinfection tool, asking for help in the disinfection forum if necessary.
8. Find your files
Software publishers and security researchers have developed decryption tools and obtained the encryption keys for some ransomware families. Check first by searching the internet and asking for advice on the forums. If no solution exists, you can try to recover some files from temporary files, from Windows shadow copies (when the ransomware has not deleted them) or with specialised data-recovery software: Locky solutions and other ransomware (recovery of some files)