Ransomware 101: FAQ for computer users and smartphone owners

What is ransomware?
Ransomware is the generic term for any malicious software that, as its name suggests, demands a ransom be paid by the computer’s user.

Why would you want to pay a ransom?
Because the ransomware has done something unpleasant to your computer, and potentially to your data.

For instance, it might have encrypted your documents and demanded that you pay a ransom to unlock access to them. This type of ransomware is known as a filecoder.

The most notorious filecoder is Cryptolocker. (Numerous versions of this are detected by ESET antivirus products as Win32/Filecoder).

How would my computer get infected by ransomware like Cryptolocker?
A typical method of infection would be to open an unsolicited email attachment or click on a link claiming to come from your bank or a delivery company.

There have also been versions of Cryptolocker seen which have been distributed via peer-to-peer files-sharing networks, posing as activation keys for popular software like Adobe Photoshop and Microsoft Office.

If your computer becomes infected, Cryptolocker hunts for a wide range of file types to encrypt – and once its dirty work has been done, displays a message demanding you electronically transfer the cash to have the files decrypted.

Cryptolocker

In some cases, the lockscreen may even include a live feed of what your computer’s webcam is currently looking at.

webcam

It is unnerving to unexpectedly see yourself sitting in front of your computer, and might help to trick less technical users into believing that they really are being observed by the authorities.

I’ve also heard of scareware. What’s that?
Scareware is software that tries to scare you into taking a particular course of action.

Most commonly, scareware will pretend to be an anti-virus product that displays a warning of security issues on your computer or smartphone in an attempt to trick you into paying the scammers or downloading further dangerous code from the net.

In some cases the fake anti-virus might actually present itself with the name of a genuine security firm, in an attempt to increase the number of people who are duped into making a bad decision.

Scareware for the Mac

Like ransomware, scareware can be written for any operating system. Ironically, some instances of fake anti-virus scareware have had more impressive user interfaces than the legitimate products they are attempting to ape!

In a sinister development, some scareware – if unsuccessful frightening you into making an unwise purchase – might resort to ransomware tactics to demand money with more obvious menace.

What happens if, after my computer gets hit by ransomware, I don’t pay up?
In the case of many ransomware attacks there is a deadline for payment – and if you don’t pay up in time you could permanently lose access to your files.

Is file-encrypting ransomware the only kind of ransomware?
No, there is also lockscreen ransomware. That’s a type of ransomware that locks your computer, preventing you from doing anything with it until a ransom has been paid.

Lockscreen malware might use underhand psychological tricks to hurry you into paying.

For instance, sometimes the lockscreen message might pretend to come from your country’s police force, and claim that the authorities are demanding you pay a fine because images of child abuse, zoophilia, or evidence of visiting illegal websites and pirated software has been found on your computer.

Reveton ransomware

One of the most commonly encountered families of ransomware that locks users’ computers while posing as a message from the authorities is Reveton.

And do people actually pay the ransom?
Yes, in many cases they do.

Imagine if you didn’t have a verified backup from which you can restore your sensitive or company files. You might very well think it is worth spending a few hundred dollars to regain access to your data.

Corporate users may not care as much about lockscreen malware (after all, they hopefully have backups and access to other hardware), but it’s easy to imagine how home users could be scared by the fake police threats or the mention of child abuse images into paying the ransom rather than taking their computer to their local computer repair shop.

So does paying the ransom decrypt your data?
Yes, generally it does restore access your data If you think about it, that’s good business sense by the criminals. If word got around that the attackers don’t keep their side of the bargain, nobody would ever pay the ransom.

However, paying the ransom doesn’t mean that you’re safe and out of the woods. The criminals might leave malware on your computer, and now know that you are the kind of person who is prepared to pay hard cash to regain access to their computer or data. In short, you could be targeted again in the future.

So if I am a victim of ransomware, should I pay the ransom?
We wouldn’t recommend it. Remember, there is nothing to stop the criminals behind the attack from demanding more money from you. If you pay the ransom you are helping create a new market for online criminals, which might lead to more ransomware and other cybercriminal attacks in future.

Instead, learn from the lesson by putting better protection in place and ensure that you have a proper backup regime to recover your essential files should you be unlucky enough to be hit again.

Can’t my antivirus simply remove a ransomware infection?
Yes, in most cases good security software should be able to remove ransomware from your computer. But that isn’t the end of your problems.

Because, if the ransomware which infected your computer was a filecoder your files are still encrypted. Security software might be able to decrypt your sensitive information if a simple filecoder was used in the attack, but files hit by a more sophisticated example of ransomware like Cryptolocker are impossible to decrypt without the right key.

Prevention is the best medicine.

So, filecoders which encrypt your sensitive files are worse than Lockscreen malware?
Yes, in most situations file-encrypting ransomware is probably harder to recover from than other forms of ransomware. However, if you have a backup that wasn’t impacted by the attack it shouldn’t be too difficult to be up and running again quickly.

Frankly, the worst malware is the one that has infected *your* computer!

Is filecoder ransomware on the rise?
You have probably guessed the answer to this one.

Yes, there is more and more file-encrypting malware seen by ESET researchers all the time – and has been a steady rise over the last year.

Growth in Filecoder prevalence since July 2013

Growth in Filecoder prevalence since July 2013

What operating systems have been hit by ransomware attacks?
Android ransomwareIn theory, there’s nothing stopping online criminals from writing ransomware for any operating system – but the majority of the attacks have targeted Windows users. Cryptolocker, for instance, has only been seen for the Windows platform.

However, ESET researchers recently detected Android/Simplocker, the first file-encrypting Trojan to demand a ransom from Android users via a control centre hidden on the anonymized Tor Network.

Clearly things are getting more sophisticated in the world of ransomware, even on smartphones.

So smartphones could be at risk too?
Correct. Of course, the malware threat is much smaller on even jailbroken iOS devices than it is on Android.

We Live Security’s Rob Waugh has put together a great guide about how to keep your Android device safe from ransomware.

Where can I learn more about ransomware?
Further reading:

Podcasts:

  • Listen to this five minute podcast by ESET expert Aryeh Goretsky, where he even sheds light on the AIDS Information Trojan seen in 1989, probably the very earliest example of ransomware.

Author Graham Cluley, We Live Security

  • Guest

    I was a victim, I installed Malwarebytes and it removed the ransomware. Good anti-virus and common sense help too.

  • John

    Not a great idea, Quinn. You likely lost whatever it encrypted. Cryptolocker and the like are not your average piece of Malware.

    • Quinn

      It “locked” my web browser, it didn’t encrypt anything since it was Lockscreen malware, so I used Malwarebytes to remove it. Fix it no problem, nothing lost.

  • Kiriakopoulos Christos

    Magic words: backup, format, NOD32.

Follow Us

Sign up to our newsletter

The latest security news direct to your inbox

26 articles related to:
Hot Topic
ESET Virus Radar

Archives

Select month
Copyright © 2014 ESET, All Rights Reserved.