If your files are encrypted by ransomware, should you pay the ransom? We examine the options…
Ransomware is a growing threat, threatening to take over your machine, encrypt your files and demand payment in exchange for their safe return. But, as we explore below, paying the ransom is rarely the solution.
What is ransomware?
Ransomware is a type of malware, or malicious software, which has exploded in notoriety in recent years.
The malware is often installed on your machine via a phishing email or a drive-by-download on a compromised website, and a short time later a pop-up message will appear on screen telling the user to pay a ransom (in some cases as much as $300) in order to ‘unlock’ their stolen documents.
Fortunately, the severity of ransomware varies considerably. At the lower-end, most variants simply bombard the user with ‘scareware’ pop-up messages, telling them to pay up to restore normal service. However, these variants haven’t actually encrypted any files.
That said, there are other versions which block access to the start screen, while ‘filecoders’, like CryptoLocker, will encrypt documents stored on the system’s hard drive.
These warning messages typically claim to be from law enforcement agencies, warning of illegal activities or content. They may alternatively claim that the system’s operating system is a forfeit, or pretend to be an anti-virus solution that has identified an infection.
To date, the most prolific variants of ransomware been CryptoLocker, TorrentLocker, Reveton and CryptoWall although newer versions like CryptoFortress, CoinVault and others have emerged in recent months, sporting newer tactics like making emails appear quarantined and running operations through the Tor or Invisible Internet Project (I2P) anonymizing networks. As ESET found with Virlock, ransomware is increasingly polymorphic, which makes it harder to detect and remove.
Ransomware, described by one malware analyst as a “polished and finished product for the bad guys”, is so widespread now that it’s a big concern for businesses. One study earlier this year found that ransomware had a bigger impact on organizations than widely-publicized advanced persistent threat (APT) attacks.
What you should do
Paying for the ransom is a dangerous option. For starters, there is no guarantee your files will be returned or that the malware has been removed. Will the hacker exploit you again in six months’ time? The truth is you don’t know.
Instead, information security professionals recommend a few useful tips, such as regularly backing up your data and ensuring your computer is running the latest software and anti-virus (ESET protects against CryptoLocker, Cryptowall, CTB locker and many other types of ransomware).
If you do get infected, and haven’t followed the advice above, all is not lost; your best bet is contacting an IT professional although there are free decryption tools online, and ways you can remove the malware via the operating system.
For less sophisticated ransomware that hasn’t encrypted files, you can enter Windows Safe Mode and run an on-demand virus scanner to hopefully remove the malware. Alternatively, you could try and do the same by logging onto the computer from another user account (hopefully bypassing the malware on the start screen), or by accessing the infected PC from a ‘clean’ PC on the same network.
If you can’t get onto the home screen, another option is System Restore, which will restore system files and programs to a state they were in previously. To do this, shut down your computer, reboot and hit the F8 key continuously to enter advanced boot options. You should see an option to repair your computer.
ESET security expert and Editor in Chief of We Live Security says users shouldn’t pay for the following reasons: “If you pay, you will support cybercrime activities by funding them with money; you don’t have any guarantee that your information is going to be decrypted again. Remember, this is not a service, they are cybercriminals. [And] even if you pay, you are not going to be ‘whitelisted’ so you could get infected again so it’s not a real solution for the future either. Prevention is the most important tool against Ransomware, since the infection can be usually cleaned afterwards but not always the information restored.”
Labaca Castro recommends using a security solution to prevent computer getting infected, frequently back-up information so it is somewhere safe and recover it easily, and avoid opening attached files in emails from unknown senders. Additionally, ESET also offers a decryptor for specific variants from Simplocker to recover your information.