What is ransomware?

15 May 2017

You might have seen a few headlines over the weekend about what's being called "the biggest ransomware outbreak in history". A virus - known as WannaCrypt or WannaCry - infected over 200,000 machines across 150 countries. It crippled computer systems in British hospitals, German railways, and has now spread to Australia, locking users out of their files unless they pay a ransom. Fortunately, protecting yourself against it is easier than you might expect.

So what is ransomware?

Ransomware is an increasingly popular form of malware that locks you out of your computer or smartphone and prevents you from accessing your files, unless you pay the ransom.

Ransomware can vary in severity: some simply lock you out of your computer and prevent you from logging in, some encrypt individual files and prevent you from accessing them, and some will target your "master boot record" which will stop your computer from loading your operating system.

Some ransomware strains will also attack your external drivers, which will then distribute it to other computers.

Ransomware has grown in popularity as it's one of the easiest ways to monetise cyber-crime. While a virus or trojan may hide away in the background of your computer, waiting for you to enter credit card numbers or passwords, ransomware immediately demands money.

In some instances, ransomware display a timer at which point the ransom will increase or threaten to permanently delete files, in order to put further pressure upon you. A key objective of ransomware is fear.

According to the latest Symantec Internet Security Threat report, the average ransomware demand was USD$1,077 for 2016, up from USD$294 in 2015. Cyber-criminals will typically demand payment in Bitcoin, a digital cryptocurrency. Since Bitcoin payment addresses are not explicitly linked to owners, the currency is a popular choice for illicit online activity.

While ransomware predominantly targets PCs, mobile ransomware has become more prevalent, especially on Android. However, most ransomware that targets Android devices requires you to manually change security settings to allow the installation of non-Play Store apps. In general, there is very little reason to install an app that isn’t from the Google Play Store, so don't change these settings. 

What is WannaCrypt?

WannaCrypt - also known as WannaCry - is the hot new ransomware that's been making headlines. At time of writing, it's infected over 200,000 machines across 150 countries. WannaCrypt is notable, as it doesn't just infect the computer it is run on, but can automatically spread to other computers on the same network.

The ransomware only targets Windows machines, and exploits a recently patched vulnerability. Windows 10 machines don't contain this vulnerability, and as such, WannaCrypt won't spread over a network to these devices. Windows 8.1, Windows 7, and Windows Vista are all vulnerable to network infection. The security update that prevents this is MS17-010. In general, it is best to leave automatic security updates on for these devices, especially for home users.

In the case of Windows XP and Windows 8 - which are both no longer receiving regular updates - Microsoft has released a standalone patch that address the vulnerability. You can find it here.

If your Windows security is not up to date, it's best to not connect your machine to any public or unfamiliar networks until you've run the updates.

How do you get infected?

Speaking more generally, ransomware typically tries to trick you into installing it. It can spread via dodgy links online (where you're offered free access to something if you download a specific file), links in an email, or even attachments. Symantec found that one in 131 emails sent in 2016 contained a malicious link or file.

In many cases, these emails purport to be from a government agency, bank, or from an online service like Netflix. They'll typically use fear to get you to click on a link or install a file, something along the lines of chasing up a non-existent fine, an alert about someone accessing your account, or even just an overdue bill.

Cyber-criminals can also use publicly available information about you to create more targeted messages that you actually might be expecting from a friend, individual, colleague, employer, or service provider, which can increase the chance of you actually installing the software.

Traditional internet security software won't always detect these due to the vast number of attackers running individual schemes. Your typical antivirus solution needs to know what to look for to prevent infection, but this won't do much if malware is too new, too obscure, or written in a way where it can modify itself to avoid detection.

Modern security software can use behavioural analysis and sandboxing to try and catch ransomware. In the case of behavioural analysis, security software looks for suspicious activity happening on your computer, such as files being encrypted. If spotted, the software will attempt to stop the malicious activity. Where behavioural analysis looks to stop suspicious activity in progress, sandboxing acts more like a quarantine, and first views new or suspicious software in an isolated environment commonly called a "sandbox" where it can't affect the rest of the system. 

Of course, security software isn't always a silver bullet, and malware can fall through the cracks.

What do you do if you get infected?

If your device gets infected by ransomware, in most cases, you shouldn't pay the ransom. There may be some circumstances where this is your only choice, but this should only be your final resort. Paying a cyber-criminal will only further encourage this kind of behaviour, and there's no guarantee of regaining access to your files.

An online tool called Crypto Sheriff can be used to check if ransomware afflicting your computer has been solved, and if it has, will provide you with a link to a decryption tool. To use it, you'll need to upload an encrypted file from your computer, or any email or website address you see in the ransom demand.

In some cases, data recovery professionals can help you regain access to your files, but the process isn't cheap. You could end up spending a large chunk of change to find out that recovery isn't possible, and if it is, it could even cost more than paying the ransom.

If you've got a recent external backup of any important documents, or you use cloud storage solutions to decentralising your files, the best option is to factory reset your computer and restore from your backup.

How do you prevent yourself from getting infected?

The best way to prevent a ransomware attack is following our golden rule of online security: don't install files or open attachments from senders you don't recognise. If you get a suss email from someone you don't know, don't open it. And definitely don't open any attachments that came with it; even safe sounding files - like Word documents - can house exploits that can attack your computer.

Certain viruses can also hijack other people's email and chat accounts, so if you get a weird sounding message from a friend with an unexpected attachment, there's a good chance it's not from them.

You also need to be careful of scams: if you get an odd email from a government agency, service provider, or bank, there's a good chance it's not from them. These will often come from emails that seem similar enough - aple.co, rather than apple.com, for example - which can give them away.

On a similar note, don't install files from dodgy websites. If you're on a torrent site and you're asked to download an extra program to access the game, porn, or movie you're trying to pirate, it's not legit! If there's an ad that says your computer is infected, it’s lying!

You should also make sure your software is up to date, regardless of whether it's your operating system or iTunes. In the case of WannaCrypt, it used a recently fixed vulnerability in Windows to spread to other machines across a network. If you've got the update installed, your computer can't catch WannaCrypt over a network. 

And while it won't prevent you from getting infected by ransomware, keeping regular backups on external drivers or on cloud storage solutions can effectively mitigate the effect of an attack. If you've always got a recent backup, you can restore your computer from it, rather than paying the ransom to get your files back.

If possible, the best approach to backups is to have two external drives for the sake of redundancy. While this might sound like overkill, it also means you can keep one offsite (like at your office, for example).

For more tips on staying safe online, read our guide here.

Fully l33t hacker image from ShutterStock.

Broadband Deals

Special Offer Pricing for 6 months!

Special Offer Pricing for 6 months!

Get amaysim nbn 12 Mbps for $40/month & 25 Mbps for $60/month. The first six month’s service are at a discounted rate. Hurry offer ends 30.11.17

Bonus Deals with Telstra Mobile Broadband

Bonus Deals with Telstra Mobile Broadband

Telstra Mobile Broadband plans include a range of deals such as bonus Foxtel Pack subscriptions, unlimited Telstra Air Data & Bonus Data

Unlimited Netflix Streaming

Unlimited Netflix Streaming

Teleron's Basic nbn plan includes unlimited Netflix streaming & data-free iTunes downloads until 30 Nov. New customers only, T&Cs apply

$70 credit with 18 month contracts

$70 credit with 18 month contracts

SpinTel's 18 month nbn™ broabdband plans now include a $70 credit which will appear on your first invoice...