What is ransomware?

Ransomware is malicious software that secretly encrypts the files on your PC to try to force you to pay the ransomer it order to obtain the decryption key needed to regain access to your digital life.

While large corporate and government organisations have been the most famous targets of ransomware attacks, they also affect private individuals. In 2021, ransomware cost businesses an estimated $20 billion in 2020.

Ransomware is frequently spread through malicious and sometimes highly targeted email attachments and links, as well as malicious ads that download malware when you interact with them, drive-by downloads that automatically download the payload, and across local networks where an infection has taken hold. Malicious ads and drive-by downloads can appear on otherwise legitimate sites.

Many notorious attacks, such as those by the Conti group, have stolen data before encrypting it, leading to private data being released online. Other ransomware attacks lie about the decryption aspect, leaving those who pay the ransom with inoperable computers.

While Windows remains the most popular target, attacks have also affected macOS and Linux systems. Ransomware even exists for mobile devices and embedded systems.

A brief history of encrypting ransomware

Ransomware hasn’t always used the challenging asymmetric full-file encryption we see today. The first recorded ransomware attack, created in 1989 and intended to disrupt the work of AIDS researchers, encrypted file names to prevent them from being accessed, making the system unusable unless a $189 decryption key was purchased from the malware’s creator.

In 2005, a family of viruses known as PGPCoder or GPCode emerged, trojan horses that encrypted all the document and archive files it could find, leaving a text file containing instructions for paying a ransom via online gold trading sites to get the decryption key.

Researchers at Kasperksy were able to identify GPCode’s creator based on their IP address. The malware creator actually contacted the antivirus firm and tried to sell them a tool to decrypt the PGPCoder malware. Kaspersky obviously refused and, after investigating the systems of multiple victims to resolve proxied IP addresses the malware used to phone home, pinpointed the perpetrator’s location. To this day it’s not clear whether police ever acted on the information Kaspersky provided. The last known version of GPCode was released in 2010.

As new payment methods became popular, ransomware developers embraced them. In the 2010s, the WinLock malware family used premium-rate SMS messages to extract cheap-by-modern-standards ransoms of around £10.

The popularisation of crypocurrencies, particularly Bitcoin, created in 2008, gave criminals a relatively hard-to-trace method of receiving ransomware payments, and now the majority of attacks demand payment via cryptocurrency.

Perhaps the most famous ransomware was 2017’s Wannacry, used in a vast attack that affected some 200,000 computers worldwide, according to Europol, until a kill switch was discovered by British security researcher Marcus “MalwareTech” Hutchins.

We currently see hundreds of ransomware attacks every year, and there’s little sign of the trend abating.

Non-encrypting ransomware

Ransomware is scary stuff, and some criminals try to use the threat of locking your PC, reporting your to the authorities, or destroying your most precious files to extract a ransom without actually doing anything.

Reveton, the “police virus” that claimed your system had been locked by local authorities until a “fine” was paid actually just used a registry key to lock up your system. The gang responsible for that one was caught by Europol in 2013, but not before having scammed vulnerable users out over over €1 million a year.

Just last week, a colleague in IT security saw a new, but very old-school in-browser “screen locker” attack that seized window focus and instructed the user to call “Microsoft” for assistance, which would obviously lead into a fraudulent and expensive “computer repair”. The message threatened dire consequences for rebooting… which is hardly surprising, given that rebooting and clearing all open browser tabs was all that was needed to do to get rid of that particular irritant. To make sure the screen locker wouldn’t return, the system was thoroughly virus scanned using both bootable and installed anti-malware tools, and its registry and startup applications were checked.

What to do with suspected encrypting ransomware?

If you suspect that you’ve been infected by ransomware but not everything has been fully encrypted yet, immediately shut down or turn off your computer. Rebooting is unlikely to prevent your data from being encrypted, as the encryption process will restart with your PC. Scan the drive for malware without booting the OS, for example by using a rescue disk.

If the rescue disk can identify the ransomware, but not decrypt the files that it’s locked, all is not lost. Ransomware is constantly being analysed by security security specialists. You first ports of call should be Emisoft, which specialises in creating decryptors, and Europol’s No More Ransom, which will help you identify your ransomware and find a decryptor for it.

If you have to boot the system, disconnect it from all wired and wireless networks. This can prevent the ransomware from encrypting network drives, stop it from spreading to other deivces of the network, help prevent copies of your personal files from being stolen, and block secondary activites of the malware, such as using your PC for cryptocurrency mining.

If your system disk has already been fully encrypted, and you can’t decrypt it, you’re left with two choices. If the hard disk contained genuinely important or irreplaceable files, you can remove it, label it, store it somewhere safe, and keep an eye out for the release of a decryptor. These might be reverse engineered, released by ransomware groups when they cease business, or even stolen and released by security researchers working against the malware creators, as in the case of March 2022’s Conti leak.

If you’ve been keeping backups, by far the best and quickest way to deal with a ransomware-infested PC is reinstall the operating system and restore your data from backups.

If you’re in the UK, report the attack to the National Cyber Security Centre.

Don’t pay the ransom. Your money will prop up organised crime and there’s no guarantee that you’ll ever get a functional decryptor.

How to protect against ransomware?

• Make sure your antivirus software, such as Microsoft Defender, is up-to-date.
• Enable ransomware protection in Windows’ security settings.
• Make sure you keep backups in at least two places, one of which is kept off-site (out of the house, for home users). Cloud backup and sync services are ideal for this.
• Don’t leave your local backup disk plugged into your PC, or its contents could be encrypted, too.
• Use version control in your backup software to ensure that, even if you accidentally back up files after they’ve been encrypted, an older version will be available to download.