17 November 2016

Ransomware – the dangers of the kidnapping Malware

Ransomware? Many people have probably never heard of the phenomenon. But they should, because ransomware is one of the most devious and mean techniques cybercriminals use. It is malware that shuts users out of their own computers. It encrypts data or blocks access to the device completely. Only those willing to pay the amount of money demanded by the extortionist have a chance of ever getting their valuable documents and precious family photos back.
But it is not only private individuals who suffer from this spreading computer plague. Businesses are affected as well, including law firms. For them ransomware can be especially dangerous, even fatal, because law firms keep very personal and confidential information about their clients on their computers, which must be accessible at all times and above all must never be published. A breach could cause irreparable harm to the client as well as to the reputation of the law firm. It is therefore very important to protect yourself against ransomware attacks.

Definition
Ransomware is a harmful program that blocks your computer, tablet or smartphone, or encrypts your data, and then demands a ransom for their safe return. Basically there are two forms of ransomware.

The first type are encryptors ("Encoders"), which encrypt data so that nobody can access it any more. To decrypt the data you need the key with which it was encrypted in the first place, and that is what you pay the ransom for.

The second type are blockers; they lock the whole computer or another device and make it unusable. Blockers are not as bad as encryptors, because the victim's chances of regaining access to a locked device are better than the chances of recovering encrypted data.

How high is the ransom usually?
There is no "usually". A few ransomware authors demand only $70. Others demand thousands of dollars. Companies and other large organisations, which are usually infected via spear phishing, tend to receive higher ransom demands.
But keep in mind that paying the hackers does not guarantee the safe return of your data.

Can I decode encrypted data without paying ransom?
Sometimes. Most ransomware authors use strong encryption algorithms, so trying to decrypt the data without the right key can take years.
Sometimes the criminals who carry out the ransomware attack make mistakes. Law enforcement can then seize the servers that hold the encryption keys. If that happens, a decryption tool can be developed.

How do you pay the ransom?

Usually the ransom is paid in a cryptocurrency such as Bitcoin. This electronic currency cannot be tampered with. Everyone can inspect the transaction history, but it is not easy to trace the owner of a "wallet". That is why cybercriminals prefer Bitcoin: it improves their chances of not being caught.
Some ransomware authors use anonymous online money exchanges or even mobile payment. The most surprising payment method observed so far was $50 iTunes gift cards.

How does the Ransomware get on my Computer?
The most common delivery channel is email. Ransomware can pose as an important or useful attachment (an urgent invoice, an interesting article, a free app). As soon as you open the attachment, your computer is infected.
Ransomware can also invade your system while you are simply browsing the web. The attackers look for weak spots in the system software, the browser or apps in order to take control of your computer. It is therefore very important to keep the computer's software and operating system constantly up to date.
Some ransomware programs can even spread across local networks. If such malware infects one device in your home or business network, every other device in that network can be infected as well. But that is a rare occurrence.
Of course there are also infection scenarios that are predictable: you download a torrent, install a plugin... and there you go.

Which data type is the most dangerous?
The most suspicious files are executables (such as EXE or SCR) together with Visual Basic scripts and JavaScript (.VBS and .JS extensions). Usually they are packed into ZIP or RAR archives to hide their harmful nature.
Another dangerous file category is MS Office documents (DOC, DOCX, XLS, XLSX, PPT, etc.). They can contain dangerous macros; if a Word document asks you to enable macros, you had better think twice.
Be careful with shortcut files (.LNK extension), too. Windows can display them with any icon, combined with a seemingly innocent file name, and they can get you into big trouble.
Please note: Windows opens files with known extensions without informing the user and hides those extensions in Windows Explorer by default. So if you see a document with a name like "Important_info.txt", it could actually be "Important_info.txt.exe", a malware installer. Improve your safety by configuring Windows to display file extensions.
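The following PowerShell function is an added example and not part of the original article: it classifies an attachment's file name according to the risk categories listed above (executables, scripts, shortcuts, archives, Office documents) and flags the hidden double-extension trick. The group names, the function name and the sample file names are constructed for illustration; the extension lists are the ones named in the article.

```powershell
# Added example, not from the original article: classify an attachment's file name
# by the risk categories listed above. Group names and sample file names are
# constructed for illustration.
function Get-AttachmentRisk {
    param([Parameter(Mandatory)][string]$Name)

    # Extension groups the article describes (compared case-insensitively)
    $executable = '.exe', '.scr'
    $script     = '.vbs', '.js'
    $shortcut   = '.lnk'
    $archive    = '.zip', '.rar'
    $office     = '.doc', '.docx', '.xls', '.xlsx', '.ppt', '.pptx'

    $parts = $Name.Split('.')
    if ($parts.Count -lt 2) {
        return [pscustomobject]@{ Name = $Name; Risk = 'LOW: no extension' }
    }

    # Explorer hides only the LAST extension, so judge the file by that one and
    # remember what the user would see with extensions hidden.
    $last      = ('.' + $parts[-1]).ToLowerInvariant()
    $shownName = $parts[0..($parts.Count - 2)] -join '.'
    $hasDouble = $parts.Count -gt 2            # heuristic, e.g. "Important_info.txt.exe"

    if     ($executable -contains $last) { $risk = 'HIGH: executable' }
    elseif ($script     -contains $last) { $risk = 'HIGH: script' }
    elseif ($shortcut   -contains $last) { $risk = 'HIGH: shortcut (.lnk)' }
    elseif ($archive    -contains $last) { $risk = 'MEDIUM: archive, may hide an executable' }
    elseif ($office     -contains $last) { $risk = 'MEDIUM: Office document, check for macros' }
    else                                 { $risk = 'LOW' }

    if ($hasDouble -and $risk -ne 'LOW') {
        $risk += " (double extension; appears as '$shownName' when extensions are hidden)"
    }
    [pscustomobject]@{ Name = $Name; Risk = $risk }
}

# Constructed sample attachment names
$samples = 'invoice.pdf', 'Important_info.txt.exe', 'article.docx',
           'free_app.zip', 'report.vbs', 'holiday.jpg.lnk'
$samples | ForEach-Object { Get-AttachmentRisk -Name $_ } | Format-Table -AutoSize
```

The classification looks only at the final extension, because that is the one Windows acts on when a file is opened; everything before it is just part of the name. Archives are rated medium rather than high because the danger lies in what is inside them, which this check cannot see; a real mail filter would inspect the archive's contents.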

Can I avoid infections by staying away from suspicious Websites or attachments?
Unfortunately even cautious users can get infected with ransomware. For example, it is possible to infect your computer while reading the news on a large, well-known news website.
Of course the website itself does not pass the malware on to its visitors (unless it has been hacked, but that is a different case). Instead, advertising networks compromised by criminals act as distributors, and the malware can be loaded because of a single unpatched weak spot. So once again: having the latest software and a fully patched operating system is essential.

Do I have to worry if I go online with my Smartphone?
Yes. There are encryptors and blockers for smartphones as well. It is not paranoid to have an antivirus app on your smartphone.

How do I know if my Computer is infected with Ransomware?
Ransomware isn't subtle. As soon as it has finished, it introduces itself with big, intrusive messages popping up on your desktop, telling you that your files have been captured and encrypted and what you have to do or pay to get them back. You honestly can't miss it.

What shall I do, if I am infected with Ransomware?
First you have to remove the malware with the help of your antivirus program.
The next step is getting your data back. By far the easiest solution is to have a backup of your data and simply restore it.
If you don't have a backup, you can try to decrypt the data with special programs, so-called decryptors.
If you can't find the right decryptor, you can either pay the ransom or say goodbye to your data. But we recommend against paying the ransom. Statistics say that 20% of the ransomware victims who paid their ransom never got their data back. Furthermore, by paying you support the business of cybercriminals and help thieves. And of course the hackers learn that you will pay any ransom to get your data back, which makes you a target for further malware attacks.


I’ve found the right decoder, why isn’t it working?

Ransomware developers react quickly when a new decryptor is published and modify the malware to make it resistant to the available decryptors. It is just like the game "Whac-A-Mole". Unfortunately no decryptor comes with a guarantee.

Am I save if I make regular backups?
A backup is, without doubt, helpful, but still no 100% guarantee. If you are not careful enough, your backups can get encrypted along with your other data. So backups are extremely important, but you have to go one step further in protecting your data.

Is an antivirus program enough to avoid infections?
In most cases, yes. But it depends on the antivirus solution you are using, and no antivirus program is 100% effective. In many cases automatic detection depends on how new the malware is. If its signature has not yet been added to the antivirus database, the malware can still be recognised by behaviour analysis: if it tries to damage the system, it is blocked immediately.

Are there any settings I can optimise to improve my protection?
A. Install an antivirus program. But I already mentioned that, didn't I?
B. You can deactivate script execution in your browser (scripts are a favourite tool of cybercriminals).
C. Make file extensions visible in Windows Explorer.
D. Make Notepad the default app for VBS and JS files. Windows usually shows dangerous VBS and JS scripts as if they were text files, so less experienced users open them.
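The PowerShell below is an added example, not part of the original article: it applies items C and D of the list above for the current user and then reads the settings back so you can check that they took effect. The registry locations are the standard Windows Explorer and file-association keys; the function names are constructed for this example.

```powershell
# Added example, not from the original article: apply items C and D for the current
# user and read the settings back. Registry paths are the standard Explorer and
# file-association locations; HKCU changes need no administrator rights.
$advanced         = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$scriptExtensions = '.vbs', '.js'

function Set-SaferExplorerSettings {
    # C. Show file extensions (HideFileExt = 0). Explorer picks this up after a
    #    restart of explorer.exe or a new sign-in.
    Set-ItemProperty -Path $advanced -Name 'HideFileExt' -Value 0 -Type DWord

    # D. Open .vbs and .js with Notepad. 'txtfile' is the built-in ProgID whose
    #    open command is Notepad; a per-user key under HKCU\Software\Classes takes
    #    precedence over the machine-wide association that points to the script host.
    foreach ($ext in $scriptExtensions) {
        $key = "HKCU:\Software\Classes\$ext"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name '(Default)' -Value 'txtfile'
    }
}

function Test-SaferExplorerSettings {
    $hide  = (Get-ItemProperty -Path $advanced -Name 'HideFileExt').HideFileExt
    $progs = foreach ($ext in $scriptExtensions) {
        $key = "HKCU:\Software\Classes\$ext"
        if (Test-Path $key) { (Get-ItemProperty -Path $key).'(default)' } else { $null }
    }
    [pscustomobject]@{
        ExtensionsVisible    = ($hide -eq 0)
        ScriptsOpenInNotepad = (@($progs | Where-Object { $_ -ne 'txtfile' }).Count -eq 0)
    }
}

Set-SaferExplorerSettings
Test-SaferExplorerSettings
```

Two caveats worth knowing: if a user has previously picked an "Open with" program for .vbs or .js, Explorer stores that choice under its own FileExts key and it wins over the ProgID mapping, so re-check with the second function after changing it; and the association only affects double-clicking in Explorer. A script that is started explicitly through the script host still runs, which is why this setting complements, rather than replaces, the antivirus program and the browser setting in items A and B.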