What to do if your PC or network has been infected by GoldenEye, WannaCry or other ransomware.
Ransomware first hit the headlines a few years ago as one of the nastiest types of malware yet, taking control of a victim's computer, encrypting their files and extorting money to remove it.
Sadly, the threat of ransomware has grown worse – much worse, in fact – culminating in the latest GoldenEye and WannaCry outbreaks. Not only has it spread from PCs to phones, tablets and Macs, but there has been a massive increase in the number of instances of ransomware detected. Moreover, the methods that hackers use have become more devious and more difficult to deal with.
In this feature, we provide a guide to understanding, detecting, removing and recovering from ransomware. Of course, it's far better to avoid an infection in the first place with the steps that we've explained in our ransomware defence guide.
But if you are infected, don't panic. We'll explain what to do if you've been infected, but first, a quick primer on what ransomware is.
Your ransomware questions answered
What is ransomware?
Ransomware is a particularly virulent form of malware that locks your computer and encrypts your files so that you can't access them. The exact details vary, but it may stop you using Windows or certain programs such as your web browser. Once your files are encrypted, the ransomware will ask for payment to unlock them, usually in the untraceable virtual currency Bitcoin. Although removing ransomware is actually quite easy, your files will remain encrypted. There's also another spiteful trick the malware uses to get you to pay up: if the money is not paid on time, the ransom is doubled.
How do I get infected?
As with most forms of malware, the primary source of infection is an email attachment or malicious link. The senders use con tricks to get you to open the attachment, such as pretending that it's an invoice for something you've bought from a reputable company. This tactic preys on your fear of being charged for an item you didn't buy, so that you'll open the invoice without thinking about it.
Where does ransomware come from?
Ransomware in its modern form originated in Russia and Eastern Europe. Thanks to decentralised digital currencies such as Bitcoin, which make it easy for attackers to demand a ransom and be paid without leaving a trace, ransomware is now so lucrative that it's become the primary revenue stream for some cybercriminals.
It doesn't even take much skill to create your own ransomware. Last year, a Turkish security researcher called Utku Sen created a strain of ransomware called Hidden Tear and published the source code online. It was described as being "for educational purposes only" (as were some early viruses) and ostensibly designed to teach security professionals how to defend against such threats. However, it provided a quick way for anyone with average computer skills to get into the ransomware business.
What does it look like?
Once your PC has been infected and your personal files encrypted, a message appears telling you what's happened and providing information about how – and how much – to pay. The look of this message will vary depending on which ransomware family is behind the attack.
Is it really that common?
Sadly, yes. In 2016, the number of ransomware attacks increased 300 percent from 2015, with over 4,000 attacks detected per day, according to US government statistics.
However, Kaspersky Lab warns that "the real number of incidents is several times higher", because it can't always distinguish ransomware from other forms of malware.
As we saw with the WannaCry outbreak, there have been several high-profile victims, including the UK's National Health Service (NHS), global delivery service FedEx and Spanish telecommunications company Telefonica.
Are only Windows PCs at risk?
Not anymore. Ransomware developers have started targeting Linux, too, because a lot of web servers use that operating system. There have also been attacks on Macs and Android devices.
Why don't the police stop it?
It's very difficult for law-enforcement agencies to track down the source of ransomware because the criminals use state-of-the-art encryption and routing tricks to make their location impossible to identify.
What happens if I pay the ransom?
If everything goes to plan, once the ransom has been handed over, a key will be generated that you can use to decrypt your files. But first, you should read our full advice on the next page.
How can I be sure I'll receive this key?
You can't. Some ransomware, such as KeRanger and CTB-Locker, lets you decrypt one or two files to prove that the key exists and works, but there's no guarantee that once you've paid a ransom all your files will be unlocked.
What happens if I don't pay?
Your files will remain locked and unusable, unless the encryption has been cracked and there is a program you can use to unlock the files for free. Such tools are rare but they do exist, so you might get lucky.
What to do if you've been infected
Do you think your PC or network may have been infected by WannaCry or another ransomware threat?
First and foremost, don't panic. Being hit by ransomware is a frightening experience, but you can survive it.
Disconnect the locked PC from your network to prevent the ransomware from spreading, by removing the Ethernet cable or disconnecting from your Wi-Fi (or both), but do NOT turn it off. There may be a chance of rescuing files if you disconnect from the network but leave the computer switched on. For example, researchers are offering tools that can bypass WannaCry encryption on Windows XP and 7, but only if it's done quickly and the machine hasn't been rebooted.
You should probably do the same with any other devices on the network, in case they are already infected.
Next, find out what type of ransomware you've picked up. You might be able to discover this from the message on screen, or by searching for the exact message contents on Google. You can also upload a ransom note or encrypted file to ID Ransomware.
Once you know what's hit you, you’re in a better position to find possible solutions. We strongly recommend immediately calling in the experts – either your work’s IT support team or a specialist information security firm.
If you’ve done regular backups as recommended, you should hopefully be able to get up and running reasonably quickly. If not, you may find some answers from sites such as MalwareTips.
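The isolate-then-identify steps above, as an added example script that is not part of the original article: it disables the network adapters on a Windows PC without shutting it down, then gathers candidate ransom notes and a tally of file extensions to help identify the strain (for example via ID Ransomware). It assumes an elevated PowerShell prompt; the $UserRoot and $ReportPath parameters and the note-name pattern are hypothetical choices, not anything the article specifies.

```powershell
# Added example, not from the original article: a first-response script for a Windows host
# you suspect is infected. It follows the two steps above: isolate the machine from the
# network WITHOUT powering it off, then gather the material needed to identify the strain
# (candidate ransom notes and the most common file extensions) for a lookup such as
# ID Ransomware. Assumptions (hypothetical): run from an elevated PowerShell prompt;
# $UserRoot and $ReportPath are yours to choose; the note-name pattern is a heuristic.

param(
    [string]$UserRoot   = $env:USERPROFILE,
    [string]$ReportPath = "$env:SystemDrive\ransomware-triage.txt"
)

# Step 1: isolate. Disable every adapter that is up (wired and wireless), but do not shut
# down or reboot: the text above notes that some recovery tools only work on a machine
# that has stayed running.
Get-NetAdapter | Where-Object { $_.Status -eq 'Up' } | ForEach-Object {
    Write-Host "Disabling adapter: $($_.Name)"
    Disable-NetAdapter -Name $_.Name -Confirm:$false
}

# Step 2: collect identification material. Walk the user profile once.
$files = Get-ChildItem -Path $UserRoot -Recurse -File -ErrorAction SilentlyContinue

# Ransom notes are typically small text/HTML files with a telling name (heuristic pattern).
$notePattern = '(readme|decrypt|restore|recover|how_to|help|ransom)'
$notes = $files | Where-Object {
    $_.Name -match $notePattern -and
    $_.Extension -in @('.txt', '.html', '.hta') -and
    $_.Length -lt 64KB
}

# Encrypted files usually share one unfamiliar extension, so it shows up near the top.
$extensions = $files | Group-Object Extension | Sort-Object Count -Descending | Select-Object -First 15

$report = @("Ransomware triage  $(Get-Date -Format o)  host: $env:COMPUTERNAME")
$report += "Adapters disabled: $((Get-NetAdapter | Where-Object { $_.Status -eq 'Disabled' }).Name -join ', ')"
$report += ''
$report += 'Candidate ransom notes (upload one to ID Ransomware together with an encrypted file):'
$notes | ForEach-Object { $report += "  $($_.FullName)  ($($_.Length) bytes)" }
$report += ''
$report += "Most common extensions under ${UserRoot}:"
$extensions | ForEach-Object { $report += ('  {0,-12} {1}' -f $_.Name, $_.Count) }

# Write the report to local disk (the host is offline now, so copy it off by USB if needed).
$report | Set-Content -Path $ReportPath -Encoding UTF8
Write-Host "Report written to $ReportPath"
```

Run it before calling in your IT support or a security firm, so they have the note and extension list to hand; the machine stays powered on throughout.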
Should I pay the ransom?
The short answer – and the answer given by every security firm (even the FBI) – is no. The theory is, if people don't pay, ransomware will become unprofitable and the attackers will move on to something else.
That said, even if only a very small proportion of infected users end up paying, it still makes it worthwhile for the cybercriminals to continue their endeavours.
If you've got your personal files backed up online, you don't need to pay. If, however, the ransomware has encrypted the only versions of your files that you have, you may feel that there's no alternative but to give in to the criminals' demands.
Are there decrypters available?
Although the files locked by ransomware can sometimes be decrypted using tools from the likes of Avast and Emsisoft, there is no guarantee that the attackers won't fix, in future versions, the flaw that allows this.
Just as software gets patched, so does ransomware, because the cybercriminals are always looking for ways to make their malware harder to defeat. One example of this is CryptXXX, which was recently updated to prevent a decryption tool from working. This reiterates the need to remain vigilant about opening emails, clicking links on the web and keeping your security software up to date.
This feature includes information from an article that originally appeared at IT Pro.