How to deal with a ransomware attack

Ransomware

Davey Winder delivers advice for those who find their data has been taken hostage

The ransomware threat has grown over the years as criminals seek ways to monetise their malware endeavours by holding your data to ransom.

Symantec reckons it’s a crime that turns over more than £3 million a year, and the evidence suggests it has spread far from its original eastern European base (where it was concentrated until fairly recently). Indeed, to the best of my knowledge, there are now approaching 20 different ransomware malware families, each with many variants and all active out in the wild.

It isn’t all good news for the bad guys, though: in the run up to Christmas, the Police Central e-crime Unit (PCeU) announced the arrest of three people involved in the ransomware business in the UK.

The "unlock" file they tell you to download may infect your PC with yet more malware

In this case, it seems the criminals were using a splash page featuring Metropolitan Police and PCeU logos that claims the authorities are monitoring your online activity and have detected offences being committed. As a result, your computer is put in a locked-down state until you pay the "ransom" – a £100 fine.

Of course, the actual implementation of such ransomware attacks varies considerably, but they all have similar roots and exit points: malware or malicious links to infect, and monies to be paid in order for locked data to be released.

Actually, it isn’t quite as simple as paying the ransom and getting your data back, for several reasons. First, remember you’re dealing with criminals – why should they care about your data? They only care about your money and have no incentive to unlock your PC after you’ve paid up. Second, these criminals will be keen to maximise their profit from every victim, so if you pay by credit card or provide your bank details they can commit further fraud using this information, or sell it on to other scammers. In addition, the "unlock" file they tell you to download may infect your PC with yet more malware.

A ransomware attack is a lose-lose scenario for the victim (unless, that is, you have a hitman to hand). It’s far better to avoid being infected in the first place, which means employing the usual kinds of common sense and security software. Better, too, to have all your data backed up, so you can restore it without paying any ransom, or a nice clean disk image to drop back into place. Of course, not everyone is so well prepared for disaster, and the folk who are most at risk are the ones who are least likely to keep backups. So what can be done if your computer is infected and you’re not prepared to pay up?

One big problem following a ransomware attack is that unlocking your data isn’t easy. It can be done, most often by re-booting the computer to run a Linux environment from which the rogue files can be identified and deleted.

But this isn’t straightforward nor always successful, since it’s often difficult to uncover the files without the "live" ransomed Windows environment running to provide forensic clues. This is where the hitman comes in, or more precisely, the HitmanPro.Kickstart functionality that’s been added to the latest version of an anti-malware "second opinion" file scanner called HitmanPro.

HitmanPro.Kickstart enables the victim of a ransomware attack to create a bootable USB flash drive with which to reboot the infected machine and recover from the lockdown by clearing up infection without further manual interaction. It looks good, so you might want to make a note of the Kickstart download site should you – or one of your friends or family – become a victim.