How to deal with a ransomware attack
Posted on 18 Mar 2013 at 10:34
Davey Winder delivers advice for those who find their data has been taken hostage
The ransomware threat has grown over the years as criminals seek ways to monetise their malware endeavours by holding your data to ransom.
Symantec reckons it’s a crime that turns over more than £3 million a year, and the evidence suggests it has spread far from its original eastern European base (where it was concentrated until fairly recently). Indeed, to the best of my knowledge, there are now approaching 20 different ransomware malware families, each with many variants and all active out in the wild.
It isn’t all good news for the bad guys, though: in the run up to Christmas, the Police Central e-crime Unit (PCeU) announced the arrest of three people involved in the ransomware business in the UK.
The "unlock" file they tell you to download may infect your PC with yet more malware
In this case, it seems the criminals were using a splash page featuring Metropolitan Police and PCeU logos that claims the authorities are monitoring your online activity and have detected offences being committed. As a result, your computer is put in a locked-down state until you pay the "ransom" – a £100 fine.
Of course, the actual implementation of such ransomware attacks varies considerably, but they all have similar roots and exit points: malware or malicious links to infect, and monies to be paid in order for locked data to be released.
Actually, it isn’t quite as simple as paying the ransom and getting your data back, for several reasons. First, remember you’re dealing with criminals – why should they care about your data? They only care about your money and have no incentive to unlock your PC after you’ve paid up. Second, these criminals will be keen to maximise their profit from every victim, so if you pay by credit card or provide your bank details they can commit further fraud using this information, or sell it on to other scammers. In addition, the "unlock" file they tell you to download may infect your PC with yet more malware.
A ransomware attack is a lose-lose scenario for the victim (unless, that is, you have a hitman to hand). It’s far better to avoid being infected in the first place, which means employing the usual kinds of common sense and security software. Better, too, to have all your data backed up, so you can restore it without paying any ransom, or a nice clean disk image to drop back into place. Of course, not everyone is so well prepared for disaster, and the folk who are most at risk are the ones who are least likely to keep backups. So what can be done if your computer is infected and you’re not prepared to pay up?
One big problem following a ransomware attack is that unlocking your data isn’t easy. It can be done, most often by re-booting the computer to run a Linux environment from which the rogue files can be identified and deleted.
But this isn’t straightforward nor always successful, since it’s often difficult to uncover the files without the "live" ransomed Windows environment running to provide forensic clues. This is where the hitman comes in, or more precisely, the HitmanPro.Kickstart functionality that’s been added to the latest version of an anti-malware "second opinion" file scanner called HitmanPro.
HitmanPro.Kickstart enables the victim of a ransomware attack to create a bootable USB flash drive with which to reboot the infected machine and recover from the lockdown by clearing up infection without further manual interaction. It looks good, so you might want to make a note of the Kickstart download site should you – or one of your friends or family – become a victim.
Earlier this year my brother lent his HDD to someone only to find his data 'missing' and his AV removed an autorun malware (so I don't know for sure if it was ransomware).
After I looked at it, it turns out that the malware had just changed the file attributes to system files (which were hidden by default on his system).
I managed to make the files normal by changing their attributes in cmd.
By tech3475 on 18 Mar 2013
If you are a fan of CSI, be it the Gil Grissom original or the various spin-off shows, it's probably better if you don't get called up for jury service as there is a very good chance that you have become a victim of the dreaded 'CSI effect.' This article addresses what the CSI effect is and its impact within the court room.
By Glennon on 10 Sep 2013
Davey is a contributing editor to PC Pro, having covered the internet as a topic since the magazine started in 1994. Since that time he's won numerous awards for his journalism, but remains a small-business consultant specialising in privacy, security and usability issues.
- How to sell more ebooks on Amazon
- 10 ways to make your business more secure
- Top five VoIP mistakes
- How to add in-app purchasing to an iPhone, Android or Windows app
- Remote-control ransomware: TeamViewer and software hardball
- Why laptops with serial ports matter to the Internet of Things
- Make your mobile battery last longer
- Small steps into handling Big Data
- Nexus 5: does it really run stock Android?
- How to get broadband to a garden office
- 20 years of PC Pro: our best covers
- Why we've closed the PC Pro forums
- How to turn off Google Location Tracking
- 20 years of PC Pro: our greatest review mistakes
- 20 years of PC Pro: our first A-List
- Wikipedia's "right to be forgotten" protest hits the wrong note
- 3D printing hits the high street for plastic selfies
- 20 years of PC Pro: What amazed us in our first issue
- How Google Glass ruined my lunch hour
- Smartphone battery packs: can a USB power pack beat the festival battery blues?
- Microsoft yanks Windows 8.1 update after crash reports
- Microsoft backtracks on blocking out-of-date Java
- Gartner: time to start planning your Windows 7 upgrade
- Still on IE8? You've got 18 months to upgrade
- Who's buying Chromebooks? American schools
- Microsoft targets Windows in next Patch Tuesday
- Microsoft to block old ActiveX controls in security push
- Samsung and Apple call off all legal disputes, except in the US
- Microsoft ordered to hand over European data
- Will the next Windows 8.1 update arrive next month?