How to deal with a ransomware attack
Posted on 18 Mar 2013 at 10:34
Davey Winder delivers advice for those who find their data has been taken hostage
The ransomware threat has grown over the years as criminals seek ways to monetise their malware endeavours by holding your data to ransom.
Symantec reckons it’s a crime that turns over more than £3 million a year, and the evidence suggests it has spread far from its original eastern European base (where it was concentrated until fairly recently). Indeed, to the best of my knowledge, there are now approaching 20 different ransomware malware families, each with many variants and all active out in the wild.
It isn’t all good news for the bad guys, though: in the run up to Christmas, the Police Central e-crime Unit (PCeU) announced the arrest of three people involved in the ransomware business in the UK.
The "unlock" file they tell you to download may infect your PC with yet more malware
In this case, it seems the criminals were using a splash page featuring Metropolitan Police and PCeU logos that claims the authorities are monitoring your online activity and have detected offences being committed. As a result, your computer is put in a locked-down state until you pay the "ransom" – a £100 fine.
Of course, the actual implementation of such ransomware attacks varies considerably, but they all have similar roots and exit points: malware or malicious links to infect, and monies to be paid in order for locked data to be released.
Actually, it isn’t quite as simple as paying the ransom and getting your data back, for several reasons. First, remember you’re dealing with criminals – why should they care about your data? They only care about your money and have no incentive to unlock your PC after you’ve paid up. Second, these criminals will be keen to maximise their profit from every victim, so if you pay by credit card or provide your bank details they can commit further fraud using this information, or sell it on to other scammers. In addition, the "unlock" file they tell you to download may infect your PC with yet more malware.
A ransomware attack is a lose-lose scenario for the victim (unless, that is, you have a hitman to hand). It’s far better to avoid being infected in the first place, which means employing the usual kinds of common sense and security software. Better, too, to have all your data backed up, so you can restore it without paying any ransom, or a nice clean disk image to drop back into place. Of course, not everyone is so well prepared for disaster, and the folk who are most at risk are the ones who are least likely to keep backups. So what can be done if your computer is infected and you’re not prepared to pay up?
One big problem following a ransomware attack is that unlocking your data isn’t easy. It can be done, most often by re-booting the computer to run a Linux environment from which the rogue files can be identified and deleted.
But this isn’t straightforward nor always successful, since it’s often difficult to uncover the files without the "live" ransomed Windows environment running to provide forensic clues. This is where the hitman comes in, or more precisely, the HitmanPro.Kickstart functionality that’s been added to the latest version of an anti-malware "second opinion" file scanner called HitmanPro.
HitmanPro.Kickstart enables the victim of a ransomware attack to create a bootable USB flash drive with which to reboot the infected machine and recover from the lockdown by clearing up infection without further manual interaction. It looks good, so you might want to make a note of the Kickstart download site should you – or one of your friends or family – become a victim.
Earlier this year my brother lent his HDD to someone only to find his data 'missing' and his AV removed an autorun malware (so I don't know for sure if it was ransomware).
After I looked at it, it turns out that the malware had just changed the file attributes to system files (which were hidden by default on his system).
I managed to make the files normal by changing their attributes in cmd.
By tech3475 on 18 Mar 2013
If you are a fan of CSI, be it the Gil Grissom original or the various spin-off shows, it's probably better if you don't get called up for jury service as there is a very good chance that you have become a victim of the dreaded 'CSI effect.' This article addresses what the CSI effect is and its impact within the court room.
By Glennon on 10 Sep 2013
Davey is a contributing editor to PC Pro, having covered the internet as a topic since the magazine started in 1994. Since that time he's won numerous awards for his journalism, but remains a small-business consultant specialising in privacy, security and usability issues.
- How to sell more ebooks on Amazon
- 10 ways to make your business more secure
- Top five VoIP mistakes
- How to add in-app purchasing to an iPhone, Android or Windows app
- Remote-control ransomware: TeamViewer and software hardball
- Why laptops with serial ports matter to the Internet of Things
- Make your mobile battery last longer
- Small steps into handling Big Data
- Nexus 5: does it really run stock Android?
- How to get broadband to a garden office
- Google Glass: mugger bait, pub problem and other lessons learned from two dangerous weeks
- Twitter, please don't fiddle with my feed
- How Satya Nadella can get some pay-raise karma
- Windows 10: a step back to go forward
- Michael Dell: Cloud infrastructure is the roads, bridges and highways of the 21st century
- How to check your identity hasn’t been sold to the hackers
- Tim Cook: this is how much TV has changed since the 70s
- Westminster wins the .London battle
- 20 years of PC Pro: from deep pan pizza to virtualisation
- Five reasons why the Apple Watch leaves me cold
- Will HP finally split into two companies?
- Chromebooks get version of Photoshop
- Toshiba beats retreat from consumer PC market
- Ellison steps down: but who's really running Oracle now?
- Microsoft set to make more job cuts
- Is Peter Pan panto tickets email genuine? Oh no, it isn't
- Intel triples Xeon E5 chip performance, adds DDR4
- Patch Tuesday targets critical IE flaw
- Microsoft refuses to hand over customer emails
- Microsoft yanks Windows 8.1 update after crash reports