Ransomware is becoming a bigger problem, especially now that a form of ransomware has also been found for Mac OS. In this article we describe exactly what ransomware or cryptoware is, how to prevent it, and what to do if you become a victim anyway.
What is ransomware?
Ransomware is a form of malware that takes your files hostage. The word 'ransom' in Dutch means 'hostage', which is exactly what ransomware does. It 'captures' files or even your entire computer, and you can only regain access by paying the attackers money. If you don't, your files will be destroyed and you're out of luck.
The difference between ransomware and cryptoware
There are different forms of ransomware. 'Ransomware' is the umbrella term for all forms of viruses that hijack your software, but within that term several variants are known. For example, there is ransomware that locks your entire system, so that you can no longer even boot your computer. A more advanced form of ransomware is 'cryptoware'. It encrypts files on your hard drive, such as documents or even movies and music, and you only get the key to undo that encryption after you pay money.
Ransomware is spreading more and more, and although that is hardly good news, it does have an upside. Many antivirus programs have taken measures against this form of malware, and security companies like Kaspersky even make databases of keys public. On the other hand, the malware also changes often, so you might be hit with a new version that little or nothing can yet be done about.
How do you become a victim of ransomware?
There are two ways ransomware gets onto your computer and takes it hostage. The most common way is through an executable file that installs the ransomware on your computer. The file can come in via an unsafe link, an email attachment, advertisements or (illegal) downloads.
The file you download is usually an executable (.exe) whose name makes it look like an image or text file. 'catimage.jpeg' appears to be an image, but if you have file extensions shown you can see whether it is really a jpeg file or is secretly 'catimage.jpeg.exe'. In the latter case, you are not opening an image but an installation file that could very well contain ransomware.
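The 'catimage.jpeg.exe' check described above can be automated for a list of downloaded or attached file names. This is an added example, not part of the original article; the extension lists and function names are illustrative assumptions and are not exhaustive.

```python
import re

# Extensions Windows runs or interprets on double-click (illustrative, not exhaustive).
EXECUTABLE_EXTS = {"exe", "scr", "com", "bat", "cmd", "js", "vbs", "pif"}
# Extensions a user expects to be a harmless document or media file (illustrative).
DECOY_EXTS = {"jpg", "jpeg", "png", "gif", "pdf", "doc", "docx", "txt", "mp3", "mp4"}


def disguised_executable(filename: str) -> bool:
    """True when the real (last) extension is executable and the one before it
    is a document/media type, as in 'catimage.jpeg.exe'."""
    # Keep only the file name, whether the path uses / or \ separators.
    name = re.split(r"[\\/]", filename)[-1]
    # Windows ignores trailing dots and spaces; extensions are case-insensitive.
    name = name.strip().rstrip(". ").lower()
    # Spaces are sometimes padded between the decoy and the real extension
    # to push '.exe' out of view, so strip each part.
    parts = [p.strip() for p in name.split(".")]
    if len(parts) < 3:  # need base name + decoy extension + real extension
        return False
    return parts[-1] in EXECUTABLE_EXTS and parts[-2] in DECOY_EXTS


def scan(filenames):
    """Return the names that deserve a second look before being opened."""
    return [n for n in filenames if disguised_executable(n)]


# Constructed sample names, not taken from a real incident.
SAMPLE = [
    "catimage.jpeg",                            # genuine image name
    "catimage.jpeg.exe",                        # the article's example
    "C:\\Users\\me\\Downloads\\Invoice.PDF          .EXE",  # padded with spaces
    "setup.exe",                                # honest executable, not disguised
    "holiday.photo.jpeg",                       # two dots, but a real image
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print("suspicious:", hit)
```

A name this check flags is not proof of ransomware, only a reason not to double-click it before scanning it.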
Another way ransomware can get onto your computer is through programs already installed on your PC, for example via Flash, your browser or JavaScript. To place ransomware on a computer via this route, hackers must find a vulnerability in the software. They do this by scanning for outdated software, so it is advisable to always keep your software up to date.
Preventing Ransomware
Ransomware is stubborn to remove, and removal is not always successful. Studies show that as many as 5% of ransomware victims pay to get files back - far more than with most other forms of phishing or malware.
Unfortunately, we have to state the obvious here: good protection against ransomware is the best way not to become a victim. And to state the obvious once more: there are no special tricks to protect you from ransomware other than updating your system.
You also need to be well protected against phishing attacks. We have written in this article how to recognize a phishing email.
Here are a few things you can do anyway:
Use the most recent operating system
Pretty logical, but make sure you use a version of Windows that is still officially supported by Microsoft. At the moment these are Windows 7, Windows 8 (and 8.1), and Windows 10. Windows Vista also receives critical security updates from Microsoft, but if you use Windows XP you really need to upgrade.
Also, make sure to download all critical updates. We understand that this sometimes isn't very appealing due to Microsoft's aggressive push to Windows 10, but important security updates are recommended.
Update your software
Not only your operating system, but also the software on your computer must remain up to date. Flash, for example, is notorious for its many holes, just like JavaScript in your browser. You can also disable software like Flash. In any case, make sure that you regularly check programs for updates.
Making backups
Hopefully we don't have to explain to you that you have to back up your files regularly, for example to an external hard drive or to the cloud. You can find some useful tips here. Make sure you make your backups regularly, or set up a program to do that automatically.
You can also consider getting a NAS ('Network Attached Storage'), a hard drive that you connect to the internet, but that is not a watertight system. Some forms of ransomware scan your system to look for files that can be encrypted, and if you connect a NAS to a system, there is a possibility that the NAS will also be infected.
What should you do if you have ransomware on your computer?
Despite all precautions, it can always happen that you unexpectedly become a victim of ransomware. Not fun, but maybe there is still something you can do about it! These are steps that may help resolve your issue. Success is not guaranteed, and in the worst case scenario you will have to factory reset your device - that's why backups are so important.
1. First determine what your problem is
Your first reaction is probably shock, but you can't solve a problem until you really know what the problem is. So check that first: What's going on? Have hackers locked your computer? Or is it just specific files? What do the hostage-takers want? Then decide what your next step will be.
2. Always file a police report!
Always report to the police. This is cybercrime and is punishable by law. Indeed, maybe it makes no sense and in practice nothing will be done with your report. But in the unlikely event that something does come of it, you can benefit from it later.
3. If you have ransomware:
With ransomware, your entire system is locked with a full-screen message that often resembles a phishing message. A good example of this is the Ukash police virus, which states that you have downloaded illegal files and therefore your computer cannot be opened. It is important with ransomware that you never pay, because there is a good chance that your computer will still not open. The trick of ransomware is often to make you use certain payment apps that meanwhile also try to steal your credit card information. So don't!
Do a virus scan
What you can do if you have been affected by ransomware is run a virus scan. Many ransomware variants are recognized by antivirus programs and can be easily removed. If you can still get into your computer (but, for example, your files or your browser are blocked), use a (free) program like MalwareBytes, which recognizes most ransomware.
Can't get into your system at all? Then use HitmanPro. You can install it on a USB stick and run it on your computer before the system boots. You can read how that works here.
Use a (system) restore point
You can also roll back to a system restore point. This will take you back to a slightly older version of Windows, which may not yet contain the virus.
Back to factory settings
If all that doesn't work, unfortunately there's only one thing to do: factory reset your device. You will lose all your files, so hopefully you have made enough backups.
4. If you have cryptoware
If you are affected by cryptoware, some or all of the files or folders on your system are encrypted, and you will be asked to pay a ransom to decrypt your files. Paying that is a very last resort, which we'll get to in a moment, but try to solve the problem first.
File a report
First of all: file a police report here as well. This often makes more sense with cryptoware, because there is always a chance that the hackers have already been arrested. If so, the keys to remove your cryptoware have often also been confiscated by the police. You might just get the right key right away.
Virus scan
If not, you can also run a virus scan with MalwareBytes, but the advice is to run as many antivirus programs as possible. It may just be that one program has the keys for the specific cryptoware, while another program does not. Kaspersky works extensively on cryptoware, and the company has previously made public a database containing a large number of keys. Here too there is a chance that the key you need is in there.
Restore backup
If that doesn't work, you can of course also cut your losses and delete the infected files, as long as you have a backup. Make sure that the backup is not also infected and that the cryptoware does not remain somewhere on your system, so do a virus scan or restore your PC to a restore point.
Pay
We strongly advise against it, but as a very last resort you can consider paying. With cryptoware, there is a good chance that the attackers will give you the key after payment - although there is no guarantee, so paying remains a gamble. However, if you really need your files and you don't have backups, consider this.
In most cases, the extortionists demand money in the form of bitcoins, the virtual currency that is virtually untraceable. There are various options for buying and storing bitcoins, but the easiest and fastest way is to use an online bitcoin bank that immediately offers you a 'wallet' in which the bitcoins are stored. One of the best known is Coinbase, which also clearly tells you how to buy bitcoins. Note: You do not necessarily have to buy 1 Bitcoin (currently about € 375), but you can also buy 0.66 bitcoins for the amount that the blackmailers ask you. Again: Think very carefully about whether you think it is worth paying. We advise against it in any case, but the choice is really up to you.
5. Disable TeslaCrypt
TeslaCrypt was one of the most common forms of ransomware. Fortunately, the makers have decided to stop their criminal activities. At least, with this malware form. Security researchers at ESET have released a tool that makes encrypted files accessible again. Just a matter of downloading and running.
6. No More Ransom - run a decryptor
The Dutch police, together with Interpol and Kaspersky, among others, have set up a website where software can be downloaded that gives access to encrypted files - decryptors. Maybe you're lucky and the keys to the ransomware that has been holding your files hostage happen to have been released. Please take a look at this site.