Ransomware has been a growing trend for the past few years. It can hold your computer and your data hostage, with the threat of losing your data for good unless the ransom demand is paid.
It’s such a profitable scheme that experts say traditional cyber thieves are abandoning their old ways of making money, stealing credit card numbers and bank account credentials, in favor of ransomware. Paying a ransom has ethical implications and does not guarantee that encrypted files will be decrypted.
What is Ransomware?
As the name suggests, ransomware is a type of malicious software designed to encrypt your computer or critical files until you pay a ransom to unlock them.
Different types of ransomware
File encrypting Ransomware
This is the most feared type of ransomware; it incorporates advanced encryption algorithms. It is designed to block access to files and demand payment in exchange for the key that can decrypt the blocked content.
Examples include: CryptoLocker, Locky, CryptoWall and more.
Lock screen Ransomware
This type of ransomware locks the victim out of the operating system, making it impossible to reach the desktop or any apps or files.
The files are not encrypted in this case, but the attackers still demand a ransom to unlock the infected computer.
Examples include: the police-themed ransomware or Winlocker.
Master Boot locking Ransomware
The Master Boot Record (MBR) is the section of a PC’s hard drive that enables the operating system to boot. When MBR ransomware strikes, the boot process cannot complete as usual and a ransom note is displayed on the screen instead.
Examples include: Satana and Petya families.
Scareware
This is one of the milder forms of ransomware, and the one with the greatest chance of being removed from your system by anti-malware products.
Scareware is a form of malware that poses as a security program, pretends to scan for threats and malware on your computer, and then lures you into paying real money in exchange for solving the imaginary threats.
There have been many examples of ransom scareware over the years; a quick internet search for scareware examples will turn up plenty.
Ransomware key characteristics:
- It has the ability to encrypt all kinds of files, from documents to pictures, videos, audio files and other things you may have on your PC;
- It can scramble your file names, so you cannot tell which data was affected. This is one of the social engineering tricks used to confuse and coerce victims into paying the ransom;
- It will add a different extension to your files, which sometimes signals a specific ransomware strain;
- It usually requests payment in Bitcoin because this cryptocurrency cannot be tracked by cyber security researchers or law enforcement agencies;
- Usually, the ransom payments have a time-limit, to add another level of psychological constraint to this extortion scheme. Going over the deadline typically means that the ransom will increase, but it can also mean that the data will be destroyed and lost forever;
- It can spread to other PCs connected to a local network, creating further damage;
- It often recruits the infected PCs into botnets, so cyber criminals can expand their infrastructure and fuel future attacks. A botnet is a network of private computers infected with malicious software and controlled as a group without the owners’ knowledge.
Tips for preventing ransomware
1. Back up your files regularly and keep a recent backup off-site
Backups can protect your data against more than just ransomware: theft, fire, flood or accidental deletion all have the same effect. Make sure you encrypt the backed-up data so only you can restore it.
2. Enhance the security of your Microsoft Office
A lot of ransomware is distributed in Office documents that trick users into enabling macros. A macro is a single instruction that expands automatically into a set of instructions to perform a particular task.
It’s important to disable macros and ActiveX. Additionally, blocking external content is good practice to keep malicious code from being executed on the PC.
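The macro and ActiveX settings described above, as an added PowerShell example that is not part of the original article: it writes the per-user Office policy values that Group Policy would set, then reads them back as an audit. It assumes Office 2016/2019/Microsoft 365 (registry version key 16.0) and that a domain GPO, if present, may override these keys.

```powershell
# Added example (not from the article): per-user Office policy settings that
# disable macros and ActiveX, written to the registry keys Office reads.
# Assumed: Office version key 16.0; run as the user being hardened.
$officeVersion = '16.0'
$apps = 'Word', 'Excel', 'PowerPoint'

function Set-OfficeMacroHardening {
    foreach ($app in $apps) {
        $sec = "HKCU:\Software\Policies\Microsoft\Office\$officeVersion\$app\Security"
        if (-not (Test-Path $sec)) { New-Item -Path $sec -Force | Out-Null }
        # VBAWarnings: 4 = disable all macros without notification,
        # 3 = allow only digitally signed macros, 2 = disable with notification
        New-ItemProperty -Path $sec -Name VBAWarnings -PropertyType DWord -Value 4 -Force | Out-Null
        # Block macros in files carrying the Mark-of-the-Web (downloads, mail attachments)
        New-ItemProperty -Path $sec -Name blockcontentexecutionfrominternet -PropertyType DWord -Value 1 -Force | Out-Null
    }
    # Disable all ActiveX controls in every Office application
    $common = 'HKCU:\Software\Policies\Microsoft\Office\Common\Security'
    if (-not (Test-Path $common)) { New-Item -Path $common -Force | Out-Null }
    New-ItemProperty -Path $common -Name DisableAllActiveX -PropertyType DWord -Value 1 -Force | Out-Null
}

function Get-OfficeMacroHardening {
    # Audit: report the configured values, flagging any app that still allows macros
    foreach ($app in $apps) {
        $sec = "HKCU:\Software\Policies\Microsoft\Office\$officeVersion\$app\Security"
        $v = Get-ItemProperty -Path $sec -ErrorAction SilentlyContinue
        [pscustomobject]@{
            App         = $app
            VBAWarnings = $v.VBAWarnings
            BlockMotW   = $v.blockcontentexecutionfrominternet
            Hardened    = ($v.VBAWarnings -ge 3 -and $v.blockcontentexecutionfrominternet -eq 1)
        }
    }
}

Set-OfficeMacroHardening
Get-OfficeMacroHardening | Format-Table
```

Office applies the values the next time it starts, so run the audit function after reopening Word or Excel to confirm they took effect.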
3. Just Say No—To Suspicious Emails and Links
The primary method of infecting victims with ransomware is the phishing attack: spamming you with emails that carry a malicious attachment or instruct you to click on a URL from which malware silently installs itself on your machine.
Most phishing emails are filtered out by anti-spam software, but because these messages change constantly as phishers try to keep ahead of the spam blockers, some still get through to end users.
Please note that phishing emails may masquerade as notifications from a delivery service, an e-commerce resource, a law enforcement agency, or a banking institution. So be extra careful when viewing emails and clicking on links.
4. Keep your system and apps up to date
It is very important to patch and keep your operating system, antivirus, browsers, Adobe Flash Player, Java, and other software up-to-date.
5. Adjust your security software
Adjust your security software to scan compressed or archived files, if this feature is available. Many anti-virus vendors have a built-in feature that decompresses files in memory, or uses algorithms that can inspect the compressed content, without needing to expand the file itself.
6. Stop the internet / network connectivity if a suspicious process is detected
In the event a suspicious process or application is spotted on your computer, turn off the Internet / network connection immediately.
This is particularly effective at an early stage of the attack, because the ransomware will not get the chance to establish a connection with its Command and Control server and thus cannot complete the encryption routine.
7. Install trusted ads and popup blockers
Many ransomware creators have adopted another highly successful method, “malvertising”, which involves compromising an advertising network by embedding malware in ads that are delivered through web sites you know and trust.
It’s recommended to install a browser add-on that blocks popups and ads, as they can also be an entry point for ransomware.
8. Switch off any unused wireless / network connections
Switch off any unused wireless / network connections, such as Bluetooth or infrared. There have been cases where Bluetooth was exploited and the machine compromised.
9. Define Software Restriction Policies
Define software restriction policies that keep executable files from running when they are located in specific directories on the system. The directories most heavily used for hosting malicious processes include ProgramData, AppData, Temp and Windows\SysWow.
10. Never plug in a flash drive of unknown origin
Hackers will sprinkle infected USB flash drives in parking lots and company lunchrooms, counting on someone curious to plug one in, and bang, there’s your ransomware. Never plug in a flash drive of unknown origin.
11. Provide user training on cyber security practices
Train your computer users (staff, family and friends) in cyber security practices, emphasizing that attachments or links from unknown sources must not be opened. Develop a communication strategy to inform them if a virus reaches the computer network.
How can I remove a ransomware infection?
If you run a file that you suspect may be ransomware but have not yet seen the characteristic ransomware screen, acting very quickly may let you stop communication with the C&C server before it finishes encrypting your files. If you disconnect from the network immediately, you might mitigate the damage.
Some ransomware infections are relatively easy to remove, while others are hard.
The easiest ones are “scareware” browser screens that claim your laptop has been locked by hackers or a local police force. This is never true. You can usually stop them by opening the Windows Task Manager (hold down Ctrl + Alt + Delete) and ending your web browser process, or by force quitting on a Mac (Command + Option + Esc), then running an anti-virus program to remove them.
Nastier ransomware programs encrypt files or hard drives with strong encryption. Where possible, the best and safest option for removing a ransomware infection is to wipe your machine clean and restore from your latest backup.
However, this is not always possible; still, all is not necessarily lost. There are many free programs designed to decrypt files encrypted by ransomware, from companies such as AVG, Emsisoft, and Kaspersky Lab. The Windows Club has a good list of free ransomware decryptor tools to unlock files, with links to each individual tool. If you are on Microsoft Windows you might want to try the free Malwarebytes Anti-Ransomware beta version.
It’s also theoretically possible to rescue files by using an undelete program such as EaseUS’s Undelete (Windows or Mac) or Piriform’s Recuva. However, untangling and identifying more than a few files could be a huge task, which is why offline and, where possible, offsite backups are essential for protecting valuable data.
Other useful free Anti-Ransomware products:
BitDefender Anti-Ransomware will immunize your computer. It basically does not allow executable files in %appdata% and %startup% to run.
RansomFree is a powerful tool that comes to you from a company formed by former military cybersecurity experts.
CryptoPrevent is a robust anti-virus/anti-malware software supplement, filling a huge gap that exists with traditional security solutions to provide protection against a growing multitude of new and emerging ransomware and other malicious software threats.
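The path-based blocking described under tip 9 (Software Restriction Policies) and in the BitDefender note above (no executables from %appdata% and %startup%), as an added PowerShell example that is not part of the article and not the code of any product it names. It writes the Software Restriction Policy keys that Group Policy itself uses, so it works on a standalone machine; it assumes an elevated PowerShell on Windows and that a domain GPO, if present, may override these keys.

```powershell
# Added example (not from the article): Software Restriction Policy path rules
# that deny executables launched from user-writable directories.
# Assumed: run elevated; rules take effect at the next policy refresh or logon.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$disallowed = Join-Path $base '0\Paths'      # subkey 0 = "Disallowed" level

# Path rules for the directories the article names. SysWOW64 is deliberately
# NOT blocked: legitimate 32-bit Windows binaries live there and denying it breaks the OS.
$rules = @(
    '%AppData%\*.exe',
    '%AppData%\*\*.exe',
    '%LocalAppData%\*.exe',
    '%LocalAppData%\Temp\*.exe',
    '%LocalAppData%\Temp\*\*.exe',
    '%ProgramData%\*.exe',
    '%AppData%\Microsoft\Windows\Start Menu\Programs\Startup\*.exe'   # per-user Startup folder
)

function Set-RansomwarePathRules {
    if (-not (Test-Path $base)) { New-Item -Path $base -Force | Out-Null }
    # DefaultLevel 0x40000 = Unrestricted: everything runs except the denied paths
    New-ItemProperty -Path $base -Name DefaultLevel -PropertyType DWord -Value 0x40000 -Force | Out-Null
    # TransparentEnabled 1 = enforce for executables only (2 would include DLLs)
    New-ItemProperty -Path $base -Name TransparentEnabled -PropertyType DWord -Value 1 -Force | Out-Null
    # PolicyScope 0 = all users, including administrators
    New-ItemProperty -Path $base -Name PolicyScope -PropertyType DWord -Value 0 -Force | Out-Null
    if (-not (Test-Path $disallowed)) { New-Item -Path $disallowed -Force | Out-Null }
    foreach ($pattern in $rules) {
        # Each rule is a GUID-named subkey with the path in ItemData (REG_EXPAND_SZ)
        $key = Join-Path $disallowed ('{' + [guid]::NewGuid().ToString() + '}')
        New-Item -Path $key | Out-Null
        New-ItemProperty -Path $key -Name ItemData     -PropertyType ExpandString -Value $pattern -Force | Out-Null
        New-ItemProperty -Path $key -Name SaferFlags   -PropertyType DWord -Value 0 -Force | Out-Null
        New-ItemProperty -Path $key -Name Description  -PropertyType String -Value "Block executables in $pattern" -Force | Out-Null
        New-ItemProperty -Path $key -Name LastModified -PropertyType QWord -Value ([DateTime]::UtcNow.ToFileTime()) -Force | Out-Null
    }
}

function Get-RansomwarePathRules {
    # Audit: list every Disallowed path rule currently configured
    Get-ChildItem -Path $disallowed -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ItemProperty -Path $_.PSPath } |
        Select-Object ItemData, Description
}

Set-RansomwarePathRules
Get-RansomwarePathRules | Format-Table -AutoSize
```

Run `gpupdate /force` or log off and on to apply the rules; when a rule blocks a launch, SRP records event ID 866 in the Application log, which is the signal to watch for when testing with a harmless .exe copied into one of these folders.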