A quick guide to crypto-ransomware - what it is, how it works, what happens when your computer is infected and what you can do to protect your computer
Encryption 'scrambles' the contents of a file, so that it is unreadable. To restore it for normal use, a decryption key is needed to 'unscramble' the file.
Crypto-ransomware essentially takes the files hostage, demanding a ransom in exchange for the decryption key needed to restore the files.
Unlike other threats, crypto-ransomware is neither subtle or hidden. Instead, it prominently displays lurid messages to call attention to itself, and explicitly uses shock and fear to pressure you into paying the ransom.
A few so-called crypto-ransomware do not perform the encryption at all, and just use the threat of doing so to extor money. In most cases however, the threat is actually carried out.
There are two common ways you can encounter crypto-ransomware:
Users most commonly come into contact with crypto-ransomware via files or links that are distributed in email messages:
Receiving the email itself does not trigger an infection; the attached or linked file would still need to be downloaded or opened.
Attackers often craft the email messages using social engineering tricks to lure the recipients into opening the links or attached files. For example, they use the name and branding of legitimate companies, or intriguing or legal-sounding texts.
If the attached file is a Microsoft Word or Excel document, harmful code is embedded in the file as a macro. Even if the user does open this file, the macro can only run if one of the following conditions is present:
Macros are disabled by default in Microsoft Office. If they happen to be enabled when the file opened, the macro code run immediately.
If macros are not enabled, the file will display a notification prompt asking the user to enable them. If the user clicks 'Enable Content', macros are enabled and the embedded code will run immediately.
Spam used to spread the CTB-Locker crypto-ransomware
Notification message in Word asking users to enable macros
Crypto-ransomware can also be delivered by exploit kits, which are toolkits that are planted by attackers on websites. There are numerous exploit kits currently delivering ransomware in the wild, such as Angler, Neutrino and Nuclear.
These kits probe each website visitor's device for flaws or vulnerabilities that it can exploit. If a vulnerability is found and exploited, the exploit kit can immediately download and run crypto-ransomware on the device.
When the crypto-ransomware is downloaded and run on a device, it hunts for and encrypts targeted files.
Some crypto-ransomware, such as older variants of TeslaCrypt, will only encrypt specific types of files. Others are less discriminating and will encrypt many types of files (for example, Cryptolocker). There is also one known family, Petya, that encrypts the Master Boot Record (MBR), a special section of a computer's hard drive that runs first and starts (boots) its operating system, allowing all other programs to run.
After the encryption is complete, the crypto-ransomware will display a message containing the ransom demand. The amount will vary depending on the specific ransomware, and the payment is often only in Bitcoins, or a similar digital cryptocurrency. Specific instructions are also provided.
In some cases, the attackers put extra pressure on victims to pay the ransom by allowing only has a limited time period to meet the demand. After the stipulated time, the decryption key may be deleted, or the ransom demand may be increased.
F-Secure Weblog: the ransom notice displayed by CTB-Locker crypto-ransomware.
If the affected files contain valuable data, encrypting them means losing access to that information. If the data is critical to a business - for example, a patient data in a hospital, or payroll details in a finance firm - the loss of access can impact the entire company.
If the affected files are used by the device's operating system, encrypting them can stop the device from working properly. If the device is critical to a company's operations - for example, a server, hospital medical equipment, or industrial control system - the business impact can be siginificant.
In recent years, there have been multiple cases of ransomware spreading through entire company networks, effectively disrupting or even halting normal business until the infected machines can be cleaned and the data recovered.
To pay or not to pay?
Ransomware works on the assumption that the user will be inconvenienced enough at losing access to the files that they are willing to pay the sum demanded.
Security researchers and law enforcement authorities, in general, strongly recommend that the victims refrain from paying the ransom. In some reported cases however, the crypto-ransomware infections have been so disruptive that the affected organizations and users opted to pay the ransom to regain the data or device access.
If the worst happens and crypto-ransomware does infect your device, there are a couple of steps you can take to contain the damage:
Once you are certain the infection is contained, you can then try to remove the infection, recover the device and the data saved on it.
Recovering files that have been encrypted by crypto-ransomware is technically extremely difficult; in most cases, it is simpler to wipe the device clean and reinstall the operating system, then recover the affected data from a clean backup.
You can take the following steps for recovery:
For certain crypto-ransomware families, security researchers have been able to obtain the decryption keys from the attackers' servers, and use them to create special removal tools that can recover the contents of files that were encrypted with the keys.
Do note however that these tools generally require some level of technical knowledge to use. They are also only effective for these specific ransomware families, or even just for threats that were distributed in specific campaigns.
For more information about these tools, visit the No More Ransom! project site. This initiative by the National High Tech Crime Unit of the Netherlands' police, Europol's European Cybercrime Centre and security researchers aims to help victims retrieve their encrypted data without having to pay the criminals responsible for the threat.
As an individual user, you can take a number of simple precautions to avoid becoming a victim of crypto-ransomware: