This article covers:
- What ransomware is
- How to protect your computer against a ransomware attack
- How to remove ransomware in the event of a successful attack
What is ransomware?
Ransomware has been around since 2013 but moved into the mainstream with the WannaCry attack in 2017 on the NHS in the UK and companies in around 150 countries.
That attack cost the NHS an estimated GBP 92 million in recovery costs (the NHS did not pay the ransom). That was followed in 2018 by other high-profile attacks on the city of Atlanta (US$10 million estimated recovery cost) and Boeing.
But what, exactly, is ransomware?
Ransomware is malware that encrypts all the personal data files on computers it has infected and demands a ransom, usually somewhere between US$150 and around US$1,200, to give access to a decryption key that will unlock them.
There have been rumours of ‘smart ransomware’. This is able to adjust the amount being demanded based on the victim’s geographic location (entities in rich countries being charged more) and the size of the company. But I haven’t found any specific reports of instances where that happened.
It’s important to note that ransomware only affects data files, not system files. This is because the hackers want victims to be able to make the ransom payment, so locking the computer down completely would defeat their purpose.
How does a computer become infected?
Here are the most common ways a computer can become infected with a virus or malware of any kind, including ransomware:
- Downloading and installing programs, particularly freeware. Make sure you only install programs from known and trusted sources and avoid freeware exchanges.
- Installing pirated software via a DVD or USB Flash drive. If you don’t know the source then, again, don’t install it!
- Email attachments. Be extremely careful of opening email attachments unless you know what they are. Hackers who have compromised a friend’s computer and stolen their address book can send you an email that looks as though it comes from your friend, but actually contains a virus-infected file.
- Visiting a compromised website. Be careful of following links unless you know where you’re going. Following a link to a hacked website can result in malware being installed in your browser from where it takes control of your computer.
- Not keeping all your programs up to date. Windows now pushes out security updates, so the risk of an out-of-date operating system has been reduced, but the other programs and applications you install also need to be kept up to date. See below for a tool to help with this.
- Accidentally booting from an infected CD. Computers are usually set to ‘Autorun’ CDs and DVDs when they are inserted, and can also boot from them if they are left in the drive when the computer is switched off. In either case you could be infecting your computer: either by inserting a CD you don’t know with ‘Autorun’ set as the default action, or by leaving a CD in the drive when you switch off the computer and later restart it.
The message here is clear: you cannot be too careful about the sites you visit online and the software you install on your computer.
How can you protect yourself?
The first step in protecting your computer from ransomware is to thoroughly understand the ways it can be hacked. I covered the main ones in the previous section.
Awareness, in this case, is a major part of being able to successfully protect your computer.
The second step is to back up both your data and your system regularly.
A study done in 2016 by ZDNET found that 60% of those companies that suffered a ransomware attack, and refused to pay the ransom, could do so because their data was backed up. A further 25% refused to pay because the data that had been locked was not important and not confidential.
Since ransomware attacks only affect the data, not the system, backing up your data on a regular basis is a major step in protecting you or your company from the impact of a ransomware attack.
Not only do I back up my data (the really important stuff in real time with Backup and Sync from Google), I also back up my system once a week, and I’ll explain the importance of that later.
I cannot over-stress the importance of an effective, automated and efficient backup routine and I’m constantly staggered at how few organisations pay attention to this.
Apart from a good backup routine, making yourself familiar with how computers are hacked and addressing each of the points I listed earlier is going to greatly improve the security of your data.
How to recover from a ransomware attack
The first advice you will see everywhere is: Don’t pay the ransom!
It’s sensible advice, because paying the ransom only emboldens the criminals. But worse than that, there are a good number of cases where, even when victims paid the ransom, they still didn’t get their files back.
There were probably two reasons for that:
- The criminals made off with the money (after all, the fact that they perpetrated the crime in the first place indicates that they were not particularly trustworthy!)
- The decryption key didn’t work because it wasn’t programmed correctly (whether by design or poor coding)
The fact remains, though, that (again from the ZDNET study to which I linked earlier) many companies do pay the ransom. It can only be speculated as to why, but it probably has to do with protecting their reputation, or their share price, or avoiding the hassle of going through the process now required of companies that suffer data breaches.
Nonetheless, don’t pay the ransom!
Think carefully about the order in which you carry out the steps I’ve described below, because your individual situation may require you to change the order in which you do the work.
So here’s what you need to do:
1. No data backup: Decrypt the files and clean your system
There are now plenty of sites online where you can download decryption keys for a wide range of ransomware threats – here are two:
If you don’t like either of those, a Google search for ‘ransomware decryption keys’ will throw up plenty more.
Important: if you don’t have a backup of your data you need to decrypt your files before cleaning the system, because you need the ransomware on your system to release your files when the decryption key is run.
Once you’ve restored access to your data you now need to clean your computer in order to rid it of the ransomware code (decrypting the files does not remove the code).
Here are some good malware scanners and removers:
As before, if you don’t like those, a search for ‘malware removal tools’ will produce a host of results you can try.
To be safe I always like to use two different malware removers in case one of them misses the errant code.
2. You have a good clean backup of your data
If you have a good, clean backup of your data (held on an external hard drive or some other storage, not on your computer) then I would reverse the process.
I would delete all the data from the computer, do the system clean up first and then restore the clean data from the backup.
In my case, because I back up my system each week, I would not actually bother with the malware removers. I would simply restore the system from the clean backup, making sure to select the option to reformat the disk in the process.
As long as your system backup is clean, reformatting the disk and restoring the system will ensure that the malware is removed.
Once the system has been restored I would then restore my data from the backup.
(I hope you now see the benefit of running a good backup routine!)
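Two things the backup advice above and the “restore from a clean backup” steps both rely on are that each backup is a separate copy (so a later run never overwrites an earlier good one) and that you can tell a clean backup from one taken after the files had already been altered. The script below is an added example, not the article’s own tooling or any product it mentions: it uses only the Python standard library, assumes the destination folder (dest_root) is on separate storage such as an external drive, and keeps a SHA-256 manifest with each dated backup. compare_to_manifest reports how much of the live data differs from the last known-good copy, and verify_backup re-checks the stored copies themselves. The sample files in demo() are constructed in a temporary directory, not real user data.

```python
"""Versioned, verifiable data backup (added example, standard library only).

Not the article's own tooling. Assumes dest_root is on separate storage
(e.g. an external drive's mount point). Each run goes into a new dated
folder, so a later run never overwrites an earlier clean copy, and a
SHA-256 manifest lets you tell a clean backup from one taken after the
files had already been altered.
"""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import Dict, List, Optional


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large files need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def make_backup(source: Path, dest_root: Path, stamp: Optional[str] = None) -> Path:
    """Copy every file under source into dest_root/<stamp>/files and write
    dest_root/<stamp>/manifest.json mapping relative path -> SHA-256."""
    stamp = stamp or datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    backup_dir = dest_root / stamp
    manifest: Dict[str, str] = {}
    for path in sorted(p for p in source.rglob("*") if p.is_file()):
        rel = path.relative_to(source).as_posix()
        target = backup_dir / "files" / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, target)  # keeps timestamps and permissions
        manifest[rel] = sha256_of(path)
    (backup_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return backup_dir


def compare_to_manifest(source: Path, backup_dir: Path) -> dict:
    """Compare the live tree with a backup's manifest. A high fraction_changed
    means the live data no longer matches the last known-good copy: restore
    from that backup rather than taking a fresh backup over it."""
    manifest = json.loads((backup_dir / "manifest.json").read_text())
    live = {p.relative_to(source).as_posix(): sha256_of(p)
            for p in source.rglob("*") if p.is_file()}
    modified = sorted(k for k in manifest if k in live and live[k] != manifest[k])
    missing = sorted(k for k in manifest if k not in live)
    return {
        "unchanged": sorted(k for k in manifest if live.get(k) == manifest[k]),
        "modified": modified,
        "missing": missing,
        "new": sorted(k for k in live if k not in manifest),
        "fraction_changed": (len(modified) + len(missing)) / len(manifest) if manifest else 0.0,
    }


def verify_backup(backup_dir: Path) -> List[str]:
    """Re-hash the stored copies. Returns relative paths whose copy no longer
    matches the manifest (damaged media, tampering, or a backup drive that
    was left attached and got overwritten as well)."""
    manifest = json.loads((backup_dir / "manifest.json").read_text())
    bad = []
    for rel, expected in manifest.items():
        copy = backup_dir / "files" / rel
        if not copy.is_file() or sha256_of(copy) != expected:
            bad.append(rel)
    return bad


def demo() -> dict:
    """Constructed sample run in a temporary directory (no real user data)."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "Documents"
        drive = Path(tmp) / "ExternalDrive"  # stands in for the external disk
        (src / "docs").mkdir(parents=True)
        (src / "photos").mkdir()
        (src / "docs" / "notes.txt").write_text("meeting notes\n")
        (src / "docs" / "budget.csv").write_text("item,cost\nlaptop,900\n")
        (src / "photos" / "holiday.jpg").write_bytes(b"\xff\xd8\xff" + b"\x00" * 64)
        backup = make_backup(src, drive, stamp="20240101T000000Z")
        # What the live tree might look like afterwards: one file overwritten
        # with unreadable bytes, one gone, one created since the backup.
        (src / "docs" / "notes.txt").write_bytes(os.urandom(32))
        (src / "photos" / "holiday.jpg").unlink()
        (src / "new.txt").write_text("created after the backup\n")
        return {"compare": compare_to_manifest(src, backup),
                "backup_damaged": verify_backup(backup)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it as-is to see the report for the constructed sample; point make_backup at your own folders (with dest_root on the external drive) to use it for real. The design choice that matters is the dated folder per run: if you only ever overwrite one backup copy, a run that happens after an infection replaces the clean copy with an unusable one, which is exactly the situation the article’s “as long as your system backup is clean” caveat warns about.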
3. Make sure your programs are up to date
The final thing to do is to ensure that all your applications and programs are up to date.
I’m not referring to the operating system here (Windows/Linux/MacOS) because those now mostly update themselves automatically. This refers to the various programs and applications you have installed.
The most efficient way to do that is to install a software updater.
As I’ve said earlier, make sure you get this from a trusted source.
A software updater inventories the programs you have on your computer and then goes to the developers’ sites to check for the latest versions. If you have outdated versions on your computer it will list them for you and give you the option to update them.
If you select the option to update, the software updater will download and install the latest version.
They are very neat applications and will save you a lot of time, not to mention strengthening your computer’s defences against hackers.
Here is a list of software updaters: Lifewire
Again, do a search online for ‘software updaters’ and satisfy yourself that the program you’re about to install is safe!
Ransomware is nasty, and the shock of seeing that notice left by the hackers can cause your head to spin, which usually leads to wrong decisions being made in the heat of the moment.
But if you understand how computers are hacked and have a good, thorough, automated and efficient backup routine, you will be able to resist many attacks and recover from those that do get through.
Have you been a victim of a ransomware attack? How did you recover? Leave us a comment below.
Owner – WP Security Basics
P.S. Is your WordPress website as secure as it could be? Take a look at the WordPress security products I have reviewed (I use all of them and I’d be happy to answer any questions you may have):