Ransomware – A Primer


Ransomware is malware that locks the user out of the computer or encrypts the user's files, then offers to restore access for a price: a ransom. Variants have existed for about as long as personal computers have been connected to networks, but over the past couple of years the malware has grown considerably more sophisticated.

When I first encountered ransomware, it was the FBI virus – maybe 4 to 5 years ago. It was a simple thing and relatively easy to fix. Basically, the virus took over the user's display with a warning that illicit material had been detected on their computer and that they could make it all go away by paying a "fine." There were several variants of the malware, growing ever more sophisticated both in how the perpetrators collected the ransom and in how difficult they were to remove. Eventually, most of the command and control servers (computers that provided instructions and additional payloads to the virus) were tracked down by authorities and shut down or commandeered for further investigation.

The latest wave of ransomware uses a much more nefarious method: it encrypts the files on your hard drive, mainly the file types that hold personal data, such as pictures, text files, documents, spreadsheets, PDFs, videos and music. Files on attached external drives and mapped network shares are usually hit as well. The malware handles the files in myriad ways. Some variants encrypt each file and leave its name unchanged. Others replace the file name with seemingly random characters, change the file extension, or both. There have also been variants that do not encrypt at all but simply rename the extension and still display a message telling the victim their data is being held for ransom. When the encryption is implemented properly, the key that unlocks the files exists only on the attacker's side, so removing the malware afterwards does not bring the files back; that is why prevention and backups matter more than clean-up.
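As an added example (not code from the original article), the following Python script turns the observations above into simple detection checks over a folder: a file whose extension promises a known format but whose first bytes no longer match that format's signature, a plain-text file whose bytes look like cipher text (measured as Shannon entropy), and a file whose familiar extension has had an unknown one appended or whose name has been reduced to random characters. The sample files, their contents, the extension lists and the entropy threshold are all constructed for the illustration; real variants differ, and the output is a list of files to inspect, not a verdict.

```python
"""Flag files that look like the output of crypto-ransomware.

Added example, not part of the original article. Sample files, extension
lists and the entropy threshold are constructed assumptions for the demo,
not measurements from any real ransomware family.
"""
import math
import os
import random
import re
import tempfile

# File-type signatures ("magic bytes") for a few document and media formats.
# An encrypted file keeps its name, but its first bytes no longer match.
MAGIC = {
    ".pdf": b"%PDF",
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
    ".zip": b"PK\x03\x04",
    ".jpg": b"\xff\xd8\xff",
    ".png": b"\x89PNG",
}
# Plain-text formats: genuine content sits well below 8 bits/byte of entropy.
TEXT_EXTENSIONS = {".txt", ".csv", ".html", ".xml", ".json"}
KNOWN_EXTENSIONS = set(MAGIC) | TEXT_EXTENSIONS | {".doc", ".xls", ".mp3", ".mp4"}
ENTROPY_THRESHOLD = 7.0  # assumption chosen for this demo; English text is ~4.5
RANDOM_NAME = re.compile(r"^[0-9a-f]{8,}$")  # hex-looking base name such as a9f3c2b1e7d4


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~4.5 for English text, close to 8.0 for encrypted/random data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def suspicious_reasons(name: str, data: bytes) -> list:
    """Return the reasons a file looks like ransomware output (empty list means clean)."""
    reasons = []
    base, ext = os.path.splitext(name)
    ext = ext.lower()
    inner_ext = os.path.splitext(base)[1].lower()
    # Signal 1: an unknown extension appended after a familiar one (report.docx.locked)
    if ext not in KNOWN_EXTENSIONS and inner_ext in KNOWN_EXTENSIONS:
        reasons.append("known extension renamed to %s" % ext)
    # Signal 2: random-looking name with an unknown extension (a9f3c2b1e7d4.crypt)
    elif ext not in KNOWN_EXTENSIONS and RANDOM_NAME.match(base):
        reasons.append("random file name with unknown extension")
    # Signal 3: the extension promises a format, but the header says otherwise
    if ext in MAGIC and not data.startswith(MAGIC[ext]):
        reasons.append("header does not match %s" % ext)
    # Signal 4: a text file whose bytes are distributed like cipher text
    if ext in TEXT_EXTENSIONS:
        h = shannon_entropy(data)
        if h > ENTROPY_THRESHOLD:
            reasons.append("text file entropy %.2f bits/byte" % h)
    return reasons


def scan_directory(root: str) -> dict:
    """Walk root and map relative path -> reasons for every suspicious file."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read(1 << 20)  # the first 1 MiB is enough for both checks
            reasons = suspicious_reasons(name, data)
            if reasons:
                findings[os.path.relpath(path, root)] = reasons
    return findings


def build_sample_and_scan() -> dict:
    """Create a constructed user folder with healthy and 'encrypted' files and scan it."""
    rng = random.Random(1)
    cipher_like = bytes(rng.getrandbits(8) for _ in range(4096))  # stands in for encrypted data
    samples = {
        "notes.txt": b"Meeting notes: discuss the quarterly budget and the new hires. " * 60,
        "report.pdf": b"%PDF-1.4\n" + b"% constructed placeholder body\n" * 50,
        "photo.jpg": b"\xff\xd8\xff\xe0" + bytes(range(256)) * 4,
        "budget.xlsx": cipher_like,          # encrypted in place, name untouched
        "letter.txt": cipher_like,           # encrypted in place, name untouched
        "thesis.docx.locked": cipher_like,   # encrypted and an extension appended
        "a9f3c2b1e7d4.crypt": cipher_like,   # encrypted and the name obfuscated
    }
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return scan_directory(root)


if __name__ == "__main__":
    for path, reasons in sorted(build_sample_and_scan().items()):
        print(path, "->", "; ".join(reasons))
```

Entropy is deliberately applied only to plain-text formats: JPEG, MP3, DOCX and the like are compressed and already sit near 8 bits/byte when healthy, so for those the header check is the useful signal.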

Generally, ransomware targets Microsoft Windows computers; however, there have been recent incidents of ransomware infecting Mac OS X.

How Ransomware Gets on Your Computer

There are several ways, but most require user intervention: the user has to click a link to a malicious website, or download and run a file attachment or program. Most of the entry points for the recent rash of ransomware seem to be email attachments disguised as official documents, such as an invoice, a receipt, or a package tracking slip. The file may be a Microsoft Word or Excel document, an Adobe PDF, an executable program or a script. There are occasions, too, where the malware is introduced through a vulnerability (a security flaw) in an email client or web browser. In that scenario the message carries specially crafted content that exploits a bug in how the program processes it, so the attacker's instructions run and drop the payload onto the user's computer without the user knowingly launching anything. The user may also be directed to a malicious website that accomplishes the same end.
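Added example, not code from the original article: a small Python triage script that parses an email message and flags attachments with the characteristics described above. It checks for an executable extension, a document extension used to disguise one (Invoice.pdf.exe), a Windows executable header regardless of the file name, and an Office document that carries a VBA macro project. The message, its attachments, the extension lists and the flag wording are constructed for the example; a hit means "inspect before opening", not proof of malice, since legitimate macro-enabled documents exist.

```python
"""Triage email attachments for the traits ransomware droppers rely on.

Added example, not part of the original article. The message and its
attachments are constructed inline so the script runs offline.
"""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions Windows will execute directly when double-clicked (constructed list, not exhaustive).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse",
                         ".vbs", ".vbe", ".wsf", ".hta", ".ps1", ".lnk", ".jar"}
# Extensions a sender would use to make an attachment look like paperwork.
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".docm", ".xls", ".xlsx", ".xlsm", ".rtf", ".txt", ".zip"}


def has_vba_project(data: bytes) -> bool:
    """OOXML files (docx/docm/xlsm) are zip archives; macros live in a vbaProject.bin entry."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def attachment_findings(filename: str, data: bytes) -> list:
    """Return the reasons an attachment deserves a closer look (empty list means nothing found)."""
    reasons = []
    exts = ["." + part for part in filename.lower().split(".")[1:]]  # every extension, in order
    if exts and exts[-1] in EXECUTABLE_EXTENSIONS:
        reasons.append("executable extension " + exts[-1])
        if len(exts) > 1 and exts[-2] in DOCUMENT_EXTENSIONS:
            reasons.append("document extension used as disguise")
    if data.startswith(b"MZ"):  # DOS/PE header: a Windows executable whatever it is called
        reasons.append("Windows executable header (MZ) regardless of name")
    if data.startswith(b"PK\x03\x04") and has_vba_project(data):
        reasons.append("Office document contains a VBA macro project (vbaProject.bin)")
    return reasons


def triage(raw_message: bytes) -> dict:
    """Parse a raw RFC 5322 message and map each flagged attachment name to its reasons."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = {}
    for part in msg.iter_attachments():
        filename = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        reasons = attachment_findings(filename, data)
        if reasons:
            findings[filename] = reasons
    return findings


def constructed_macro_docm() -> bytes:
    """Build a minimal zip that mimics a macro-enabled Word file (placeholder contents)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 constructed placeholder")
    return buf.getvalue()


def constructed_message() -> bytes:
    """A constructed 'invoice' email with three attachments: two bad, one harmless."""
    msg = EmailMessage()
    msg["From"] = "billing@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Your invoice"
    msg.set_content("Please find your invoice attached.")
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application",
                       subtype="octet-stream", filename="Invoice_4471.pdf.exe")
    msg.add_attachment(constructed_macro_docm(), maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12", filename="Receipt.docm")
    msg.add_attachment(b"%PDF-1.4\n% constructed placeholder\n", maintype="application",
                       subtype="pdf", filename="tracking.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reasons in triage(constructed_message()).items():
        print(name, "->", "; ".join(reasons))
```

The MZ check is the one that survives renaming: a mail filter that only looks at the extension is defeated by "invoice.pdf" that is really a program, while the header check is defeated only if the attacker wraps the program in an archive or a document, which the macro check then partly covers.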

Most often the ransomware requires some user action to launch. The regular security updates and patches that Microsoft and Apple distribute, together with modern anti-virus software, make it harder to rely on an unpatched flaw, so the malware is instead delivered in a way that convinces the user to download and run the infection themselves. In most cases nothing stands between a computer user and a program they have chosen to run.

Other malware already running on the user's computer may also be co-opted into loading ransomware. The Poweliks virus appeared in mid-2014. When launched from an email attachment it contacted a command and control server for instructions, which were mostly lists of website addresses and advertisements to "click" on. The software ran in the background, unbeknownst to the user, and simulated clicks on advertisements tied to an advertising affiliate account held by the malware writers. The clicks generated revenue, but since the fraud would quickly be noticed and the accounts blocked, the writers needed as many unique computers clicking as possible in a short time, hence the virus. Poweliks was poorly written, however, and consumed so much of the computer's resources that the machine slowed to a crawl, which made it fairly easy to detect and ultimately remove. Adding insult to injury, one of the last commands Poweliks received was to download and install crypto-ransomware.

Peer-to-peer software such as BitTorrent can also pose a threat. Users may think they are downloading a desired piece of software but are in fact downloading a trojan with a crypto-ransomware payload.

There are numerous ways to pick up a ransomware infection, or any other malware, and most require some user interaction. Because of its illicit nature, quite a bit of malware is bundled with so-called "cracked" software: commercial software with its licensing checks disabled, license key generator programs, and pirated music or videos.

How to Avoid Becoming a Victim

Avoiding ransomware is no different than avoiding any malware.

  • It is critically important to ensure that your operating system is up-to-date and properly patched. The latest versions of Windows and OSX give the user little choice in this matter these days, but it is still important to check from time to time.
  • Anti-virus software is hit or miss, but it is still a very good idea to have modern, up-to-date antivirus running at all times. Malware authors write their code with anti-virus in mind and test it against protected systems, which is why they tend to rely on social engineering to trick the user into running the malware themselves.
  • Never open an attachment that you didn't expect. If in doubt, and you know the sender, contact them and ask if they actually sent it, but don't reply to the same email. The sender address may be forged, and if that person is unaware that their address has been used to send malware, a reply that quotes the original could carry the malware to them. Instead, call that person, or write a new email.
  • Malwarebytes is an excellent program with a free version, but the freeware isn’t nearly as robust – in fact, the free version is really only good for removal, not protection. Since there really isn’t anything else like it on the market, I will go ahead and recommend getting the subscription version. It is well worth the cost versus the heartache and pain and cost of malware removal – or worse, the loss of all of your personal files. Personally (at the time of this writing), I use the built-in Windows Defender anti-virus in conjunction with the latest, paid version of Malwarebytes. Coupled with caution, I have yet to get an infection on my personal computer.
  • Back up, back up, back up. As long as a computer is connected to the Internet, especially now that almost every connection is full-time broadband, it is vulnerable. The social engineering that accompanies the malware is getting better and better and harder to spot right off. Con artists are called "artists" for a very good reason. Keep backups of anything you cannot live without. Keep backups of everything; storage space is cheap. Keep multiple backups on external hard drives, thumb drives (that you remove after you've copied your files to them) and online cloud storage. A backup that stays connected is not a backup against ransomware: the malware will encrypt an attached external drive or a mapped network share along with everything else, and a cloud folder that syncs automatically will faithfully upload the encrypted copies, so disconnect drives after copying and prefer services that keep earlier versions. There are dozens of free cloud storage options, like Microsoft OneDrive, Google Drive, iCloud, Dropbox and so on. There are also some very good online solutions that come with software that runs on your computer and backs up all the important documents and media files, as well as settings, and they keep versions, so if you make a change to a document or delete one, you can easily get it back. Carbonite and CrashPlan are excellent options with reasonable fees.
  • Use a login password. A lot of people believe that since they're the only ones who use their computer, they don't need a login password. This is a false assumption. A login password secures your user account, and on most home computers that account is an administrator, meaning it has total access to the computer's file system. Ideally, you would have a password-protected administrator account and a separate password-protected standard account that you normally log into. However, because this is somewhat inconvenient (and a lot of sloppy programming makes certain software hard to run without administrator rights), most people simply keep using the administrator account that the operating system creates at first setup. OS X and Linux tend to aid the user in setting up a standard user account separate from the admin; Windows does not prompt you to. Be clear about what each control buys you: a standard account limits what malware can change system-wide, but ransomware running as you can still encrypt every file you have permission to write, which is why the backups above matter. The bottom line is this: use a password, and use a standard account for everyday work where you can.
  • Beware of strangers bearing gifts. A very common scam lately is a caller posing as Microsoft, your Internet service provider (ISP), or perhaps a government agency. They'll say something to the effect that they have detected a system problem, malware or some other attack on your computer and that, if you let them connect remotely, they will fix it for you. Once they are in, they'll pull up the normal system logs or the performance monitoring tools built into the operating system and "demonstrate" that there is a problem. It is perfectly normal for a well-running computer to log numerous harmless errors, but the scammer points to those as proof. From there they'll say that they can remove it, but it will cost you X amount of dollars. Meanwhile, while they were fiddling about with the demonstration, they were either setting the computer up to lock you out or installing malware to the same end. If you refuse to pay for their "services," they reboot your computer and you are locked out, with little chance of recovery, or at least not a cheap one: professional data recovery is quite expensive, and even a reasonable fee for a service technician is a couple hundred dollars.
  • To add to the previous point – legitimate software companies, ISPs or the government will NEVER call you directly to tell you there’s something wrong with your computer. Even legitimate remote technical support companies will NEVER call customers unsolicited. Anyone who calls you out of the blue to offer remote tech support is a liar and scam artist. No exceptions.
  • Never let your kids have an administrator account. Kids like to experiment and try new things – and play games. Children often get duped into downloading and installing some “cool new game” or some cheat or hack for a game they like to play – but it is, instead, malware. Unless your child has extensive experience in malware removal, keep it simple and make sure they have standard user accounts.
  • Watch out for signs of malware. Computer running abnormally slow, browser homepage changes to an unfamiliar search engine, advertisements popping up in odd places on web sites, browser redirected to a page other than what you typed into the address bar, pop-up warnings on the desktop – these are all common signs of malware. It is often best to have a professional look at it. Your local computer store can usually perform this service for $300 or less. There are also subscription services that provide remote technical support – the large office supply chains usually have some very good deals on these services.
  • Did I mention keep backups?
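Added example, not the author's own tooling: a Python sketch of the versioned, verifiable backup the list recommends. Each snapshot is a dated copy of the documents folder with a SHA-256 manifest written beside it. Verifying a snapshot re-hashes the copy, so a backup drive that was left attached and encrypted by ransomware shows up as changed rather than silently becoming the only copy, and restoring pulls a file from the snapshot taken before the infection. The folder names, dates and file contents are constructed for the demo; the "ransomware" step is simply overwriting a file with junk bytes.

```python
"""Versioned backup snapshots with a hash manifest and a restore test.

Added example, not part of the original article. Paths, dates and
contents are constructed; the whole demo runs inside a temporary folder.
"""
import hashlib
import json
import os
import shutil
import tempfile


def sha256_file(path: str) -> str:
    """Hash a file in chunks so large media files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def take_snapshot(source: str, backup_root: str, label: str) -> dict:
    """Copy source into backup_root/label and record a manifest of SHA-256 digests beside it."""
    dest = os.path.join(backup_root, label)
    shutil.copytree(source, dest)  # a new dated folder per run: earlier versions are never overwritten
    manifest = {}
    for dirpath, _, files in os.walk(dest):
        for name in files:
            path = os.path.join(dirpath, name)
            manifest[os.path.relpath(path, dest)] = sha256_file(path)
    with open(os.path.join(backup_root, label + ".manifest.json"), "w") as fh:
        json.dump(manifest, fh, indent=2, sort_keys=True)
    return manifest


def verify_snapshot(backup_root: str, label: str) -> list:
    """Re-hash a snapshot and list files that are missing or no longer match the manifest."""
    dest = os.path.join(backup_root, label)
    with open(os.path.join(backup_root, label + ".manifest.json")) as fh:
        manifest = json.load(fh)
    problems = []
    for rel, digest in manifest.items():
        path = os.path.join(dest, rel)
        if not os.path.exists(path):
            problems.append(rel + ": missing")
        elif sha256_file(path) != digest:
            problems.append(rel + ": content changed")
    return problems


def restore_file(backup_root: str, label: str, rel: str, target: str) -> None:
    """Copy one file out of a chosen snapshot back over the live copy."""
    shutil.copy2(os.path.join(backup_root, label, rel), target)


def run_demo() -> dict:
    """Constructed walk-through: clean snapshot, ransomware pass, tampered backup, restore."""
    with tempfile.TemporaryDirectory() as work:
        source = os.path.join(work, "Documents")
        backups = os.path.join(work, "backups")
        os.makedirs(source)
        os.makedirs(backups)
        thesis = os.path.join(source, "thesis.txt")
        with open(thesis, "w") as fh:
            fh.write("Chapter 1: original text\n")
        with open(os.path.join(source, "budget.csv"), "w") as fh:
            fh.write("item,cost\nlaptop,900\n")

        take_snapshot(source, backups, "2016-01-01")  # clean, versioned copy

        # Simulated ransomware pass over the live documents folder.
        with open(thesis, "wb") as fh:
            fh.write(b"\x8f\x1c\x3a\x77 constructed cipher text \x00\x91")
        take_snapshot(source, backups, "2016-01-02")  # the damage is backed up too, as a new version

        clean_check = verify_snapshot(backups, "2016-01-01")  # the earlier version is untouched

        # A backup drive left attached gets encrypted as well; simulate that on the old snapshot.
        with open(os.path.join(backups, "2016-01-01", "budget.csv"), "wb") as fh:
            fh.write(b"\x55\xaa constructed cipher text")
        tampered_check = verify_snapshot(backups, "2016-01-01")  # manifest catches the change

        # Roll the thesis back from the snapshot taken before the infection.
        restore_file(backups, "2016-01-01", "thesis.txt", thesis)
        with open(thesis) as fh:
            restored = fh.read()
        return {"clean_check": clean_check, "tampered_check": tampered_check, "restored": restored}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, "->", value)
```

The manifest is only trustworthy if the malware cannot rewrite it too, which is the practical argument for the thumb drive you unplug or the cloud service that keeps versions on its own side: the copy and its digests must live somewhere the infected machine can no longer write.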

We will be posting more information and reviews of the software mentioned in this article and others, as well.

About John Boatner
John is currently a technical lead for a major remote technical support company and has over 30 years of experience working with personal computers, servers and networks. John also blogs on his personal, socio-political website https://johnboatner.com
