MTE Explains: Ransomware and Its Comeback

In the late 90s there was a time when you would probably be met with that one download that completely ruined your computer and forced you to reinstall your operating system. Some of these downloaded applications went as far as to lock you out of your computer partially or completely and ask you for a sum of money to restore everything to the way it was. Malware takes many different forms, but some argue that the worst kind is ransomware, an old method of extorting money from individuals, a method that started falling out of favor until recently. It has since made a comeback.


It’s in the name, really. Ransomware holds your computer hostage and asks for ransom money to give it back to you. It will lock you out of certain features that leave you, at best, with a computer that works halfway. At worst, you’ll end up with nothing more than a fancy brick on your desk until you’ve ponied up the cash. Some of the software rubs your nose in it further by pointing you to a “support forum” meant to help you make the payment. You can already see how this can become very annoying.

This all disappeared in the early 2000s, and we were hoping to never see it again. Unfortunately, hackers don’t share that sentiment. Ransomware has been making a comeback, and according to the BBC, it is a very profitable market. Unlike most viruses, which quietly turn your system into a drone for some hackers, ransomware has a strong financial incentive. Hackers are always tempted to branch out into a new market, and ransomware presents exactly that opportunity. I’d say that its return was inevitable.

To effectively infect someone’s computer with ransomware, it has to be executed. That means that the victim must purposely, voluntarily open it. Would you do that, knowing what awaits you? Of course not! This is why they lie. The key to spreading any kind of malware is deception. Ransomware can pose as any type of software. Back in the 90s it mostly took the form of a fake antivirus program. These days hackers have gotten more creative and bundled it into innocuous-looking software that appears to offer some utility. Among piracy circles, this kind of software is rampant.

Once the program has been executed on your computer, it will begin advertising a “solution” to the problems it’s causing. In the case of ransomware, the solution is a sum of money sent from PayPal or your credit card. More savvy individuals who are afraid of being robbed by giving away their financial information will opt to format their systems and start from scratch. That’s not always an option, however, since you may possess some very important files. In this case, my suggestion is to run a “LiveCD” distribution of Linux, and copy all of the data you need onto a USB drive or other supplementary hardware before formatting. At the end of the day, once you’re infected, you have very few options, and formatting might be the only way out.
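As an added illustration (not code from the article), here is a shell script for the LiveCD step above: it copies the user’s files to the rescue drive but leaves behind the Downloads folder, executables, scripts and macro-enabled Office documents, which several commenters below point out could carry the original infection onto the new system, and writes a list of what it skipped so the backup can be scanned afterwards. The SRC/DST paths and the extension list are assumptions.

```shell
#!/bin/sh
# Selective rescue copy from a mounted Windows user profile on a Linux LiveCD.
# Usage: rescue.sh /mnt/win/Users/<name> /media/usb/rescue   (assumed paths)
# Assumes file names contain no newlines (find | read splits on them).

# Extensions that can carry a payload the victim would re-run on a clean PC:
# executables, scripts, shortcuts, and macro-enabled Office formats.
SKIP_EXT='exe|msi|scr|com|bat|cmd|ps1|vbs|vbe|js|jse|wsf|hta|lnk|jar|dll|docm|xlsm|pptm|dotm|xltm|potm'

# should_skip REL_PATH -> exit status 0 if the file must not be copied.
should_skip() {
  rel="$1"
  case "$rel" in
    Downloads|Downloads/*) return 0 ;;   # where most infections land
  esac
  ext="${rel##*.}"
  if [ "$ext" = "$rel" ]; then return 1; fi   # no extension at all
  ext=$(printf '%s' "$ext" | tr 'A-Z' 'a-z')
  printf '%s' "$ext" | grep -Eqx "($SKIP_EXT)"
}

# rescue_copy SRC DST: copy everything not flagged; log the rest to DST/skipped.txt
rescue_copy() {
  src="$1"; dst="$2"
  mkdir -p "$dst"
  : > "$dst/skipped.txt"
  find "$src" -type f | while IFS= read -r f; do
    rel="${f#"$src"/}"
    if should_skip "$rel"; then
      printf '%s\n' "$rel" >> "$dst/skipped.txt"
    else
      mkdir -p "$dst/$(dirname "$rel")"
      cp -p -- "$f" "$dst/$rel"
    fi
  done
}

if [ "$#" -eq 2 ]; then rescue_copy "$1" "$2"; fi
```

After the copy, scan the rescue drive with an up-to-date antivirus LiveCD before attaching it to the rebuilt machine.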

It’s safe to assume that this kind of malware is something you personally would want to avoid like the plague. On that note, I have one central piece of advice: Scrutinize everything. Ransomware is often spread through messaging attachments, “direct” download links for “free” copyrighted software, and a plethora of other web links. Although they are not often sent via email, you should be suspicious of unwarranted emails (even from people you know) containing attachments. As long as you do that, you are 99.999999% safe. Ransomware preys on the unaware. Just keep your eyes peeled and be as prudent and suspicious as possible when encountering unknown or non-trustworthy sites (if you can’t avoid them altogether).

Do you have any interesting ransomware stories? Share them in a comment!

15 comments

  1. “run a “LiveCD” distribution of Linux, and copy all of the data you need onto a USB drive ”
    Unless you know the exact location of the ransomware-infected file, isn’t there a strong possibility of copying the infection too?

    Is ransomware a Windows-only problem or are other O/Ss (Linux, BSD, OS/X) in danger also?

    • These (most) infections are Windows specific. Also, it is highly unlikely that the infection itself resides in your home folder, but it would be advisable to leave all the Downloads behind and not copy that folder at all. Of course the best practice would be to leave any installers or executable files behind, along with unknown or suspicious looking MS Office documents, as these can use malicious macros. To make sure the infection did not make it to your USB, after copying your files, it would be a matter of scanning the backup with an up-to-date antivirus tool, probably even a LiveCD (there are plenty of those available).

    • If it’s an executable file, it’s probably hidden somewhere in the Windows directory. So copying your files in your c:\users\username directory is probably pretty safe. The malware has to be executed on the new PC to infect it, so there’s a good chance your files would be safe.

      That is, unless the malware encrypts your files and demands money for the key. In that case, you’re el-screwed-o!

      • Not necessarily. Malware does not always spread “secretly” (in fact it almost never does). Executable files need to get past Windows UAC, so malicious files often disguise themselves as genuine installers, or genuine installers could be infected with malicious code. MS Office VB macros can also access Windows COM, so letting your spreadsheets (or other document files) execute macros could also lead to an infection.

        True, after an infection the working malware lives in the system directories, but copying over all your files, even just from the user folder, can mean that you carry the file, from which the infection originated, over to your new system. This in turn could lead to running the infected .exe file again, which would result in a new infection. If this sounds like how viral diseases work, it might be a clue why it was originally named a “computer virus”. ;)

        Anyway, most infections originate from the internet, so the first place to abandon would be the Downloads folder, especially the executable and macro-enabled files in it. All the rest of the copied files should be scanned, just in case, because you never know where the originating file resided. Safety means active precautions, and never assumptions. In Windows, safety is mostly an illusion, but one can lower the risks by not taking any chances.

        • I was referring to an already infected computer. Most malware does bury itself once it’s installed so it’s hard to remove. If most malware infections stayed in the user’s home folder it would be easy to clean; it adds multiple entries in the registry (Windows directory) and runs using rundll, svchost, etc in many cases, making it even harder to tell which is a legit running program and which is an infection. This isn’t true with all malware but it’s a common practice.

          True, macros in spreadsheets can infect computers, but that kind of malware is much more rare these days. One, later Office versions disable macros by default, and two, a lot of people are aware of that. This isn’t 2002 anymore.

          Most malware installers (like the ones you describe) often come from faux installers for something that looks more attractive. And you’re right, the downloads folder does appear in the user’s folder so it should be avoided. I meant the user’s Documents folder which is (usually) separate from the downloads folder. I should have been more specific; my bad.

          The idea that “safety is an illusion in Windows” is a myth. Many of the mass infections now are happening on servers. Last year we had Ghost, Heartbleed, etc., which affect Linux servers. The “I love you” or “Melissa” type infections don’t happen nearly as much as in the past. Again, it’s not 2002 anymore; the average user has caught on.

          In 2013 South Korean banks got hit with a MASSIVE outbreak; the banks’ Windows servers AND Linux servers were completely hijacked. Even ATMs were brought down.

          • *sigh*… OK, let’s break this down.

            OK, before we go into it, I need to disclaim this: I know of Windows. Being 5 times Microsoft certified takes care of this (MCTS and MCITP exams). I also know of Linux, 10 years of professional experience takes care of that. I have some experience in security and development and testing, a former IT management career has taken care of that.

            In short: I have managed both Windows and Linux (and other UNIX) servers in a massive corporate environment, I’ve overseen library development, have seen many user PCs that were in an “ugly” state, and just have a professional opinion about the effectiveness of both operating systems in question. I now write short informational pieces for this very website…

            That said, this discussion has nothing to do with Linux. Windows is not secure on its own, and that is a fact. Its main vulnerability is not poor code, but poor user practices, e.g. assuming something is safe, instead of taking precautions. Just like what you have originally suggested in the first comment, that “you can just go ahead and copy”. No. You can never just go ahead and copy, not if you want to stay safe. You should always check first.

            Now, point to point:

            “If most malware infections stayed…” – Nobody talked about this, you just need to read my comment more carefully.

            “later Office versions disable macros by default, and two, a lot of people are aware of that. ” – Yes, it is disabled, but what stops people from enabling them? Especially users that rely on macros heavily? The second part is… well just because you are aware of that, does not mean everyone else is. Assuming what people know or think leads to bad design and UX choices, AND worse security practices… whether it’s 2002 or not… Safety comes from precautions not from assumptions.

            “Most malware installers (like the ones you describe) often come from faux installers” – Yes, I already said that, needless to repeat it. But I must add: Nothing stops a user from copying an installer from the Downloads folder, or even downloading a file to e.g. the Desktop or elsewhere. Even into the Documents. Just because it is called Documents, you can put anything there, and believe me people do. People do the weirdest things with their computers…

            The ONLY safe practice is precaution and scan for extra security. Again assuming, that it’s just safe to proceed, because it usually should be, leaves the door open for something to slip. If you copy over the cause of infection, your work is undone. It does not cost money and takes very little extra time to stay REALLY safe…

            “The idea that “safety is an illusion in Windows” is a myth.” – No, it is not. Windows is known to be vulnerable, always has been, always will be. Regardless of how much you like/dislike a system, it will have its features and limitations. Windows, by design, has never been strong on the security front. If you want something secure you go for BSD…

            The infections you mention that affected Linux servers are not malware. They are exploited bugs, caused by poor code design implementation and the aforementioned bad security practices. (You know, when a developer takes it light-heartedly it is even worse than if the end user does it.)

            BUT: While I’m not saying Linux is 100% safe, as nothing is, you should compare the number of known viruses, malware and spyware on the two systems. Windows will win by 99% to 1% (by virtue of who has more). We are not talking servers, but personal computers. And one important thing is: We are not talking about the safety of Linux here, but the security problem of Windows. One has nothing to do with the other.

            Yet again, you mention the “user has caught on”. And what if she didn’t? Whether it is 2002 or 2020 there are and always will be users who just do not pay attention. Again, we cannot just assume what other people know or think!

            The example of South Korean banks is interesting, but brings nothing to the conversation. The average user does not run bank servers and few people have ATMs at home. Just sayin’…

          • Oh, and by the way, the encryption problem is a valid point. Another good reason to use *nix type systems: it is not easy to gain such system level access on those. Windows, on the other hand, makes this a breeze. The best way to stay safe is to unplug your Windows machine and throw it out the Window(s). :P

            (Or just run Windows in a sandboxed virtual machine on a UNIX host, if you absolutely MUST have it)

          • Dang, dude, you really need to shorten your posts. I just got bored and stopped reading. It would also help if you stop acting self-righteous, too.

            If you think you’re the only one with experience and qualifications then you’re as inexperienced as you are rude. I’ve been using computers since before you were born.

            It’s funny you mention about the topic while you go GROSSLY off topic. My main point was that a LiveCD won’t help you if the files are encrypted. You’re the one who went on an irrational rant about Windows. Stay focused. As a suggestion, cut back on the caffeine.

            Until you can learn some manors, I’m not replying anymore. You may know a lot about systems (though you’re not the only one) but you sure know very little about courtesy. People like you drive people away from Linux and Unix. Microsoft thanks you.

          • I’m deeply hurt now. :) You have not read my first comment either I’m afraid. :D With your one valid point I agree (encryption).

          • BTW if someone points out that you are wrong, it is not self-righteousness. :) My qualifications were mentioned because, for someone who has been using computers since before a time he knows little about (my birth date), you seem to have little hands-on experience, judged by the misconceptions in your answers. That does not make you a bad person or me rude. It means you are wrong. It happens. Get over it. Some people do and will know more about IT than you. It is my profession, it’s quite normal that I understand some things better. Nothing to do with my manners (I cannot afford to buy manors I’m afraid)

            BTW it’s funny you tell me to stay focused when a) you cannot stay focused long enough to read my reply, and b) you go off topic with Linux, and accuse me of going off topic. Nicely done. :)

  2. Some of these types of infection also encrypt your disk drives, in which case copying your data is impossible.

  3. One more thing, have a backup strategy. I do full backups of all my computers at least once a month. All important docs are on a trusted cloud site, i.e., gdrive, onedrive, etc. If I get hit with ransomware I just do a full restore to the last full backup for that machine. You can even include incremental backups to the mix if you make lots of changes to your computers.

  4. I back up all important files immediately after modification, then archive their folder with 7Z with AES-256 password encryption, then send them off to Dropbox. Of course, using Linux instead of Windoz greatly reduces my chances of getting ripped off.

  5. Unfortunately the “LiveCD” trick won’t always work. Ransomware will encrypt files on your hard drive and only by paying the money will you get the key. If this is the scenario you’re facing, using a LiveCD will only copy encrypted files off the hard drive to another PC. Without the key, you can’t decrypt the files.

    The best strategy is to have a valid, frequent backup and of course, avoid this type of malware.
