Ransomware: Paying for Your Own Files

We have discussed computer security on this page before. Making sure your IT systems—even if that translates into a humble desktop unit that dates to the Clinton Administration—are safe and secure is important for any business of any size. After all, any loss of data can easily have repercussions far larger than the loss itself. But what if something happens—some nasty bit of malware infects your computer—and instead of losing your data, you are forced to pay to be able to access it?

Yes, you read it right: What if your files were being held for ransom right on your own hard drive?

They call it ransomware, for obvious reasons. It works by hitching a ride on a Trojan horse virus or some other piece of malware your system isn’t ready for. Once there, instead of shutting you down or having all your personal information e-mailed to the hacker who sent the thing to you, it makes encrypted copies of your files and then erases the originals. Think of it like a safe: copies of your files are inside the safe, and to get to them you need a combination to open the lock. That combination is the encryption code, and if it is done right, you are not going to crack it.

Once your files are safely under lock and key, when you try to access one of them, a message pops up reading something like this:

Your files are now fully encrypted with the new and unbreakable RSA-1024 algorithm. To view and work with these files, you must purchase our decrypting tool, which is available for purchase at….

Sometimes you are told to pay directly for the decryption software, sometimes you have to make one or more purchases at certain other websites, but either way they want you to spend money to get access to your own files. It is one thing to accept the idea that your data was stolen. It is quite another to know that your files are still there, on your hard drive, in your computer, and that you cannot reach them. What do you do? You have two options:
1. Pay the hostage-taker (Yes, your data is being held hostage).
2. Get around the hostage-taker and rescue as much of the data as possible.

Millions for Defense, Not One Cent for Tribute
There are a number of problems associated with paying the ransom, not the least of which is the fact that the bad guy wins. That is unacceptable. Another problem is that once you pay, you risk sharing your financial information with a criminal who will continue to take as much as they can from you. Finally, this creep is a criminal, not a boy scout. What in the world makes you believe that paying the ransom will lead to getting your files back? He could just as easily take the money and run. Remember, the more contact he has with you, the greater his exposure to capture. Keeping an agreement with you to release your data isn’t going to be worth the risk that comes with it.

Working the Problem
Not paying the ransom and trying to break the encryption or work around it certainly feels better on a number of levels, but it does have its drawbacks as well. Early versions of ransomware used weak encryption, so their codes could be broken fairly easily. They had gaps in the programming that could be used as an opening to reverse engineer the malware and uncover the code. The latest version, which uses the RSA-1024 encryption algorithm, does away with these problems and is proving to be a very tough nut to crack. The other major issue is data loss or corruption. Whatever route you take to solve this problem puts your data at risk, but if you cannot crack the code that is a risk you will have to face.

The Nuclear Option
After trying everything else you may find that you have no choice but to reformat your hard drive and start fresh from your computer’s original, out-of-the-box configuration. Considered a kind of “nuclear option,” doing this would wipe out the malware and its nasty encryption, but it would also wipe out everything else, including all the software you have installed since getting the machine and any other files that were not affected. There are, however, less destructive ways to proceed.

Try to Find the Code
While the very latest version of this malware hasn’t been hacked yet, that doesn’t mean that previous versions, which are still floating around out in cyberspace, haven’t had their codes revealed. So, the first logical step is to get on the Internet and see what you can find. Start by googling the name of the virus and see what comes up. For example, enter the name Trojan.Archiveus and see what comes up. The first listing on the search results is Symantec’s page, which includes the codes you will need to release the affected files as well as instructions on removal. If you can’t find what you need online, there are other alternatives.

Restore from a Clean Back-up
Depending on how long ago you backed up your files, this could be a minimally invasive fix with most files being restored properly, or it could be nearly as destructive as a reformatting. If the back-up itself is clean, however, you will certainly get rid of the malware and the encryption problem. On the other hand, you will be restoring the configuration that was vulnerable to the viral attack in the first place, so make sure your antivirus software and firewall are up-to-date and that you and your employees are practicing “safe surfing” when out on the Internet.

Data Recovery
The funny thing about Windows is that when you delete something, it is never really gone. What gets deleted is the tag used by the system to identify it. It isn’t so much that it’s gone as that Windows just can’t see it. As long as you don’t reformat your hard drive, such deleted information should still be there. Now, doing this yourself can be tricky, and having a professional do it can be expensive, but depending on the value of the files it might be worth the expense. Just remember that data recovery is not perfect and some file corruption may take place. Also, if you don’t get rid of the virus before you recover the files, you risk reinfecting them.
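A toy model of the point above, added here as an illustration and not taken from the original post: a delete removes only the directory entry (the “tag”), a carving pass over the raw bytes still finds the deleted file, and the data is lost only once the freed space is written over. The disk layout, the `MAGIC`/`END` markers and the sample files are all constructed for this example, not a real filesystem format.

```python
# Constructed toy disk: a directory of name -> (offset, length) in front of the
# raw bytes. Not a real filesystem; MAGIC and END are assumed markers.
MAGIC = b"DOC\x00"   # file-type header that a carving tool scans for
END = b"\x00EOD"     # end-of-record marker

def build_image(files):
    """Return (directory, disk); directory maps name -> (offset, length)."""
    disk, directory = bytearray(), {}
    for name, body in files.items():
        record = MAGIC + body + END
        directory[name] = (len(disk), len(record))
        disk += record
    return directory, disk

def read_file(directory, disk, name):
    """Normal access goes through the directory entry, the tag Windows uses."""
    offset, length = directory[name]
    return bytes(disk[offset + len(MAGIC):offset + length - len(END)])

def delete_file(directory, name):
    """An OS-style delete: drop the entry, leave the bytes untouched."""
    del directory[name]

def carve(disk):
    """Ignore the directory and scan raw bytes for MAGIC..END records."""
    recovered, pos = [], 0
    while (start := disk.find(MAGIC, pos)) != -1:
        end = disk.find(END, start)
        if end == -1:
            break
        recovered.append(bytes(disk[start + len(MAGIC):end]))
        pos = end + len(END)
    return recovered

def write_new_file(directory, disk, name, body):
    """Reuse freed space: the record lands in the first gap no entry claims."""
    record, offset = MAGIC + body + END, 0
    for start, length in sorted(directory.values()):
        if start - offset >= len(record):
            break
        offset = start + length
    disk[offset:offset + len(record)] = record
    directory[name] = (offset, len(record))

def demo():
    directory, disk = build_image({"a.txt": b"hello world", "b.txt": b"quarterly numbers"})
    delete_file(directory, "a.txt")
    before = carve(disk)                                 # a.txt's body still there
    write_new_file(directory, disk, "c.txt", b"hi")      # free space gets reused
    return before, carve(disk)                           # ... and a.txt is gone
```

The second carve in `demo()` no longer returns the deleted file, which is why recovery has to happen before anything else is written to the drive.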

Protect Yourself
However, as mentioned in previous posts, if you have gotten to the point where your systems are so infected, then you have not been running a tight enough operation. Take a few moments to look at your IT protection efforts—a good, hard look—and learn from what you find. There are two components to any effective IT security strategy. Unless they are both fully engaged, then you are not secure, period. These components are technological and human.

Bear in mind that antiviral software works by playing catch-up to the viruses. In other words, a new virus comes out, it is identified, analyzed, a solution is found and it is added to the list on the next update. That is a little like closing the barn door after the horse has bolted. It does nothing for the most recent viral attacks, but it will keep previously known viruses from infecting your machine. That said, keep your firewall, your anti-virus, anti-spyware, anti-adware, anti-this, anti-that, anti-everything software fully up-to-date and functioning so that you can have what protection it offers. For the cutting edge threats, however, you should try something called whitelisting.

Making the List. Anti-virus software, child protection software, anti-spam utilities, anti-spyware software and the like all function by a principle called blacklisting. When something is blacklisted, it is placed on an exclusionary list and when something tries to do something, it is checked against the blacklist. If it is on the list, whatever it is trying to do is forbidden in some way. Spam, for example, is removed from the rest of the e-mail and placed in a special folder. Whitelisting works in exactly the opposite way: Only applications that appear on the whitelist are permitted. If it isn’t on the list, it doesn’t get to do anything. The great thing about this is that it not only works with programs, it also works with devices.

That means a file piggy-backed to an email or smuggled in on a downloaded image from a website will be prevented from running since it is not on the whitelist. It also means that the sales manager’s teenage son can’t install something he downloaded onto his mother’s computer or plug an unauthorized peripheral device into the machine. This enhanced end-point security and IT policy enforcement are two additional reasons why whitelisting technology is something to consider.
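The blacklist-versus-whitelist difference described above, as an added example that is not part of the original post: the same set of programs is checked both ways, and the sample that has not yet made it into anyone’s signature list passes the blacklist but is stopped by the default-deny whitelist. The program contents, their hashes, and the device vendor/product IDs are all constructed for this example.

```python
import hashlib

# Constructed sample programs and devices; the hashes come from these bytes
# and the IDs are made up, so none of them is a real indicator.
PROGRAMS = {
    "payroll.exe": b"approved line-of-business application v3",
    "screensaver.exe": b"cool new screensaver grabbed from a website",
    "known-trojan.exe": b"sample that the antivirus vendor has already analysed",
    "brand-new.exe": b"variant released this morning, in nobody's list yet",
}
DEVICES = {  # (vendor id, product id) pairs, constructed
    "company badge reader": ("0c0d", "0101"),
    "unknown thumb drive": ("abcd", "ef01"),
}

def sha256(data):
    return hashlib.sha256(data).hexdigest()

# Blacklist: what the antivirus update has learned so far.
BLOCKED_HASHES = {sha256(PROGRAMS["known-trojan.exe"])}
# Whitelist: what the business has explicitly approved.
APPROVED_HASHES = {sha256(PROGRAMS["payroll.exe"])}
APPROVED_DEVICES = {DEVICES["company badge reader"]}

def blacklist_verdict(content):
    """Allow unless the hash is known bad (default allow)."""
    return "deny" if sha256(content) in BLOCKED_HASHES else "allow"

def whitelist_verdict(content):
    """Deny unless the hash is explicitly approved (default deny)."""
    return "allow" if sha256(content) in APPROVED_HASHES else "deny"

def device_verdict(vid_pid):
    """Same default-deny rule applied to a plugged-in device."""
    return "allow" if vid_pid in APPROVED_DEVICES else "deny"

def compare_programs():
    """name -> (blacklist verdict, whitelist verdict) for every sample."""
    return {n: (blacklist_verdict(c), whitelist_verdict(c)) for n, c in PROGRAMS.items()}
```

Note that the whitelist also denies the screensaver that nobody has approved, which is the point, but it means the approved list has to be maintained as legitimate software changes.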

The Human Factor
People are the weakest link in any security-related situation. You may have totally honest people working for you. In fact they may—each and every one of them—be shining paragons of light and virtue. Unfortunately, honesty and Galahad-like virtue do not translate into responsibility, much less intelligence. Even the best people do foolish and irresponsible things.

From an IT security point of view, these foolish and irresponsible things are usually done in complete innocence. They include downloading unapproved software, like a cool new screensaver, or installing software from a disc; plugging strange devices, such as a USB thumb drive, into their computer, just to see what it is; and other, similar activities.

Another innocent source of trouble is found when employees take their laptops out and access the Internet from the wireless networks available in airport lounges or coffee shops like Starbucks. Places like this open the user to a variety of attacks, most of which are very hard for the user to even detect.

By employing a whitelist solution that covers both hardware and software, you mitigate problems caused by well-meaning but irresponsible employee activities. To learn more about this kind of security, visit http://www.lumension.com.

The Bottom Line
Viruses in general are annoying. They waste time and money, they spy on your activities, steal your personal information, and depending on the systems that are affected or the information taken, they can do a great deal of damage. We understand these things and accept them as part of the risk we run when we connect to the Internet. Ransomware, on the other hand, is something else, something purely infuriating. It isn’t simply anonymous theft. You don’t get mad for a while and then pick up the phone and start canceling your credit cards and taking other steps to mitigate the damage. There is no damage done, yet. In fact, any real damage is damage that the creator of that evil piece of code, now that he has you trapped, is forcing you to do to yourself. Think of the movie Saw, but on your computer, with your credit card instead of a hacksaw; the principle is essentially the same. The crime here is something we associate with gangsters—simple extortion—and that makes it personal. The question I have is whether law enforcement will see it and treat it that way or will they treat it like any other virus? We will see.