As one of the most damaging types of malware, ransomware caused over $115 billion in damage in 2019. For businesses and individuals alike, a ransomware infection can mean losing irreplaceable files and spending weeks recovering computers.
In this article, we’ll explore the definition of ransomware, how it works, and how to get it off of your computer.
What is ransomware?
Like adware and spyware, ransomware is a type of malware. Unlike some other kinds of malware, ransomware has a very specific definition: it’s malicious software that encrypts the victim’s files and demands a ransom to decrypt them. Generally, the ransomware author requests their ransom in Bitcoin or another hard-to-trace cryptocurrency.
While most types of ransomware only encrypt a user’s files, others threaten to publish them as well. Because of this, ransomware can be hugely damaging to an organization, both in terms of finances and reputation.
How ransomware works
In a nutshell, ransomware abuses encryption, a technology for scrambling data, to prevent victims from accessing their data unless they pay up. After a victim unwittingly installs it, the ransomware follows a few general steps:
- In the background, the ransomware program encrypts (or scrambles) the user’s files one by one, deleting the originals.
- The ransomware displays the ransom message, either by changing the desktop background or by opening a custom application in full screen.
- In the ransom note, the user is given an ultimatum: either they pay up and have their files restored, or the attacker throws away the encryption key and the files are lost forever.
- On the same page as the ransom note, the program displays a Bitcoin (or other cryptocurrency) address. Once the user buys the required amount of Bitcoin and sends it to that address, the user is given a file or password.
- The user inputs the unlock key into some part of the ransomware program. Theoretically, the unlocker decrypts the user’s files and deletes itself afterwards. However, this doesn’t always happen: sometimes the criminal just takes the victim’s money and does nothing.
Encryption is the same technology used to make online banking secure. It also secures your web browsing, instant messages, and emails (between major providers). However, hackers can also use encryption to lock their victims out of their own data.
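The encrypt-in-place behaviour described above (plain documents rewritten one by one as random-looking data) is something a defender can watch for. The following is an added example, not code from the original article: it scores each write by byte entropy and flags a burst of high-entropy rewrites. The events, window and thresholds are constructed assumptions.

```python
import hashlib
import math
from collections import deque

# Constructed sample content. Plain text has low byte entropy; an encrypted
# rewrite looks like random bytes (close to 8 bits per byte). The "random"
# bytes are built from hashes so the example is deterministic.
TEXT = b"Quarterly report: revenue up 4% on the previous quarter.\n" * 20
RANDOMISH = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(32))

# Constructed write events: (timestamp in seconds, path, new file contents).
SAMPLE_EVENTS = [
    (0, "docs/report.docx", TEXT),            # a normal save
    (1, "docs/report.docx.locked", RANDOMISH),  # rewritten as ciphertext
    (2, "docs/budget.xlsx.locked", RANDOMISH),
    (3, "photos/trip.jpg.locked", RANDOMISH),
    (120, "notes/todo.txt", TEXT),            # normal activity later
]


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for a uniform or empty buffer, 8.0 at most."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def detect_mass_encryption(events, window_seconds=10, threshold=3, min_entropy=7.0):
    """Return the set of paths involved in a burst of high-entropy rewrites.

    Assumption (a tunable heuristic, not a universal rule): at least `threshold`
    high-entropy writes within `window_seconds` is suspicious. Compressed media
    such as JPEG is naturally high-entropy, so the burst condition matters;
    in practice this is combined with other signals like extension changes.
    """
    recent = deque()
    flagged = set()
    for ts, path, data in sorted(events, key=lambda e: e[0]):
        if shannon_entropy(data) < min_entropy:
            continue
        recent.append((ts, path))
        while recent and ts - recent[0][0] > window_seconds:
            recent.popleft()
        if len(recent) >= threshold:
            flagged.update(p for _, p in recent)
    return flagged
```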
How does ransomware spread?
Different strains of ransomware spread differently, but most arrive via infected downloads or email attachments. So-called document-based malware, where malicious Microsoft Office files house hidden malware, is becoming increasingly prevalent. All it takes is one click to enable macros (or, if the attacker exploits a security bug, no click at all) and your data is held for ransom.
Some ransomware spreads like a worm once it gets inside a network. In other words, it uses security vulnerabilities in software on the network to spread from computer to computer. Hackers often target vulnerabilities in file-sharing and remote desktop protocols.
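Because macro-carrying Office documents are the delivery vector described above, a mail gateway or download scanner can at least tell which attachments are able to carry VBA code before a user ever sees an "enable macros" prompt. This is an added example, not code from the original article: a classifier for Office Open XML attachments that looks for the `vbaProject.bin` part, plus a constructed minimal document used only to exercise it.

```python
import io
import zipfile

# Legacy binary .doc/.xls/.ppt files are OLE compound documents with this magic.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def office_macro_status(blob: bytes) -> str:
    """Classify an attachment by whether it can carry VBA macros.

    Returns one of: "macro-enabled", "no-macros", "legacy-binary", "not-office".
    Modern Office files are zip containers; Word, Excel and PowerPoint store
    macros in a vbaProject.bin part and declare a macroEnabled content type.
    """
    if blob.startswith(OLE_MAGIC):
        # Old binary format: macros may be present, but an OLE parser is needed.
        return "legacy-binary"
    if not blob.startswith(b"PK"):
        return "not-office"
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            names = zf.namelist()
            types = ""
            if "[Content_Types].xml" in names:
                types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
    except zipfile.BadZipFile:
        return "not-office"
    has_vba_part = any(n.lower().endswith("vbaproject.bin") for n in names)
    if has_vba_part or "macroEnabled" in types:
        return "macro-enabled"
    return "no-macros"


def build_sample(with_macros: bool) -> bytes:
    """Constructed minimal OOXML-style zip for testing; not a real Word file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        content_types = (
            '<Types><Override PartName="/word/document.xml" '
            'ContentType="application/vnd.openxmlformats-officedocument.'
            'wordprocessingml.document.main+xml"/></Types>'
        )
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            # Placeholder bytes standing in for a compiled VBA project.
            zf.writestr("word/vbaProject.bin", b"\x00constructed placeholder\x00")
    return buf.getvalue()
```

A gateway policy built on this would quarantine or strip "macro-enabled" and "legacy-binary" attachments from unknown senders rather than relying on the user to decline the macro prompt.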
How to prevent ransomware
Most types of ransomware require some kind of user error to trigger. On occasion, ransomware will use security vulnerabilities in software or remote access protocols to spread.
Generally, preventing ransomware attacks is similar to preventing other kinds of attacks. Here are some more specific recommendations:
- Avoid opening downloads from untrusted sites.
- Be careful with emails—don’t open attachments or links from untrustworthy or unknown senders.
- Keep your operating system and software up to date. Make sure that your web browser, antivirus, and other security-critical software gets frequent updates. This can help to avoid ransomware that exploits security vulnerabilities.
- Use background scanning mode in your antivirus software to make sure that every download is scanned for malware. Since you can’t effectively remove ransomware after it gets installed without wiping your computer, occasional scans won’t work.
Other general security measures might keep ransomware at bay, but the user is the most important element of the security system. By being careful and skeptical of websites, emails, and other information on your computer, you can avoid ransomware.
How to remove ransomware
Since your files are completely encrypted, it’s impossible to remove ransomware without totally wiping and reinstalling your computer. You won’t be able to get back your files without having a backup from before the ransomware was installed.
Here’s how to wipe and restore your computer:
- On a clean computer, make a bootable recovery drive specific to your operating system. You won’t need to use a second computer if you use a Mac.
- Reboot your computer from the external or internal recovery drive. Follow the on-screen instructions to wipe your hard drive and reinstall the operating system.
- Reboot your computer when prompted and remove the recovery drive. On a Mac, don’t hold down any keys.
- Set up your computer like new. After you finish setting it up, move your files from your backup onto your computer.
- Avoid doing the same thing that caused the ransomware to get installed in the first place. If you weren’t following good security practices before, take the time to reevaluate your choices and be more careful next time.
If you don’t have a backup of your files, you might be out of luck. In the final section of this article, we briefly discuss why you shouldn’t pay the ransom. There’s no guarantee that the criminal won’t simply take your money without restoring access to your files. On the other hand, if you’re fine losing your files, just wipe your computer completely and don’t restore any backups.
In recent years, ransomware attacks have regularly made the news. From the famous WannaCry attack that hit hundreds of major organizations to the Petya and NotPetya variants, ransomware has been a hot topic for a few years.
Here is a summary of the most significant ransomware variants:
- WannaCry was the most well-known ransomware attack. By exploiting the EternalBlue security vulnerability in Microsoft Windows, it spread across the globe at an unprecedented speed. According to some estimates, the losses from this attack could top four billion dollars.
- SamSam attacked critical infrastructure using stolen Microsoft Remote Desktop credentials. Unlike many other kinds of ransomware, victims of SamSam did not necessarily commit any kind of error on their own.
- Locky arrived on victims’ computers through a fake Microsoft Word invoice that contained malware. The document appeared to be invalid and tricked the user into enabling macros to “re-encode” the document. After enabling Word macros, the victim’s computer would be locked with ransomware.
- Petya and NotPetya are variants of a similar ransomware program that overwrote critical boot sectors on its victims’ computers. Compared to other types of ransomware, Petya uses a lower-level, more thorough technique that renders victim systems completely inoperable.
- Ryuk attacked enterprise systems in late 2018, more recently than many of these other ransomware examples. It uses fileless malware (including PowerShell scripting) to spread across corporate networks, quickly encrypting as many computers as it can.
Should I pay if I get hit by ransomware?
If at all possible, do not pay the ransom. By paying the ransom, you’re encouraging the ransomware authors to continue attacking other individuals and organizations. However, sometimes you can’t avoid paying the ransom because you don’t have backups and the value of your data exceeds the cost of the ransom.
Remember that the ransomware authors have no incentive to actually unlock your files if you pay the ransom. Although most of the time they do unlock victims’ files, there is no guarantee. When a Kansas hospital was hit with a ransomware attack, their data was not returned, even after paying the ransom.
Another reason to avoid giving in is the possibility that other malware was installed at the same time. Malware often comes in groups—even if you pay to remove the ransomware, your computer might still be infected with other, more subtle malware.
If you prepared well and you have backups, wipe every infected computer and restore from your backups. This way, you’ll still have your data and won’t encourage cybercrime in the future.