Ransomware returns for an encore
Certain attacks seem cyclical. Even when defeated for years, they’re too easy and tempting for cybercriminals to abandon forever. For example, in 2012, Sophos saw a resurgence in ransomware attacks that lock users out of their computers, and demand payment to restore access.
Ransomware is far from new. Way back in 1989, primitive ransomware was distributed on floppy disks by postal mail. Users were promised advanced software to advise them about HIV/AIDS, but instead found their hard drives scrambled. Users were told to pay $189 to an address in Panama via banker's draft, cashier's check, or international money order.
Today's ransomware arrives via more modern techniques, such as socially engineered email and poisoned webpages. One sort of ransomware merely freezes your PC and asks for money. This leaves your underlying files intact. Although an infection is disruptive, it can usually be repaired. The other sort of ransomware scrambles your files, so it is as catastrophic as losing your laptop altogether or suffering a complete disk failure.
As of this writing, the most widespread ransomware is of the first type. Reveton, for example, also known as Citadel or Troj/Ransom, hides the Windows desktop, locks you out of all programs, and displays a full-screen window with an FBI (or other national police) logo. You see an urgent claim that illegally downloaded copyrighted material has been found on your computer, and that you must pay a fine (typically $200) to restore access.
This attack can be defeated by rebooting to an antivirus tool that contains its own operating system, bypassing Windows (for example, Sophos Bootable Anti-Virus). Once this tool is running, users can scan their systems, remove the infection, and restore their systems.
Unfortunately, we’ve also seen growing numbers of infections that fully encrypt users’ hard drives using strong encryption, and securely forward the only key to the attackers. In July 2012, we saw a variant that threatened to contact police with a “special password” that would reveal child pornographic files on the victim’s computer.
In nearly every case, updated antivirus software can prevent ransomware from installing and running on your computer. But if you've left your computer unprotected and you get hit by encryption-based ransomware, it's probably too late. Some ransomware encryptions can be reversed (Sophos has free tools that may be able to help), but only if the criminals have made cryptographic mistakes. There may be no cure, so prevention is always better.
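The second kind of ransomware described above leaves behind files that no longer look like the documents they replaced. The following added example (not Sophos code, and not any tool mentioned in this report) shows a simple defender-side triage check a responder can run over a suspect directory: it flags files whose expected header is missing and files that should be plain text but have the near-uniform byte distribution of ciphertext. The sample files, the header table, the list of text extensions and the 7.5 bits/byte threshold are all constructed assumptions for illustration; compressed formats such as PNG or DOCX legitimately have high entropy, so for those only the header check is used.

```python
import hashlib
import math
import os
from collections import Counter

# Constructed expectations: magic bytes for a few container formats, and
# extensions whose contents should be low-entropy text. Both tables are
# assumptions for this example and would be extended in real use.
HEADERS = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".pdf": b"%PDF-",
    ".docx": b"PK\x03\x04",
    ".zip": b"PK\x03\x04",
}
TEXT_EXTS = {".txt", ".csv", ".log", ".md"}
ENTROPY_THRESHOLD = 7.5  # bits per byte; uniform random data approaches 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or constant data, ~8.0 for ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def suspicious_reasons(name: str, data: bytes) -> list:
    """Return the reasons a file looks scrambled; an empty list means no signal."""
    ext = os.path.splitext(name)[1].lower()
    reasons = []
    expected = HEADERS.get(ext)
    if expected is not None and not data.startswith(expected):
        reasons.append(f"header mismatch: expected {expected!r} for {ext}")
    # Entropy is only meaningful for files that are not already compressed.
    if expected is None:
        ent = shannon_entropy(data)
        if ent > ENTROPY_THRESHOLD:
            kind = "text file" if ext in TEXT_EXTS else f"unknown extension {ext!r}"
            reasons.append(f"high entropy {ent:.2f} bits/byte for {kind}")
    return reasons


def scan(files: dict) -> dict:
    """Map each file name to its list of suspicious reasons."""
    return {name: suspicious_reasons(name, data) for name, data in files.items()}


def keystream(n: int) -> bytes:
    """Deterministic pseudo-random bytes standing in for ciphertext (constructed, not a real cipher)."""
    out = b""
    i = 0
    while len(out) < n:
        out += hashlib.sha256(b"constructed-sample" + i.to_bytes(4, "big")).digest()
        i += 1
    return out[:n]


# Constructed sample "files" embedded inline so the example runs offline.
SAMPLES = {
    "notes.txt": b"Meeting notes: review backups, rotate credentials, patch servers.\n" * 30,
    "photo.png": HEADERS[".png"] + keystream(1024),   # valid header, compressed body: not flagged
    "photo.png.encrypted": keystream(2048),           # hypothetical ransomware output, new extension
    "invoice.pdf": keystream(512),                    # overwritten in place, header gone
}

if __name__ == "__main__":
    for name, reasons in scan(SAMPLES).items():
        status = "; ".join(reasons) if reasons else "ok"
        print(f"{name}: {status}")
```

Run on a real directory, the same two checks give a responder a quick list of candidates to compare against backups; they are heuristics for triage, not a substitute for the antivirus protection the report recommends.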