Ransomware is a type of malicious software, or malware, that blocks a user from accessing their files or operating system. This malware will either threaten to publish the victim’s data or perpetually block access to it through encryption. Encryption is a security mechanism that protects your computer files and information from being read or stolen by converting them into unreadable code that requires a password to unlock. It is essentially used to prevent unauthorized access to data. In this case, the benefit of encryption is turned against the victim of the crime: the computer and/or its files are locked and will not be unlocked unless a ransom is paid.
Apple has built-in anti-malware software called XProtect to protect Mac users from ransomware. However, a new version of ransomware that is unknown to the anti-malware community may not be picked up by XProtect, leaving a Mac user unprotected until more is known about that new version. All told, ransomware can also find its way onto Mac computers.
There are a few ways that ransomware can make its way onto your computer:
- Malicious spam: an email with questionable links or attachments is sent to a prospective victim. If clicked on, these attachments or links will place the ransomware on the computer in question with little to no further user interaction. Cybercriminals will pose as reputable organizations such as the FBI, Microsoft, or McAfee Antivirus (to name a few) in order to scare users into paying them a sum of money to unlock their files.
- Malicious advertising is another common method of distributing malware with little to no user interaction. While browsing the web, even on legitimate websites, a user can be redirected to a criminal website without clicking on an ad. Similarly, a pop-up can appear without the user clicking on an ad. If the user clicks on this compromised page, the malicious code placed on the page attacks the computer by downloading itself onto it. This is commonly known as a drive-by download.
There are different types of ransomware and, although they should all be taken seriously, they pose varying degrees of danger to a user:
Scareware is malicious software that typically comes in the form of pop-ups. They will appear as warnings coming from legitimate companies, claiming that the computer files have been infected, or that action must be taken immediately to keep the computer safe. They are very well crafted to look legitimate, and the user is supposed to be frightened into paying a fee for software to fix this “problem”. What the user ends up downloading is malware intended to steal information and, in many cases, ransomware.
A widespread form of scareware is a pop-up that claims to be from Microsoft Support and prompts you to call a fake support line to resolve a supposed theft of your computer’s data.
Another way that scareware is distributed, as mentioned earlier, is through spam emails. The delivery is essentially the same: the user is scared into downloading the software, and the ransomware then takes over, in addition to stealing credit card information.
The above image shows a phishing email cleverly disguised as a friendly message from Chase bank.
These attachments and links are harmless unless you download or click on them. You will likely continue to get bombarded with emails or pop-ups like these, but they cannot access your computer unless you click on them.
If you are unsure whether a communication is legitimate, note that a legitimate cybersecurity software company would not communicate with customers in this manner. If you don’t currently have the company’s software on your computer, they would not be monitoring you for ransomware infection. If you do have the company’s software on your computer, you would not have to pay to have the infection removed; you have already paid for the software to protect you.
Screen lockers are a form of ransomware that locks the user out of their computer altogether; instead, what comes up when the computer boots is a page from what appears to be an authoritative institution such as the FBI, local police, or another government body, stating that the user is accused of a cyber crime and must pay a fine in order to regain access to their computer.
This form of ransomware is downloaded onto the computer in a similar manner to scareware: a pop-up appears from the cyber criminal posing as an authoritative institution, and the pop-up will not leave the screen. Shutting the computer off and on will simply bring up the same message, and nothing else can be brought up on the screen.
Screen lockers can look very legitimate, like this example that shows a scam posing as the FBI.
If you are unsure whether this communication is legitimate, rest assured that the FBI, police, or any government institution would not lock you out of your computer and demand payment; they would go through the appropriate legal channels.
Encrypting ransomware is the most severe type, since once the cyber criminal using this software encrypts your files, they cannot be recovered by any software or system restore without the decryption key or password. Even if payment is made, there is no guarantee that the cyber criminal will return the files.
Encrypting ransomware finds its way onto a computer from attachments or links from spam emails, or a download made from a pop-up that appears on a computer while on the internet.
Last year, the WannaCry encrypting ransomware quickly spread to over 57000 machines in over 150 countries.
When ransomware was first introduced, the initial victims were regular people on their home computers. As ransomware has become more sophisticated, cyber criminals have begun attempting to target businesses as well. Geographically, the US, UK, and Canada are the top three countries in terms of ransomware attacks according to a 2016 State of Ransomware report conducted by Osterman Research.
If a computer has been infected by ransomware, there are a few actions that can be taken to help. The most important thing to note is that a ransom should never be paid to the cyber criminals in exchange for a decryption key or access to a computer. This is the FBI’s recommendation. According to FBI Cyber Division Assistant Director James Trainor:
“Paying a ransom doesn’t guarantee an organization that it will get its data back - we’ve seen cases where organizations never got a decryption key after having paid the ransom. Paying a ransom not only emboldens current cyber criminals to target more organizations, it also offers an incentive for other criminals to get involved in this type of illegal activity. And finally, by paying a ransom, an organization might inadvertently be funding other illicit activity associated with criminals.”
The first step is to deal with the ransomware infection using the FixMeStick: as a device that can be booted into directly, it lets you run a scan and remove the ransomware so that it cannot further infect the computer. Files will still be encrypted, and may never be recovered, but access to the computer will be restored.
For screen locking malware, a full restore of the operating system may have to be run in order to fully regain functionality of the computer.
To regain encrypted files, a computer technician will be required. They may be able to use decryption utilities to recover the files, depending on the type of encryption being used. In some instances, depending on the type of ransomware, a solution to decrypt the files simply doesn’t exist.
It is clear that ransomware is a very serious issue that can arise on any system. The most effective way to protect against ransomware is to prevent it from happening in the first place. The first step in protection is to have real-time protection that is designed to stop malware attacks such as ransomware, and to keep it active and up to date. We recommend using McAfee Total Protection to provide real-time protection against all major malware threats. The second step in protecting any important files is to back them up in a secure place on a regular basis. We recommend using a secure, encrypted cloud storage backup such as SOS Backup, so that any important documents, pictures, etc. are taken care of. The third step is to be sure that systems and software are kept up to date. A recent ransomware outbreak took advantage of a vulnerability in Microsoft software. While the company released an update that closed the security loophole, anyone who did not install the update was left open to attack.
Finally (and most importantly), stay informed, and run a regular FixMeStick scan! Any lingering virus on your computer can be damaging, and running a FixMeStick scan regularly will give you peace of mind that your computer is safe. Being aware of the scams that are run in order to gain control of your computer is equally important. We have a blog article discussing common social engineering scams available here.