By Wayne Fischer, Sr. Information Security Analyst, UC Davis.
Ransomware is a type of malicious software (malware) that denies a user access to their system or files and demands payment to regain access. It is a threat to everyone because it targets everyone. Victims include individuals (e.g., students, faculty, and staff), corporations, non-profit organizations, health care providers, governments, and educational institutions.
The use of ransomware has increased staggeringly since it first appeared approximately six years ago. From January through June of 2016, ransomware increased in volume by 172% (Trend Micro, 2016), surpassing the totals for all of 2015. The most likely reason for this incredible growth is that so many people pay the $250 – $350 fee to regain access to their files, especially if they do not have a viable backup or don’t have time to recreate or restore the data. It is estimated that roughly 1% of infected victims pay the ransom; out of millions of infections this is a lot of instant money.
How does ransomware work?
What sets ransomware apart from other malware is that it encrypts the files on a computer so they can’t be used, but typically leaves the computer itself intact. Affected files can include documents (Word, Excel, PowerPoint, PDF, etc.), pictures, and configuration files needed to do work. Most types of ransomware can encrypt files located on your computer and on anything connected to it, such as a fileserver, attached USB sticks, external hard drives, and cloud-based file storage (Google Drive, Microsoft OneDrive, Box, Dropbox). Ransomware also attempts to encrypt backups of your files so you can’t recover them on your own.
When ransomware encrypts your files it’s like locking them behind a door and only the bad guys have the key. The only recourses are to “crack” the key, obtain it by paying the criminals, or hope some researcher has found a flaw in the cybercriminals’ encryption process and shared the key with the public.
Once the ransomware encrypts your files, the bad guys present you with a message and demand money as ransom for your files. They promise to give you the “key” to get your files back and often provide instructions, in some cases even help desks, to show you how to decrypt them.
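As an added example (not part of the original article), the following Python script shows one way a defender can spot the behaviour described above: a single process renaming many files to the same new extension in a short burst, including files on a connected share and on an attached backup drive. The log lines, the process names and the “.locked” extension are constructed for illustration; the time window and threshold are assumptions a real deployment would tune.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample events (not from the article): timestamp, process, action, path.
# Renames are logged as "old -> new"; the \\fileserver and E:\backup lines show a
# connected share and an attached backup drive being hit alongside local files.
SAMPLE_LOG = """\
2016-09-01T10:00:01 winword.exe write C:\\Users\\amy\\Documents\\budget.docx
2016-09-01T10:00:09 explorer.exe rename C:\\Users\\amy\\Pictures\\img1.jpg -> C:\\Users\\amy\\Pictures\\cat.jpg
2016-09-01T10:02:10 invoice_viewer.exe rename C:\\Users\\amy\\Documents\\budget.docx -> C:\\Users\\amy\\Documents\\budget.docx.locked
2016-09-01T10:02:11 invoice_viewer.exe rename C:\\Users\\amy\\Documents\\notes.pdf -> C:\\Users\\amy\\Documents\\notes.pdf.locked
2016-09-01T10:02:11 invoice_viewer.exe rename C:\\Users\\amy\\Pictures\\cat.jpg -> C:\\Users\\amy\\Pictures\\cat.jpg.locked
2016-09-01T10:02:12 invoice_viewer.exe rename \\\\fileserver\\share\\plan.xlsx -> \\\\fileserver\\share\\plan.xlsx.locked
2016-09-01T10:02:13 invoice_viewer.exe rename E:\\backup\\budget.docx -> E:\\backup\\budget.docx.locked
2016-09-01T10:02:14 invoice_viewer.exe write C:\\Users\\amy\\Documents\\HOW_TO_RECOVER.txt
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\w+) (.+)$")   # timestamp process action path
EXT_RE = re.compile(r"\.([^.\\/]+)$")                # extension of the final path component


def detect_mass_rename(lines, threshold=5, window_s=60):
    """Flag any process that renames >= threshold files to one new extension
    within window_s seconds. Returns one alert per (process, extension)."""
    recent = defaultdict(deque)   # process -> deque of (timestamp, new extension)
    alerts, seen = [], set()
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m.group(3) != "rename":
            continue
        ts, proc, paths = datetime.fromisoformat(m.group(1)), m.group(2), m.group(4)
        new_path = paths.split(" -> ", 1)[-1]
        ext_m = EXT_RE.search(new_path)
        ext = ext_m.group(1).lower() if ext_m else ""
        window = recent[proc]
        window.append((ts, ext))
        # Drop events older than the window before counting (newest event keeps it non-empty).
        while (ts - window[0][0]).total_seconds() > window_s:
            window.popleft()
        count = sum(1 for _, e in window if e == ext)
        if count >= threshold and (proc, ext) not in seen:
            seen.add((proc, ext))
            alerts.append({"process": proc, "extension": ext, "count": count,
                           "window_start": window[0][0].isoformat()})
    return alerts


if __name__ == "__main__":
    for a in detect_mass_rename(SAMPLE_LOG.splitlines()):
        print(f"ALERT {a['process']} renamed {a['count']} files to .{a['extension']} "
              f"within one window starting {a['window_start']}")
```

Normal applications such as the explorer.exe rename in the sample stay below the threshold, so the heuristic only fires on the burst of renames to a single new extension.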
How can I protect myself?
The FBI provides numerous recommendations. I summarize main points from the FBI and other cybersecurity experts here:
- Back up your important files regularly. Keep important data in at least two places AND make sure the OTHER place is not directly accessible by your computer.
- Patch as soon as possible; keep your programs updated by installing the latest security patches promptly. Cybercriminals often attack new vulnerabilities within 24 hours.
- Install, use, and keep antivirus, antimalware, and antispyware programs up-to-date.
- Do not open unexpected emails, attachments, or visit website links in messages (email, chat, texts, etc.) unless you know who is sending them and why they have been sent.
- Don’t click on links in pop-ups while browsing.
- Use an account that is not “Administrator” or “root.”
- Enable features to “show file extensions” on your operating system.
- Disable macros in email programs and editing programs like Microsoft Word and Excel. If you do need macros, enable them on a file-by-file basis.
- For administrators: practice the principle of “least privilege”; limit each account’s file access to the files needed to do its job or work.
What do I do if I get infected?
Don’t panic or rush to pay. Help is often available, and there are considerations to take into account regarding paying a ransom. For large-scale attacks, report ransomware incidents to the FBI or the Secret Service. If it’s a work machine, contact your IT department for assistance. There are numerous types of ransomware for which cybersecurity researchers have cracked the encryption and provided a “master key” to decrypt infected systems. Your campus security team, the FBI, or the Secret Service might be able to help.
If all else fails, and your executives, or you individually, decide to pay the ransom, keep in mind that there are cases where individuals and organizations have paid the ransom and the criminals either have not provided the promised key or have attempted to extort more money out of the victim. Sometimes criminals come back for a second or third infection and attempt to extort more money from the same victim. The FBI and many cybersecurity experts recommend that victims not pay the ransom, as paying encourages further ransomware use by bad guys and continued innovation in new ways to hold our data hostage.
The best practice is to back up your important files and store these off-site or disconnected from your active computer. Follow this one rule if you do nothing else and ransomware won’t ruin your day or your data.