Ransomware: What is it, and how do you defend yourself against it? (Part 3)

This entry is part 1 of 6 in the series Computer Security Made Simple

In the previous two posts, I discussed what Ransomware is and how it attacks your system. In this post, I’ll go into what exactly happens when you’re infected and what happens if you pay (assuming that the attackers keep to their word). It should be noted that in the cases of true ransomware, the attackers do keep their word. It’s in their interests to have you get your data back because that encourages others to pay. But in some cases, the attackers’ ability to decrypt your data is blocked before you pay, or they have no intention of letting you have the data back.

So what happens when you’re infected?

The first thing that happens is that the infection is loaded into memory and the original file is deleted. This is meant to avoid detection by antivirus programs. But first, a step back: in the case of WannaCry, the malware first checked whether a particular domain was active (the kill switch). If it was, it didn't infect your computer at all. In other cases, it looks for a particular file on the hard drive; if that file is present, it doesn't infect the computer. And in still other cases, it checks whether your computer is already infected with something else, removes that infection, and then infects the machine with the ransomware (or other malware).

Once the file is loaded and starts running, it begins encrypting all of the files on any local drive. A local drive is one that's directly connected to the device through a cable (internal or external). Typically it will avoid the Operating System files but encrypt Applications, because it needs the OS in order to present you with the ransom demand (and a means of paying). It might simply encrypt the Master File Table and create a backup of it somewhere else. And it might install its own bootloader and not let you boot into your Operating System at all (this is called full-disk encryption). If your computer is backed up after it's infected, then the encrypted versions of all of your files will be copied. Since the original infection file is removed, and you'll reboot in the process of restoring your files, you'll potentially lose the ability to decrypt them. This is why you need to have multiple backups, but we'll discuss that later on. The filenames may be changed to a hashed (encrypted) version, along with the extension of the ransomware that's infecting them (e.g. DKLWEIOSKDS;2[P.locky).

It removes the Volume Shadow Copies (VSS copies) of the files, so you're not able to restore a previous version (the Volume Shadow Copy service is what powers the "Previous Versions" tab you see under Properties on certain files). And, depending on whether you have the proper permissions, it starts looking for network-connected drives and encrypts the files on them.
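As an added illustration (not code from the original post), a small Python detector that looks for two of the behaviours described above, shadow-copy deletion and a burst of files renamed to a new extension such as .locky, including on network shares. It runs over constructed sample events in an assumed "time|host|event|detail" format; the sample lines, the format and the threshold are assumptions made for this example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample events (not from the original post), in an assumed
# "time|host|event|detail" format: process launches and file renames.
SAMPLE_LOG = r"""
10:01:02|PC1|proc|C:\Windows\System32\vssadmin.exe delete shadows /all /quiet
10:01:03|PC1|rename|C:\Users\bob\Docs\budget.xlsx -> C:\Users\bob\Docs\DKLWEIOSKDS.locky
10:01:03|PC1|rename|C:\Users\bob\Docs\notes.docx -> C:\Users\bob\Docs\QWERTYASDFGH.locky
10:01:04|PC1|rename|\\fileserver\share\plan.pptx -> \\fileserver\share\ZXCVBNMASDFG.locky
10:02:00|PC2|rename|C:\Users\ann\report_draft.docx -> C:\Users\ann\report_final.docx
10:02:01|PC2|proc|C:\Windows\System32\notepad.exe C:\Users\ann\todo.txt
"""

# Command lines commonly used to remove Volume Shadow Copies.
SHADOW_DELETE = re.compile(
    r"(vssadmin(\.exe)?\s+delete\s+shadows)|(wmic(\.exe)?\s+shadowcopy\s+delete)", re.I)
RENAME_THRESHOLD = 3  # renames to one new extension on one host before alerting (assumed)


def ext_of(path):
    """Return the lower-cased extension of a Windows path, or '' if it has none."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def parse(log):
    for line in log.splitlines():
        if line.strip():
            yield tuple(line.split("|", 3))  # (time, host, event, detail)


def detect(log):
    """Return a list of (host, alert_type, detail) tuples for suspicious activity."""
    alerts = []
    new_ext_counts = defaultdict(Counter)  # host -> Counter of new extensions seen
    for _time, host, event, detail in parse(log):
        if event == "proc" and SHADOW_DELETE.search(detail):
            alerts.append((host, "shadow_copy_deletion", detail))
        elif event == "rename" and " -> " in detail:
            old, new = detail.split(" -> ", 1)
            # Count only renames that change the extension; an ordinary save
            # (report_draft.docx -> report_final.docx) keeps its extension.
            if ext_of(new) and ext_of(new) != ext_of(old):
                new_ext_counts[host][ext_of(new)] += 1
    for host, counts in new_ext_counts.items():
        for ext, n in counts.items():
            if n >= RENAME_THRESHOLD:
                alerts.append((host, "mass_rename", f"{n} files renamed to .{ext}"))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the sample, PC1 produces both alerts and PC2 produces none, which is the distinction a defender wants: one shadow-copy deletion is worth an alert on its own, while renames only matter in bulk.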

Regardless of which method it uses, it will present you with a ransom note, either by changing the wallpaper on your desktop or by making that the image you see when the computer boots up with their bootloader. It might put an unencrypted file on the desktop with instructions for how to pay. There might be sirens and flashing signs to create a sense of urgency. There may be some form of "proof of life", in which a file is decrypted so you know that they can decrypt your data. The instructions and any audio cues are localized into your specific language, a testament to how evolved ransomware is becoming.

They may also warn you that after a certain period of time, one (or all) of your files will be deleted, and that the ransom will increase after a certain period of time. Then, after that period has passed, they will delete some of your files as proof that their threats are real.

What happens if/when you pay?

So when you decide to pay, you might encounter something along these lines. You'll be presented with a page in which you'll either enter a User ID or upload one of your files. They'll make the User ID copyable, since mistyping it doesn't do anyone any good. Once you've completed this, you'll be taken to a page with instructions on how to convert your money to bitcoins (or another crypto-currency), along with what to do after that. After you've paid, you either receive a program (a decryptor) or a key with which to decrypt all of your files.

If you’ve rebooted the computer, there’s a chance that you’ll lose the User ID or address to send the bitcoins to.

Should you pay?

The easy answer to this is "No." But it's never really that easy. Even security researchers, who are opposed to the idea of enriching criminals, have considered paying for the initial exploits that are used. It's all about the ROI (Return on Investment). If you have recent and effective backups, you can get away with not paying. But if your business or service is a time-sensitive one, it might be quicker and more effective to pay. Even the FBI has started recommending that you pay the ransom. At the end of the day, it's your choice whether or not you want to pay.

In tomorrow’s post, we’ll finish up with some defensive measures that you can take. And I’ll discuss some other aspects of ransomware, and how it’s evolving.
