Why ransomware is a big threat for computer users, and how to prevent attack
The malware will either lock up or encrypt your computer’s data, forcing you to choose between paying a ransom or losing your files forever
Most people think that cybercrime is all about identity theft. A criminal tricks you into parting with information like your passwords and user names on a fake website – the process known as “phishing” – and uses the details to raid your bank account. But the last few years have seen the resurgence of a more direct form of internet theft: extortion in the form of malware known as ransomware.
Ransomware is a nasty business. It either locks your computer’s interface so you can’t use it (called locker ransomware), or encrypts your files so you can’t open them (called crypto ransomware).
As the name suggests, a ransom is involved. Money must be paid to the criminals in an untraceable digital currency such as Bitcoin before they free your computer, or decrypt your files.
For an individual hit by crypto ransomware, which is by far the worse of the two, the ransom is usually US$300 to US$400. For a company or government organisation, the amount can be much higher. If the victim does not pay the ransom within a specified time period, the criminal destroys the decryption key, and the data is irretrievably lost. So it’s goodbye to those wedding photos and that picture of your pet beagle – and probably some much more important files.
According to figures released by the Hong Kong Computer Emergency Response Team Coordination Centre, reports of hacking (including of mobile phones) in the city rose 43 per cent year on year to almost 5,000 incidents in 2015. IT experts believe ransomware extortion will proliferate.
Modern ransomware began to appear in 2005, but its use has risen dramatically over the last few years.
“Ransomware attacks grew 113 per cent in 2014 [globally] and continued to spread to devices beyond the PC, including mobile and network-attached storage,” Kurt Wang, senior sales engineer, GCR Consumer Norton Business Unit, Symantec, told SCMP.com. (Norton makes internet security software like Norton Utilities.)
“Forty-five times more people had their devices held hostage in 2014 than in the previous year, as attackers began to favour more vicious crypto-ransomware style attacks.”
The reason for the rise is simple – ransomware works. In the case of crypto ransomware, the encryption is so strong that only the criminals can decrypt the files. So victims are often willing to pay the ransom to get their data back.
“Criminals are motivated by money, and ransomware is making them money. It is also difficult to prevent, and bring them to justice,” says security consultant and tech journalist Nick Lewis.
Ransomware is generally delivered via phishing emails or through “exploit kits”, says the Taiwan-based Wang. “The phishing emails contain malicious attachments which include the ransomware, or will sometimes provide links directing the user to a compromised webpage hosting the malware.
“Exploit kits are a malicious tool that hackers use to look for security holes in software that has not been updated. Once the security vulnerability has been found, the attacker can then deliver the ransomware to the computer,” says Wang.
Among the most well-known ransomware are CTB-Locker, CryptoWall, Teslacrypt, and TorrentLocker, according to Lewis. “They all operate in similar ways, by exploiting a vulnerability in a computer where someone has opened a malicious attachment or browsed to a malicious webpage,” he says.
Users are advised to take extra precautions against this form of malware.
“Never, ever open attachments or click on links from unknown senders,” says Wang.
Also get the best security software you can afford. “The best protection is offered by modern security packages that provide multiple layers of protection: anti-malware, anti-spam, and web reputation services,” says Christopher Budd, global threat communications manager at Trend Micro, a global security company.
It’s also important to install the most recent updates to any software, as the up-to-date versions are always the most secure. If you are not using a piece of software, and it can’t be updated, uninstall it.
But the best defence against ransomware is to always back up your files, and store them on a “cold” hard drive that is not connected to your computer or network. That way, if your files do become encrypted, you have copies.
“The disconnected aspect is the most important, because if your computer is infected with ransomware, it will encrypt all of the data it can find, which would include any USB drives connected to the computer,” says Lewis.
Not much can be done to rectify the situation if you get infected. The encryption is very strong: the files are encrypted with a “public” key on the victim’s computer, and the matching “private” key needed to decrypt them stays on the criminal’s computer. Even experts can’t decrypt it.
“Once the hostage data is encrypted, it cannot be decrypted without the encryption key. And because that’s under the control of the attackers, who may or may not give you the key, even if paid, you have to treat the hostage data as effectively lost,” says Budd.
Wang says: “This is an extremely serious threat, as there are not many ways to fix the situation once infected. There is no way to decrypt files without the original decryption key.”
The jury is still out on whether victims should pay the ransom or not. Many people who have paid the ransom have had their files decrypted. The criminals realise that future victims will only pay up if they think their files really are going to be restored, so they do it.
But there is, of course, no guarantee that every criminal is going to follow the rules. There are other risks, too. “There are known instances where attackers will come back and levy further attacks to extort further payments later,” says Budd.
Still, even some police departments in the United States have allegedly paid ransoms to get their data back. “If you want the data back, you may have no other option than to hope the criminal will decrypt your files if you pay them,” says Lewis.
If you are lucky enough to have a safe backup when you are hit by ransomware, don’t connect the USB disk holding the backed-up data to the computer until you are sure that the ransomware has been removed, as the backup will otherwise be encrypted too.
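Before trusting a backup drive after an infection, it is worth checking that its contents are still what you wrote to it. The following is an added example, not code from the article or its quoted experts: a small Python integrity check that records the SHA-256 hash of every file in the backup when it is taken (the manifest should be kept somewhere other than the backup drive itself) and later reports files whose contents changed, went missing, or appeared with unexpected names. File names and contents in the demo are constructed.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root) to the SHA-256 of its contents."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            manifest[path.relative_to(root).as_posix()] = digest
    return manifest


def verify_backup(root: Path, manifest: dict) -> dict:
    """Compare the current tree against a manifest taken when the backup was made.

    Returns three sorted lists: files whose hash changed (contents overwritten),
    files that vanished, and files not present when the manifest was written
    (for example copies renamed with an extra extension).
    """
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "unexpected": sorted(p for p in current if p not in manifest),
    }


def demo() -> dict:
    """Constructed scenario: take a manifest of a tiny backup, then alter the tree."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "photos").mkdir()
        (root / "photos" / "wedding.jpg").write_bytes(b"\xff\xd8 constructed jpeg bytes")
        (root / "notes.txt").write_text("constructed plaintext")
        manifest = build_manifest(root)  # in practice, store this off the drive
        # Simulated damage (constructed, not real malware behaviour): one file's
        # contents replaced with random bytes, one file renamed with a new extension.
        (root / "notes.txt").write_bytes(os.urandom(32))
        (root / "photos" / "wedding.jpg").rename(root / "photos" / "wedding.jpg.locked")
        return verify_backup(root, manifest)


if __name__ == "__main__":
    print(demo())
```

A clean result (three empty lists) means the backup matches what was written; anything in the "modified" list is a file you should not restore from.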
Remember that even if the malware (ransomware) is removed, you won’t get your files back. “Malware can be removed in many different ways by using an anti-virus program or dedicated anti-ransomware utility. But it is safest to re-install your computer and software from the original media, or by re-downloading the software,” says Lewis.
There are many reasons the thieves cannot be traced and caught. Bitcoin, for instance, is a digital currency that works like cash and is therefore relatively untraceable. There are also shady Bitcoin launderers, who work like money launderers. Sometimes criminals are based in countries that don’t cooperate with the international community.
There are no ransomware threats targeting the Asia-Pacific region specifically – everyone is equally at risk.
A white paper by Norton/Symantec, The Evolution of Ransomware, noted that Japan had the second highest number of ransomware victims for the period August 2014 to August 2015. India comes in ninth, but no other Asian countries are in the top 12 list.