The Horror of Ransomware

There’s a lot of wares going around nowadays. I miss the times when everything was called software. But it’s nice that software is now being classified like the plant and animal kingdoms. At first we had shareware, then freeware, then came adware and spyware, and all malicious types of software fell into what we call malware. Aside from the most malicious Trojans and viruses made to wipe out systems, most malware is a nuisance compared to ransomware. Ransomware can be really terrifying, especially if you have sensitive data and are not in the habit of backing up. Like the name says, ransomware has something to do with ransom. What ransomware typically does is lock or encrypt your system or data in such a way that it can’t be opened without the help of the ransomware authors. Your system or data is basically kidnapped and held for ransom, and you’ll have to deal with criminals just to get it back, or live with the fact that your system or data is gone.

Let me tell you about an epic horror story that happened to a friend of mine just recently. He was content protecting his systems with a combination of Microsoft Security Essentials, Microsoft Forefront and Check Point firewalls, which is fine for protecting his systems from Trojans, viruses and worms. He didn’t think about protecting himself from other threats like hijackers and ransomware, so he didn’t use MalwareBytes or ZoneAlarm. One of his users got infected with Locky, a fairly new piece of ransomware. In fairness to Forefront, it could have detected older malware, but Locky is relatively new and is spreading like wildfire due to the delivery method it uses. One of his users opened an email with an ‘invoice’ attached in the form of a macro-enabled Word document and voila! System compromised, files scrambled. Many files were recovered, some weren’t, and systems were reformatted for the rest of the week. My friend has now had all his users download Malwarebytes to function as an advance warning against threats like Locky, and is pushing his organization to purchase the Pro version with active scanning to prevent a recurrence. They now also practice a periodic backup regimen for each user. Another lesson learned the hard way.

As mentioned, Locky transmits itself via email with an attachment written in Microsoft Word, in the guise of an invoice document that has to be paid, sent from what seems to be a reputable email address. Businessmen, accountants and clerks are easy targets for this virus, as emails with invoices are often opened on impulse. The Word document appears scrambled, and you’ll have to give Word your permission to run the embedded macro to unscramble the content. Once given permission, the macro downloads the rest of the Locky virus, which starts crawling the user’s system looking for files to scramble. The user will then see a set of files with long alphanumeric names, plus a text file, where his/her files should have been. The alphanumeric files are AES-encrypted versions of the originals. The text file has instructions on how to unscramble the files, with links leading to hidden servers where the user pays the virus authors in bitcoin in order to get their files back. Needless to say, my friend was at a loss. No one in the office, including him, had a bitcoin account. Fortunately, most of the scrambled files had backups, albeit dated ones. Locky affects office files, DLLs, media files and even source code. Once infected, without the proper removal tools, the infected PC will have to be isolated and reformatted. Locky may have evolved since its February 2016 release, as the manual removal procedure posted on various websites doesn’t seem to apply any more.
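The paragraph above describes three on-disk symptoms a defender can look for after the fact: the originals are replaced by files with long alphanumeric names, those files contain near-random (encrypted) bytes, and a plain-text note appears alongside them. The following script is an added example of a directory-level heuristic built on exactly those three symptoms; it is not code from the original post or from any security product. The entropy threshold, the minimum number of renamed files, the hint words searched for in the note, and the `HOW_TO_RECOVER.txt` file name are all assumptions made for this example, and the two sample directory trees are constructed in a temporary folder so the script runs offline.

```python
"""Directory-level heuristic for the ransomware symptoms described above (added example)."""
import math
import os
import re
import tempfile
from collections import Counter
from pathlib import Path

# The thresholds below are assumptions chosen for this example, not values from any product.
LONG_ALNUM_NAME = re.compile(r"^[A-Za-z0-9]{16,}(\.[A-Za-z0-9]{1,8})?$")
ENTROPY_THRESHOLD = 7.5          # bits per byte; AES output approaches the maximum of 8.0
NOTE_HINTS = ("recover", "decrypt", "bitcoin", "instructions")
MIN_SUSPECT_FILES = 3


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant run, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path: Path) -> bool:
    """Encrypted (or compressed) contents look random; sample the first 64 KiB only."""
    with path.open("rb") as f:
        sample = f.read(64 * 1024)
    return len(sample) >= 256 and shannon_entropy(sample) >= ENTROPY_THRESHOLD


def looks_like_ransom_note(path: Path) -> bool:
    """A small .txt file whose wording matches at least two of the hint words."""
    if path.suffix.lower() != ".txt" or path.stat().st_size > 64 * 1024:
        return False
    text = path.read_text(errors="ignore").lower()
    return sum(hint in text for hint in NOTE_HINTS) >= 2


def scan_directory(root) -> dict:
    """Count files carrying both symptoms (renamed + random contents) and any notes found."""
    root = Path(root)
    total = suspect = 0
    notes = []
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        if looks_like_ransom_note(p):
            notes.append(p.name)
            continue
        total += 1
        if LONG_ALNUM_NAME.match(p.name) and looks_encrypted(p):
            suspect += 1
    ratio = suspect / total if total else 0.0
    # Either symptom alone is weak (archives are high-entropy, hashes are valid file names),
    # so require a note plus several renamed files, or a majority of the tree renamed.
    hit = (bool(notes) and suspect >= MIN_SUSPECT_FILES) or ratio >= 0.5
    return {"files": total, "suspect": suspect, "notes": notes,
            "verdict": "suspect" if hit else "clean"}


def build_sample_trees(base) -> dict:
    """Construct a healthy share and one showing the described symptoms (constructed data)."""
    base = Path(base)
    clean, hit = base / "clean_share", base / "hit_share"
    clean.mkdir()
    hit.mkdir()
    (clean / "q1_invoice.docx").write_bytes(b"Invoice 2016-02 total due " * 200)
    (clean / "main.c").write_text("int main(void) { return 0; }\n" * 50)
    (clean / "photo.jpg").write_bytes(os.urandom(4096))      # legitimate high-entropy file
    (hit / "notes.md").write_text("meeting notes\n" * 100)    # one file left untouched
    for i in range(5):                                        # renamed, encrypted-looking files
        (hit / ("%032x" % (i * 7919))).write_bytes(os.urandom(4096))
    (hit / "HOW_TO_RECOVER.txt").write_text(                  # placeholder note name and text
        "Your files are encrypted. Follow the instructions to recover them; pay in bitcoin.")
    return {"clean": clean, "hit": hit}


def demo() -> dict:
    """Build both trees in a temporary folder and return the scan result for each."""
    with tempfile.TemporaryDirectory() as tmp:
        trees = build_sample_trees(tmp)
        return {name: scan_directory(path) for name, path in trees.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Run against a real file share, `scan_directory` should be treated as a triage aid rather than proof: compressed archives, images and legitimate hash-named files all score high on entropy, which is why the verdict needs the renamed-file pattern and a note together, and why the sample `photo.jpg` in the clean tree does not trip it. A positive result is the signal to isolate the machine and restore from backups or shadow copies, as the post goes on to recommend, not to start opening the note's links.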

What makes ransomware terrifying is that victims are forced to deal with criminals when there’s no other real hope of recovering their data. The transaction is often anonymous, but it’s still like handing over your wallet to a masked mugger. Security-conscious users protected by internet security software and with good backup habits don’t need to worry much.

Locky is just one of many ransomware families out there that continue to victimize unsuspecting users. These include CryptoLocker, CryptoWall and, more recently, KeRanger, which targets Macs. Android and Linux users are also not immune to this rising scourge. Users are often on their own, as law enforcement has a difficult time tracking and tracing the perpetrators. Their best bet is to keep their security software up to date, carefully inspect suspicious emails and keep away from suspicious websites. Users should also make a habit of backing up important files to portable drives, and, to avoid reformatting when infected, should learn to use volume shadow copies or system restore points in order to roll their systems back to a time before the infection took place.

If you’re a casual user with no knowledge of TOR or bitcoin, it might be time to brush up, as ransomware authors lurk in the dark web and accept untraceable bitcoins as payment. That is, if you’re one of the unlucky ones with an unbacked-up novel manuscript, financial report or program source code.