‘Ransomware’ a game-over scenario unless you have backups

October 11 23:40 2015

This year’s most depressing reader e-mail took the form of this testimony from a victim of “ransomware” — malware that encrypts files on your computer, then demands an extortionate sum to unlock them. “Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server,” read the note left in every directory on this reader’s PC by the CryptoWall ransomware program.

I asked a handful of security experts if my reader had any alternative between paying up or saying goodbye to those locked files. Their answer: sorry, nope. That’s because the strain of ransomware that hijacked this person’s PC, CryptoWall, resists the counterattacks outlined in such ransomware-defense guides as this Microsoft support document and another maintained by the Clearwater, Fla., security firm KnowBe4. CryptoWall — described in June by the Federal Bureau of Investigation’s Internet Crime Complaint Center as “the most current and significant ransomware threat targeting U.S. individuals and businesses,” responsible for more than $18 million in reported losses — doesn’t reuse encryption keys between attacks or leave decryption keys on a victim’s computer.

Johannes B. Ullrich, dean of research at the SANS Technology Institute, suggested booting the computer from a flash drive running an anti-malware toolkit such as the one Trend Micro offers, then trying to recover the “shadow” copies Windows’ System Restore function automatically generates. But CryptoWall comes set to wipe those files too. Coughing up the ransom is no answer, wrote Jerome Segura, senior security researcher at Malwarebytes Labs: “Paying the crooks […] only contributes to fuel this underground economy.” Besides, as Buckholz wrote, “even if a victim pays, there’s no guarantee they’ll get their files back.”

Your only safe recourse is to have backups of your files — but not just any backups, since CryptoWall will attack any drives connected to the computer by a cable or network connection. And that’s where this reader had one iota of luck: He had an external drive that was unplugged during the attack. As for the attacked computer, you pretty much have to nuke it from orbit. “The machine affected has been compromised and cannot be trusted anymore,” Malwarebytes’ Segura wrote. His advice: “Restore the box to a clean state but also to change all existing passwords (email, banking, etc.) which may have been compromised already.”
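As an added illustration (not part of the original column), a small Python scan that flags the pattern the reader saw, one identical note file copied into nearly every directory, so a defender can check a mounted drive or a backup for that signature before trusting it. The folder names, the note filename READ_ME_NOTE.txt and the sample tree are constructed; the matched phrase is the one quoted from the reader's note.

```python
"""Flag a CryptoWall-style ransom note dropped into every directory of a tree."""
import hashlib
import os
import tempfile

# Phrase taken from the note quoted in the column; matched case-insensitively.
NOTE_PHRASE = b"decrypting of your files is only possible"
MAX_NOTE_SIZE = 64 * 1024  # ransom notes are small text files; skip bigger files

def scan_for_ransom_notes(root):
    """Return (dirs_scanned, {sha256_of_note: [dir, ...]}); grouping by content
    hash makes one identical file copied into many directories stand out."""
    hits, dirs_scanned = {}, 0
    for dirpath, _subdirs, filenames in os.walk(root):
        dirs_scanned += 1
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > MAX_NOTE_SIZE:
                    continue
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable or vanished file; not a note
            if NOTE_PHRASE in data.lower():
                hits.setdefault(hashlib.sha256(data).hexdigest(), []).append(dirpath)
    return dirs_scanned, hits

def assess(root, threshold=0.5):
    """Return (flagged, coverage): flagged when one identical note sits in at
    least `threshold` of the directories scanned."""
    dirs_scanned, hits = scan_for_ransom_notes(root)
    if dirs_scanned == 0 or not hits:
        return False, 0.0
    coverage = max(len(set(dirs)) for dirs in hits.values()) / dirs_scanned
    return coverage >= threshold, coverage

def build_sample_tree():
    """Constructed sample (hypothetical names): same note in every directory, plus one harmless file."""
    root = tempfile.mkdtemp(prefix="ransom_sample_")
    note = (b"Decrypting of your files is only possible with the help of the "
            b"private key and decrypt program, which is on our secret server.\n")
    for sub in ("", "Documents", os.path.join("Documents", "tax"), "Pictures"):
        folder = os.path.join(root, sub)
        os.makedirs(folder, exist_ok=True)
        with open(os.path.join(folder, "READ_ME_NOTE.txt"), "wb") as fh:
            fh.write(note)
    with open(os.path.join(root, "todo.txt"), "wb") as fh:
        fh.write(b"Call the bank on Monday.\n")  # must not match
    return root
```

Run `assess(build_sample_tree())` to see the constructed tree flagged with full coverage; point `assess` at a real mount point to check a drive before restoring from it.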