Sunday, 21 February 2016


I think this is getting more and more common. I've recently read of a couple of organisations who paid the ransom, and they are probably just the tip of a larger iceberg - who would want to admit they've been had? So I want to talk about this a bit.

First, what is ransomware?

It's malware that you unknowingly install on your computer. It encrypts all your data with a two-key cryptosystem: one key encrypts (and you might be able to find that one on the computer) and a different key decrypts, and knowing one key doesn't help you work out the other. So how do you get the decryption key? You pay the criminal. Yuck. How much? A few hundred dollars. Per computer.

It's become so common, that it was the main plotline in a recent episode of an American series "The Good Wife".

So how do you prevent the problem?

Backups are a really good idea, of course they are. Your hard drive will fail; the only question is when. But backups might not protect you from ransomware, because the whole point of backups is to copy your files from your main computer onto someplace else. And if those files are encrypted, your backups are too.

So any moderately cunning ransomware will do the encryption, then silently sit in the background decrypting files on the fly as you call them up, and do that for a few weeks before telling you you've been got. And delete the decryption key, so you're forced to buy it from the criminal or say goodbye to your data, because your backups are also encrypted. I don't know if existing ransomware does this, but it is an obvious thing to do.

To avoid ransomware, you have to avoid malware. Antivirus products won't help you here, as you've seen in my blog over the last several months.

Some people suggest user education. This is, sadly, contradicted by experience. Users really don't care about computer security; they don't see it as their problem. And especially if they are running some sort of security software, such as an antivirus, they'll shuffle all responsibility off to that software. "Hey, it wasn't my fault, I was running Splendid Antivirus".

There are two major sources of malware coming into your system, and a minor third.

The first is email. You can't block all incoming email. You can try to block spam, which is a good idea, but not all malicious emails identify as spam. Again, in previous blogs, I've explained that you should block attached zip files (and other archives), block incoming PDF files and js files, and sanitise incoming Word and Excel files. The average incoming malware email is flagged as clean by 90% of antiviruses, so don't expect your antivirus to help with this.
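Here is an added example, not from the original post, of what that attachment policy looks like as a mail-gateway check: it parses a message, applies the block / sanitise rules by extension, and then looks at the bytes as well, because the filename is chosen by the sender. The extension lists and the [Content_Types].xml test for telling a plain archive from an Office OOXML file are my assumptions; the sample message is constructed for the demo.

```python
import io, zipfile
from email import policy, message_from_bytes
from email.message import EmailMessage

# Rules from the post: block archives, PDF and .js; sanitise Word/Excel (assumed lists).
BLOCK_EXT = {".zip", ".rar", ".7z", ".gz", ".tar", ".pdf", ".js"}
SANITISE_EXT = {".doc", ".docx", ".docm", ".xls", ".xlsx", ".xlsm"}

def classify_part(filename, payload):
    """Return 'block', 'sanitise' or 'allow' for one attachment."""
    name = (filename or "").lower()
    ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""  # "a.pdf.js" -> ".js"
    if ext in BLOCK_EXT:
        return "block"
    if ext in SANITISE_EXT:
        return "sanitise"
    # The name is sender-chosen, so also check the bytes. A renamed archive still starts
    # with the zip signature; so does an OOXML Office file, but it carries [Content_Types].xml.
    if payload.startswith(b"PK\x03\x04"):
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                if "[Content_Types].xml" in zf.namelist():
                    return "sanitise"
        except zipfile.BadZipFile:
            pass  # truncated or fake zip: still nothing we want to deliver
        return "block"
    return "block" if payload.startswith(b"%PDF") else "allow"

def triage_message(raw_bytes):
    """Parse a raw RFC 5322 message and return {attachment name: verdict}."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    return {p.get_filename(): classify_part(p.get_filename(), p.get_payload(decode=True))
            for p in msg.iter_attachments()}

def make_zip(inner_name):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, "placeholder")
    return buf.getvalue()

def build_sample():
    """Constructed sample message for the demo, not a real capture."""
    msg = EmailMessage()
    msg.set_content("Please see attached.")
    for data, name in [(make_zip("invoice.js"), "invoice.dat"),          # renamed archive
                       (make_zip("[Content_Types].xml"), "report.bin"),  # renamed .docx
                       (b"var x = 1;", "invoice.pdf.js"),                # double extension
                       (b"plain notes", "readme.txt")]:
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return msg.as_bytes()
```

Running `triage_message(build_sample())` gives one verdict per attachment; the "sanitise" verdict is where you would hand the file to a macro-stripping step rather than deliver it as-is.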

The second is malvertising. Again, I've explained this in blogs; the answer is to block ads using a good ad blocker (I use two, the hosts file and uBlock).

The third (but minor) source is compromised web sites. I've seen this happen a few times. A computer that's used to update the web site is compromised, and that adds javascript to the web site so that when a user accesses that page, the javascript compromises that user's computer. To prevent this, use a javascript blocker (I use Noscript). This means that there are some web sites that you can't access. Well, that forces you to think about whether you really need that site - I find that usually I don't need it.

