Unfortunately, we’ve had cause to write rather regularly in recent times about ransomware, and what it can do to you.
As straight-talking Naked Security writer John Zorabedian put it recently:
Ransomware is about the bluntest sort of malicious software you are likely to experience.
Ransomware shoves itself unavoidably right in your face.
It deliberately locks you out of your computer or your files, and then demands money to let you back in.
There are two main sorts of ransomware:
- Lockscreen ransomware. Pops up a window that takes over your computer or mobile device, so you can’t use any other applications, make calls, or run your anti-virus. This ransomware usually accuses you of some sort of crime, but offers to let you keep on working once you have paid a “fine.”
- File-encrypting ransomware. Leaves your applications running just fine, but scrambles your data files so you can’t open them any more. This ransomware usually pops up a window offering to sell you the decryption key.
The good news is that with a bit of technical savvy, or help from a friend that has the savvy, it is usually possible to work your way past most lockscreen ransomware without paying up.
The bad news is that with most recent file-encrypting ransomware – well-known ones are CryptoLocker, CryptoWall and TeslaCrypt – there isn’t a savvy shortcut.
Loosely speaking, if you don’t have a backup of your scrambled files, you are stuck.
If the crooks have implemented the encryption process properly, the only way to get your files back is to pay them for a copy of the decryption key.
Public-key cryptography
Most modern ransomware uses public-key cryptography, which is where you have separate keys for locking and unlocking a file.
The public key can be given to anyone to encrypt files, but only the private key can later decrypt them.
So, the crooks generate a public-private keypair on their own servers, and send only the public key to the ransomware running on your computer.
That means that the malware can scramble your data, but the key needed to unscramble it never shows up on your computer – not on disk, and not even in memory.
There’s no point in scouring your computer in the hope of finding a local copy of the private key: your private key exists only on the crooks’ servers until you pay up.
No-one else’s private key will work for your files, either, so there simply isn’t a shortcut.
You need that private key, and to get it, you have to pay the ransom.
What to do?
So the big question, usually left unanswered in technical discussions of ransomware, is, “Should you pay?”
At a typical price point around $300 to $600 (£200 to £400), ransomware can be expensive.
On the other hand, think about what might be in those scrambled files: your baby videos; those tax return documents you were supposed to keep for seven years; the dissertation you need to turn in on Friday…how much are those worth?
For better or for worse, most ransomware gangs have acquired a bit of an “honour among thieves” reputation, so that if you do pay over the money, you almost certainly will get your files back.
On the other hand, law enforcement and security experts are very likely to say, “These are crooks! This is extortion! If you can possibly take it on the chin, we urge you NOT TO PAY!”
But those are easy words to say if it’s not your data on the line.
Interestingly, one reason for not paying extortionists is that there is often no way to ensure that they won’t come back to gouge you for a second payment, or a third, and so on.
But, as described above, modern file-scrambling ransomware doesn’t actually steal your files.
The crooks don’t have a copy of anything of yours, just the private key to unlock the scrambled files on your own computer.
In theory, then, once you’ve paid up, decrypted your files and disinfected the malware, you and the crooks are back on an even footing, and they can’t come back for more.
Should you pay?
We’re not going to moralise about whether it’s always unacceptable to support criminality by paying up, even if you are in a difficult position.
We’ll leave you with plainer advice, namely, “It’s OK to pay, but it’s much better not to.”
So, keep these two points in mind:
- Don’t pay if you can possibly avoid it, even if it means some personal hassle.
- Take precautions today (e.g. backup, proactive anti-virus, web and email filtering) so that you avoid getting into a position where you ever need to pay.
Remember: if you don’t have backups and you lose your laptop, you’re in the same trouble – worse, actually – than you would be with ransomware.
After all, there’s no-one you can pay any amount of money to in order to get your data back if your hard disk is at the bottom of Sydney Harbour. (It happens.)
Anonymous
If you do pay, and it actually decrypts your files, rescue everything immediately and re-image your system. Because if the ransomware got on your system, there’s no telling what else is there or what other nasty things it may have left behind.
Paul Ducklin
Sometimes – this was frequently true in the CryptoLocker days – the ransomware gets implanted thanks to malware already on your computer being used to download and install the new threat :-)
So, indeed, don’t pay for the key, decrypt the files and assume, “That’s that.”
Anonymous
There’s also always the possibility that down the road the encryption might be broken or details leaked, as happened with CryptoLocker (and decryptcryptolocker.com). So, if the data matters, regardless of whether you are able to pay for it or not, you may wish to back it up and keep it around just in case.
Andrew Ludgate
Indeed. I was going to comment on “If the crooks have implemented the encryption process properly, the only way to get your files back is to pay them for a copy of the decryption key.” There *is* another way to get your files back — if the gang running the operation is busted and all the keys are retrieved, as happened with CryptoLocker. Unless the keys have already been destroyed, the encrypted data is no different than any other encrypted data except that the keys are stored remotely (meaning that your files have extremely good data protection, as the keyholders have no access to the files and the fileholders have no access to the keys).
Keep the data, and it could be usable again someday.
Paul Ducklin
Point taken. But to a first order of approximation, maybe even a second and a third, I think my statement will do fine, namely that it’s “pay or nothing.”
After all, _if_ the crooks had done the crypto properly, then even seizing their servers wouldn’t have recovered the keys :-)
So I’m not sure about your emphatic use of “*is*” above…I prefer your closing comment that the scrambled data “could be usable again someday.” Then again, I am _hoping_ that the laptop I have at the back of my cupboard from 2005 “could be useful someday,” but I am _expecting_ that it won’t be.
John
Getting a proper key to a victim has nothing to do with honor among thieves, it is all about marketing and reputation. If there were no stories of successfully decrypting ransomed data the payments would soon dry up.
Paul Ducklin
You missed the “air quotes,” I guess :-)
Anonymous
I’m interested in knowing what backup options are now recommended for the average user. If I connect a hard drive or a network drive to do the backup, what prevents the ransomware from encrypting that? I currently have a backup server that my computers rsync over ssh on my local network. I also do interval backups, so if I get ransomware and it starts backing up the encrypted files, I can go back a day/week/month/year to pick up my files. I’m an advanced user though. What should I recommend for my family/friends/neighbors?
Andrew Ludgate
In the TeslaCrypt article mentioned above, John had some good advice: keep your backups disconnected when not in use. On OS X on a laptop, this is really easy, as Time Machine will automatically keep your backups going on a local cache, and copy the entire hour/day/week/month set of backups to your backup drive the next time it connects; so plugging in (or connecting to) a backup Time Machine vault once a day is a possibility. This caching can also be enabled for desktop Macs.
I add to this by having multiple Time Machine volumes that I rotate; I always keep one available and one off-site, so that my most recent backups can be easily restored, but I have a total disaster recovery plan as well that keeps my life’s worth of data except for the last few months safe and ready for recovery to a new computer.
As long as you’re hardlinking your files and keeping diffs a la BackupPC, rsync/ssh is a good method, as it sends your data to a remote location instead of opening a remote location to write to locally — this means that the ransomware never gains access to the filesystem you’re backing up to, other than to back up encrypted files. Since this makes the difference between the old and new versions of the files pretty obvious, it makes rolling things back to known-good files relatively painless.
HOWEVER,
As has been pointed out on here, ransomware is often dropped by other malware as a “let’s see what else we can wring out of this system before it’s useless to us” final ditch attack. This means that if you restore your backups and clean up the ransomware, it’s likely that your system still has malware on it that can do identity theft, mass mailing, remote access, and self updating. As such, it’s probably a good idea if you get hit with ransomware to totally wipe your system, install a clean system, and do a *selective* restore of your backups, being careful not to restore any other malware lurking in your backups.
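As an added illustration of the push-style, hardlinked snapshot approach described in the comment above (this is example code, not the commenter’s setup and not BackupPC or rsync itself), the Python script below builds snapshots the way `rsync --link-dest` does: each new snapshot hardlinks every file that is unchanged since the previous one and copies only the files that changed, so an older snapshot keeps the original of any file that was later scrambled. It also flags changed files whose byte entropy looks like ciphertext, which is the “pretty obvious” difference that makes picking the known-good version easy. The directory names, the threshold of 7.0 bits per byte, and the random-byte overwrite standing in for a scrambled file are all constructed for the example.

```python
import filecmp
import math
import os
import shutil
import tempfile
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: plain text sits around 4 to 5, ciphertext or random data near 8."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in Counter(data).values())


def snapshot(src: str, dest: str, link_dest=None) -> dict:
    """Copy the tree at src into dest. Files identical to their copy in link_dest
    (the previous snapshot) are hardlinked instead of copied, like rsync --link-dest.
    Returns {relative path: "linked" | "copied"}."""
    outcome = {}
    for root, _dirs, files in os.walk(src):
        for name in files:
            path = os.path.join(root, name)
            rel = os.path.relpath(path, src)
            target = os.path.join(dest, rel)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            previous = os.path.join(link_dest, rel) if link_dest else None
            if previous and os.path.isfile(previous) and filecmp.cmp(previous, path, shallow=False):
                os.link(previous, target)      # unchanged: share the inode with the older snapshot
                outcome[rel] = "linked"
            else:
                shutil.copy2(path, target)     # new or changed: store a fresh copy
                outcome[rel] = "copied"
    return outcome


def suspicious_changes(old_snap: str, new_snap: str, threshold: float = 7.0) -> list:
    """Files that changed between two snapshots and whose new content looks encrypted."""
    flagged = []
    for root, _dirs, files in os.walk(new_snap):
        for name in files:
            new_path = os.path.join(root, name)
            rel = os.path.relpath(new_path, new_snap)
            old_path = os.path.join(old_snap, rel)
            if os.path.exists(old_path) and os.path.samefile(old_path, new_path):
                continue                       # hardlinked, so byte-for-byte unchanged
            with open(new_path, "rb") as fh:
                if shannon_entropy(fh.read()) >= threshold:
                    flagged.append(rel)
    return sorted(flagged)


def demo() -> dict:
    """Day 1 snapshot, then one file gets scrambled, then day 2 snapshot; day 1 still has the original."""
    work = tempfile.mkdtemp()
    try:
        src = os.path.join(work, "docs")
        os.makedirs(src)
        with open(os.path.join(src, "thesis.txt"), "w") as fh:
            fh.write("Chapter 1. Introduction.\n" * 200)
        with open(os.path.join(src, "notes.txt"), "w") as fh:
            fh.write("remember to back up\n" * 50)
        day1 = os.path.join(work, "snap-day1")
        snapshot(src, day1)
        # Constructed stand-in for file-encrypting ransomware: one file is overwritten with random bytes.
        with open(os.path.join(src, "thesis.txt"), "wb") as fh:
            fh.write(os.urandom(4096))
        day2 = os.path.join(work, "snap-day2")
        day2_outcome = snapshot(src, day2, link_dest=day1)
        flagged = suspicious_changes(day1, day2)
        with open(os.path.join(day1, "thesis.txt")) as fh:
            recovered = fh.read()
        return {
            "day2": day2_outcome,
            "flagged": flagged,
            "day1_still_intact": recovered.startswith("Chapter 1."),
        }
    finally:
        shutil.rmtree(work)


if __name__ == "__main__":
    print(demo())
```

Because the snapshots live on the backup host and the client only pushes into them, a scrambled copy arriving on day 2 is stored beside the day 1 version rather than over it; the entropy check is just a quick way to find which files to roll back.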
Peter
I know this is a grey area and if my data was on the line my morals would probably go out the window but I don’t think your advice of “It’s OK to pay, but it’s much better not to.” is wise.
This is the scenario…the bad guys have held hostage something of yours and are threatening to never give it back unless you pay them money. That money will then presumably be used to fund similar attacks or possibly worse. How is that any different from a terrorist group like IS kidnapping a westerner and threatening to cut their head off unless you pay the ransom?
Paying for your files just perpetuates these types of attacks. If nobody ever paid then these attacks wouldn’t happen.
I think my advice would be:
1. If the files are important to you then you should have them backed up on a remote device that doesn’t remain connected to your computer.
2. That’s it, assume nothing is safe and get into the habit of keeping backups!
Paul Ducklin
I think what you said sort of boils down to “It’s OK to pay, but it’s much better not to.”
Perhaps I could have used a less positive-sounding word than “OK,” but it seemed fairly bland and neutral, which is what I intended.
Mike
If you do get hit and pay, what’s not to say Bad Guy #2 will not infect your computer and encrypt your files?
Paul Ducklin
Nothing can guarantee it, but if you’ve been hit and paid up then it’s a good reminder to read up on what you could have done before you got hit, and to do it before you get hit by Bad Guy #2!
(We frequently hear of ransomware that was injected onto a computer *by means of other “zombie” malware that was already there*, had probably been there for some time, and almost certainly could have been detected and removed by any of a number of decent anti-virus tools before the crooks decided on their “last roll of the die” by sacrificing the zombie PC for a final chance at that $300 ransom.)
Jubbahey
Would bitlocker on windows 10 on an external hard drive stop a rogue program from writing to it ?
Paul Ducklin
The answer is, “It depends.”
Bitlocker is what’s called “full disk encryption.” When you plug in a removable drive, *nothing* is accessible until you put in the passphrase. But when you do, the encryption is automatically stripped off when the device is read, and put back when it is written. This means the encryption works for every file, in every application, just like that. It also means that when the disk is mounted, you can write to it *as if it were not encrypted*, whether you are a real user running Word, or a malware author running ransomware.
Priyanka
Hi
I’m in a big situation.
I have somebody’s wedding video (.mxf format) rushes that have gotten encrypted and have ended up becoming .mxf.xml. I would be happy to pay and recover the files. But I have no way to do it.
I’m not even sure why I got into such trouble, I’m a Mac user. The data was under circumstance copied from a windows machine and into HDD. Now on my mac it stares at me on 55gb size.
Please can anyone help me.
This is very important as my brother’s wedding was a very memorable one.
Arunraj
Never pay the ransom.
Recently I was infected with ransomware and I paid $500 in bitcoins to the address mentioned in the image file stored in all my folders, but even after that I didn’t receive any decryption tool or key. So don’t pay, it’s a waste of money.
And I finally found a tool to decrypt my documents.
RBS
Where? What? Which decrypt tool did you use? None work for me.
I am ready to pay the ransom. I am desperate. I figure anything is better than the decrypt tools that don’t work.
Foo
There are many types of ransomware and decryption tools exist for a small number of them. First you need to know what ransomware you have. Google the website “ID Ransomware”. Upload your ransom note or an encrypted file to that website to find out what kind of ransomware you’ve got. If there is a way to decrypt your files, it will point you in the right direction. Be prepared for disappointment though – most ransomware cannot be decrypted.
Anonymous
Arunraj,
Could you please share what tool it is you found that was able to decrypt your files?
From everything I’ve read up til now (& I’ve researched this a lot) no such tool exists for the Cerber Ransomware that has infected my PC.
Thank you
RBS
Can you please tell me how to pay the ransom? I am desperate at this point and need my files back. I have gone through every link and help tool and nothing works, either the links are broken or just worthless do-nothing crap. I have given up doing this the legitimate way. It’s late Sunday and I need these files back now.
I have visited Interpol, “No More Ransom Project”, BitDefender and their tool to remove this… I give up.
Does anyone have any information how to pay these bastards? At this point I really don’t care how much this costs me. Yeah, save your lectures for someone else, I can only deal with one bastard at a time.
Can someone help with how this payment is exchanged? Thank you.
Yes, the email is legit, created for the exchange of payment.