Ransomware

What is it?

Ransomware was reportedly inspired by the movie Alien (1979). I genuinely did not know this before doing the research for this article, though I am an avid fan of the series. Anyone familiar with the eponymous creature will immediately grasp the kind of damage the comparison implies.

Typical computer viruses destroy or steal data, or abuse our machines to spread for more nefarious and complicated purposes like Distributed Denial-of-Service attacks. Ransomware is more direct and does exactly what it says on the tin: it holds your data captive for money. It is a form of malware that keeps you from accessing your own local data and then demands payment to give it back, sometimes with a deadline after which the data, or the key to it, is simply deleted.


(Image source: Wikimedia)

How does it work?

Some ransomware, the older screen-locking kind, can be bypassed by a knowledgeable user: move the hard drive to another machine (preferably one running a different OS, such as a flavor of Linux) and copy the files off directly. The infected system can then be formatted and the OS reinstalled, destroying the malware and saving the files. Most newer ransomware, however, encrypts the files themselves, and a drive swap does nothing to undo that.

Under normal circumstances, strong encryption is your friend. It is what keeps your data safe from attackers, keeps your internet traffic from prying eyes, and keeps your sensitive information locked up, unreadable, in databases. Ransomware turns this on its head: it uses the same encryption against you, and it uses public-key (asymmetric) cryptography so that the key needed to undo the damage never exists on your machine. Attackers distribute a small program that hides on your machine and encrypts your files in the background, typically with a fresh symmetric key per file or per victim that is then itself encrypted with the attacker's public key. When it finishes, all non-system data on the machine is unreadable, and the only thing that can reverse it is the private key, which sits on the attacker's side. Older strains rarely bothered to copy your files out, since the contents were not worth the effort compared to the ransom; that is no longer a safe assumption.

Now the ransomware enters its second phase, where it aggressively blocks access to the machine with popups (not browser popups, but *system* dialogs that cannot be dismissed or closed) demanding money, lest your data be lost for good. Some ransomware adds a further twist: the threat to publish your data online, which means it copied the data out before encrypting it.

These demands usually include a bitcoin address to which you are to send the money in exchange for the key to your data; bitcoin is pseudonymous rather than truly untraceable, but it is hard enough to follow to suit the attackers. Paying is often a sham, however. Some ransomware has no decryption facility at all, or the operators never kept the private key, so once they have your money you are simply left poorer, with less money and no more data than before.
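As an added illustration of the key handling described above (this is example code written for this edit, not code from the original post or from any real ransomware family), the following Go program performs envelope encryption the way crypto-ransomware does: a random per-file AES-256-GCM key encrypts the data, and that key is wrapped with an RSA-OAEP public key whose private half stays with the attacker. The file name, sample bytes and key size are constructed for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Blob is what the victim's disk holds for one file afterwards: the per-file
// data key wrapped to the attacker's public key, the AES-GCM nonce and the
// ciphertext. No plaintext key material is left behind.
type Blob struct {
	WrappedKey, Nonce, Ciphertext []byte
}

// newAttackerKeyPair stands in for the key pair generated on the attacker's
// side. Only the public half is ever shipped inside the malware.
func newAttackerKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptWithPublicKey is the victim-side step. It needs only the public key,
// so nothing that remains on the infected machine can reverse it.
func encryptWithPublicKey(pub *rsa.PublicKey, plaintext []byte) (*Blob, error) {
	dataKey := make([]byte, 32) // fresh AES-256 key for this file
	if _, err := rand.Read(dataKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(dataKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ciphertext := gcm.Seal(nil, nonce, plaintext, nil)
	// Wrap the data key so that only the holder of the private key can unwrap it.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dataKey, nil)
	if err != nil {
		return nil, err
	}
	for i := range dataKey { // discard the only plaintext copy of the key
		dataKey[i] = 0
	}
	return &Blob{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ciphertext}, nil
}

// decryptWithPrivateKey is what a genuine "decryptor" does. It fails unless the
// private key matches the public key that wrapped the data key.
func decryptWithPrivateKey(priv *rsa.PrivateKey, b *Blob) ([]byte, error) {
	dataKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, b.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	gcm, err := newGCM(dataKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, b.Nonce, b.Ciphertext, nil)
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func main() {
	attacker := must(newAttackerKeyPair())
	original := []byte("tax-return-2020.pdf: constructed sample bytes, not a real document")
	blob := must(encryptWithPublicKey(&attacker.PublicKey, original))
	fmt.Printf("left on disk: %d-byte wrapped key, %d-byte ciphertext\n",
		len(blob.WrappedKey), len(blob.Ciphertext))
	fmt.Printf("with the attacker's private key: %q\n",
		must(decryptWithPrivateKey(attacker, blob)))
	// Any other private key (say, one the operators never bothered to keep)
	// fails at the unwrap step; the data stays locked.
	_, err := decryptWithPrivateKey(must(newAttackerKeyPair()), blob)
	fmt.Println("with a different private key:", err)
}
```

Note what the victim's machine is left holding: a wrapped key, a nonce and ciphertext. Without the matching private key the unwrap step fails, which is exactly why the attacker's cooperation, or a backup, is the only route back, and why an operator who never kept the private key cannot help you even after being paid.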

Another favored tactic aims to make the user panic by displaying prominent warnings accusing the user and their computer of involvement in criminal activity. The ransomware variously offers not to report this activity in exchange for a payoff, or claims to be a way for the user to simply pay a "fine" and avoid any legal process. No real law-enforcement agency collects fines this way.

How does this happen?

Malware of all kinds usually finds its way onto your system by tricking you. A common method is to bundle the malware with a legitimate program and redistribute that bundle through an unofficial channel. For instance, a free program like VLC could have malware hidden inside it, and the malware creator could upload the infected VLC to a file-hosting link (file.io, megaupload, or any of thousands more) which they then popularize by posting it on Reddit or elsewhere as a convenience for users looking for the software.

Sometimes this trap is sweetened by using proprietary software that otherwise requires a purchase. The infected copy is cracked, allowing the end user to bypass the purchase, but the cracked download is actually intended to be a host for the virus. Long story short, you might think you’re getting a free copy of Photoshop, but you’re really getting an uninvited guest that will cost you much more.

Rarely, but often enough to be worrisome, malware finds its way into legitimate software distribution channels. Any channel where software is downloaded can find itself subject to malware. Links can be hijacked, requests redirected, emails with convincing language copied from mainstream sources like Microsoft or Amazon but with links to malware-containing executables--practically every corner of the internet is potentially creeping with malware. It is analogous to insect control in a house: you can’t be rid of them, ever, because they’re all around in the environment; instead, you must persistently enact controls and policies that keep them out.

What can I do?

Fortunately, there are straightforward ways to thwart ransomware, and they are basic security practices that have other benefits as well. Here is the list:

  1. Have backups.
  2. Have backups.
  3. Have backups.

It really is that simple, and I am not being silly in repeating myself. Not backing up data is the most common error users make. Failing that, they keep inconsistent backups of only some of their data, and the crucial data is often exactly what gets left out.

First, back up passwords and other cryptographic keys. These should ideally live in a password manager, and the backup should be both local and remote. A versioned backup is ideal: keep older versions of the data accessible in case newer versions are corrupted. Where feasible, a small notebook with a password history can be a reasonable substitute or additional measure. Keeping your passwords and keys stored securely and redundantly will limit the effect of any data loss, especially when those passwords or keys protect your (possibly encrypted) backups: a backup you cannot decrypt is no backup at all.

Organization of your data also helps. Any kind of administrative or sensitive data is best kept encrypted, both locally and remotely. You can usually achieve this with an encrypted folder that is also backed up by something like Dropbox or Resilio Sync, or any other remote or cloud storage. The encryption keeps the stored data safe should the cloud provider be compromised, and the cloud copy keeps your data accessible should your local copy be compromised. The main thing that makes this reliable, though, is keeping this data *separate* from your non-critical data. Sensitive data is rarely large, usually a few MB at most for most people, so it is fast to encrypt and decrypt as needed and to copy into storage; mixing it in with non-critical data, which can be enormous, slows the backup down or prevents it from completing. So keep the two apart, back them up separately, critical data first, and back the critical data up more often.

For everything else, separate the data you could lose without missing it from the data you would like to keep but that is not strictly private (anything private belongs with the previous section's data). That makes it easier and cheaper to back up. You might not bother encrypting this data, though compressing it is worth considering. You also might skip a cloud backup, which can be pricey, and just keep a cheap USB HDD around to plug in periodically and copy these files over. Mainly you want to be sure that data you would miss, digital photos of grandparents for instance, is not lost to malware in a way that compels you to consider paying off the attackers.

A technical option, where available, is a filesystem with snapshots, such as ZFS. A snapshot is read-only, so ransomware running as an ordinary user cannot encrypt it, and the dataset can be rolled back to the pre-infection snapshot. This is not complete immunity: malware that gains administrative rights on the host can destroy the snapshots along with everything else, so the snapshots should also be replicated to a machine the infected one cannot write to. Tools also exist that try to decrypt ransomed files, but they are hit and miss, and newer ransomware especially will likely be resistant.

Backing Up Data & Security

Abstractly, there are two parts to your backups: cloud and offline. Cloud backups keep your data in multiple copies so that it is never lost, and are especially convenient if something syncs that data between multiple computers. Note, though, that a sync client is not a backup on its own: it will faithfully upload the encrypted versions over the good ones, so what saves you is the provider's file versioning, or a backup tool that keeps old versions rather than mirroring the current state. Offline backups keep your data out of attackers' reach. A USB drive (a small flash drive or a larger portable HDD) is a good option, as long as you do not just leave it plugged in, where it would be encrypted along with everything else!
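As an added example of the versioned backup recommended above, and of why a plain sync client is not the same thing (written for this edit; it is not code from the original post, nor any particular backup product), the following Go program implements a tiny append-only, content-addressed snapshot store, damages the working copy the way an encryptor would, snapshots the damaged state exactly as a sync client would upload it, and then restores the earlier snapshot. The file names and contents are constructed sample data.

```go
package main

import (
	"crypto/sha256"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Store is a minimal append-only, content-addressed backup repository: file
// contents and snapshot manifests live at root/<sha256>, written once and never
// updated, so an earlier snapshot survives any later damage to the live copy.
type Store struct{ root string }

// put stores data under its hash unless a blob with that hash already exists.
func (s *Store) put(data []byte) (string, error) {
	sum := fmt.Sprintf("%x", sha256.Sum256(data))
	if _, err := os.Stat(filepath.Join(s.root, sum)); err == nil {
		return sum, nil // identical content is already there; never rewrite it
	}
	return sum, os.WriteFile(filepath.Join(s.root, sum), data, 0o400)
}

// Snapshot records every file directly under src; the snapshot id is the hash
// of its manifest, one "hash name" line per file.
func (s *Store) Snapshot(src string) (string, error) {
	entries, err := os.ReadDir(src)
	if err != nil {
		return "", err
	}
	var lines []string
	for _, e := range entries {
		data, err := os.ReadFile(filepath.Join(src, e.Name()))
		if err != nil {
			return "", err
		}
		sum, err := s.put(data)
		if err != nil {
			return "", err
		}
		lines = append(lines, sum+" "+e.Name())
	}
	return s.put([]byte(strings.Join(lines, "\n")))
}

// Restore returns the files recorded in snapshot id, keyed by file name.
func (s *Store) Restore(id string) (map[string][]byte, error) {
	manifest, err := os.ReadFile(filepath.Join(s.root, id))
	if err != nil {
		return nil, err
	}
	files := map[string][]byte{}
	for _, line := range strings.Split(string(manifest), "\n") {
		sum, name, _ := strings.Cut(line, " ")
		if files[name], err = os.ReadFile(filepath.Join(s.root, sum)); err != nil {
			return nil, err
		}
	}
	return files, nil
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// runScenario snapshots a constructed working directory, damages every file,
// snapshots again (what a sync client uploads), then restores the first snapshot.
func runScenario() bool {
	root, err := os.MkdirTemp("", "ransom-demo")
	check(err)
	defer os.RemoveAll(root)
	store := &Store{root: root}
	work, err := os.MkdirTemp(root, "work") // the live copy
	check(err)
	originals := map[string]string{ // constructed sample data, not real files
		"passwords.kdbx": "sample password database",
		"grandma.jpg":    "sample photo bytes",
	}
	for name, content := range originals {
		check(os.WriteFile(filepath.Join(work, name), []byte(content), 0o600))
	}
	good, err := store.Snapshot(work)
	check(err)
	for name := range originals { // stand-in for an encryptor running over the live copy
		check(os.WriteFile(filepath.Join(work, name), []byte("<ciphertext>"), 0o600))
	}
	_, err = store.Snapshot(work) // the damaged state is stored as well, not instead
	check(err)
	files, err := store.Restore(good)
	check(err)
	return string(files["passwords.kdbx"]) == originals["passwords.kdbx"] &&
		string(files["grandma.jpg"]) == originals["grandma.jpg"]
}

func main() {
	fmt.Println("originals recovered from the pre-infection snapshot:", runScenario())
}
```

The property doing the work is that nothing in the store is ever overwritten: the damaged snapshot is added beside the good one, not in place of it. That holds only while the attacker cannot write to the store, which is the reason for the unplugged drive and for keeping snapshot copies on a host the infected machine cannot reach.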

If you keep your data backed up, and keep the keys to the backup out of attackers' reach, your data will be safe even if your computer is completely destroyed, or its disk must be wiped to restore it after a ransomware attack. It is worth taking the time to make these backups now, lest you lose critical data that could cost you personally, professionally, or even cause a nationwide gasoline catastrophe.

May 13th 2021 David Thomas
