What to do when your data is held hostage for a ransom

Malware that blocks access to your computer and then demands a ransom, payable to some criminal in a foreign country, can be a real problem. Before you call the FBI and CIA, first try to understand what type of attack has occurred. Symantec published a nice overview of the different variants you might run into.

Some variants are very obvious in their approach. They use a combination of shock and embarrassment to extort money from people. The most recent example of this is Trojan.Ransomlock.F. The Trojan.Ransomlock family is a type of ransomware that locks the user's desktop. Once the desktop has been locked, it is no longer possible to use the computer as normal. To restore access to the desktop, one typically has to send a text message to a premium-rate number. A message containing the unlock code is then, hopefully, sent back to the user. (Trusting someone who has just compromised your computer and is holding you to ransom is generally not a reliable plan.) Note that this family only locks the desktop; it does not touch your files, so removing the Trojan itself, for example by scanning from a rescue disk, typically restores access without paying.

In the case of the Trojan.Ransomlock.F variant, the threat not only locks the desktop but also changes the desktop background to an explicit pornographic image. The authors added this trick to play on the user's insecurities: having a graphic pornographic image emblazoned across a monitor is guaranteed to give anyone a red face, and an embarrassed user is less likely to seek technical help from another person.

Another approach ransomware threats typically employ is holding a user's files to ransom. This tactic is relatively common but has evolved over the years, using encryption in smarter ways. The general approach is to search the compromised computer for user-specific files such as .doc, .xls and .jpg and encrypt them in place, which renders them inaccessible. Only the correct key can decrypt them, and that key is held by the attacker. Of course, to get the key, the owner of the compromised computer has to pay.

Unfortunately, unless the ransom is paid to the malware authors (with no guarantee that a working key ever arrives), the only way to retrieve the encrypted files is from backup. Always back up, and keep at least one copy somewhere the malware cannot reach, such as a disconnected drive: a backup sitting on an attached USB disk or a mapped network share simply gets encrypted along with everything else.
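A quick way to tell whether files have been encrypted in place is to compare each file's header against what its extension promises: a real .jpg starts with FF D8 FF and a legacy .doc with the OLE2 magic D0 CF 11 E0, and ciphertext has neither, and runs close to 8 bits of entropy per byte. The following is an added example written for this page, not code from the original article or from Symantec; the file names, the sample contents and the 7.5 bits/byte threshold are constructed for illustration.

```python
import math
import os
import tempfile
from collections import Counter

# Leading bytes ("magic") that a healthy file of each type starts with.
# Legacy .doc/.xls are OLE2 containers; .docx/.xlsx are ZIP archives.
# A file that has been encrypted in place no longer starts with these.
MAGIC = {
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".pdf": b"%PDF-",
    ".doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",
    ".xls": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
}

SAMPLE_BYTES = 4096        # only the head of each file is examined
ENTROPY_THRESHOLD = 7.5    # bits/byte (assumed); ciphertext sits near 8.0, text near 4-5


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for an empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def check_file(path: str) -> dict:
    """Compare a file's header against what its extension promises."""
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as fh:
        head = fh.read(SAMPLE_BYTES)
    magic_ok = head.startswith(MAGIC[ext]) if ext in MAGIC else None
    entropy = shannon_entropy(head)
    # Known type: a wrong header is the signal. Compressed formats such as
    # .jpg or .docx are legitimately high-entropy after their header, so
    # entropy alone would misfire on them. Unknown type: fall back to entropy.
    if magic_ok is not None:
        suspicious = not magic_ok
    else:
        suspicious = entropy > ENTROPY_THRESHOLD
    return {"path": path, "magic_ok": magic_ok,
            "entropy": round(entropy, 2), "suspicious": suspicious}


def scan(directory: str) -> dict:
    """Walk `directory`; return {relative path: finding} for every file."""
    findings = {}
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            findings[os.path.relpath(path, directory)] = check_file(path)
    return findings


def build_sample_dir() -> str:
    """Constructed test data (not real victim files): a healthy JPEG header,
    a healthy text note, a .doc whose content has been replaced by
    ciphertext, and an unknown-type file holding ciphertext."""
    # Deterministic stand-in for ciphertext: every byte value appears exactly
    # 16 times in 4096 bytes, so the entropy is exactly 8.0 bits/byte.
    ciphertext = bytes((i * 97 + 31) % 256 for i in range(SAMPLE_BYTES))
    directory = tempfile.mkdtemp(prefix="ransom-check-")
    samples = {
        "holiday.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 200,
        "readme.txt": b"The quick brown fox jumps over the lazy dog.\n" * 80,
        "report.doc": ciphertext,
        "notes.txt": ciphertext,
    }
    for name, content in samples.items():
        with open(os.path.join(directory, name), "wb") as fh:
            fh.write(content)
    return directory


if __name__ == "__main__":
    for name, finding in sorted(scan(build_sample_dir()).items()):
        flag = "SUSPICIOUS" if finding["suspicious"] else "ok"
        print(f"{flag:10} {name:12} magic_ok={finding['magic_ok']} "
              f"entropy={finding['entropy']}")
```

Run it against a user's Documents folder rather than the constructed sample directory to get a first-pass list of what was hit and what survived; the magic check is the reliable part, the entropy fallback is only a hint for file types the table does not know.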

Boot blocking
The most basic computer resource that an attacker can attempt to obtain a ransom for is access to the operating system itself. No operating system means no antivirus and no assistance from the Internet. Trojan.Bootlock achieves this by overwriting the master boot record (MBR) with custom code. The MBR is the first 512-byte sector of the disk; it holds the code the BIOS executes to start the operating system, followed by the partition table and a 0x55AA signature. By overwriting that code, the malware authors deny the user access to the operating system. The partitions and the files on them are typically left intact, so booting from rescue media and rewriting the MBR usually recovers the system.
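Because the MBR has a fixed layout, it is easy to parse and to compare against a known-good baseline, which is the check a responder wants when a machine stops booting: has the boot code changed, and is the partition table still there? The following is an added example written for this page, not code from the original article or from Symantec; the sample sectors, the stand-in boot code and the lock-screen bytes are constructed and are not real Trojan.Bootlock code.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446            # bytes 0..445 hold the boot loader code
PART_TABLE_OFFSET = 446        # four 16-byte partition entries follow
MBR_SIGNATURE = b"\x55\xaa"    # bytes 510..511; the BIOS will not boot without it


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into boot code hash, partition table and signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
            "<B3sB3sII", sector[off:off + 16])
        if ptype == 0:          # empty slot
            continue
        partitions.append({"index": i, "bootable": status == 0x80,
                           "type": ptype, "lba_start": lba_start,
                           "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
        "signature_ok": sector[510:512] == MBR_SIGNATURE,
    }


def check_mbr(sector: bytes, baseline_boot_code_sha256: str) -> list:
    """Return findings; an empty list means the sector matches the baseline."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("0x55AA signature missing: sector is not a valid MBR")
    if info["boot_code_sha256"] != baseline_boot_code_sha256:
        findings.append("boot code differs from the known-good baseline")
    if not info["partitions"]:
        findings.append("partition table is empty")
    elif not any(p["bootable"] for p in info["partitions"]):
        findings.append("no partition is marked bootable")
    return findings


def build_mbr(boot_code: bytes, partitions=(), signature=MBR_SIGNATURE) -> bytes:
    """Assemble a sector for the constructed samples below."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    for i, (status, ptype, lba_start, sectors) in enumerate(partitions):
        off = PART_TABLE_OFFSET + 16 * i
        sector[off:off + 16] = struct.pack("<B3sB3sII", status, b"\0\0\0",
                                           ptype, b"\0\0\0", lba_start, sectors)
    sector[510:512] = signature
    return bytes(sector)


# Constructed samples. One bootable NTFS (type 0x07) partition at LBA 2048.
SAMPLE_TABLE = ((0x80, 0x07, 2048, 204800),)
# Stand-in for legitimate boot code: a typical opening sequence
# (cli; xor ax,ax; mov ss,ax) followed by zeros. Not a real boot loader.
CLEAN_MBR = build_mbr(b"\xfa\x33\xc0\x8e\xd0", SAMPLE_TABLE)
BASELINE = parse_mbr(CLEAN_MBR)["boot_code_sha256"]
# Stand-in for a locker: an infinite loop (jmp $) plus placeholder text.
# Partition table and signature are kept so the BIOS still runs the code.
LOCKED_MBR = build_mbr(b"\xeb\xfe" + b"constructed lock-screen text", SAMPLE_TABLE)
# A fully zeroed first sector: nothing boots and no partitions are listed.
WIPED_MBR = bytes(SECTOR_SIZE)

if __name__ == "__main__":
    for label, sector in (("clean", CLEAN_MBR), ("locked", LOCKED_MBR),
                          ("wiped", WIPED_MBR)):
        print(label, check_mbr(sector, BASELINE) or ["ok"])
```

On a live Linux system the first sector is read with `dd if=/dev/sda bs=512 count=1 of=mbr.bin` (root required); record the boot code hash while the machine is known to be clean, since a legitimate boot loader update also changes it, so a mismatch is a signal to investigate rather than proof of infection.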

In the final analysis, the best way to defend against such threats is up-to-date antivirus and a regular backup routine, with at least one copy kept offline and a restore actually tested now and then.