Ransomware – what is it?
Since January we have had a number of our retail and trade customers approach CDR about data loss due to malware. The BBC have just covered this, please see:
Essentially the malware locks your computer for a period ranging from minutes to hours. You will see a splash screen telling you either that your data is being encrypted or, even more worryingly, that the authorities have found indecent images of children on your computer and that this will be reported to the police. It is during this time that your personal data is being encrypted.
Over the 7 years that CDR has been trading we have not seen such an aggressive and sophisticated piece of malware as this. There are a number of different versions of the software, with ransom demands that range from 100 US dollars up to 5000 US dollars. When CDR has inspected the hard disk drives of affected computers we have noticed that the malware has used WinRAR to create password-protected self-extracting executable files (.EXE). A command has then been used to securely delete the original files. A secure delete in this case involves writing new data over the area of the hard disk drive where the original file was stored. This makes it impossible to recover your files by searching the drive for the original versions.
The malware targets files based on their file type / extension. Office documents, JPEG images, PDF files and other user-created data are usually affected; audio and video files tend not to be. Because of this, we have also noticed that applications which use their own, less common file extensions are unaffected, for example Sage Accounting data and backup files. This has come as a relief to the businesses we have helped.
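As an added triage example (not CDR's own tooling), the script below walks a folder tree and flags .EXE files that look like the artefact described above: a Windows executable (MZ stub) with an embedded RAR archive marker, which is how a WinRAR self-extracting archive is built. It also counts how many ordinary user documents are still present beside them. The sample files it writes to a temporary folder are constructed for the demonstration.

```python
"""Triage helper for the WinRAR SFX behaviour described above (added example)."""
import tempfile
from pathlib import Path

RAR4_MARKER = b"Rar!\x1a\x07\x00"      # RAR 1.5 - 4.x archive signature
RAR5_MARKER = b"Rar!\x1a\x07\x01\x00"  # RAR 5.x archive signature
USER_DATA_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".jpg", ".jpeg"}


def is_rar_sfx(path: Path, max_read: int = 8 * 1024 * 1024) -> bool:
    """True if the file starts with the PE 'MZ' stub and embeds a RAR marker."""
    with open(path, "rb") as fh:
        data = fh.read(max_read)
    if not data.startswith(b"MZ"):
        return False
    return RAR4_MARKER in data or RAR5_MARKER in data


def triage(root: Path) -> dict:
    """Report suspected SFX archives and how many user documents remain."""
    suspects, remaining_docs = [], 0
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        suffix = p.suffix.lower()
        if suffix == ".exe" and is_rar_sfx(p):
            suspects.append(str(p.relative_to(root)))
        elif suffix in USER_DATA_EXTS:
            remaining_docs += 1
    return {"sfx_archives": sorted(suspects), "user_docs_left": remaining_docs}


def build_sample_tree() -> Path:
    """Constructed fixture: one SFX-like .exe, one plain .exe, one surviving PDF."""
    root = Path(tempfile.mkdtemp(prefix="cdr_triage_"))
    docs = root / "Documents"
    docs.mkdir()
    # Fake SFX: MZ stub bytes followed by a RAR4 marker and some archive bytes.
    (docs / "invoices.exe").write_bytes(b"MZ" + b"\x00" * 62 + RAR4_MARKER + b"payload")
    # Ordinary executable with no archive inside: must not be flagged.
    (docs / "setup.exe").write_bytes(b"MZ" + b"\x00" * 100)
    (docs / "quote.pdf").write_bytes(b"%PDF-1.4 constructed sample")
    return root


if __name__ == "__main__":
    print(triage(build_sample_tree()))
```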
What can be done?
Firstly, if you see your computer showing the splash screen threatening encryption of your data, or any other splash screen that has locked your computer, then power down your computer immediately. The longer the splash screen is showing, the more data will be encrypted. Do not turn your computer back on; doing so will continue the encryption process.
Cheadle DATA Recovery LTD can recover data in many cases of this malware. It is necessary to try and find the ‘shadow copies’ that are created by many operating systems: Windows often keeps previous revisions of your files, a useful function most people are unaware of. However, if this function of the operating system has been turned off then it will not be possible to recover the data this way.
Do not under any circumstances provide your credit card details or transfer money to the malware creators. Usually they will not provide you with a decryption code or return your working data.
The National Crime Agency said that anyone infected with this malware should report it via actionfraud.police.uk.
If you require advice on this matter please contact CDR on 0161 408 4857.