What is Ransomware?
Ransomware is malware that typically encrypts the data on a victim’s computer and then demands that you pay money (a “ransom”), usually in exchange for the key needed to get your data back. For more information please see the Wikipedia Ransomware entry.
How did I get ransomware on my computer?
Ransomware is spread as a Trojan: the malicious file is disguised as a legitimate one. The most likely way you will come into contact with such a file is as an attachment to a spam email. Compressed files (usually .ZIP) can contain the active malware. Within the .ZIP file there is often a JavaScript file (or a similar script) which, when opened, downloads and installs the malware, which then begins encrypting your data.
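The practical check that follows from this is to look inside a .ZIP attachment before anyone double-clicks it. The script below is an added example, not part of the original page and not CDR’s own tooling: it reads only the archive’s directory (nothing inside it is run) and flags members with a script or executable extension, a decoy double extension such as “invoice.pdf.js”, or password protection (which mail gateways cannot scan through). The sample archive is constructed inline so it runs offline, and the extension list is an assumption to adjust for your environment.

```python
"""Triage a .zip e-mail attachment for script droppers before anyone opens it.

Added example, not part of the original page or CDR's own tooling. The
archive is constructed inline so the script runs offline; the extension
list is an assumption to tune for your environment.
"""
from __future__ import annotations

import io
import zipfile

# Extensions that Windows executes on double-click. Spam droppers are almost
# always one of these, often hidden behind a decoy extension ("invoice.pdf.js").
# Assumed list: extend it for your environment.
EXECUTABLE_EXTENSIONS = {
    ".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta", ".ps1",
    ".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".lnk",
}


def suspicious_members(zip_bytes: bytes) -> list:
    """Return [(member_name, reason), ...] for every archive entry that
    looks like a dropper. Only the central directory is read; nothing is run."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            base = info.filename.rsplit("/", 1)[-1]
            parts = base.lower().split(".")
            ext = "." + parts[-1] if len(parts) > 1 else ""
            if info.flag_bits & 0x1:
                # Encrypted member: mail gateways cannot scan it, which is
                # exactly why spammers password-protect droppers.
                findings.append((info.filename, "password-protected member"))
            elif ext in EXECUTABLE_EXTENSIONS:
                if len(parts) > 2:
                    reason = "script hidden behind decoy extension (%s)" % ".".join(parts[1:])
                else:
                    reason = "executable/script extension %s" % ext
                findings.append((info.filename, reason))
    return findings


def build_sample_attachment() -> bytes:
    """Constructed sample resembling a spam 'invoice' attachment (not a real dropper)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # A real dropper would download and launch the ransomware; this body is inert.
        zf.writestr("Invoice_2016-06.pdf.js", "// downloader body omitted in this example\n")
        zf.writestr("Invoice_2016-06.pdf", "%PDF-1.4 decoy document\n")
        zf.writestr("img/logo.png", b"\x89PNG\r\n\x1a\n")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in suspicious_members(build_sample_attachment()):
        print("BLOCK %-30s %s" % (name, reason))
```

Run it against the constructed archive and only `Invoice_2016-06.pdf.js` is reported, with the reason that a script is hidden behind the `.pdf` decoy; the genuine PDF and image pass. On a mail gateway the same function would be applied to every archive attachment before delivery.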
Ransomware is getting more sophisticated
Just like other software developers, the makers of ransomware look to ‘improve’ their software and to reduce the number of bugs and loopholes. CDR received its first ransomware-affected hard disk drive back in 2010. At that time the ransomware might simply lock the computer, or apply a hidden attribute to the files; it was very straightforward to recover the data in full.
Since 2010 ransomware has developed significantly. Variants seen in 2016 use strong, correctly implemented encryption, which in many cases makes it impossible to decrypt the data without the attacker’s key.
An IT support / data recovery company has advertised that it can recover all my data. Is this true or is it a scam?
For some older variants of ransomware, decryption software has been developed that allows the data to be recovered. This software is free and can readily be found online. Alternatively, it may be possible to restore files from the ‘shadow copy’ (Previous Versions) function within Windows, although many current variants deliberately delete the shadow copies as part of the attack, so check that they still exist before relying on them. However, in most current cases of ransomware there is no method to decrypt the data other than paying the ransom; the only other way back is to restore from a backup that the malware could not reach.
In June 2016 one of CDR’s regular customers got in contact because one of the computers in their organisation had suffered a ransomware attack. He reported that the ransomware variant was the newly released ‘Bart’. He also reported that a company his colleague had contacted had guaranteed that they could recover the data. At CDR we thought this was unusual and also unlikely, given that the ‘Bart’ variant of ransomware was newly released and reports in technical forums suggested that it was very sophisticated, with no known method to decrypt the data.
How could the IT support / data recovery company claim that they could decrypt the data? The clue was in the price they charged for the service. Our regular customer revealed that they wanted a data recovery fee 50% higher than the ransom. Readers will probably have worked it out by now: the IT support / data recovery company simply pays the ransom for you and then adds a 50% commission for its effort.
Please note that, as of 19 July 2016, AVG has released a free tool to decrypt files affected by Bart ransomware. You can download it to decrypt your files.
Update May 2019 – Scam Data Recovery Company Pays the Ransom
As outlined above, we have always been suspicious of IT support companies which claim to be able to recover data from any ransomware. An investigation by ProPublica has documented this scam being run by some IT companies. Full details are published in the Guardian.
Backup your data
Ransomware can spread easily across computer networks. Moreover, if your network uses ‘mapped drives’ (shared folders presented as drive letters), then ransomware running on a colleague’s computer can encrypt files on the share, including files on your computer, because to the malware a mapped drive is just another folder to encrypt. Consequently, even if you are diligent in your own computer usage, such malware can still affect your data. For the same reason, a backup held on a permanently mapped drive or a permanently connected USB disk is likely to be encrypted along with everything else: keep backups offline, or on storage that the infected computer cannot write to.
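The same mapped-drive behaviour has an upside for the defender: the file server sees which client is doing the renaming, so the infected machine can be identified and unplugged while the rest of the share is still intact. The script below is an added example, not part of the original page and not CDR’s own tooling. It goes slightly beyond the paragraph by showing the detection side: it reads constructed file-server audit lines (the format and the lines are invented for this example; a real server such as Windows object-access auditing records the same facts in its own format), treats a rename that appends something to the full original filename, or that ends in a known ransomware suffix, as an encryption event, and flags any client host that produces a burst of them. The suffix list is an assumption.

```python
"""Spot the one machine on the network that is encrypting a shared folder.

Added example, not part of the original page or CDR's own tooling. The
audit-log format and the lines themselves are constructed for this example;
a real file server records the same facts in its own format. The suffix
list is an assumption.
"""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime, timedelta

# Extensions that some 2016 families append to the files they encrypt.
# Assumed, partial list; the generic rule in looks_encrypted() catches unknown ones.
RANSOM_SUFFIXES = (".bart.zip", ".locky", ".zepto", ".crypt", ".encrypted", ".locked")

# Constructed sample: timestamp, client host, user, operation, old path, new path.
# WS-07 is the infected PC; WS-03 is a colleague doing ordinary work.
SAMPLE_AUDIT_LOG = r"""
2016-06-21T09:14:01 WS-03 bob   write  \\FS1\Sales\Q2\notes.docx -
2016-06-21T09:14:02 WS-07 alice rename \\FS1\Sales\Q2\forecast.xlsx \\FS1\Sales\Q2\forecast.xlsx.bart.zip
2016-06-21T09:14:03 WS-07 alice rename \\FS1\Sales\Q2\pipeline.docx \\FS1\Sales\Q2\pipeline.docx.bart.zip
2016-06-21T09:14:05 WS-03 bob   rename \\FS1\Sales\Q2\report.docx \\FS1\Sales\Q2\report_final.docx
2016-06-21T09:14:06 WS-07 alice rename \\FS1\Sales\Q2\budget.xlsx \\FS1\Sales\Q2\budget.xlsx.bart.zip
2016-06-21T09:14:09 WS-07 alice rename \\FS1\Sales\Q2\contacts.csv \\FS1\Sales\Q2\contacts.csv.bart.zip
"""


def looks_encrypted(old: str, new: str) -> bool:
    """A rename that appends something to the full original name, or that ends
    in a known ransomware suffix, is what encryption looks like from the server."""
    old_l, new_l = old.lower(), new.lower()
    return new_l.endswith(RANSOM_SUFFIXES) or new_l.startswith(old_l + ".")


def find_encrypting_hosts(log_text: str, threshold: int = 3,
                          window: timedelta = timedelta(seconds=60)) -> dict:
    """Return {host: [original paths]} for every client that performed at
    least `threshold` encryption-like renames within `window`."""
    renames = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, _user, op, old, new = line.split()
        if op == "rename" and looks_encrypted(old, new):
            renames[host].append((datetime.fromisoformat(ts), old))
    flagged = {}
    for host, events in renames.items():
        events.sort()
        # Sliding window: any `threshold` consecutive events inside `window` is a burst.
        for i in range(len(events) - threshold + 1):
            if events[i + threshold - 1][0] - events[i][0] <= window:
                flagged[host] = [path for _, path in events]
                break
    return flagged


if __name__ == "__main__":
    for host, paths in find_encrypting_hosts(SAMPLE_AUDIT_LOG).items():
        print("isolate %s now; it has encrypted %d files on the share:" % (host, len(paths)))
        for p in paths:
            print("   ", p)
```

On the sample, WS-07 is flagged with four files while WS-03’s ordinary rename of `report.docx` to `report_final.docx` is ignored, because the new name does not contain the whole old name. The threshold and window exist so that a single odd rename does not raise an alarm; tune them to the volume of your own share.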