What is Ransomware?
In short: cybercriminals put pressure on us by encrypting our important and irreplaceable data and then demand a fortune with the promise of returning it. We show you how to defend against them.
In detail: attackers no longer just try to blackmail you with the promise of returning encrypted data: they also steal files and threaten to publish their contents on the Internet. According to security experts, two thirds of the ransomware attacks currently active involve data theft. This leaves victims in a new situation: backups have been the best protection against ransomware, but they cannot prevent the blackmailers from publishing the data. Hence the term ranshameware, a contraction of ransom and shame. Fortunately for the average user, this method is for the time being more effective against companies that want to keep their trade secrets out of the public eye. Learn how you can protect yourself against ransomware.
Earlier this year, Europol investigators dealt a major blow to international cybercriminals by taking control of Emotet’s servers and arresting several people. Emotet was one of the most dangerous malware families because it gave criminals undetected access to unsuspecting users’ computers, which they could then use to smuggle ransomware into the system.
Ransomware is one of the worst and most malicious kinds of malware released in recent years. Once a machine is infected, the malware encrypts important personal files (selected by file type) on all accessible drives, deletes the originals, and then displays a ransom message. Victims are left in dire situations, whether they are private users who lose irreplaceable memories or companies that lose access to their business data. Without a properly established, working backup, they cannot get their data back – unless they are willing to pay the often very high ransom that the criminals demand. There are a number of security measures to protect against such attacks. These range from ways to detect ransomware, through Windows 10’s built-in but in most cases unactivated protection technology, to a backup plan.
We’ll also show you where to get help once disaster strikes, and answer the question of whether or not to pay in such a situation.
Fighting back against ransomware
In the first section, we describe steps you can take to prevent a ransomware infection early on so that the malware does not have the opportunity to encrypt your data.
In most cases, ransomware uses Trojans, such as Emotet, to get onto our computers. The malware mentioned at the beginning of this article spreads mostly through spam messages. These emails are sent out in a largely random manner, covering entire countries. Hundreds of thousands of recipients receive exactly the same message, for example from banks and online shops with which they have no connection. These fake messages can therefore be easily detected and deleted. The key is to never click on the link or open the attached files. Targeted spam messages are much more dangerous.
These can be countered by spam filters, such as the one built into Thunderbird. That filter is active by default, but it needs continuous training to ensure that it works well in the long term and protects us from dangerous mail.
Most e-mail providers also have their own spam filters, but many of them need to be activated or configured. In return, these filters are usually much more effective than general-purpose ones, as they are constantly maintained by specialists who add the IP addresses of the servers currently being used to send spam to the block list.
If your computer is connected to the internet, it is better to have an antivirus on it, which will monitor system processes in the background and intervene if suspicious activity is detected. However, despite advances in heuristic scanning, it is only really effective against malware that it already knows about. Therefore, we should not rely solely on antivirus and assume that it can prevent all infections. Windows 10’s built-in protection has evolved a lot in recent times. With the EICAR test file, you can check that the scanner is working properly. The harmless text file can be downloaded from www.eicar.org; more precisely, if the protection is working, the download will be blocked.
When it comes to protection against ransomware, security updates should be at the top of your to-do list. Yes, Windows too, and especially Windows, even though it sometimes has problems with patches. Ideally, software vendors build automatic installation of updates into their programs. This is the case with most browsers and Thunderbird for example.
For other applications, we have to take care of installing patches ourselves. In any case, it is not recommended to dismiss update notifications or to keep putting off the installation. These patches can close serious security holes that ransomware can exploit to get into your system. When it comes to updates, it’s also worth thinking about our other devices, such as smartphones, tablets, routers, and any other networked devices. All of these can be exploited by attackers to gain access to the local network, from where they can start spreading malware.
Activate Windows protection
Since the Fall Creators Update of 2017, Windows has had built-in protection against ransomware, but it’s not active by default because it could easily confuse less experienced users. The protection prevents unauthorized applications from accessing protected folders, which is why the feature is called “folder access control”. However, it only works when Defender’s real-time protection is active, i.e. not with third-party scanners.
Go to Settings, then in Update and Security switch to the Windows Security tab and click on the “Virus and Threat Management” line. In the window that opens, scroll down to ‘Anti-malware protection’. Click on the Manage protection line and activate the protection. Then click on the Protected folders link to specify where the system should disallow unauthorized changes. Microsoft maintains its own, somewhat secret list of trusted programs that may still access these folders, but we can add software to the list using the “Allow application to control access to folders” link.
From then on, no other program can change the files stored in those folders, so the ransomware cannot encrypt them.
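The same setup can be done from an elevated PowerShell prompt with Microsoft Defender’s built-in cmdlets, which also makes it easy to verify the result and to see what the protection has blocked. This is an added example, not part of the original article; the folder and application paths are placeholders.

```powershell
# Added example (not from the article): enable Defender's controlled folder access,
# protect extra folders, allow a trusted app, then verify and review blocked events.
# Run from an elevated PowerShell prompt. Paths below are placeholders.

# 1. The feature only works while Defender's real-time protection is on.
$status = Get-MpComputerStatus
if (-not $status.RealTimeProtectionEnabled) {
    throw "Defender real-time protection is off (a third-party scanner may be active); enable it first."
}

# 2. Turn the feature on. "AuditMode" instead of "Enabled" only logs what would have
#    been blocked, which is a sensible first step on a machine with many applications.
Set-MpPreference -EnableControlledFolderAccess Enabled

# 3. Add folders beyond the Windows default set (Documents, Pictures, ...). Placeholders.
$protect = @("$env:USERPROFILE\Documents", "$env:USERPROFILE\Pictures", "D:\Backup")
Add-MpPreference -ControlledFolderAccessProtectedFolders $protect

# 4. Allow a trusted program that is not on Microsoft's own list (placeholder path).
Add-MpPreference -ControlledFolderAccessAllowedApplications "C:\Path\To\TrustedApp.exe"

# 5. Verify the resulting configuration (1 = Enabled, 2 = AuditMode).
Get-MpPreference | Select-Object EnableControlledFolderAccess,
    ControlledFolderAccessProtectedFolders, ControlledFolderAccessAllowedApplications

# 6. Review what has been blocked: Defender logs event 1123 (blocked) and 1124 (audited)
#    in its operational log. A legitimate program showing up here needs step 4.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1123, 1124
} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-List
```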
The perfect backup
Backup is the last line of defense in case an attacker manages to bypass all other security measures. However, there are a few aspects to consider for comprehensive protection.
Use the 3-2-1 plan
Nowadays, many users back up their important files to a separate hard drive from time to time. However, this is not enough to provide adequate protection against ransomware encryption. The so-called 3-2-1 plan, on the other hand, has proven to be effective. The scheme is simple: keep at least three copies of all your important data: the original on your machine, and two separate backups.
Use different storage technologies for the backups and keep them in different locations. All media used for backups should be disconnected as soon as the backup is done, and should not be accessible over the network, for example as a permanently connected NAS. Otherwise, the ransomware may have access to them and destroy the backup of your data just as it did the original files.
Opinions are divided on encryption. Although it has little to do with ransomware protection, it remains an important factor when making a backup plan. Experts recommend always encrypting your backup – just don’t forget or lose the password used to do so. When backing up to cloud storage, make sure to encrypt the data before uploading it.
Selecting the data to save
What to back up depends on what data you have and where you store it. Regardless, we should back up all important documents, whether private or business-related. By default, Windows stores them in our user folder, which can be found at “C:\Users\<our username>”. You can save the entire contents, or if it’s too big, you can select the essential items.
The Documents folder is usually a high priority, and Pictures or Music may also be essential. If you also use cloud storage, you may want to include their folders in the list. It is better to be careful with virtual machines and the Downloads folder, as they can become very large, significantly increasing the time needed to back them up and possibly exhausting the space on the backup drive. On the other hand, it may be worth backing up the AppData folder, as many programs save their settings there. You can easily find the folder by typing “%appdata%” in the Windows Explorer address bar. And Mailstore Home is ideal for backing up emails.
Making a backup
Now that we know what we want to back up, let’s start the process. There are many great programs for this, but we were most impressed with Duplicati because it’s open-source and easy to use for beginners. Download and install the program from the internet, then launch it and connect the external storage medium that will hold the backup.
Then click Add Save, confirm with Next, and follow the wizard, which speaks pretty good English. On the first page, you can turn encryption off or on and, in the latter case, enter the password. Next, you can select the external disk as the destination drive, and then specify the folders and files to save. Under scheduling, you can set up automatic, recurring backups.
However, scheduling only works if the target drive is permanently connected to the computer, so it can protect against hardware failure but is useless against ransomware. On the last tab, depending on how much data you want to back up and how much free space is available on the target drive, select “Keep all backups” or “Smart backup delay” under the somewhat oddly named Save delay option. In the latter case, Duplicati will delete backups deemed unnecessary over time but will ensure that a fully recoverable version always remains. If everything is OK, click on the Save button and then immediately make the backup by clicking Run Now. The first backup can take quite some time depending on the amount of data selected and the speed of the drives used.
Don’t forget to disconnect the disk drive from Windows at the end of the process. And if you want to stick to the suggested 3-2-1 plan, make another backup as soon as possible on a different mobile storage device, kept in a different location.
Check the recovery
Before we say our data is safe, we should test the copy to make sure it can be restored if there is a problem. To do this, click Restore in Duplicati and select the last backup you created. Select a few files to test, or all of them, and specify where you want to restore the files. Since our purpose is only testing, we should use a separate, temporary folder for this, not the original. Finally, start the process with the Restore button and check the result by opening the files in the folder.
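Opening a few files by hand is a quick check; a more thorough one is to compare every restored file against its original by hash. The script below is an added example, not part of the article or of Duplicati; the two folder paths are placeholders for the original folder and the temporary restore folder.

```powershell
# Added example (not from the article): verify a test restore by comparing the SHA-256
# hash of every file in the original folder with its counterpart in the restore folder.
# Both paths are placeholders.
$Source  = "$env:USERPROFILE\Documents"
$Restore = "C:\Temp\RestoreTest\Documents"

function Get-RelativeHashes([string]$Root) {
    # Map "relative path -> hash" so files are matched by position inside the tree,
    # not by absolute path.
    $map  = @{}
    $base = $Root.TrimEnd('\')
    Get-ChildItem -Path $base -File -Recurse | ForEach-Object {
        $rel = $_.FullName.Substring($base.Length + 1)
        $map[$rel] = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
    }
    return $map
}

$src = Get-RelativeHashes $Source
$rst = Get-RelativeHashes $Restore

# Files the restore did not bring back, and files whose content differs.
$missing  = @($src.Keys | Where-Object { -not $rst.ContainsKey($_) })
$modified = @($src.Keys | Where-Object { $rst.ContainsKey($_) -and $rst[$_] -ne $src[$_] })

"Files in source: $($src.Count), in restore: $($rst.Count)"
$missing  | ForEach-Object { "  MISSING  $_" }
$modified | ForEach-Object { "  DIFFERS  $_" }

if ($missing.Count -eq 0 -and $modified.Count -eq 0) {
    "Restore test passed: every source file came back byte-for-byte identical."
} else {
    "Restore test FAILED ($($missing.Count) missing, $($modified.Count) differ): fix the backup before relying on it."
}
```

Files edited since the backup ran will legitimately show up as DIFFERS, so run the check right after a fresh backup or restrict it to files you have not touched since.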
If all these security measures have failed to protect you against ransomware and you don’t have a viable backup, you have two options. If you are lucky, a security company has already developed a decryption tool for the very ransomware you have fallen victim to.
The site https://www.nomoreransom.org/en/index.html, run by the Dutch police, is a collaboration between Europol and several IT security companies.
The “Crypto Sheriff” on the site can help identify the malware by uploading some encrypted files or by pasting the text of the ransom note. If no solution is found here, we will have to wait. The last option would be to pay the ransom, but this is not recommended as it encourages further attacks.