Held for ransom! What to do if ransomware takes over a PC

What would you do if a U.S. Federal government agency locked your PC until you paid a fine? While the PC may be locked and seemingly unusable, it’s not the Department of Justice or FBI that has done this to you. Quite the contrary, the lock was placed by malware distributed by a cyber criminal that the FBI would like to catch. In effect, your PC has been hijacked and held for ransom.


As forms of malware go, ransomware is not extremely common, but it is out there and making the rounds. Cyber criminals have found it to be a very effective means to make money. Scared or frustrated users are often willing to pay hundreds of dollars to avoid “the fine” or to free their PC again. It’s conservatively estimated that more than $5 million a year is being extorted from victims.


There are various ransomware schemes in the wild, but all have the same purpose: to scare or shame the victim into paying money to have the PC returned to a normal state. One scheme pops up a message that says that a virus has been detected on the PC, and the user can pay a nominal fee to have it removed. (Yeah, there’s malware all right. It’s the software that’s projecting the frightening message.)

Another scheme threatens the user with arrest or prosecution because child pornography or other objectionable material has supposedly been found on the machine. The user can make this go away by paying a “fine.” A much more overt scheme simply tells the user his PC has been locked and/or his files have been encrypted and the only way to restore the computer is to pay a ransom. Of course, paying the “fee,” “fine” or ransom has one simple effect: the criminal gets richer and the victim is out the money, with no guarantee that the PC is unlocked or the files are decrypted.

Ransomware is a global phenomenon, but the criminals have learned to localize and customize their software to make the threat seem scarier so that victims act quickly before they have time to think. For example, in the U.S. the message may display a logo for the FBI, while in Germany the logo would be for a German law enforcement agency, and so on.

I asked John Harrison, Group Manager at Symantec Security Response, for some pointers on how to deal with ransomware. Here are his best practices if this type of malware makes its way into your company:

* User awareness – Even before you see ransomware invade your company, let end users know this type of malware is making the rounds. Awareness is critical because people whose machines get attacked may be afraid to come forward for help cleaning the machine. Think about it. If you believed that the FBI detected child pornography on your PC and it had the nasty images to prove it, would you want to report the situation to your manager? When stressed, people don’t think rationally and they may fall for the scam and pay the ransom — thus doing more harm than good. Instruct end users to call the help desk immediately if they get hit with ransomware.

* Do not pay – No matter what the on-screen message says, do not pay the money or do anything else that the message says to do. You must remember that this is malware and it doesn’t have your best interest in mind.

* Malware incident – Treat the appearance of ransomware as you would any other malware incident. Investigate how it got on the system and look for signs of other malware, Trojans or backdoors that might have accompanied the ransomware. You want to prevent an attack from spreading beyond the initial infected computer.

* Clean the system – The ransomware may lock the PC or even encrypt some files on the hard disk. IT professionals have access to free and paid tools and services to clean the afflicted computer. Symantec has some tools that may be able to help decrypt files. Harrison says it’s rare that more than a few key files get encrypted, but you never know when a cyber criminal is going to up his game and follow through on the threat to encrypt the disk and hold it hostage.

* Increase the defenses – If this malware slipped through your regular network defenses, it’s time to build the wall a little higher and thicker. It’s important to understand how the infection occurred so you can try to prevent a recurrence.
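Harrison's cleanup step notes that a few key files may be encrypted. Scoping that damage, before anyone touches the machine, is the first question a responder has to answer. The script below is an added illustration, not code from the article or from Symantec: it triages a directory tree for recently modified files whose contents look encrypted, using byte entropy as the signal. The entropy threshold, the 64 KiB sample size and the two constructed sample files are assumptions made for the demo and should be tuned for a real environment.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# A perfectly random byte stream has 8.0 bits of entropy per byte. Plain text
# and most office documents sit well below 6; encrypted (and compressed) data
# sits near 8. Both constants are assumptions for this demo.
ENTROPY_THRESHOLD = 7.5
SAMPLE_BYTES = 65536


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def looks_encrypted(path: Path, threshold: float = ENTROPY_THRESHOLD) -> bool:
    """True if the file's leading bytes have near-random entropy.

    Legitimately compressed formats (zip, docx, jpg, pdf streams) also score
    high, so a hit is a candidate for review, not proof of encryption.
    """
    with open(path, "rb") as fh:
        sample = fh.read(SAMPLE_BYTES)
    return shannon_entropy(sample) >= threshold


def find_suspect_files(root: Path, since: float,
                       threshold: float = ENTROPY_THRESHOLD) -> list:
    """Walk `root` and return non-empty files modified at or after Unix time
    `since` whose contents look encrypted, sorted for stable output."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            try:
                st = p.stat()
            except OSError:
                continue  # file vanished or is unreadable; skip it
            if st.st_mtime < since or st.st_size == 0:
                continue
            if looks_encrypted(p, threshold):
                hits.append(p)
    return sorted(hits)


def build_demo_tree() -> Path:
    """Constructed sample data (not real victim files): one plain-text report
    and one file overwritten with random bytes, standing in for a document
    the ransomware encrypted in place."""
    root = Path(tempfile.mkdtemp(prefix="ransom-triage-"))
    (root / "quarterly_report.txt").write_text(
        "Revenue was flat this quarter.\n" * 200)
    (root / "budget.xlsx").write_bytes(os.urandom(32768))
    return root


if __name__ == "__main__":
    demo = build_demo_tree()
    # since=0 scans everything; in an incident use the time the user first
    # saw the lock screen, minus a generous margin.
    for hit in find_suspect_files(demo, since=0):
        print(f"suspect: {hit} "
              f"entropy={shannon_entropy(hit.read_bytes()):.2f}")
```

Run it against the user's profile with `since` set to the time the lock screen first appeared, and cross-check the hits against what the user says stopped opening. Files that really are encrypted with a key you do not hold are restored from backup, not decrypted, unless a vendor decryptor exists for that particular family.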

Ransomware has shown up in both enterprise and consumer environments. Symantec provides a number of free tools and steps to clean up an infected computer. The vendor also has a couple of videos that show you how to remove this type of malware. Check out these resources to help you get rid of ransomware.

Free Tools for Ransomware Removal

* Norton Power Eraser
* Norton Bootable Recovery Tool
* Videos showing how to remove this malware for free (3 videos)

Paid Malware Removal Service

Removal Instructions and Whitepaper: Ransomware: A Growing Menace

Linda Musthaler is a Principal Analyst with Essential Solutions Corporation.  You can write to her at LMusthaler@essential-iws.com.


About Essential Solutions Corp:

Essential Solutions researches the practical value of information technology, and how it can make individual workers and entire organizations more productive.  Essential Solutions offers consulting services to computer industry and corporate clients to help define and fulfill the potential of IT.  
