
How to recover from a Ransomware attack


What to do if you were hit by Ransomware

The newest evolution of computer viruses has been around for several years, and we have all heard about it – on the news, from friends who were unlucky enough to catch it, or even by experiencing it firsthand.

Before we explore the options available to ransomware victims, let us quickly dive into how this specific type of attack came to life.

A brief history of Cyber Crime

The widespread use of computers dates back to the 1970s, and with it came the spread of computer crime. The first major incidents were spotted in the 1990s – early cases of extortion, cyberbullying, fraud, data and identity theft, corporate mischief, spousal infidelity and illicit content distribution. Up until 2009, the growth of those cases was slow but steady. In 2009, though, something happened – Bitcoin was revealed. Those were the early days of cryptocurrency, and most of us didn’t realize the potential of this new currency. Most of us, but not criminals.

Think about it for a second. In 2009, if somebody got some leverage on you – either by finding some data you hold valuable and demanding a ransom or by tricking you into believing that you need to send him money for some reason, how would you pay? Bank transfer? Western Union? Credit Card? Leave the money in the dumpster under the old tree in the park? All of that is traceable, and the chances are that the criminal would get caught.

All that changed shortly after bitcoin was released. Suddenly, the cybercriminal had a great new way to get paid, completely untraceable. That led to a sharp jump in the number of reported cybercrimes and, with time, to a new type of digital kidnapping called Ransomware.

How Ransomware gets transmitted

To successfully infect our systems, Ransomware has to penetrate them first. Often enough, it’s done the “old-fashioned” way – either by copying and running infected files on our system or by opening and running a fraudulent email attachment.

There are also targeted attacks oriented towards a specific organization or individual – what we would call in our jargon “Spear Phishing.” Those attacks are skillfully crafted by someone with some knowledge of how the organization works and operates. The attack is orchestrated so that it is launched by an individual from within the organization.

As an example, let’s assume a hacker was able to penetrate the communication network of a certain organization and read all the emails going in and out. He takes his time, learns how the company operates, and one day he will send an email using the CEO’s account to someone else in the company. He will copy the CEO’s writing style and make the email look very authentic and genuine. The recipient will open the email without suspecting anything, and this will cause a chain reaction that will launch a ransomware attack on that organization. 

What Ransomware does to our data

Once engaged and launched, the Ransomware virus starts to encrypt our user data – office documents, text files, pictures and videos, accounting databases and more – every Ransomware is configured differently. It works seamlessly in our systems, affecting all the internal and external drives connected, and often enough stays undetected unless the user has special detection or prevention tools installed.

Following the encryption of the files, the virus usually deletes/overwrites the original files and deletes any backups it may find. By the end of the process, the user will usually get a pop-up notification saying, “all your files are encrypted now. If you want to get them back, it will cost you this and this much cryptocurrency”. When checking the user data folders, the user will find that all the files have changed their extensions to something unfamiliar, and most of the time, he will find a copy of the ransom note in a “readme.txt” file inside every folder.
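The two indicators described above (a “readme.txt” note in the folder and files that all carry one unfamiliar extension) can be used to map which folders were hit. The following is an added example, not a TeraDrive tool; it assumes it is run against a read-only copy of the drive, and the `.lockd` extension, the list of familiar extensions and the sample tree are constructed for illustration.

```python
import os
from collections import Counter

# Assumption: extensions considered familiar; adjust for your environment.
KNOWN_EXTS = {".txt", ".doc", ".docx", ".xls", ".xlsx", ".pdf",
              ".jpg", ".jpeg", ".png", ".mp4", ".csv", ".db"}
NOTE_NAMES = {"readme.txt"}  # ransom-note filename named in the article

def triage(root, min_share=0.5):
    """Return {folder: (suspect_ext, affected, total)} for folders that hold a
    ransom note and where one unfamiliar extension covers >= min_share of files."""
    findings = {}
    for folder, _dirs, files in os.walk(root):
        names = [f.lower() for f in files]
        if not NOTE_NAMES & set(names):
            continue  # no ransom note here
        data = [n for n in names if n not in NOTE_NAMES]
        if not data:
            continue  # note only, nothing to measure
        exts = Counter(os.path.splitext(n)[1] for n in data)
        unknown = {e: c for e, c in exts.items() if e and e not in KNOWN_EXTS}
        if not unknown:
            continue  # a readme.txt alone is not an indicator
        ext, count = max(unknown.items(), key=lambda kv: kv[1])
        if count / len(data) >= min_share:
            findings[os.path.relpath(folder, root)] = (ext, count, len(data))
    return findings

def build_sample(root):
    """Constructed sample tree: one affected folder and two that should not flag."""
    layout = {
        "docs": ["readme.txt", "budget.xlsx.lockd", "plan.docx.lockd", "photo.jpg.lockd"],
        "clean": ["readme.txt", "notes.docx", "scan.pdf"],  # benign readme.txt
        "mixed": ["report.pdf.lockd", "a.pdf"],             # odd file, no note
    }
    for folder, files in layout.items():
        os.makedirs(os.path.join(root, folder), exist_ok=True)
        for name in files:
            open(os.path.join(root, folder, name), "w").close()

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for folder, (ext, hit, total) in sorted(triage(tmp).items()):
            print(f"{folder}: {hit}/{total} files carry {ext}")
```

Requiring both indicators together keeps an ordinary “readme.txt” or a single odd file from flagging a folder.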

Another common thing the Ransomware does in an attempt to further scare and pressure the new victim is to announce not only that all the files were encrypted and that a ransom is demanded, but also that the most sensitive/personal/confidential files were uploaded to the hijacker’s server and will be released to the public or to the victim’s contact list if the ransom is not paid. 99.99% of the time, those claims are false and only scare the victim into paying. Think about it – no one will spend time carefully selecting and sifting through your data, uploading and storing it, before unleashing the ransomware virus in your system. Not to mention that this type of attack will require a much higher level of sophistication and access permissions and will probably be easily detected.

In yet another attempt to spread fear, the ransomware note will also claim that you have 3 (or any other number) days to pay before the ransom fee gets higher or before the option to decrypt your files is completely gone. Unfortunately, it may be true sometimes, but most of the time, it is used to scare the victim into paying faster.

How does the payment process work?

In most cases, the ransom note will provide the victim with a unique numerical key and guide him/her to install a Tor Browser (used to browse the dark web) and browse to a certain website. The website, in turn, will present the ransom amount, usually in bitcoins, and the public address of a cryptocurrency wallet to which the amount must be sent.

Once a transaction is performed and proof of transaction is provided to the hijacker, he will provide you with a key or a tool to decrypt your data.

There are caveats to this. Over the years of dealing with ransomware encryptions, we have had numerous clients say that they paid the ransom and got nothing in return, and others who got a follow-up message demanding more money – and even after paying the extra cost, they were left with nothing. It goes without saying that you cannot rely on the integrity of someone who criminally hijacks your data and expect him to be a gentleman of his word.

What can we do to help you?

At TeraDrive data recovery, we have developed several unique approaches to help our clients cope with ransomware attacks, and we have been successfully implementing them over the years.

As the first step, we will always try to decrypt the files. Over the years, we have collected and developed many decryption tools and software, which often allow us to perform full decryption of the data.

If that doesn’t work, we put our expert data recovery skills to work and do our best to extract all the original deleted files, their backups, previous versions, and anything else found on the drive. That will usually provide us with about 70%-80% of the lost user data.

What should you do if your devices were infected by Ransomware

  1. Shut down your desktop/laptop/server and remove all the connected external devices.
  2. Don’t plug them into any other systems. You might infect them with the virus.
  3. Contact us for a free evaluation of your devices. We can help!