• United States




How to prevent ransomware infection and recover if you’re hit

Jan 24, 20176 mins
CybercrimeData and Information SecurityEncryption

Ransomware has become the scourge of the internet 28 years after it first appeared. Here's a look at the evolution of (and solution to) ransomware.

ransomware at your service 1
Credit: Thinkstock

Contrary to popular belief, ransomware has been around for decades. The first malware program to lock up people’s files and ask for a ransom was the PC Cyborg Trojan in 1989. It was created by Harvard-trained evolutionary biologist Dr. Joseph Popp, who was working on several AIDS-related projects at the time.

Dr. Popp sent a floppy disk containing a program covering AIDS information, teaching, and testing to tens of thousands of mailing list subscribers. At startup, a crude EULA warned users they had to pay for the program—and the author reserved the legal right to “ensure termination of your use of the programs …. These program mechanisms will adversely affect other program applications on microcomputers.” Most people didn’t read the EULA and ran the program without paying for it.

After 90 boots, the program crudely encrypted/obfuscated the user’s hard drive data, rendering it inaccessible, and asked for a payment of $189 to be sent to a Panamanian post office box. (Check out a great analysis of the Trojan.)

Ransomware evolution

Early ransomware used symmetric key encryption, and the cipher algorithm was often poorly constructed. Encryption experts could frequently break the ransomware easily, and because the symmetric key was the same shared key in every infection, every computer touched by the same ransomware program could be unlocked at once.

Eventually, ransomware authors learned to use public key cryptography (where both a private key and a second public key is involved) and started to use popular, well-known, well-tested cipher algorithms. A different key pair was generated for each infection, which made ransomware a very difficult problem to solve.

By the middle 2000s, tough-to-break ransomware was becoming very popular, but the problem of how hackers would collect their money remained. Real money and credit card transactions can be traced.

Enter CryptoLocker, the first widespread ransomware program to demand bitcoin payments. CryptoLocker first appeared in 2013. When matched with randomly generated email addresses and “darknet” pathways, it became almost impossible to catch ransomware hackers. Ransomware writers and distributors are now making tens, if not hundreds of millions, of dollars off their victims.

These days ransomware keeps getting more dangerous and targeted. Ransomware programs are now being developed to attack specific types of data, such as database tables, mobile devices, IoT units, and televisions. This page chronicles all the significant developments from the last year or so.

Defeating ransomware

First, you need to verify that you’ve actually been hit by ransomware. Less sophisticated programs merely take over your current browser session or computer screen. They make the same blackmail claims as a more sophisticated ransomware program, but don’t encrypt any files. All you need to do is reboot the computer and/or use a program like Process Explorer to remove the malicious file.

Nothing beats a good backup. Nothing beats a current, offline backup. The “offline” part is important because many ransomware programs will look for your online backups and render them unusable, too.

Get patched. Making sure your system is fully patched is a great way to prevent any malware from infecting your computer. But also see if they are the real patches from the real vendors. Unfortunately, fake patches often contain ransomware.

Don’t get tricked. Don’t let yourself get socially engineered into installing ransomware. In other words, don’t install anything sent to you in email or offered to you when visiting a website. If a website says you need to install something, either leave the website and don’t go back—or leave the website and install the software directly from the legitimate vendor’s website. Never let a website install another vendor’s software for you.

Use antimalware software. Everyone needs to run at least one antimalware program. Windows comes with Windows Defender, but there are dozens of commercial competitors and some good freebies. Ransomware is malware. Antimalware software can stop the majority of variants before they hit.

Use a whitelisting program. Application control or whitelisting programs stop any unauthorized program from executing. These programs are probably the best defense against ransomware (besides a good offline backup). Although many people think application control programs are too cumbersome to use, expect them to become much more accepted as ransomware continues to grow, at least in business computing. The days of allowing employees to run any program they want are numbered.

What to do if you’re locked up

If all your critical data is backed up and safe, then you’ll be back in business in a few hours’ time. You’ll still need to reformat/reset/restore your device, however. Luckily, that process gets easier with each new operating system version.

Using another safe, uninfected computer, restore your backup. Apply all critical security patches, restore your data, and resolve never to do what you did that got your device locked up in the first place.

If you don’t have a clean backup copy of your critical data and absolutely need the data, you have two options: Find an unlock key or pay the ransomware demand. Using another safe, trusted computer, research as much as you can about the particular ransomware variant you have. The screen message presented by the ransomware will help you identify the variant.

If you’re lucky, your ransomware variant may already have been unlocked. Many antimalware vendors have programs to detect and unlock ransomware (if it recognizes the variant and has the unlock key). Run that program first.

It may take an offline scan to get rid of the ransomware. Several websites also offer unlocking services, free and commercial, for particular ransomware variants. Here’s an example of a ransomware unlocker. Also, believe it or not, ransomware distributors will even occasionally apologize and release their own unlocking programs.

Lastly, many people choose to pay the ransomware to recover their files. Most experts and companies recommend against paying ransom because it only encourages the ransomware creators and distributors. Yet quite often it works. It’s your computer and data, so it’s up to you whether to pay the ransom.

Be aware that in many cases people have paid up and their files have remained encrypted. But these cases seem to be in the minority. If ransomware didn’t unlock files after the money was paid, everyone would learn that—and ransomware attackers would make less money.

I hope you never become a ransomware victim. The odds of infection, unfortunately, are getting worse as ransomware gains popularity and sophistication.


Roger A. Grimes is a contributing editor. Roger holds more than 40 computer certifications and has authored ten books on computer security. He has been fighting malware and malicious hackers since 1987, beginning with disassembling early DOS viruses. He specializes in protecting host computers from hackers and malware, and consults to companies from the Fortune 100 to small businesses. A frequent industry speaker and educator, Roger currently works for KnowBe4 as the Data-Driven Defense Evangelist and is the author of Cryptography Apocalypse.

More from this author