Ransomware, also commonly referred to as "cryptolockers" after the most notorious family, is a computer threat designed to make victims pay a ransom. Typically, it prevents access to the personal files of compromised users. A more recent variant, called "extortionware", threatens to block access to online accounts, or to release compromising personal data or videos.
Once installed on a machine, the ransomware encrypts files one by one, making them unreadable without a key that is sent to the ransomware operators. This key is only handed over in exchange for a ransom, usually paid in a cryptocurrency such as Bitcoin, which makes it easy for the operators to cover their tracks.
Ransomware thrives primarily on two factors.
Private individuals, companies and industry are prime targets for ransomware, as was the case during the WannaCrypt outbreak.
As a first step, our recommendation is to analyze the situation with an expert and not to pay the ransom. Paying encourages these kinds of attacks and provides income to criminal groups that also engage in other forms of crime. Nor is there any guarantee that the attacker will hand over the key, or that you will be able to decrypt your files afterwards. This was the case with the PwndLocker/ProLock ransomware: the decryption tool sent by the attackers after the ransom was paid had a bug and did not decrypt files larger than 64 MB. A similar situation occurred with the Lorenz ransomware, whose flawed encryption process leaves any file with a size that is a multiple of 48 bytes unreadable, even after decryption with the attackers' tool, and also allows any popular file type (Microsoft Office files, PDF files, as well as some image and video formats) to be decrypted without paying the ransom.
Furthermore, with the development of extortionware, ransomware operators may deliver the key but then demand an additional payment not to release your files publicly. This is the case with the ChaCha/Maze ransomware, whose operators ask for two ransoms: one for the decryption tool, the other for not publishing the stolen files.
Paying the ransom should therefore be a last resort.
Not all ransomware is created equal: it is written by different developers, and like any computer program, some of it has flaws. Depending on the family, it is sometimes possible to recover the files without paying the ransom by exploiting a vulnerability in the ransomware itself. The NoMoreRansom site maintains a list of decryption tools for certain ransomware families.
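Whether the key came from the attackers or from a free decryptor, the ProLock and Lorenz cases above show that "decrypted" output still needs checking. The following is an added example (not a tool from this site or from any decryptor project) that walks a restored directory, checks each file's first bytes against the signatures of the popular formats named above, and flags the two size classes the article says buggy tools mishandled; the signature table and the 64 MB / 48-byte thresholds are the only assumptions.

```python
"""Post-decryption sanity check for files returned by a ransomware decryptor."""
from pathlib import Path
from typing import Dict, List, Optional

# Magic bytes of the popular formats mentioned in the article (Office, PDF, images).
SIGNATURES = {
    "pdf": b"%PDF-",
    "ooxml (docx/xlsx/pptx)": b"PK\x03\x04",
    "legacy office (doc/xls/ppt)": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",
    "png": b"\x89PNG\r\n\x1a\n",
    "jpeg": b"\xff\xd8\xff",
}
PROLOCK_LIMIT = 64 * 1024 * 1024  # ProLock's tool did not decrypt files above 64 MB
LORENZ_BLOCK = 48                 # Lorenz corrupted files whose size is a multiple of 48 bytes


def identify(header: bytes) -> Optional[str]:
    """Name the format whose signature starts the header, or None if unrecognised."""
    for name, sig in SIGNATURES.items():
        if header.startswith(sig):
            return name
    return None


def assess(header: bytes, size: int) -> Dict[str, object]:
    """Classify one file from its first bytes and its size.

    Returns {"format": name-or-None, "flags": [...]}; an empty flag list means the
    file at least starts like a real document and is not in a known risky size class.
    """
    flags: List[str] = []
    fmt = identify(header)
    if fmt is None:
        flags.append("no known signature: still encrypted or unsupported type")
    if size > PROLOCK_LIMIT:
        flags.append("over 64 MB: verify by hand, ProLock-style tools skipped these")
    if size and size % LORENZ_BLOCK == 0:
        flags.append("size is a multiple of 48 bytes: Lorenz-style corruption risk")
    return {"format": fmt, "flags": flags}


def scan(root: str) -> Dict[str, Dict[str, object]]:
    """Walk a restored tree and assess every regular file in it."""
    results = {}
    for p in Path(root).rglob("*"):
        if p.is_file():
            with p.open("rb") as fh:
                header = fh.read(16)
            results[str(p)] = assess(header, p.stat().st_size)
    return results


if __name__ == "__main__":
    import sys
    for path, r in scan(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        if r["flags"]:
            print(path, r["format"], "; ".join(r["flags"]))
```

Files with no flags are not proven intact (a correct header says nothing about the rest of the file), but anything flagged deserves a manual open before the backup copy is discarded.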
Security researchers work hand in hand to identify each ransomware family, classify it, study it, understand how it works and then, if possible, produce a free decryption tool for it. The data from this research feeds the ID Ransomware site, which, from a sample encrypted file and the ransom note left by the ransomware, tells you whether a decryption tool exists.
If the ransomware you've been infected with does not have a decryption tool, there are several solutions.
Of course, the options below only apply if you have no backup of your data, which brings us to the question of what safeguards you could put in place to protect against this kind of incident in the future.
Various measures can be implemented to protect you from this kind of computer threat.
Generally speaking, protecting yourself from ransomware requires time and investment in skills and tools. So, is it worth it? It all depends on how important your data is to you, and how much time loss and stress you are willing to accept in the event of an infection.
You're infected with ransomware but aren't sure what to do? Don't hesitate to contact us; we'll do our best to help you.
Specialists in information security and pentest in Lyon, Paris, Saint-Etienne and throughout France