If a bot slips past the defenses erected by your antivirus utility, it will sit awaiting instructions from its command-and-control server. It may not take any action before an antivirus update wipes it out. An actual virus that flies under the radar could infect many files on your system, files that get disinfected once your antivirus learns to handle this new threat. But if ransomware evades the protective efforts of your antivirus, you’re sunk. Even if the antivirus gets an update a mere hour later, it’s too late. Your files are encrypted, and the ransomware squad has won.
It’s not great to have a virus or Trojan infest your PC, wreak havoc for a few days, and then get eliminated by an antivirus update, but it’s survivable. When ransomware is involved, though, it’s a different story. Your files are already encrypted, so eliminating the perpetrator does you no good, and can even interfere with your ability to pay the ransom, should you opt to do so. (Pro tip: don’t pay the ransom!) Some security products include protection layers specific to ransomware, and you can also add ransomware-specific protection as a helper for your existing security.
What Is Ransomware, and How Do You Get It?
The premise of ransomware is simple. The attacker finds a way to take something of yours and demands payment for its return. Encrypting ransomware, the most common type, takes away access to your important documents by replacing them with encrypted copies. Pay the ransom and you get the key to decrypt those documents (you hope). There is another type of ransomware that denies all use of your computer or mobile device. However, this screen locker ransomware is easier to defeat, and just doesn’t pose the same level of threat as encrypting ransomware. Perhaps the most pernicious example is malware that encrypts your entire hard drive, rendering the computer unusable. Fortunately, this last type is uncommon.
If you’re hit by a ransomware attack, you won’t know it at first. It doesn’t show the usual signs that you’ve got malware. Encrypting ransomware works in the background, aiming to complete its nasty mission before you notice its presence. Once finished with the job, it gets in your face, displaying instructions for how to pay the ransom and get your files back. Naturally the perpetrators require untraceable payment; Bitcoin is a popular choice. The ransomware may also instruct victims to purchase a gift card or prepaid debit card and supply the card number.
As for how you contract this infestation, quite often it happens through an infected PDF or Office document sent to you in an email that looks legitimate. It may even seem to come from an address within your company’s domain. That seems to be what happened with the WannaCry ransomware attack a few years ago. If you have the slightest doubt as to the legitimacy of the email, don’t click the link, and do report it to your IT department.
Of course, ransomware is just another kind of malware, and any malware-delivery method could bring it to you. A drive-by download hosted by a malicious advertisement on an otherwise-safe site, for example. You could even contract this scourge by inserting a gimmicked USB drive into your PC, though this is less common. If you’re lucky, your malware protection utility will catch it immediately. If not, you could be in trouble.
CryptoLocker and Other Encrypting Malware
Until the massive WannaCry attack, CryptoLocker was probably the best-known ransomware strain. It surfaced several years ago. An international consortium of law enforcement and security agencies took down the group behind CryptoLocker ages ago, but other groups kept the name alive, applying it to their own malicious creations.
A Dwindling Field
Several years ago, you could choose from a dozen or so standalone ransomware protection tools from consumer security companies, and many of those tools were free. Most of those have since vanished, for one reason or another. For example, Acronis Ransomware Protection used to be a free standalone tool, but now it only appears as a component in the company’s backup software. Likewise, Malwarebytes Anti-Ransomware now exists only as part of the full Malwarebytes Premium. As for Heilig Defense RansomOff, its web page used to say “RansomOff will be back at some point.” Now there’s no mention of the product.
Trend Micro telegraphed the end of life for its free, standalone RansomBuster product more than a year in advance. RansomBuster no longer exists as a separate product. However, its ransomware-fighting skills live on, embedded in Trend Micro’s full-blown antivirus utility.
A few ransomware protection tools come from enterprise security companies that decided to do the world a service by offering just their ransomware component as a freebie for consumers. And quite a few of those have also fallen by the wayside, as companies find that the free product eats up support resources. For example, CyberSight RansomStopper is no longer with us, and Cybereason RansomFree has likewise been discontinued.
Bitdefender Anti-Ransomware is gone for a more practical reason. While it existed, it took an unusual approach. A ransomware attacker that encrypted the same files twice would risk losing the ability to decrypt them, so many such programs leave some kind of marker to avoid double-dipping. Bitdefender would emulate the markers for many well-known ransomware types, in effect telling them, “Move on! You’ve already been here!” This approach proved too limited to be practical. CryptoDrop, too, seems to have vanished, leaving the CryptoDrop domain name up for grabs.
Ransomware Recovery
Even if ransomware gets past your antivirus, chances are good that within a short while an antivirus update will clear the attacker from your system. The problem is, of course, that removing the ransomware itself doesn’t get your files back. The only reliable guarantee of recovery is maintaining a hardened cloud backup of your important files.
Even so, there’s a faint chance of recovery, depending on which ransomware strain encrypted your files. If your antivirus (or the ransom note) gives you a name, that’s a great help. Many antivirus vendors, among them Kaspersky, Trend Micro, and Avast, maintain a collection of one-off decryption utilities. In some cases, the utility needs the unencrypted original of a single encrypted file to put things right. In other cases, such as TeslaCrypt, a master decryption key is available.
But really, the best defense against ransomware involves keeping it from taking your files hostage. There are several different approaches to accomplish this goal.
Read more:The Best Ransomware Protection for 2022