One of the leading experts in the industry explains the best way to deal with this type of attack: paying and complying with the demands of digital extortionists is (almost) never a good idea.
Recently, a coordinated attack by a single group of cybercriminals laid siege to the computer systems of 23 Texas cities, in some cases locking up computers in registry offices and municipal tax offices. The authors of the malware are demanding $2.5 million in ransom to decrypt the scrambled files on the Texan authorities' computers; the intrusion may have come through a security flaw in a small piece of software that, according to investigators, was supplied by an unspecified “external provider”. The FBI is also investigating the matter. Some systems have already been restored; others remain locked down, and it is unclear if and when they can be recovered.
Ransomware, the ransom virus
The Texas incident is only the latest and most striking case in which ransomware has been used to launch a large-scale attack. But viruses of this type, which encrypt the files on a computer and then demand money for the key needed to decrypt them, infect the computers of ordinary users every day.
But what should you do if your computer is hit by such an attack? We asked Fabian Wosar, CTO of security company Emsisoft and one of the world's leading ransomware experts. Wosar has dedicated his career as a “good hacker” to fighting digital extortionists. To protect himself from threats by the authors of the ransomware he helped defeat, he had to leave his hometown in Germany and move to England, to a place no one knows exactly, not even his colleagues. His notoriety among the “bad guys” is such that his enemies hide threats addressed directly to him in the code of their viruses, knowing that Wosar will read them as he takes their digital weaponry apart piece by piece.
“If you think your computer has been hit by ransomware”, Wosar explains to La Stampa, “the first thing to do is disconnect your PC from the Internet and disable any cleaning program you have installed, such as CCleaner, for example. Then proceed immediately to create a backup or disk image: it will be needed in case the ransomware ends up corrupting or deleting the files, or if the files become unreadable during the recovery process. Finally, scan everything with an antivirus and quarantine the ransomware, but without deleting it.”
Identifying the ransomware
The last step, says Wosar, is very important. The ransomware file is in fact necessary to understand which specific malware attacked the computer. There are two very useful online tools for this. One is No More Ransom, a Europol-run project that recently turned three. The other is ID Ransomware, an independent system developed by Michael Gillespie, a colleague of Wosar at Emsisoft.
Both work in the same way: upload one of the files encrypted by the ransomware to the site, and within a few seconds you can find out whether an “antidote” already exists for the virus that hit your PC, that is, a free decryption tool that can release the files without paying any ransom.
“In the unfortunate case that decryption software is not yet available,” says Wosar, “there are two possibilities: keep the backup of the compromised system safe while waiting for a tool to decrypt that specific type of ransomware to become available, or try to pay the ransom, but that's never a good idea.”
Paying is not a good idea
The leading experts in the sector, including Wosar, advise never giving in to the blackmail of ransomware authors. Paying is never a good idea, especially for a single private user who is not supported by an investigation by the authorities or by a team of experts. First, because giving in to extortion rewards cybercrime and supplies the funds with which the authors of this type of virus keep developing increasingly sophisticated attacks. Second, because payment offers no guarantee that the files will actually be restored: ransomware authors do not always provide the tools to decrypt the files even after receiving the ransom. And in many cases, even when a tool for freeing the documents is provided, it does not necessarily work.
“In the case of companies that find themselves in the position of having to pay,” continues Wosar, “it makes sense to turn to companies that specialize in handling these cases. These companies know in advance whether a specific group of attackers will provide a working solution – as mentioned, not all of them do – and can guide victims safely through the process. But be careful: it is important to choose the agency you rely on carefully, because even in this sector there have been cases of deceptive practices against the victims.”
Prevention is better than paying
But what should be done to avoid a ransomware attack, or to improve the odds of recovering from one without paying? As always when securing an IT system, prevention is essential.
“The best way to avoid falling victim to a ransomware attack is to use an antivirus, keep your operating system up to date, exercise extreme caution with any e-mail attachments, do not install pirated software, and make sure that your RDP remote desktop software is always up to date and offers an adequate level of security. The most important thing, however,” concludes Wosar, “is to prepare for the worst by constantly maintaining a backup of your PC. An online service that offers a ‘versioning’ mechanism is perhaps the best option. Versioning simply means that previous copies of the files are kept in the backup along with the most recent copies.”
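The difference Wosar draws between a plain backup and a versioned one is easy to see in a small simulation. The following Python script is an added example, not code from the article or from Emsisoft: it keeps a source folder, a mirror backup and a versioned backup (all constructed under a temporary directory), overwrites the source file with random bytes to stand in for ransomware encryption, runs the scheduled backup again, and then shows that only the versioned backup still holds a readable copy. The `.v<n>` naming and the `starts with "quarterly"` integrity check are assumptions made for the demonstration.

```python
import os
import shutil
import tempfile
from pathlib import Path
from typing import Callable, Optional

def _versions(dst: Path, name: str) -> list:
    # Assumed naming scheme for this example: <name>.v1, <name>.v2, ... oldest first
    return sorted(dst.glob(name + ".v*"), key=lambda p: int(p.suffix[2:]))

def mirror_backup(src: Path, dst: Path) -> None:
    """Plain mirror: the backup always equals the current source, with no history."""
    for f in src.iterdir():
        shutil.copy2(f, dst / f.name)

def versioned_backup(src: Path, dst: Path) -> None:
    """Versioned: store a new copy only when the content changed; earlier copies are kept."""
    for f in src.iterdir():
        existing = _versions(dst, f.name)
        data = f.read_bytes()
        if existing and existing[-1].read_bytes() == data:
            continue  # unchanged since the last run, nothing new to store
        (dst / f"{f.name}.v{len(existing) + 1}").write_bytes(data)

def restore_latest_good(dst: Path, name: str, is_good: Callable[[bytes], bool]) -> Optional[bytes]:
    """Walk versions from newest to oldest and return the first that passes the integrity check."""
    for v in reversed(_versions(dst, name)):
        data = v.read_bytes()
        if is_good(data):
            return data
    return None

def simulate() -> dict:
    """Constructed scenario: back up, 'encrypt' the source, back up again, then try to recover."""
    root = Path(tempfile.mkdtemp())
    src, mirror, versioned = root / "docs", root / "mirror", root / "versioned"
    for d in (src, mirror, versioned):
        d.mkdir()
    (src / "taxes.txt").write_bytes(b"quarterly tax records\n")  # constructed sample document
    mirror_backup(src, mirror)
    versioned_backup(src, versioned)
    # Stand-in for ransomware: the content is replaced by unreadable random bytes (no real sample)
    (src / "taxes.txt").write_bytes(os.urandom(64))
    # The scheduled backup runs again after the damage and faithfully copies the damaged file
    mirror_backup(src, mirror)
    versioned_backup(src, versioned)
    looks_good = lambda b: b.startswith(b"quarterly")  # placeholder integrity check
    return {
        "mirror_recoverable": looks_good((mirror / "taxes.txt").read_bytes()),
        "versioned_recovered": restore_latest_good(versioned, "taxes.txt", looks_good),
        "versions_kept": len(_versions(versioned, "taxes.txt")),
    }
```

Running `simulate()` shows the mirror now holds only the damaged copy, while the versioned backup returns the original content from its first version.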