Ransomware works by encrypting a victim’s files and then convincing them that the only way to retrieve their files is to pay a ransom. The attackers further this appeal to fear by setting a short deadline for payment, and telling the victim that their files will be gone for good if the deadline is missed. Ransomware is so successful because victims continue paying these ransoms.
The Cyber Threat Alliance reports an estimated $325 million in payments for the CryptoWall 3 ransomware alone during 2015. These payments provide both incentive and financing for further ransomware development by the bad guys. A recent report by McAfee shows a sharp increase in detected ransomware samples over the last two years.
Taking steps to prevent ransomware infections will always be the best defense strategy. Unfortunately, no protection is perfect, which means your systems may eventually fall victim to a successful attack. If you find yourself infected and without proper backups, you may think that paying up is your only option. Thanks to a few cyber security organizations, there may be another way out.
This week, Emsisoft launched a webpage dedicated to ransomware decryption. The webpage helps ransomware victims identify which flavor of ransomware infected their system and then provides a free downloadable decryption tool. Emsisoft is not the only one providing these tools. Kaspersky also maintains a page full of ransomware decryption utilities (and other malware removal tools). If you need help identifying exactly which version of ransomware locked your files, ID Ransomware is another tool you can use.
Ransomware decryption is a cat and mouse game. These utilities typically exploit errors in the ransomware encryption code to decrypt the affected files. When the attackers fix these errors and update their ransomware, the decryption utilities are no longer effective. Because of this, you should not rely on ransomware decryption utilities as your only protection. Instead, they should be treated as an option of last resort.
The best defense against ransomware remains a three-pronged approach of prevention, recovery, and education. You should take steps to prevent the initial infection by using a multi-layer security approach. Network-based AV scanning and APT protection along with host-based endpoint protection remain a must. You should also regularly create and test offline backups to recover from a ransomware infection. It is important that your backups be offline to protect against ransomware that locates and encrypts networked file shares. Finally, you should educate your employees on how to spot phishing attempts, which continue to be the most common attack vector for ransomware. If all of these steps fail though, you may still have hope with a decryption utility. – Marc Laliberte