Losing access to your files, whether precious photos or business documents, is something we hope you never experience. But if the worst happens and your PC and other kit end up infected with WannaCry, CryptoLocker or some other ransomware, what should you do?
Will the criminals actually honour the payment and hand over a decryption key? Here's what we know, and how to guard against ransomware.
Before a 22-year-old "accidental hero" calling himself MalwareTech flicked its hidden kill switch, the ransomware attack that struck the UK's National Health Service appeared to be spreading around the world, using an exploit for Windows file sharing (EternalBlue, published by the Shadow Brokers group) that may have originated at the US National Security Agency.
Mikko Hypponen, chief research officer at cybersecurity company F-Secure, called the attack “the biggest ransomware outbreak in history”.
The ransomware, called Wanna Decryptor or WannaCry, struck NHS hospitals on Friday 12 May 2017, taking down parts of their networks. A security researcher found a kill switch hardcoded into the malware; triggering it halted the spread before the attack took hold in the US.
Microsoft patched the flaw WannaCry exploits, a bug in the SMBv1 file-sharing protocol, in March 2017 (security bulletin MS17-010), but only for supported versions of Windows. Older ones, such as Windows XP and Windows Server 2003, are no longer supported but still widely used among businesses, according to security experts; Microsoft has since taken the unusual step of issuing an emergency patch for them as well.
MalwareTech, who works for Kryptos Logic, a threat intelligence company, warns people to patch their systems: "This is not over. The attackers will realise how we stopped it, they'll change the code and then they'll start again. Enable Windows Update, update and then reboot."
The Wanna Decryptor ransomware encrypts the files on an infected PC and then uses the same SMB flaw to spread, without any user action, to other unpatched Windows machines on the network the PC is attached to. It demands a ransom of about $300 (£232) in bitcoin per machine to release the files; the note warns that the price rises after three days and that the files will be deleted after seven if the ransom is not paid.
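The practical question for anyone running Windows is whether their own machines are still exposed. The script below is an added example, not code from the article or from Microsoft: it reports whether SMBv1 is enabled, whether one of the MS17-010 updates is present, and whether TCP port 445 is listening, and with `-Fix` it disables SMBv1. It assumes an elevated PowerShell session on Windows 8.1 / Server 2012 R2 or later (for the SmbShare and NetTCPIP modules); the KB list is the set Microsoft published for MS17-010, and the `-Fix` switch and all messages are this example's own.

```powershell
# Added example (not from the article): checks whether this Windows host is still
# exposed to the SMBv1 flaw WannaCry used, and optionally turns SMBv1 off.
# Assumes Windows 8.1/Server 2012 R2 or later and an elevated session.
[CmdletBinding()]
param([switch]$Fix)

# 1. Is the SMBv1 server protocol enabled?  This is what the worm attacks.
$smb = Get-SmbServerConfiguration
Write-Host ("SMB1 server protocol enabled : {0}" -f $smb.EnableSMB1Protocol)

# 2. Is the optional SMB1 feature installed at all (client and server side)?
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($feature) {
    Write-Host ("SMB1Protocol feature state    : {0}" -f $feature.State)
}

# 3. Is one of the March 2017 MS17-010 updates present?  On Windows 10 a later
#    cumulative update supersedes and hides these KBs, so a miss here is not
#    proof of a missing patch: confirm in Windows Update history as well.
$ms17010 = 'KB4012212','KB4012213','KB4012214','KB4012215','KB4012216',
           'KB4012217','KB4012598','KB4012606','KB4013198','KB4013429'
$found = Get-HotFix | Where-Object { $ms17010 -contains $_.HotFixID }
if ($found) {
    Write-Host ("MS17-010 hotfix installed     : {0}" -f ($found.HotFixID -join ', '))
} else {
    Write-Warning "No MS17-010 KB found by Get-HotFix (may be superseded; verify via Windows Update)."
}

# 4. Is anything listening on TCP 445, the port the worm scans for?
$listening = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
Write-Host ("TCP 445 listening             : {0}" -f [bool]$listening)

# 5. Remediate: disable SMBv1 on the server side and remove the feature.
#    Supported Windows versions do not need SMBv1; very old NAS boxes, printers
#    and XP/2003 hosts are the exception, so check for those before applying.
if ($Fix) {
    if ($smb.EnableSMB1Protocol) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        Write-Host "SMB1 server protocol disabled."
    }
    if ($feature -and $feature.State -eq 'Enabled') {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
        Write-Host "SMB1Protocol feature removed (reboot to complete)."
    }
} elseif ($smb.EnableSMB1Protocol) {
    Write-Warning "SMBv1 is enabled. Re-run with -Fix to disable it, then install updates and reboot."
}
```

Run it once to see the report, then again with `-Fix`. Disabling SMBv1 removes the attack surface even on a machine that has not yet received the patch, which is why it is worth doing before the reboot that completes the update.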
Ransomware scams: your options
In 2016 a hospital in Hollywood hit the headlines after it admitted that it paid almost $17,000 to get back critical files including patient data. According to reports, the criminals did unlock the hospital’s files and all was well just 10 days after the attack.
But there are no guarantees that the criminals behind all ransomware variants will do the same. If you pay up, you risk getting nothing in return.
Companies rarely admit to paying ransoms, because this also admits that their network was compromised in the first place. Therefore no-one is quite sure of the exact likelihood of getting your files back if you do choose to hand over the cash (or, more typically, Bitcoins).
Free ransomware decryption tools
Typically, the ransom is several hundred pounds, which is less than a data-recovery firm would charge, and a recovery firm cannot break properly implemented encryption anyway. Free decryptors exist only where the criminals made a mistake in their code or their keys were seized or leaked. So before you pay anyone, check whether a freely available tool will do the job: the No More Ransom project (nomoreransom.org), run by Europol and several security firms, collects these in one place.
Kaspersky, for example, has a decryptor which works with CoinVault and Bitcryptor. There is another tool which is said to work on files encrypted with TeslaCrypt.
If you are a victim of the Locker ransomware, its author released the decryption keys in a Pastebin post in 2015.
Ransomware scams: to pay or not to pay
The first task, then, is to find out exactly which malware has encrypted your files (the ransom note, the extension added to encrypted files and the names of any dropped files are the usual clues), then search online to see whether a decryption tool is available.
If not, check whether you have backups which are recent enough to avoid paying the ransom. And if you have no backups, you may well be tempted to cough up.
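Identifying the family is mostly a matter of matching the extensions and ransom-note names it leaves behind. The script below is an added example, not code from the article or from any decryptor vendor: it walks a folder, counts files and notes matching a small indicator table for WannaCry, TeslaCrypt, Locky and Cerber, and ranks the likely family. The table is a short, illustrative sample of well-known indicators, not a complete reference, so treat "no match" as "unknown" rather than "clean"; the `Find-RansomwareFamily` function name and the default path are this example's own.

```powershell
# Added example (not from the article): a triage pass over a folder to work out
# which ransomware family hit it, from the extensions and ransom notes it left.
# The indicator table is a short illustrative sample; confirm any result with a
# service such as ID Ransomware or nomoreransom.org before acting on it.
param([string]$Path = 'C:\Users')

# Indicators per family: extensions appended to victims' files and the note
# files dropped beside them (wildcards allowed, matched with -like).
$families = @(
    @{ Name = 'WannaCry';   Extensions = @('.wncry', '.wncryt');
       Notes = @('@Please_Read_Me@.txt', '@WanaDecryptor@.exe') },
    @{ Name = 'TeslaCrypt'; Extensions = @('.ecc', '.ezz', '.exx', '.aaa', '.ccc', '.vvv', '.micro');
       Notes = @('Howto_Restore_FILES.txt', 'help_recover_instructions+*.txt') },
    @{ Name = 'Locky';      Extensions = @('.locky', '.zepto', '.odin');
       Notes = @('_Locky_recover_instructions.txt', '_HELP_instructions.html') },
    @{ Name = 'Cerber';     Extensions = @('.cerber', '.cerber2', '.cerber3');
       Notes = @('# DECRYPT MY FILES #.*', '*README*.hta') }
)

function Find-RansomwareFamily {
    [CmdletBinding()]
    param([string]$Root)

    # Walk the tree once; count matching extensions and note files per family.
    $files = Get-ChildItem -Path $Root -Recurse -File -Force -ErrorAction SilentlyContinue
    $results = foreach ($f in $families) {
        $extHits  = @($files | Where-Object { $f.Extensions -contains $_.Extension.ToLower() })
        $noteHits = @($files | Where-Object {
            $name = $_.Name
            @($f.Notes | Where-Object { $name -like $_ }).Count -gt 0
        })
        [pscustomobject]@{
            Family         = $f.Name
            EncryptedFiles = $extHits.Count
            RansomNotes    = $noteHits.Count
            SampleNote     = ($noteHits | Select-Object -First 1).FullName
        }
    }
    # Most likely family first; families with no hits at all are dropped.
    $results | Where-Object { $_.EncryptedFiles -gt 0 -or $_.RansomNotes -gt 0 } |
        Sort-Object EncryptedFiles, RansomNotes -Descending
}

$verdict = Find-RansomwareFamily -Root $Path
if ($verdict) {
    $verdict | Format-Table -AutoSize
    # Before any cleanup, copy one ransom note and one encrypted file to removable
    # media: decryptor tools usually need both, and a reinstall destroys them.
} else {
    Write-Host "No known indicators under $Path; identify the note text manually (ID Ransomware, nomoreransom.org)."
}
```

The one non-obvious step is the comment at the end: keep a ransom note and a sample encrypted file. Most free decryptors need the note (it often carries the victim ID) and an encrypted/original pair to recover the key, and those are exactly the files people delete first.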
There are two main schools of thought. The first is that the bad guys want to make it as easy as possible to pay and get your decryption key. After all, they want other people to pay up and not hear that people have paid and got nothing. Hence, you should follow the instructions when you see the ransom on screen and you’ll get your data back.
The second is that the criminals have no incentive to hand over the key. For one thing, contacting people makes them easier to trace, but the main point is that they’re anonymous, so they have no reputation to protect. Also, people who’ve paid the ransom and got nothing are hardly going to shout about it: they’ve just lost money to a scam and are no closer to getting their files decrypted.
Further, even if you do get a key or some tool to decrypt your files, you are still not safe. Whatever let the criminals in the first time (an unpatched machine, a backdoor, stolen credentials) is still there unless you find and fix it, so a machine that is decrypted but not cleaned up or rebuilt can be held to ransom again.
Those who would advise you not to pay would also warn against believing stories such as the Hollywood hospital case, as the criminals will go to great lengths to post fake testimonies about successfully decrypting files in order to persuade victims to pay up.
Back in 2015, when we originally wrote this article, a senior FBI agent had been quoted at a security conference saying the bureau often advised victims to pay, especially if they had no backups. These days, though, the official advice is the opposite: you shouldn't pay.
How to guard against ransomware
If you’re reading this having suffered a ransomware attack, the following advice probably comes too late. But if you haven’t, there are several things you should be doing:
1 – Make regular backups of any and all files you can't afford to lose. Don't assume that cloud backups or cloud storage are immune from ransomware: many services sync files with those on your hard drive and could well overwrite unencrypted files with the newer encrypted ones, and WannaCry-style malware encrypts any connected drive it can reach. The best plan is to keep multiple backups, at least one of which is either offline (a portable USB hard drive that is unplugged once the backup finishes) or on a service that keeps old versions of files so an encrypted copy can be rolled back. Test that you can actually restore from it.
2 – Keep your antivirus and internet security software up to date and ensure you are using software which can protect against all types of malware, including ransomware. Read PC Advisor’s up-to-date independent best antivirus reviews.
3 – Be ever more vigilant about which email attachments you open and links you click on. Most ransomware relies on human error rather than weaknesses in security software; WannaCry is the exception, spreading on its own between unpatched machines, which is why installing Windows updates promptly matters as much as caution. Even if an email or attachment is from a person you know, or a service provider you use, double-check that it is genuine. If in doubt, don't open the email, let alone open an attachment or click on a link that will supposedly take you to a page where you can enter your banking details.
See also: How to protect yourself from CryptoLocker, GoZeus and other ransomware. For more on the latest scams, see How to avoid getting scammed.
Additional reporting by Michael Kan, IDG News Service.