What is ransomware?
Ransomware is a malicious program that prevents a user from accessing their data or their machine. To recover access, the victim must pay a ransom, usually a sum of money in cryptocurrency (often Bitcoin). The software acts like a kidnapper in a hostage-taking, restoring the files only if the ransom is paid.
The question on everyone's lips is: how can such software take our data or systems hostage?
First of all, it is important to understand how ransomware gets into our networks and systems. It infiltrates machines by exploiting vulnerabilities (in web applications or in the operating system) or through an e-mail campaign whose attachment contains the ransomware. If the user opens the attachment, the malicious program encrypts the data on the machine's hard disk and displays a ransom note. Some ransomware does not encrypt the victim's data at all but instead blocks every interaction with the system. This was the case with the WinLock program: it displayed pornographic images on the victim's screen and demanded that they send a premium-rate SMS, after which the victim received the code needed to regain access to the machine.
Ransomware first became widespread in Russia, then spread all over the world. It is not uncommon to hear the press list the damage caused by this type of software. You may have heard of WannaCry, the ransomware responsible for the largest ransomware attack in internet history. Also known as WannaCrypt or WanaCryptor 2.0, it affected more than 300,000 victims in 150 countries. It spread on its own, like a worm, by exploiting a vulnerability in the Windows SMBv1 service for which Microsoft had published a patch (MS17-010) two months earlier. The British National Health Service was one of the main victims, with 48 organisations impacted, many of which had to cancel or postpone medical procedures. France was not spared: the manufacturer Renault saw production lines stopped for a day at its Douai site. Other victims included the Russian central bank, several Russian ministries, the US parcel delivery giant FedEx and the Spanish telecom company Telefónica.
For the technical details of this malware, read the article "Wannakey, the wannacry decryption tool" by Samuel Campos, computer security engineer at HTTPCS.
Among the best-known ransomware families there is also Petya (or NotPetya). Petya was an existing ransomware family; the variant used in the June 2017 outbreak had been modified so heavily that researchers named it NotPetya. Unlike WannaCry, Petya does not encrypt files one by one but attacks the disk structures, in two steps. First, it overwrites the Master Boot Record (the part of the disk that launches the operating system) with its own boot code and forces a reboot, so the machine can no longer start the intended OS. Second, on reboot, that malicious boot code encrypts the NTFS Master File Table, the small area of the disk that lists every file and where it is stored, while displaying a fake CHKDSK repair screen; the file contents are untouched but unusable without the table. A message then appears asking for a ransom ($300) paid in Bitcoin, in exchange for which the victim is supposed to receive the decryption key and regain access to the computer. In the NotPetya outbreak, paying was useless: the e-mail address for contacting the attackers was shut down within hours, and the malware's key handling gave the attackers no way to recover a victim's key, so in practice it behaved as a wiper.
If you fall victim to ransomware, do not pay. Even if the threat frightens you, you have no guarantee that your data will be decrypted. Moreover, any banking details you enter for the payment may be reused by the attackers.
The first thing to do in case of an attack is to disconnect the machine from the network, either through your system's network settings or by unplugging the network cable directly. If you are on Wi-Fi, remember to disable it too. This limits the spread of the malware to other machines. One consequence of mass attacks is that decryption tools get published on the Internet which, in some cases, allow you to recover your data, so keep the encrypted files rather than wiping them.
How to protect yourself against ransomware?
The first thing to do to avoid becoming a victim of ransomware is to update your computer regularly: the operating system, but also all the software installed on it, especially web browsers and e-mail clients. Do not forget plugins, in particular those related to Java, Flash or PDF. And be careful: owning a "next generation" antivirus does not mean you are not vulnerable to ransomware.
Infections often start with a human action. It is very important not to click on links from unknown sources, which can redirect you and make you run malicious code. Be even more careful with links or attachments received by e-mail: it is essential to verify the identity of the sender. The display name and even the From: address are trivially forged, so the reliable check is to view the message source and examine the Return-Path: and Received: headers (which record the envelope sender and the servers the message actually passed through) together with the Authentication-Results: header, where the receiving server records the outcome of its SPF, DKIM and DMARC checks.
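As an added illustration of that check (not code from the original article or from HTTPCS), here is a small Python script that parses the source of a message and compares the visible From: domain with the Return-Path:, with the relay closest to the sender in the Received: chain, and with the SPF/DKIM/DMARC verdicts. The two messages embedded in it are constructed for the example; every host, address and IP in them is hypothetical.

```python
"""Sanity-check the sender of an e-mail from its raw headers.

Added example for this article, not code from HTTPCS. The two messages
below are constructed for the demonstration; all hosts, addresses and
IP addresses in them are hypothetical.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed phishing sample: the visible From: claims a bank, but the
# envelope sender and the relay nearest the sender belong elsewhere, and
# the receiving server recorded SPF and DMARC failures.
PHISHING_EMAIL = """\
Return-Path: <bounce@mail-srv77.example.net>
Received: from mx.corp.example (mx.corp.example [192.0.2.10])
\tby inbox.corp.example with ESMTP id abc123;
\tTue, 16 May 2017 09:12:01 +0000
Received: from mail-srv77.example.net (unknown [203.0.113.45])
\tby mx.corp.example with SMTP id xyz789;
\tTue, 16 May 2017 09:11:58 +0000
Authentication-Results: mx.corp.example;
\tspf=fail smtp.mailfrom=example.net;
\tdkim=none;
\tdmarc=fail header.from=bank.example
From: "Your Bank" <alerts@bank.example>
To: victim@corp.example
Subject: Invoice attached
Content-Type: text/plain

Please open the attached invoice.
"""

# Constructed legitimate sample for comparison: everything lines up.
LEGIT_EMAIL = """\
Return-Path: <alerts@bank.example>
Received: from smtp.bank.example (smtp.bank.example [198.51.100.7])
\tby mx.corp.example with ESMTP id def456;
\tTue, 16 May 2017 10:00:00 +0000
Authentication-Results: mx.corp.example;
\tspf=pass smtp.mailfrom=bank.example;
\tdkim=pass header.d=bank.example;
\tdmarc=pass header.from=bank.example
From: "Your Bank" <alerts@bank.example>
To: victim@corp.example
Subject: Statement
Content-Type: text/plain

Your statement is ready.
"""

# "from <helo> (<reverse-dns> [<ip>])" as written by common MTAs.
RECEIVED_FROM = re.compile(r"from\s+(\S+)\s+\((\S+)\s+\[([^\]]+)\]\)")
# spf=/dkim=/dmarc= verdicts in an Authentication-Results header (RFC 8601).
AUTH_VERDICT = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")


def address_domain(header_value):
    """Domain of the address in a From:/Return-Path: header ('' if none)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def in_domain(host, domain):
    """True if host is the domain itself or a host under it."""
    host = host.lower().rstrip(".")
    return bool(domain) and (host == domain or host.endswith("." + domain))


def received_chain(msg):
    """Relays in delivery order, the one nearest the sender first.

    Each hop prepends its own Received: header, so the last one in the
    message is the relay closest to the origin."""
    hops = []
    for value in msg.get_all("Received", []):
        m = RECEIVED_FROM.search(value)
        if m:
            hops.append({"helo": m.group(1), "rdns": m.group(2), "ip": m.group(3)})
    hops.reverse()
    return hops


def auth_results(msg):
    """Verdicts recorded by the receiving server, e.g. {'spf': 'fail', ...}."""
    return dict(AUTH_VERDICT.findall(msg.get("Authentication-Results", "")))


def assess(raw_message):
    """Extract the sender facts and list the reasons for suspicion."""
    msg = message_from_string(raw_message)
    from_dom = address_domain(msg.get("From"))
    rp_dom = address_domain(msg.get("Return-Path"))
    hops = received_chain(msg)
    auth = auth_results(msg)
    findings = []
    if rp_dom and rp_dom != from_dom:
        findings.append("Return-Path domain %s differs from From domain %s" % (rp_dom, from_dom))
    if hops:
        origin = hops[0]
        if not (in_domain(origin["helo"], from_dom) or in_domain(origin["rdns"], from_dom)):
            findings.append("first relay %s [%s] is not under %s" % (origin["helo"], origin["ip"], from_dom))
    if not any(auth.get(m) == "pass" for m in ("spf", "dkim", "dmarc")):
        findings.append("no SPF/DKIM/DMARC pass: %s" % (auth or "no Authentication-Results header"))
    return {
        "from_domain": from_dom,
        "return_path_domain": rp_dom,
        "origin": hops[0] if hops else None,
        "auth": auth,
        "findings": findings,
        "suspicious": bool(findings),
    }


if __name__ == "__main__":
    for label, raw in (("phishing", PHISHING_EMAIL), ("legitimate", LEGIT_EMAIL)):
        result = assess(raw)
        print("%s: suspicious=%s" % (label, result["suspicious"]))
        for reason in result["findings"]:
            print("  - " + reason)
```

Run it on a message saved as source ("Show original" in most mail clients) by passing the file contents to assess(). The script trusts only the Received: and Authentication-Results: headers added by your own server; headers below them in the chain can be forged by the sender, which is why the relay nearest the origin is read from the last Received: header your server wrote rather than from the first header in the message.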
Do not forget good practices such as backing up your work to external hard drives or secure servers. Keep the 3-2-1 rule in mind: at least 3 copies of your data, on 2 different media, with 1 copy off-site. Disconnect the backup drive once it has been written: ransomware that reaches a permanently mounted backup encrypts it along with everything else.
Finally, the best protection remains staying informed about IT security, so that you know about the latest threats and can take a proactive approach when a problem arises.