Ransomware: the monetization of computer viruses

Rarely has a ransomware attack shown such visible consequences as a recent case in the US: the attack on one of the largest US pipelines significantly affected the fuel supply on the east coast. The result: closed petrol stations and constantly rising fuel prices.
In the following, we want to examine which basic concepts help against ransomware, how you should behave if your own computer or network has been infected, and how to get rid of the malware if necessary.

Whether you travel to the USA as a tourist or, like the author, move there to work, in everyday life you quickly notice many differences. One of the most obvious is the much cheaper fuel compared to Europe. In May 2021, however, this looked significantly different, at least on the US East Coast: fuel prices had climbed to an all-time high, if there was any fuel at all, because many gas stations had closed since they were no longer being supplied with gasoline.

The reason for this was not an international conflict but a computer virus, more precisely ransomware. This type of malware, also known as a “crypto Trojan”, encrypts the files on infected computers. The authors of such attacks use this encryption to extort ransom money from the owners of the infected computer systems. In the current example, it was one of the largest pipelines in the US that was crippled by a ransomware attack.

But even if the effects are particularly obvious this time: already in 2019, there was a ransomware attack every 14 seconds worldwide, and this number has risen since. Ransomware does not only cause great economic damage through the failure of the infected computer systems. In addition, many of the criminals actually succeed in earning money this way, and more and more of them do: while the average ransom demand in 2019 was still around 100,000 euros, the amounts demanded tripled on average in 2021.

Table of contents of the article

  • 1 When the ransomware reports, it is usually too late
  • 2 How to protect yourself from ransomware?
  • 3 Ransomware has infected my system. Now what?
  • 4 What are the chances of decrypting the data again?
  • 5 Restoration of a shadow copy
  • 6 Recovery with a Data Recovery Software
  • 7 Recovery with the help of Linux
  • 8 Permanently remove the ransomware

When the ransomware reports, it is usually too late

Not least, the now widespread use of cryptocurrencies such as Bitcoin continues to fuel this trend: large amounts can be transferred easily and largely anonymously, even across national borders and continents.

Companies or self-employed persons who fall victim to such an attack, on the other hand, may find their very existence at stake.

In most cases, if a ransomware attack is successful, those affected see a message on their computer like the one in the screenshot below. But by the time it appears, it is usually already too late: the data on the computer is probably already encrypted.

The blackmail message of the successful ransomware WannaCry.

In 2017, we explained in this article which encryption methods ransomware usually uses and how the infection works technically in detail.

The extent to which a ransomware attack can damage or render unusable a company’s computers and network depends on various factors, not least the protection and security concepts implemented in the network. However, even if well-thought-out measures allow data and systems to be recovered, it can take days or weeks for the company to recover from the attack and restore its network.

Basically, security experts recommend not to accept the extortionists’ alleged offer. On the one hand, paying the ransom motivates the attackers even more; some companies that have paid have even been attacked a second time within a short period. On the other hand, even after payment it is by no means certain that you will get your data back: quite a few extortionists simply break off contact after receiving the ransom.

Therefore, we now want to go through step by step how best to deal with ransomware: how to protect yourself, what to do in case of infection, and how to get rid of the ransomware software.

How to protect yourself from ransomware?

Even if it sounds almost hackneyed: the most effective way to protect your computer or an entire network from ransomware attacks is regular backups. However, it is important to find the right balance between convenience and security: current ransomware also encrypts backup media that the affected computer can reach via network shares. So there should be backups that are “offline”, that is, without an active connection to the network. These can be removable hard drives, for example, which are ejected and physically isolated after the backup has been completed, or, in larger companies, the magnetic tapes already widely used for data backups, which are likewise ejected once the backup is complete.

Removable media that can be physically separated from the computer and network are a good insurance against ransomware. The possibilities range from simple hard disk docks as shown to tape drives and dedicated removable media. (C) BaseTech

In addition, current firewall and virus protection solutions are of course mandatory anyway. In many cases they detect and block the files that contain ransomware, and can either prevent the attack completely or at least stop it from spreading over the entire computer network.

Ransomware has infected my system. Now what?

Should we not consider paying the ransom, especially in cases where the demand is not so high? As already described above: no! Paid ransom only spurs cybercriminals on to develop more and better ransomware programs. Insurance companies that offer to pay the ransom in the event of a ransomware attack are therefore also to be viewed critically. Especially since, according to recent surveys, only about 8 percent of ransomware victims who paid the demanded amount actually got their data back. And those who pay, for the reasons already described, even run a significantly higher risk of being attacked again.

The originators of the extortion software are often located in countries where legal remedies are hardly effective. Therefore, before considering a payment, you should try every possible step to get the encrypted data back by other means.

What are the chances of decrypting the data again?

Most ransomware programs use encryption algorithms such as AES-256 or RSA, and thus keys so strong that they are practically uncrackable with today’s computers. Simply trying out all possible decryption keys would take up to a million years.

However, it may be worthwhile to check whether the data is really encrypted at all. Encryption is computationally intensive, which is why some extortion programs take shortcuts or, in the best case for the affected person, may even just pretend that encryption has taken place. The blackmailers then rely on some of their victims paying the ransom in the first panic.
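To make that check concrete, here is an added Python example (not code from the original article) that inspects the first 4 KB of a file: a file that still starts with a known format signature was most likely only renamed, while a near-random byte distribution points to real encryption. The signature list and the entropy thresholds are assumptions chosen for illustration; genuinely compressed formats such as ZIP or JPEG also score high on entropy, which is why the signature check comes first.

```python
import math
import sys
from collections import Counter

# Signatures of common formats: an "encrypted" file that still begins with one
# of these most likely only had its name changed, so try opening it normally.
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "PNG image",
    b"%PDF-": "PDF document",
    b"PK\x03\x04": "ZIP container (also docx/xlsx/pptx)",
    b"\xff\xd8\xff": "JPEG image",
    b"\xd0\xcf\x11\xe0": "legacy Office (doc/xls)",
}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext or compressed data, far lower for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify(data: bytes, sample: int = 4096) -> str:
    """Judge from the first `sample` bytes whether a file was really encrypted."""
    head = data[:sample]
    for sig, name in MAGIC.items():
        if head.startswith(sig):
            return f"intact header ({name}): probably renamed, not encrypted"
    ent = shannon_entropy(head)
    if ent > 7.5:                     # thresholds are illustrative, not a standard
        return f"high entropy ({ent:.2f} bits/byte): encrypted or compressed"
    if ent < 6.0:
        return f"low entropy ({ent:.2f} bits/byte): plaintext, unknown format"
    return f"medium entropy ({ent:.2f} bits/byte): inspect manually"

def classify_file(path: str) -> str:
    """Read only the sample window, so scanning a large directory stays cheap."""
    with open(path, "rb") as fh:
        return classify(fh.read(4096))

if __name__ == "__main__":
    for path in sys.argv[1:]:
        print(f"{path}: {classify_file(path)}")
```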

Even if really encrypted files can hardly be decrypted without the matching key, there are methods to restore the data under certain circumstances:

Restoration of a shadow copy

Since Windows XP, Windows has had the system service “Volume Shadow Copy Service” (VSS). It creates so-called shadow copies of a file, whose purpose is to save different versions of the file, which the user can restore if necessary. To do this, Windows keeps up to 64 versions of a file.

The described Windows service is not a dedicated backup program and should not be understood as such. VSS is rather intended as a service for actual backup software, so that, for example, files that are currently open and being edited can also be backed up. Windows creates a shadow copy only when a file changes. Unfortunately, this also means: if a file is only read but never edited, there is probably no shadow copy of it.

However, in the event of a successful ransomware attack, shadow copies may help restore certain files. As mentioned, this is especially true for files that have been edited and modified frequently. It also depends on the type of ransomware: some ransomware programs also try to delete shadow copies. However, this does not always succeed, or the ransomware simply does not find all shadow copies.

The native shadow copies of Windows may give access to important file contents. (C) Point2Click.de
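As an added example (not from the original article), the following Python parses the output of Windows’ `vssadmin list shadows`, picks the newest snapshot created before the attack, and builds the device path under which that snapshot exposes a given file. The listing is a constructed sample with placeholder GUIDs, the date format assumes the en-US output shown, and reading from the `\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN` path is assumed to work with administrative rights.

```python
import ntpath
from dataclasses import dataclass
from datetime import datetime

# Constructed sample of `vssadmin list shadows` output (GUIDs are placeholders);
# the real listing carries more fields per copy, which the parser ignores.
SAMPLE = r"""Contents of shadow copy set ID: {11111111-1111-1111-1111-111111111111}
   Contained 1 shadow copies at creation time: 5/6/2021 9:15:02 PM
      Shadow Copy ID: {aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa}
         Original Volume: (C:)\\?\Volume{22222222-2222-2222-2222-222222222222}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1

Contents of shadow copy set ID: {33333333-3333-3333-3333-333333333333}
   Contained 1 shadow copies at creation time: 5/9/2021 7:40:11 AM
      Shadow Copy ID: {bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb}
         Original Volume: (C:)\\?\Volume{22222222-2222-2222-2222-222222222222}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2
"""

@dataclass
class ShadowCopy:
    set_id: str
    created: datetime
    copy_id: str = ""
    device: str = ""  # \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN

def parse_shadow_list(text):
    """Turn the vssadmin listing into records (date format as in the en-US output above)."""
    copies, set_id, created = [], "", None
    for raw in text.splitlines():
        key, _, value = raw.strip().partition(": ")
        if key == "Contents of shadow copy set ID":
            set_id = value
        elif key.endswith("at creation time"):
            created = datetime.strptime(value, "%m/%d/%Y %I:%M:%S %p")
        elif key == "Shadow Copy ID":
            copies.append(ShadowCopy(set_id, created, copy_id=value))
        elif key == "Shadow Copy Volume":
            copies[-1].device = value
    return copies

def newest_before(copies, attack_time):
    """Pick the most recent snapshot taken before the encryption started, or None."""
    older = [c for c in copies if c.created < attack_time]
    return max(older, key=lambda c: c.created, default=None)

def path_in_shadow(copy, windows_path):
    """Map a C: drive path onto the snapshot device (assumed readable with admin rights)."""
    _, rest = ntpath.splitdrive(windows_path)   # drop "C:", keep the rest of the path
    return copy.device + rest
```

On a live system the listing would come from running `vssadmin list shadows` in an elevated prompt and passing its text to `parse_shadow_list`.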

Recovery with a Data Recovery Software

Another way to recover files after a ransomware attack is specialized data recovery software, that is, a tool for recovering deleted files. The chances here are not so small, because the encryption process often works in such a way that the ransomware writes the encrypted content to a new copy of the affected file and then deletes the original.

Programs for data recovery exploit this principle and the fact that deleting a file from a storage medium only removes the information that the file exists. The actual contents, the “zeros” and “ones” that represent the data, remain on the medium, at least until they are overwritten. Anyone who runs a data recovery program immediately after the attack therefore has reasonable prospects of recovering the deleted original files. This should happen as soon as possible, but first you need to start a clean system, for example from an external boot medium, because the ransomware must no longer be active, so as not to immediately undo any successes.
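The principle just described, carving file contents out of raw disk space by their header and footer signatures without any file-system metadata, as an added Python example (not code from the original article or from any recovery product). It runs over a constructed in-memory disk image; pointed at a raw image of the affected disk taken from a cleanly booted system, it writes each carved file to the current directory.

```python
import sys

# Signatures of file types that also carry a recognisable footer, so the end of a
# carved file can be found without any file-system metadata at all.
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND", 4),   # IEND chunk is followed by a 4-byte CRC
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9", 0),    # caveat: embedded thumbnails also end in FFD9
    "pdf": (b"%PDF-", b"%%EOF", 0),              # caveat: incremental updates repeat %%EOF
}

def carve(image: bytes, max_size: int = 50 * 1024 * 1024):
    """Scan a raw image and return (kind, offset, data) for every header/footer pair found."""
    found = []
    for kind, (header, footer, trailer) in SIGNATURES.items():
        start = image.find(header)
        while start != -1:
            end = image.find(footer, start + len(header), start + max_size)
            if end == -1:                 # header whose body was already overwritten
                start = image.find(header, start + len(header))
                continue
            end += len(footer) + trailer
            found.append((kind, start, image[start:end]))
            start = image.find(header, end)
    return sorted(found, key=lambda f: f[1])

def make_png(body: bytes) -> bytes:
    """Constructed stand-in for a PNG: real framing bytes around a fake body."""
    return b"\x89PNG\r\n\x1a\n" + body + b"IEND\xaeB`\x82"

# Constructed "disk image": slack space, a PNG, a PDF, and an orphaned PNG header
# whose remainder has been overwritten (it must not be carved).
DISK = (b"\x00" * 512 + make_png(b"A" * 100) + b"\xff" * 300
        + b"%PDF-1.4 fake body %%EOF" + b"\x00" * 64 + b"\x89PNG\r\n\x1a\n" + b"B" * 50)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else DISK
    for kind, offset, blob in carve(data):
        name = f"carved_{offset}.{kind}"
        with open(name, "wb") as out:
            out.write(blob)
        print(f"{name}: {len(blob)} bytes")
```

Footer carving cannot tell an orphaned header from a later file's footer, so a carved blob that fails to open should be treated as a partial recovery rather than as proof the data is gone.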

Recovery with the help of Linux

A really useful feature of the Linux distribution Ubuntu is that you can start this operating system from a USB drive without having to install Linux on the boot disk of the computer. For this, you create an Ubuntu live medium on a USB stick, CD or DVD, from which you can then start the computer.

Since Linux is a fundamentally different operating system from Windows, ransomware targeting Windows usually does not “run” on it: the system is not vulnerable to the malicious software. However, Linux can still read data from a Windows system and, with appropriate tools, also restore it and back it up to an external medium.

Basically, you should back up recovered files externally if possible and not on the infected computer itself. Also check the recovered data with a current virus scanner to make sure that you have not also copied the ransomware.

Ubuntu Linux is a useful system environment to rescue data from infected Windows installations. (C) Wikimedia

Permanently remove the ransomware

After the data is recovered as much as possible, you need to make sure that the malware disappears from your machine permanently.

Depending on the ransomware, this can possibly be achieved with specialized programs from well-known and reliable security companies. However, you may not be able to avoid setting up the system completely anew.

Here too, however, a clever backup strategy can help: there should not only be backups of your documents, but also of the system and the installed programs themselves. That way it is much faster to bring the computer back to its state before the ransomware attack.
