Your hard drive held hostage– Ransomware*

You turn on your computer and see, “Your files have been encrypted–send me $500 for the key.”
An article in Newsweek calls this a “new” phenomenon, but I assure you it is not — it even has a name: ransomware.

As my loyal readers know, I am constantly advising security, security, security! I have a “thing” … I detest digital Evil Doers.
Ransomware is a type of worm and/or trojan horse that runs a RC4 encryption algorithm on your hard drive. This ‘scrambles’ your files and makes them unreadable … unless you have the ‘key’. The malware leaves several (readable) read_me.txt files which tell you what has happened, and where to send money to buy the key. Your data held hostage. Without the key, all you have is gibberish. Without paying the ransom, you have no key. Or, that’s the idea anyway.
I haven’t talked about ransomware before because it has not been a very common, or rewarding attack.

What this means to you is that it is more important than ever to have an off-machine backup and up-to-date malware protections in place. You do have a recovery backup … don’t you??? Please click this link to read my article on creating backups. It is important to understand that what this piece of code does (and this is true of most malware), it does, or tries to do, to every drive it can find. That means every storage device attached to your computer, such as the hypothetical drive “E:\” in the ‘how to auto-backup’ article, will get scrambled. If you store your backup (and/or backup image) on a partition, or USB attached hard drive, it is effectively gone as a result.

Tip of the day: I will reiterate, because it’s so gosh-durned important, that you should store a recovery backup in two locations; usually this means two different storage media types. In this case I’m referring to CD’s or DVD’s.
I use a 3rd party “disk imaging” application (I happen to have got a deal on Norton Ghost [free after rebate], but my reco is Acronis True Image) which automatically breaks the system backup into disk-sized pieces. But you do not need such a program; you can use your zip program (see today’s free link) to do the same thing to a Windows Backup.bkp file. It will take several disks, so be sure to stock up.

If you have Windows Vista Home Premium or Ultimate Edition, you have a powerful system backup utility (built in) that will copy a recovery backup to disk, or other storage, that works through an easy to follow wizard. And you also have a delightful command line imaging tool called Ximage that I suggest you look into.

The main point I want to get across is that if you should, one day, discover that some Evil Doer has scrambled your files and wants money to descramble them, DO NOT SEND THEM MONEY. RC4 can be broken. You can find the password (the ‘key’) posted on the Internet, and use it to get your files back. You also should take a seriously critical look at your Internet protection apps … either you didn’t have them, or they let you down. Fix that.
If this happened to me, I wouldn’t bother with trying to decrypt my files. I wouldn’t trust that the trojan wasn’t still lurking, (possibly as a rootkit)ready to pull the same stunt again and demand another ransom. I would format my hard drive and boot my first recovery CD and restore my system from the backup. This backup would not contain the trojan, because I make system recovery DVDs once a month, nor my most recent files … those I would recover from a network drive, or live without.

So. You do have a system backup, right?

Today’s free link: there are many zip utilities out there, and Windows comes with a “compressed folder” zip tool, and selecting one is a matter of taste. They all do basically the same thing: take a big file (or folder) and run a compression algorithm to make them smaller (“zipped”). Some are free and some are for sale — typically under $20. The free zip tool I use is 7-Zip. It has all the features you need, and actually does compress.

Can I ask you a favor? I am a bit curious as to how Tech–for Everyone readers are feeling about the Olympic Games being held in China, and so I’ve created a very brief survey. Click Here to take survey

Update 8/16/07: There’s a report on Sunbelt of a new ransomware, and this one only demands $150. Click here for an interesting read.
Update 8/9/08: Bill Mullins discusses a newer, and meaner, type of ransomware in this article.

Copyright 2007-8 © Tech Paul. All rights reserved. post to jaanix

Share this post :

August 9, 2008 - Posted by techpaul | advice, Backups, computers, cyber crime, encrypting files, how to, PC, ransomware, security, tech, Windows | attack, cyber crime, data, encrypted, hackers, held, hostage, malicous, malware, ransomware, what to do if