Even the best antivirus likely can't save your files from a ransomware infection
Dan Turkel
broken computer
(REUTERS/Kacper Pempel)
With new types of computer viruses being released every day, the internet can be a dangerous place, especially if you value the files on your computer.
One of the most prevalent forms of malware out there right now is called ransomware, a virus that encrypts a user's files, leaving them scrambled unless the victim pays for the decryption key.
It’s a criminal business model that has proven extremely profitable. Some of the largest actors may be making millions on the scam.
What makes the scam so effective is the fact that, without backups, paying is often a victim’s only recourse. The problem has gotten so bad that FBI Assistant Special Agent Joseph Bonavolonta said at the 2015 Cyber Security Summit that FBI often advises victims to just pay the ransom. An FBI spokesperson has since walked back the comment, saying that the FBI doesn’t make recommendations but rather presents the options — it’s just that there aren’t many options.
“Decrypting as a way of mitigating [the ransomware threat] is unfortunately ... probably not going to be the avenue that people should be relying on,” Ed Cabrera, vice president of cybersecurity strategy at Trend Micro, told Business Insider.
Simply put, the encryption used by modern ransomware is too good to crack—it was developed that way, generally with the hopes that it would be used for less malevolent purposes.
We spoke with a number of security and antivirus professionals to learn about the tools they are developing to help protect users from ransomware. The answers were unanimous: The best approach is fighting ransomware is to avoid it in the first place.
cryptowall instructions ransomware
(Business Insider/Screengrab) In this screenshot provided by a CryptoWall victim, the virus explains what has happened to the user's files.
The standard antivirus approach
Antivirus software often works by maintaining a massive database of digital signatures of known viruses. The software scans your hard drive for these “fingerprints” and if it finds a file that matches known malware, it will attempt to quarantine and delete it.
While this can protect your computer against well-known viruses, it won’t do you much good if a virus is too new or obscure to be in a database. Plus, some viruses encrypt or modify their own source code, making it much harder for antivirus software to detect it.
One way to improve detection is called “sandboxing.” The idea is to run new software or suspicious files in an isolated space to protect your important systems from possible infection. Some antivirus packages include sandboxing functionality and there are dedicated apps for creating virtual machines for testing, but running every untrusted file through the digital equivalent of a quarantined hosedown can introduce unnecessary overhead.
For detecting previously unknown viruses, we can now turn to heuristic analysis. Antivirus software that uses heuristic analysis can detect previously unknown viruses by studying the behavior of software running on a user’s machine. If suspicious activity is detected, like the encrypting of the user’s documents, the questionable software can be stopped in its tracks and removed.
The security companies we spoke to — Trend Micro, Cisco, and Kaspersky Lab — all offer software with some type of behavioral analysis feature: OfficeScan, AMP, or Kaspersky Internet Security, respectively.
But part of being in the cybersecurity industry means fighting to keep up with the competition. As Cabrera put it: “We don’t see other security vendors as our competitors, we see cybercriminals as our ultimate competitors.”
Advances in malware
In many cases, the encryption aspect of ransomware is already as effective as it has to be. But that doesn’t mean that hackers are resting on their laurels.
According to Craig Williams, the lead security outreach manager for Cisco’s Talos security group, some of the biggest recent innovations in malware have been in how the viruses infect your machine.
Phishing Attachment
(SecurityMetrics) An example of a standard phishing email with an attachment
“Spear-phishing” is an update of one of the oldest delivery methods: the fake email. In a standard phishing attack, a cybercriminal will spam users with emails masquerading as something legitimate in the hopes that the user will click download an infected file attachment or enter their password into a fake form. Spear-phishing, as the name suggests, is more targeted. Emails are customized to make reference to you and people or businesses that you know, making them more convincing.
“Watering hole” attacks, on the other hand, infect legitimate websites that a user trusts — like the Daily Mail or The Independent — to serve malware to unsuspecting visitors.
To protect against these and future methods, the security companies that Business Insider spoke with all stressed general “good hygiene” practices that go beyond simply running your antivirus scan:
Keep backups of your files, preferably stored offline where they can’t be reached by infections that make it to your computer.
Keep your operating system, antivirus, and installed software patched and up to date.
Avoid suspicious websites, emails, and files online, using common sense and a healthy dose of skepticism.
To help with the third tip, security companies offer reputation programs alerting you to websites and email addresses known to be serving up dangerous content to users.
Williams noted that these practices can help save you from more than just viruses—a freak hardware failure could have the same effect as the most vicious ransomware.
“If you don’t have backups, and they’re not offline … you’re effectively driving an F1 car without a seatbelt ...” Williams told Business Insider.
An ounce of prevention is worth more than any cure
Prevention is currently the best bet users have in fighting ransomware, and that’s not likely to change going forward.
Security companies are currently dedicating most of their resources to prevention and early detection. Analyzing cryptographic ransomware for flaws that might allow the encryption to be cracked is generally time-consuming and is never guaranteed to work. Even worse, when methods are developed to crack poorly implemented encryption, the malware developers often take notice and fix their viruses, as was recently the case with decryption keys stored in versions of TeslaCrypt.
What this all means is that, for a victim whose files are encrypted without a backup, payment might truly be the only way to restore your files.
cryptowall screenshot ransomware
(CryptoWall/Screengrab) A website associated with the CryptoWall ransomware virus provides decryption instructions to a victim who paid over $500 for the key.
Even so, the security firms we spoke to were uniform in their recommendation not to pay if you can bear losing your files, understanding that victims may choose to pay to recover important documents.
The justification is twofold. First, while ransomware authors may try to prove their trustworthiness, there is ultimately no guarantee that paying the ransom will restore your files. There may be no working decryption key at the end of the line—sometimes just because of a mistake by the author.
Second, paying the ransom supports the ransomware business model. By refusing to pay, you are theoretically doing the entire community good with your conscientious objection.
But it will take more than just a few principled victims to stop the threat entirely. New innovations have made malware easier to deploy and incentivized hackers to spread it. Losing out on a few ransoms might not stop rogue developers with dreams of making millions.
