Ransomware is a simple concept. Attackers hold your data or your computer hostage so that you have to pay them to get your own data or computer back. This can be as simple as blocking access to your computer with a fake virus alert that says you are infected and must pay to have it removed. They also try to scare you by claiming you have been viewing child porn and that if you don't pay you are going to jail. These things have been around for quite a while and used to be easy to remove. They normally didn't damage your files, and once the computer owner understood what they were and how to remove them they didn't cost that much.
What changed?
Back in 2013 things changed. A ransomware called CryptoLocker was released that did something that up to that point wasn't widely done: it encrypted the user's files, and it did a very good job of it. It rendered the files unrecoverable without the encryption key, so the user had to pay for the decryption key to get their files back. The writers of CryptoLocker made an estimated $30 million in one hundred days of operation. This proved to everyone that ransomware could be extremely profitable if written correctly.
Malware writers started to write more and more encryption ransomware because there was money in it. That trend has continued to this day.
How it works
Crypto ransomware works by encrypting all of your files and charging you a fee to unlock them. Depending on the variant, it will also encrypt the files on network shares and external drives. Its goal is to encrypt everything you have access to without disabling your computer, because if it disabled your computer you couldn't pay the ransom. Crypto ransomware will also try to prevent recovery in other ways, such as deleting Windows restore points.
It uses public key cryptography to encrypt your files, so the decryption key is never stored on your computer. Even if it is caught in the act of encrypting your files, there is no key on your computer to decrypt them.
Stopping Crypto Ransomware
So how do you stop crypto ransomware? The point of crypto ransomware is that you can't do anything to recover your files once you are infected. So what you have to do is back up your files, but in a way that will not be affected by crypto ransomware. Look at your backup. Can software running on your computer delete or modify your backup? There has to be some kind of separation between your backup and the computer that can be infected.
If your current backup is an external drive attached to your computer, it will be encrypted just like the rest of your files. In this case I would recommend at least getting a second hard drive and rotating them weekly. That way, if you are hit by crypto ransomware, you can at least restore from a week ago. Yes, you will lose files, but not as many as you would if everything got encrypted. This doesn't follow the 3-2-1 backup rule, but it is much better than not having anything at all.
If you're using an online backup solution that supports versioning, then even if encrypted versions of your files are uploaded you will still be able to restore an earlier version. The crypto ransomware can't delete your files in the cloud or encrypt them because it does not have access to your account. This provides a layer of protection between your desktop computer and your backup.
Just look to create a layer of protection between your backup and your computer. This can be as simple as disconnecting your backup drive, as we have seen above, or something more complex like having a backup server that manages the backups for you. This is basically what cloud backups do. Start looking at your setup and asking yourself: can one computer delete all of my backups? If your answer is yes, then there isn't any separation.
Don't forget about the 3-2-1 backup rule: 3 copies of your data, 2 different media types, 1 off site. The off-site copy can't be encrypted because you don't have immediate access to it. This provides your separation.
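An added example (not from the original post) that models the separation test above: a plain mirror backup that the workstation can overwrite is compared with a versioned, append-only store that offers the client no delete or overwrite operation. Both stores, the sample files and the "infection" (the originals replaced with unreadable bytes) are constructed for the demonstration; the VersionedStore is a simplified model of what a versioning cloud backup does, not any vendor's product.

```python
import os
from dataclasses import dataclass, field

# Constructed sample "user files" that the backup client protects.
SAMPLE_FILES = {"report.docx": b"quarterly numbers", "photo.jpg": b"\xff\xd8family"}


@dataclass
class MirrorStore:
    """Backup the workstation can overwrite, e.g. an always-attached external drive."""
    files: dict = field(default_factory=dict)

    def upload(self, name, data):
        self.files[name] = bytes(data)           # newest copy replaces the old one

    def restore(self, name, version=-1):
        return self.files[name]                  # only one copy exists; version ignored


@dataclass
class VersionedStore:
    """Append-only store: every upload becomes a new version and the client has
    no delete or overwrite operation (assumed model of a versioning cloud backup)."""
    versions: dict = field(default_factory=dict)

    def upload(self, name, data):
        self.versions.setdefault(name, []).append(bytes(data))
        return len(self.versions[name])          # version number just stored

    def restore(self, name, version=-1):
        return self.versions[name][version]      # -1 = newest, -2 = one version back


def simulate(store):
    """Back up the sample files, stand in for an infection by replacing every file's
    contents with unreadable bytes, let the scheduled backup run again, then try
    to recover the originals. Returns True only if recovery succeeds."""
    files = dict(SAMPLE_FILES)
    for name, data in files.items():
        store.upload(name, data)
    # Stand-in for encryption: the original contents are gone from the desktop.
    files = {name: os.urandom(len(data)) for name, data in files.items()}
    for name, data in files.items():             # the scheduled backup runs anyway
        store.upload(name, data)
    # Recovery: ask each store for the version before the damaged upload.
    recovered = {name: store.restore(name, version=-2) for name in files}
    return recovered == SAMPLE_FILES


if __name__ == "__main__":
    print("mirror store recovers originals:   ", simulate(MirrorStore()))     # False
    print("versioned store recovers originals:", simulate(VersionedStore()))  # True
```

The mirror store fails because the damaged upload replaced the only copy; the versioned store succeeds because the workstation can only add versions, never remove them, which is the separation the paragraph asks you to check for.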