On Borrowed Time: The Threat of Ransomware

"Ransomware" is a type of malware that holds files or computer operations for ransom.  In the most common scenario, ransomware will encrypt files on an infected computer and demand that the user pay for the decryption key. Ransomware presents an unusual threat in that simply removing it from the computer does not solve the problem.  When files have been encrypted, removing the ransomware does not make them available again.  The files must be decrypted. We have been extremely lucky so far.  Most ransomware uses vulnerable encryption, like a simple XOR cipher, or a common key that need only be compromised once and then distributed to affected users.  The distribution of ransomware has also fallen short of that of other threats like scareware.  The number of people affected by ransomware has so far been small, and security researchers have been able to distribute unlocking tools capable of defeating the ransomware, but how long will we be so lucky? It may only be a matter of time until a more sophisticated, widespread ransomware assault hits the ill-prepared.  When ransomware uses strong encryption and uses unique keys for each victim, security researchers may be unable to offer unlocking tools and a victim's only recourse would be to pay the ransom.  When a widespread attack hits, the damage could be devastating, and the returns for the attackers would certainly provide inspiration and funding for further attacks. Some ransomware uses SMS short codes to take payments, which may allow attackers to hide the final billing amount or apply recurring charges and may allow panicked and unsuspecting minors to unknowingly make the payment without first alerting their parents.  Introducing mobile providers into the mix may also affect the ability of the victim to recover the charges. Scareware distributors have already figured out successful models, their threats are already close to the behavior of ransomware, and they certainly have the resources to develop more advanced ransomware.  Perhaps scareware can serve as a preview into what ransomware may do in the future. The protection is the same simple, long-standing advice: backups.  If the important stuff is backed up, then a computer infected with ransomware can be cleaned and returned to service without concern for encrypted files.  If you find yourself infected with ransomware and do not have backups, find a computer service company with security expertise that may be able to recover your locked data.  If you have paid the ransom, notify your credit card company or mobile carrier and get your computer cleaned by a professional as quickly as possible. If you do not have a backup routine, now is the time to create one.  You may be on borrowed time.


If [your OS] does not have a backup routine [setup automatically upon first login], now is the time [for the distribution] to create one.


Hello, I'm searching google and found your post. Nice post. Thanks!

What if the malware is inactive while looking for backups, and not scrambling the data until it gets a chance to nuke the backup?

Another reason for me to wanna have a \write-once-then-read-only\ backup an a huge NAS (network Attached Storage).

human's suck.