In cyber extortion, pay ransom to unlock PC


November 10, 2013

MUMBAI: Extortion is thriving in cyberspace, with malicious software denying users access to their computers or files until they pay a ransom. Last month, a senior executive from Pune found himself shut out of his personal computer and all data stored on it by 'ransomware'.

Earlier, a senior executive from the western suburbs lost important data after a similar attack, which experts caution is triggered by clicking on suspicious email attachments.

'Ransomware' is a kind of malware which locks a computer and all files on it by encrypting them. To save files, the user is asked to pay a ransom.

Once 'ransomware' affects a PC, a message pops up demanding a ransom in exchange for the key to unlock the computer, warning any attempt to remove or damage the software will lead to immediate destruction of the key.

In April this year, a Juhu-based executive had to format his entire system on the advice of cyber experts, and consequently lost important data. "He was forced to format the drives as he didn't pay the ransom. The virus could have attacked his system either due to songs downloaded through free sites or by clicking on unknown attachments encrypted with ransomware," said cyber advocate Vicky Shah.

Shah said such malware, popularly known as ransomware, is spread using social engineering tricks, especially via email attachments. "Once the victim opens such an attachment, the ransomware gets installed and scans the hard disk for documents. It then encrypts these files, converting them into an unreadable form. The ransomware then pops up a message and demands a ransom between $100-1,500 or higher, for the private key to decrypt the files. The message also displays a time limit within which the payment must be made or the entire data on the system is destroyed," he said.

Earlier, in 2012, a senior SoBo executive ended up paying a hefty ransom in dollars for the keys, to prevent destruction of confidential company information. The virus was set with a timer. "In this case, not only was the user's PC locked, the .doc and .pdf files on his hard disk were also password protected. Unless he sent money to the hacker, he wouldn't get the passwords. As it was a senior executive's computer, he had no choice but to pay up. Even the world's best security professionals may not be able to decipher such malware at times," said cyber expert Vijay Mukhi.

Experts said computers can be shielded against most malware, including ransomware, if licensed versions of software and anti-virus solutions are installed on a computer. Joint commissioner of police (crime), Himanshu Roy, said the cyber crime branch of the Mumbai police has not received any such complaints. "Victims hardly come forward with complaints because most of them use non-licensed software. Many victims don't even install a firewall, making it easier for malware to encrypt the system," said Roy.

BKC cyber crime police senior inspector Nandkishore More said it is very difficult to trace the server from where the virus is sent. "Two types of ransomware are sent through mail attachments, one is the CryptoLocker and another is MBR. The Master Boot Record (MBR) interrupts the computer's normal boot process and a ransom demand is displayed on screen instead," said More.

Last month, a Pune-based director of a machine manufacturing company was left helpless when his personal computer got infected by a ransomware called "CryptoLocker". A warning popped up on the system screen of Maruti Kautkar, director of Jagruti Technical Services, demanding $100 USD or a similar amount in other currency, in exchange for the unlock key. The warning also said the single copy of the private key, which would allow Kautkar to decrypt the files, was located on a secret server and would be destroyed after a specified time. "The problem might have started after he opened an email attachment from an unknown sender. After some time his computer screen displayed a message demanding money in exchange for a key to recover his files," said Sanjay Katkar, chief technical officer of Quick Heal.

What is ransomware

An offshoot of malware – malicious code that could be disguised in the form of an app, software or web link – ransomware takes control of your data or locks you out of your computer

In order to regain access to the locked data or PC, the victim is directed to pay a ransom amount within a stipulated period

Payments are made as vouchers, which are difficult to trace and usually irreversible. The latest ransomware on the block, called CryptoLocker, makes its victim pay $300 in Bitcoins

After paying the ransom amount, there is never any guarantee that access to the locked data will be regained

To pay or not to pay:

If the data is not locked by way of encryption, there is a fair chance that the ransomware can be removed. The process is not as easy as uninstalling software and may require you to download specific removal tools from antivirus websites. It is advisable to seek professional advice

Ransomware like CryptoLocker is unique. It encrypts data and demands money in return for the decryption key. To decrypt the data, security experts will need to be called in. This could be time-consuming and prove to be expensive

Paying the ransom may solve the problem but does not mean the user will not be targeted again. The victim may not even regain control of his or her data, since the purpose of extorting money has already been accomplished. Ironically, there have been cases where victims were deprived of the decryption key after having made the payment because the controlling servers were brought down by ethical hackers

You are infected, what are your options?

If the computers are part of a network (home or office), disconnect them from the local network. This will stop the infection from spreading or communicating with its command-and-control servers on the internet

Ransom payment should be your last option. Get in touch with a professional technician. The cost of ransomware removal would depend on how complicated it is to extract it from the system. If the ransomware uses encryption, it could prove to be time-consuming and difficult to decrypt

Get in touch with your local authorities.

Advisory: How do I protect myself against a ransomware infection?

Use genuine licensed software and update it regularly, or use open source software

Ensure that the anti-virus, anti-malware and anti-spyware software installed on your PC is always up to date. However, this does not guarantee complete protection from malicious code

In case your antivirus fails to detect a ransomware infection, it is prudent to take frequent backups of your data. If your data is compromised, you will be able to safely reinstall Windows and restore from the backup

Make sure your web browser (Internet Explorer, Mozilla Firefox, Chrome) is updated

Do not click on any links in e-mails from friends, couriers sharing tracking information, job recruitment sites, local government services, supposed social networking sites, etc

Ignore text messages that contain web links or shortened links to unknown websites

While making online bank transactions, always use the virtual keyboard to prevent malware from recording your keystrokes

Do not believe ad pop-ups that profess to make your computer faster or try to scare you into believing it needs maintenance

Do not open e-mail attachments that contain an .exe file; cross-check with the sender if he is known to you. Disregard the ones that come from unknown senders
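The advisory above warns against opening attachments that carry an .exe file. As an added example that is not part of the article, the following Python script parses a constructed e-mail and flags attachments either by an executable file extension (including double extensions such as .pdf.exe) or by the "MZ" header of a Windows executable, which catches a renamed file that a name-only check would miss; the extension list, addresses and file names are assumptions.

```python
# Added example (not from the article): flag e-mail attachments that carry a
# Windows executable, the attachment type the advisory says not to open.
# It checks both the file name extension and the file's leading bytes, since
# a renamed executable keeps its PE header even with a harmless-looking name.
import email
from email import policy
from email.message import EmailMessage

# Extensions treated as executable content (assumption: a typical short list).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
MZ_MAGIC = b"MZ"  # first two bytes of a Windows PE executable


def attachment_findings(raw_message: bytes) -> list:
    """Return (filename, reason) pairs for attachments that look executable."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        payload = part.get_payload(decode=True) or b""
        lower = name.lower()
        # endswith() also catches double extensions such as invoice.pdf.exe
        if any(lower.endswith(ext) for ext in EXECUTABLE_EXTENSIONS):
            findings.append((name, "executable extension"))
        elif payload[:2] == MZ_MAGIC:
            findings.append((name, "PE header despite non-executable name"))
    return findings


def build_sample_message() -> bytes:
    """Constructed sample: a benign text attachment, a renamed executable
    and a plainly named .exe. Payloads are stub bytes, not real programs."""
    msg = EmailMessage()
    msg["From"] = "courier@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Your parcel tracking information"
    msg.set_content("Please see the attached tracking details.")
    msg.add_attachment("tracking number 12345", filename="tracking.txt")
    msg.add_attachment(b"MZ" + b"\x00" * 62, maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(b"MZ" + b"\x00" * 62, maintype="application",
                       subtype="octet-stream", filename="tracking_info.pdf.exe")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reason in attachment_findings(build_sample_message()):
        print(f"BLOCK {name}: {reason}")
```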

Similar threats:

CryptoLocker: This ransomware encrypts data and shares the unlock key only after payment is made within a stipulated period

Reveton: This ransomware poses as a local enforcement agency, charging the victim with criminal activity online. The fake police warning then frightens the user into paying a fine in return for an unlocked system. This method does not use encryption and can be remedied with an antivirus and specific removal tools

How the virus functions:

  • CryptoLocker ransomware activates on the system when an internet user clicks a mail attachment that carries the Trojan
  • The ransomware encrypts personal files and folders and locks them before a pop-up appears on the screen demanding a payment of 300 USD to 1500 USD to release the unlock key.
  • It is malicious software that denies you access to your computer or files until you pay a ransom.
  • It 'locks' the screen (presents a full-screen image that blocks all other windows) and demands payment within a stipulated time. If the ransom is not paid through some foreign payment site, the entire data on the system is damaged.

Courtesy: TOI