Here is a scenario from the post-pandemic, work-from-home world:
A remote agent logs in to their computer. While waiting for other users to join a conference call, the person goes to make a cup of coffee. Upon returning, the conference is not quite ready yet, so the person decides to catch up on some e-mail. While looking through messages, one in particular catches their attention.
The subject reads “URGENT: You Must Run Security Update To Prevent Computer Attack”. The message is opened. It appears to come from the IT administrator, asks the user to update their computer, and contains a link labelled “Update Computer Now”. Taking the request at face value, the person immediately clicks the link, and a script runs in the background. What the user does not know is that the script is malicious and is now encrypting the files on their computer.
Running the update would seem like the right thing to do, and the person returns to their daily grind. Later that day, the person runs into some issues. Some of the files on the computer could not open properly. It seems to be a glitch that will “fix itself later”. Suddenly, a pop-up message appears on screen.
The person has been hit with malware, and more specifically with ransomware: malicious software that encrypts the victim’s files and demands payment in exchange for the key needed to recover them. (Malware is the general term for any malicious software; a virus is just one kind, and ransomware is another.) The person is now the victim of a cyberattack whose business model is extorting users into paying to get their own files back.
Today, ransomware is becoming more direct and, in a sense, more user-friendly, because the perpetrators want to make it easy for victims to pay. Gone are the cryptic notes that required the victim to have some technical knowledge. The catch is that ransom payments are demanded in cryptocurrency, and buying and sending crypto is not as easy as making a payment through a familiar service like Venmo or PayPal.
Ransomware victims are getting an education in crypto, but in the most unfortunate way. Some ransomware authors include instructions on how to purchase cryptocurrency such as Bitcoin (BTC). Not every victim knows anything about crypto, so providing that information helps the attackers collect the ransom. Some notes go into considerable detail.
Some notes try to calm the victim by adopting a more relaxed tone. Obviously, the perpetrators want to get paid, and the only way that can happen is if the victim learns how to use crypto. The steps require the victim to have a digital wallet and to buy crypto from an onramp such as an exchange. Exchanges run KYC (Know Your Customer) checks, which means the victim must hand over personal information as part of regulatory compliance. Once cleared, they can buy crypto and pay the ransom. There could be a problem here.
If the victim is already familiar with crypto, they may have a wallet and be ready to pay. Otherwise they will have to sign up with an exchange and pass its KYC vetting. Approval can be instant or it can take hours or days. Time is precious because some ransomware sets a deadline of 24 to 48 hours. If the deadline is not met, the perpetrators claim the decryption key will be destroyed and the files lost forever. This is probably a scare tactic to pressure the victim: the added anxiety is meant to make them pay.
Another route perpetrators point victims to is an over-the-counter (OTC) purchase, where no KYC is needed. This is typically a website that lets the victim buy crypto directly from another party, paying by wire transfer or a more familiar online payment method. The crypto, preferably Bitcoin, is then sent to the victim’s wallet, but what if the victim doesn’t have one? An alternative is a paper wallet, a printed private key and address. The victim can hand that over to the perpetrators, who then sweep the Bitcoin from it themselves.
It sounds complicated for non-technical users or anyone who has never used crypto before. What a victim learns here are the basics of how to set up a crypto wallet and how to buy crypto from a trusted source (e.g. an exchange) or from less trusted sources (e.g. over-the-counter).
There is also very little time to learn all this, and many victims will not be able to meet a deadline. That is why newer ransomware often has no deadline at all (which reduces the victim’s anxiety) and simply reminds the user that their files have been “protected” until they are “ready for recovery”, meaning until the ransom has been paid to the attackers’ crypto wallet address. That may actually prolong the anxiety, but at least it gives less technical or non-crypto-knowledgeable users time to figure things out.
Note: To see an example of a Bitcoin wallet address, visit a blockchain explorer and look at the sending or receiving address of any transaction.
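A ransom note’s wallet address is also an indicator worth recording, and a mistyped or tampered address is a common reason a payment goes nowhere. The following is an added example, not code from the original article: it validates legacy Base58Check Bitcoin addresses (the “1…” P2PKH and “3…” P2SH forms) by recomputing the double-SHA256 checksum, and pulls any valid ones out of free text. The sample note is constructed. Newer “bc1…” bech32 addresses use a different encoding and are deliberately out of scope here.

```python
"""Validate legacy (Base58Check) Bitcoin addresses found in a ransom note.

Added example, not from the original article. Handles P2PKH ("1...") and
P2SH ("3...") mainnet addresses only; bech32 "bc1..." is not covered.
"""
import hashlib
import re

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Mainnet version bytes (standard constants, not from the article).
VERSION_NAMES = {0x00: "P2PKH", 0x05: "P2SH"}


def b58decode(s: str) -> bytes:
    """Decode a Base58 string to bytes; each leading '1' is a leading 0x00 byte."""
    n = 0
    for ch in s:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            raise ValueError(f"invalid Base58 character {ch!r}")
        n = n * 58 + idx
    pad = len(s) - len(s.lstrip("1"))
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    return b"\x00" * pad + body


def validate_btc_address(addr: str) -> dict:
    """Return {'valid': bool, 'type': str | None, 'reason': str} for one address."""
    try:
        raw = b58decode(addr)
    except ValueError as exc:
        return {"valid": False, "type": None, "reason": str(exc)}
    if len(raw) != 25:  # 1 version byte + 20-byte hash + 4-byte checksum
        return {"valid": False, "type": None, "reason": f"decoded length {len(raw)} != 25"}
    payload, checksum = raw[:21], raw[21:]
    expected = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    if checksum != expected:
        return {"valid": False, "type": None, "reason": "checksum mismatch"}
    kind = VERSION_NAMES.get(payload[0])
    if kind is None:
        return {"valid": False, "type": None, "reason": f"unknown version byte {payload[0]:#04x}"}
    return {"valid": True, "type": kind, "reason": "ok"}


# Candidate tokens: legacy addresses are 26-35 Base58 chars starting with 1 or 3.
ADDR_RE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")


def extract_valid_addresses(text: str) -> list:
    """Find address-shaped tokens in free text and keep only those whose checksum verifies."""
    return [m for m in ADDR_RE.findall(text) if validate_btc_address(m)["valid"]]


# Constructed sample note (not a real ransom note). The first address is the
# well-known Bitcoin genesis-block address; the second has its last character
# altered, which breaks the checksum.
SAMPLE_NOTE = """Your files are protected. To recover them send 0.5 BTC to
1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa and e-mail us your ID.
Ignore this one: 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb"""

if __name__ == "__main__":
    for addr in ADDR_RE.findall(SAMPLE_NOTE):
        print(addr, validate_btc_address(addr))
    print("valid addresses:", extract_valid_addresses(SAMPLE_NOTE))
```

The checksum is what makes this useful: a single-character transcription error in an address fails validation rather than sending funds to an unrecoverable destination, and any address that does validate can be logged as an indicator without trusting the note’s formatting.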
The person in our scenario became a victim of ransomware as a result of a phishing attack. This is probably the most common way users get infected with ransomware. It was not sophisticated at all, and it could have been prevented.
The big question is should you pay for the ransom when you get infected?
It really is a question of how you value your data. If you have a backup of everything and are sure you can restore it, then don’t pay the ransom. It is worth your time to restore from backup rather than spending a large sum on a ransom, especially since payment does not guarantee recovery.
If you don’t have a backup and you are not certain you can recover (since you may have no other copies of the encrypted files), you may feel you have no other choice. Those who fall victim and pay the ransom tend to be companies that can’t afford to lose data. Cooperating with law enforcement to catch the perpetrators is a good option if a lot of data is at stake, but some attackers go further and blackmail their victims.
Those who pay the ransom have a lot of important data to lose. It can be incriminating evidence of something (e.g. financial crime, fraud, sexual misconduct). The attackers selectively target such users knowing they can blackmail them. Politicians and public figures are likely to pay, to keep things out of the news.
You do have the option of approaching the authorities if it is a matter of corporate or national security. If the data is important to business operations, the best option is to hire cybersecurity professionals who specialize in ransomware recovery. For some ransomware families, decryption tools exist because the attackers’ keys were leaked or seized, or because the encryption was implemented incorrectly. Properly implemented modern encryption cannot be brute-forced, however, so recovery otherwise depends on backups. Certain organizations (e.g. Abuse.ch) also help fight ransomware and offer services to those who have been affected.
Ransomware authors are getting cleverer with their tactics. They now make ransomware more “user-friendly” so that they can collect the ransom more easily. By providing detailed instructions on how to set up a digital wallet and how to purchase cryptocurrency to pay the ransom, the note becomes a tutorial for onboarding “new” cryptocurrency users. This is of course all for the wrong reasons, and it gives cryptocurrency a bad name.
Ransom notes are also becoming more commercial than threatening. They explain what happened, giving the user time to process it. Earlier notes were blunt: pay in cryptocurrency (e.g. Bitcoin) before a deadline, usually 24 to 48 hours. Now deadlines are less common, and the user can pay at any time if they want their files back.
The best thing to do is to avoid ransomware. Be alert to unsolicited e-mail; it is the usual delivery vehicle for phishing. Treat mail claiming to come from co-workers or professional connections with the same care, since sender addresses are easily spoofed, and verify unexpected requests through another channel. Spam filtering and antivirus software help, but do not catch everything. Don’t be fooled by spoofed e-mail that asks you to change a password or click an “update” link; check where a link actually points before clicking. It is also important to back up your most important files regularly, and to keep at least one copy offline or otherwise out of reach of the machine, because ransomware also encrypts connected drives and network shares. You can always reinstall apps and programs, so prioritize saving the data on your computer or smartphone that you cannot replace.
If you do become a victim of ransomware, be prepared to restore your data from backup. If you don’t have a backup, you will have to learn how to use cryptocurrency to make the ransom payment. Unfortunately, even paying does not guarantee you will get your data back. Attackers can accept the payment and never provide the keys to decrypt or restore your data. That can be a painful lesson, delivered in the friendliest manner so that you understand exactly how to give the attackers what they want.
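Much of the lure in the opening scenario is visible in the message itself: a sender address that does not match the mail’s return path, an “Update Computer Now” link pointing at a different domain, and a target that is a script rather than a web page. The following is an added example, not code from the original article, showing a few of those checks run over a constructed phishing message and a constructed benign one. The domains, addresses and the list of dangerous file extensions are illustrative assumptions.

```python
"""Heuristic checks for a phishing e-mail like the "run security update" lure.

Added example, not from the original article. The two sample messages are
constructed; the domains and addresses are placeholders.
"""
import email
import email.utils
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Extensions that should never arrive via an "update" link in mail (assumed list).
SCRIPT_EXTS = (".ps1", ".js", ".jse", ".vbs", ".hta", ".exe", ".scr", ".bat", ".cmd", ".msi")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _domain(header_value) -> str:
    """Lower-cased domain part of the first address in a header, '' if none."""
    addr = email.utils.parseaddr(str(header_value or ""))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyse_message(raw: bytes) -> list:
    """Return human-readable findings; an empty list means nothing looked suspicious."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    from_dom = _domain(msg["From"])
    ret_dom = _domain(msg.get("Return-Path"))
    if ret_dom and ret_dom != from_dom:
        findings.append(f"Return-Path domain {ret_dom} differs from From domain {from_dom}")
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return findings
    collector = LinkCollector()
    collector.feed(body.get_content())
    for href, text in collector.links:
        url = urlparse(href)
        host = (url.hostname or "").lower()
        if host and host != from_dom and not host.endswith("." + from_dom):
            findings.append(f"link '{text}' points off-domain: {host}")
        if url.path.lower().endswith(SCRIPT_EXTS):
            findings.append(f"link '{text}' downloads a script/executable: {url.path}")
        if host and host.replace(".", "").isdigit():
            findings.append(f"link '{text}' uses a raw IP address: {host}")
    return findings


# Constructed phishing sample modelled on the scenario in the article.
PHISH_EMAIL = b"""From: "IT Help Desk" <admin@corp-example.com>
Return-Path: <bounce@mail-relay.example.net>
To: agent@corp-example.com
Subject: URGENT: You Must Run Security Update To Prevent Computer Attack
Content-Type: text/html; charset="utf-8"

<html><body><p>Please run the security update immediately.</p>
<a href="http://corp-example-update.example.net/secupdate.ps1">Update Computer Now</a>
</body></html>
"""

# Constructed benign sample: same sender, link stays on the sender's domain.
BENIGN_EMAIL = b"""From: "IT Help Desk" <admin@corp-example.com>
To: agent@corp-example.com
Subject: Patch window this Friday
Content-Type: text/html; charset="utf-8"

<html><body><p>Details on the intranet:</p>
<a href="https://intranet.corp-example.com/updates/">Patch schedule</a>
</body></html>
"""

if __name__ == "__main__":
    for name, sample in (("phish", PHISH_EMAIL), ("benign", BENIGN_EMAIL)):
        print(name, analyse_message(sample) or ["no findings"])
```

These checks are deliberately simple and will not catch a lure hosted on a compromised legitimate domain or delivered as an attachment; they illustrate the kind of mismatch a user can spot by hovering over a link and comparing it with the sender, which is the habit the prevention advice above is asking for.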