Got ransomware? What are your options?

As you can imagine, one of the most common questions we get asked about ransomware is, “What do I do now?”

It’s easy to be wise after the event: could’a, would’a, should’a.

Could have ignored the instructions to “Enable Macros”; would have been smart just to delete the email in the first place; should have bought that USB backup drive last week when they were on special at $45.

But what if the worst has happened, all your files are encrypted, and you’re staring down the barrel of a pay page where the crooks are calmly demanding $300 in Bitcoin for the key to unlock your precious files?

We’re assuming that you have no offline backups, and that the only copies of the files you want to preserve are sitting there in scrambled form on your hard disk, so near but yet so far.

Can you get your files back without paying?

As usual with IT-related questions, the answer is, “It depends.”

Shortcuts to recovery

Sometimes, the crooks make programming mistakes and there is a sneaky shortcut to recover for free.

For example, in the first ever ransomware attack, back in 1989/1990 (true!) the crook behind the scam wanted you to send a bank draft for $378 to an accommodation address in Panama.

However, he took the cryptographic shortcut of using the same encryption key on every computer, so free tools to unscramble files encrypted by the malware, known as the AIDS Information Trojan, soon appeared.

Similarly, in a recent case of Linux-based ransomware, the programmers chose a unique sequence of encryption keys for each server that they attacked, so that even two identical copies of a file would end up scrambled differently.

But they generated their keys using an algorithmic sequence known as a pseudo-random number generator, or PRNG, that was kickstarted using the timestamp of the first file that was scrambled.

Therefore, with a little guesswork, you could reconstruct the list of decryption keys yourself.
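As an added illustration (not code from the original article, nor from the malware it describes), here is why a timestamp-seeded PRNG gives the game away: the whole key list is determined by one guessable number, so a victim who knows roughly when scrambling started and how one file normally begins can simply try every candidate seed. The PDF header, the seed, the window, and the choice of Go's math/rand with AES-CTR are all constructed assumptions for this demonstration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
	"math/rand"
)

// keysFromSeed mimics the weak design: every per-file key comes from a deterministic PRNG.
func keysFromSeed(seed int64, n int) [][]byte {
	r := rand.New(rand.NewSource(seed)) // math/rand is NOT a cryptographic generator
	keys := make([][]byte, n)
	for i := range keys {
		keys[i] = make([]byte, 16)
		binary.LittleEndian.PutUint64(keys[i][:8], r.Uint64())
		binary.LittleEndian.PutUint64(keys[i][8:], r.Uint64())
	}
	return keys
}

// xorStream is AES-CTR with a fixed IV, so scrambling and unscrambling are the same call.
func xorStream(key, data []byte) []byte {
	block, _ := aes.NewCipher(key) // key is always 16 bytes here, so this cannot fail
	out := make([]byte, len(data))
	cipher.NewCTR(block, make([]byte, aes.BlockSize)).XORKeyStream(out, data)
	return out
}

// recoverSeed is the victim-side check: given the approximate time the first file was
// scrambled and the header that file normally starts with, try every second in the window.
func recoverSeed(approx, window int64, knownHeader, firstBlock []byte) (int64, bool) {
	for s := approx - window; s <= approx+window; s++ {
		key := keysFromSeed(s, 1)[0]
		if bytes.Equal(xorStream(key, firstBlock), knownHeader) {
			return s, true
		}
	}
	return 0, false
}

func main() {
	header := []byte("%PDF-1.4\n") // constructed known plaintext
	secret := int64(1456790400)    // constructed hidden seed (a Unix timestamp)
	scrambled := xorStream(keysFromSeed(secret, 1)[0], header)
	fmt.Println(recoverSeed(secret+1800, 3600, header, scrambled))
}
```

Once the seed is known, keysFromSeed reproduces every later per-file key too, which is exactly the "list of decryption keys" the text refers to.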

There are other ways you might be able to get some or all of your data back without a proper, offline backup, for example on a removable disk or in the cloud.

For example, Windows lets you make shadow copies of your files: a sort of rolling, on-line backup that keeps earlier versions of files handy.

Shadow copies are stored in aptly-named Volume Snapshot Service (VSS) files.

VSS files may therefore provide a quick fix against some ransomware, but that’s not very likely these days, because most ransomware deliberately triggers system commands to remove all your VSS files before scrambling the data that’s left.

So, if you’ve been hit by ransomware, and you can identify the malware strain involved, it’s worth asking around just in case there are any shortcuts that might let you recover without paying.

Nevertheless, we have to be blunt here, and tell you, “These days, it’s unlikely, so expect the worst.”

Longcuts to recovery

When a legitimate program modifies an existing file, it usually makes a copy of the file first, modifies the copy, and only then deletes the original.

This is a handy programming precaution to give you a chance of recovery in case something goes wrong and the program crashes in the middle of processing the file.

If the crooks use this sort of process when scrambling your files, there’s a slim chance of undeleting some of your old files, assuming that the crooks used the operating system’s regular file-deletion function.

That’s because most operating systems don’t overwrite deleted files immediately: to save time, they simply label the disk space occupied by the old file as “available for re-use”, so that it’s often possible to recover old files, at least for a while.

But undeleting files is a hit-and-miss operation.

To do it properly may require spending both time and money on a data forensics expert, and even then, you might end up with disappointingly incomplete results.

Calling in forensic experts is probably what would happen in a really important case, such as a murder investigation.

But after a ransomware attack, you might as well assume that data recovery will end up much more expensive than the ransom the crooks are demanding.

Of course, ransomware crooks don’t want you to recover without paying, so they don’t need to be so careful in their coding.

They typically just overwrite your files in place, aiming to leave as little as possible of the old content behind.

In theory, however, even rewriting a file in place might not actually overwrite the disk sectors in which the original content was stored.

Some operating systems, and some disk devices, deliberately shuffle writes around on the disk to perform what’s called wear levelling.

Solid state disks that use flash memory actually degrade with use due to wear-and-tear right down at the electron level, so writing over and over to the same memory cell can shorten the life of the device. Thus, wear levelling.

So, trying to dig down to the disk sector level, or even to the disk device’s firmware level, to look for data that was overwritten logically but not physically, is technically possible.

Once again, however, it would be much more uncertain, and very, very much more expensive, than just swallowing your pride and paying the crooks.

Cracking the encryption

The last way to cut the ransomware crooks out of the equation is to crack the encryption they’ve used.

As mentioned above, they sometimes make programming blunders, or choose weak ciphers, or use strong ciphers incorrectly, and therefore leave behind cryptanalytical backdoors.

But if they’ve done the crypto correctly, cracking it is as good as impossible, and here’s why.

A lot of ransomware, such as CryptoWall and Locky, uses a technique like this:

  • Connect to a server run by the crooks and download an RSA public key unique to your computer.
  • Generate a random AES key for each file (keeping it only in memory) and encrypt the file.
  • Encrypt the AES key with the RSA public key and save the encrypted file-decryption key along with the file.

Don’t worry if you have to read that a few times to get the picture of what is going on.

The trick is that the RSA encryption algorithm relies on two keys, not one: the public key locks your data, and thereafter, only the private key can unlock it.

In other words, if the crooks generate an RSA public-private key pair in the cloud for each infected computer, and only ever send out the public keys, then the crooks really are the only possible source of the unique private key needed to unlock the AES keys that in turn unlock your files.

Why not just encrypt the files themselves with the RSA public key, and leave out the AES part?

That’s because RSA is so slow that it’s only practical to use it to encrypt small amounts of data, such as randomly-chosen keys for much faster algorithms such as AES.

Why use a different key for every file?

That’s so every file encrypts differently, even if it has the same content, so you can’t use decryption hints from one file to decrypt any others.
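The three-step scheme described above, as an added example that is not the article's code nor any product's: it is the same envelope pattern that legitimate backup and storage encryption uses, and it makes both points concrete, that identical files encrypt differently and that nothing left on the machine can unwrap a file key without the private key. The on-disk layout, the key sizes and the RSA-OAEP/AES-GCM choices are assumptions made here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// sealedFile is the constructed on-disk layout assumed here: nonce, ciphertext, wrapped key.
type sealedFile struct{ Nonce, Ciphertext, WrappedKey []byte }

// newKeyPair stands in for the per-victim key pair generated on the server.
func newKeyPair() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// aesGCM builds the AEAD; the key is always 32 bytes, so the constructors cannot fail.
func aesGCM(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// seal encrypts one file under a fresh random AES-256 key; only the RSA-wrapped copy is kept.
func seal(pub *rsa.PublicKey, plaintext []byte) (sealedFile, error) {
	fileKey, nonce := make([]byte, 32), make([]byte, 12)
	rand.Read(fileKey) // crypto/rand, not a timestamp-seeded PRNG
	rand.Read(nonce)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return sealedFile{}, err
	}
	ct := aesGCM(fileKey).Seal(nil, nonce, plaintext, nil)
	return sealedFile{nonce, ct, wrapped}, nil // the plain fileKey is now dropped
}

// unseal needs the RSA private key: without it the wrapped AES key cannot be recovered.
func unseal(priv *rsa.PrivateKey, f sealedFile) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, f.WrappedKey, nil)
	if err != nil {
		return nil, err // wrong or missing private key
	}
	return aesGCM(fileKey).Open(nil, f.Nonce, f.Ciphertext, nil)
}

func main() {
	priv, _ := newKeyPair()
	f, _ := seal(&priv.PublicKey, []byte("constructed sample file"))
	fmt.Println(unseal(priv, f))
}
```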

In other words, decrypting all your files without paying is equivalent to one of these feats:

  • Cracking the RSA public-private encryption algorithm and thus recovering all the per-file AES keys.
  • Cracking the AES encryption algorithm, once for each file.

We don’t want to discourage you, but we think that’s a much harder and much less certain undertaking than paying the crooks.

What to do?

It sounds as though we’re advising you simply to pay up.

For the record, we recommend that you don’t pay, on the grounds that this means sending money to criminals.

Indeed, if you get hit by ransomware and you decide to take it on the chin, write off all your files, and start over, we say, “Power to you,” and we salute your fighting attitude.

What we are saying is that if you really need your files back, and you haven’t taken any precautions such as backing up, then you don’t really have any choice but to pay.

We’d rather you didn’t pay up, but if you do, we understand and respect your choice. (It’s easy to be high and mighty when it’s not your data on the line!)

We really wish things weren’t like that, but we thought it would help if we explained your options in an uncompromising sort of way.

In other words, “Prevention is better than cure!”

Useful ransomware precautions

  • Back up regularly and keep a recent backup copy off-site. There are dozens of ways other than ransomware that files can suddenly vanish, such as fire, flood, theft, a dropped laptop or even an accidental delete. Encrypt your backup and you won’t have to worry about the backup device falling into the wrong hands.
  • Don’t enable macros in document attachments received via email. Many ransomware attacks arrive in documents, and rely on persuading you to enable macros (embedded document scripts). Don’t do it: Microsoft deliberately turned off auto-execution of macros by default many years ago as a security measure.
  • Consider installing the Microsoft Office viewers. These viewer applications let you see what documents look like without opening them in Word or Excel itself. In particular, the viewer software doesn’t support macros at all, so you can’t enable macros by mistake!
  • Be cautious about unsolicited attachments. Crooks who send malware in documents are relying on the dilemma that you shouldn’t open a document until you are sure it’s one you want, but you can’t tell if it’s one you want until you open it. If in doubt, leave it out.
  • Don’t give yourself more login power than you need. Most importantly, don’t stay logged in as an administrator any longer than is strictly necessary, and avoid browsing, opening documents or other “regular work” activities while you have administrator rights.
  • Patch early, patch often. Malware that doesn’t come in via document macros often relies on security bugs in popular applications, including Office, your browser, Flash and more. The sooner you patch, the fewer open holes remain for the crooks to exploit.