'Ransomware' a game-over scenario unless you have backups

Rob Pegoraro | Special for USA TODAY

Q. I thought I went to Microsoft’s site to download a malware finder, but instead this program told me all my files are encrypted and I must pay 3 Bitcoin or $700 to get them unlocked. What can I do?

A. This year’s most depressing reader e-mail took the form of this testimony from a victim of “ransomware” -- malware that encrypts files on your computer, then demands an extortionate sum to unlock them.

“Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server,” read the note left in every directory on this reader’s PC by the CryptoWall ransomware program.

I asked a handful of security experts if my reader had any alternative between paying up or saying goodbye to those locked files. Their answer: sorry, nope.

That’s because the strain of ransomware that hijacked this person’s PC, CryptoWall, resists the counterattacks outlined in such ransomware-defense guides as this Microsoft support document and another maintained by the Clearwater, Fla., security firm KnowBe4.

CryptoWall -- described in June by the Federal Bureau of Investigation’s Internet Crime Complaint Center as “the most current and significant ransomware threat targeting U.S. individuals and businesses,” responsible for more than $18 million in reported losses -- doesn’t reuse encryption keys between attacks or leave decryption keys on a victim’s computer.

“CryptoWall's use of unique keys for each infection makes it impossible to find a ‘one-size-fits-all’ solution to recover the encrypted files,” wrote Nick Buchholz, senior threat researcher at the Atlanta-based security firm Damballa.

Johannes B. Ullrich, dean of research at the SANS Technology Institute, suggested booting the computer from a flash drive running an anti-malware toolkit such as the one Trend Micro offers, then trying to recover the “shadow” copies Windows’ System Restore function automatically generates. But CryptoWall comes set to wipe those files too.
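Two checks a technician would run before giving up on the shadow copies, as an added example that is not part of the column or of any vendor's toolkit: the first asks Windows how many Volume Shadow Copies still exist, the second looks for the process-creation event that the usual "vssadmin delete shadows" or "wmic shadowcopy delete" run leaves behind. That ransomware deletes snapshots with those commands is a general observation about the malware class, not something the column states about CryptoWall, and the event search only works when process-creation auditing with command-line logging (Event ID 4688) is enabled, which is not the Windows default; both are assumptions here.

```powershell
# Added example (not from the column): check whether Windows' Volume Shadow
# Copies survived, and look for the process-creation event left by a
# "vssadmin delete shadows" / "wmic shadowcopy delete" run.
# Assumptions: run as Administrator; Security-log auditing of process
# creation (Event ID 4688) with command-line logging is turned on.

function Get-ShadowCopySummary {
    # Win32_ShadowCopy lists the snapshots that System Restore / VSS created.
    $copies = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue)
    [PSCustomObject]@{
        Count  = $copies.Count
        Newest = ($copies | Sort-Object InstallDate -Descending | Select-Object -First 1).InstallDate
    }
}

function Find-ShadowDeletionEvents {
    param([int]$Days = 7)
    $since = (Get-Date).AddDays(-$Days)
    # 4688 = "A new process has been created". Its message carries a
    # "Process Command Line:" field only when command-line auditing is on.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } -ErrorAction SilentlyContinue |
        Where-Object {
            $_.Message -match 'vssadmin(\.exe)?\s+delete\s+shadows' -or
            $_.Message -match 'wmic(\.exe)?\s+shadowcopy\s+delete'
        } |
        Select-Object TimeCreated, @{
            Name       = 'CommandLine'
            Expression = {
                ($_.Message -split "`r?`n" | Where-Object { $_ -match 'Process Command Line' }) `
                    -replace '^\s*Process Command Line:\s*', ''
            }
        }
}

$summary = Get-ShadowCopySummary
if ($summary.Count -eq 0) {
    Write-Host 'No shadow copies remain on this machine.'
} else {
    Write-Host "$($summary.Count) shadow copies present; newest from $($summary.Newest)."
}

Find-ShadowDeletionEvents -Days 30 | Format-Table -AutoSize
```

If the first check returns zero copies and the second shows a deletion command timed just before the ransom notes appeared, the snapshots are gone and the bootable-toolkit route Ullrich describes will not bring the files back; if auditing was off, the second check simply returns nothing, which is absence of evidence, not evidence that the copies were never deleted.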

Coughing up the ransom is no answer, wrote Jerome Segura, senior security researcher at Malwarebytes Labs: “Paying the crooks [...] only contributes to fuel this underground economy."

Besides, as Buchholz wrote, “even if a victim pays, there's no guarantee they'll get their files back.”

Your only safe recourse is to have backups of your files -- but not just any backups, since CryptoWall will encrypt whatever it can reach, including drives attached to the computer by cable and shares mapped over the network.

And that’s where this reader had one iota of luck: He had an external drive that was unplugged during the attack.
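What the reader got by luck can be made routine. The script below is an added example, not from the column: it backs up a folder to an external drive only when that drive is attached, keeps each run as a separate dated folder so an encrypted copy can never overwrite a good one, and then ejects the drive so it is disconnected until the next run. The volume label "BACKUP", the source folder, and the retention count are assumptions; robocopy ships with Windows. Ejecting is not the same as unplugging, so the closing prompt is the part that actually matters.

```powershell
# Added example (not from the column): versioned backup to an external
# drive that is attached only while the backup runs.
# Assumptions: the external drive carries the volume label "BACKUP";
# robocopy is present (it ships with Windows); run as a normal user.

$Source      = "$env:USERPROFILE\Documents"
$VolumeLabel = 'BACKUP'
$Keep        = 10   # dated copies to retain on the drive

function Get-BackupDrive {
    # Locate the drive by label rather than letter; letters move between plug-ins.
    Get-Volume -ErrorAction SilentlyContinue |
        Where-Object { $_.FileSystemLabel -eq $VolumeLabel -and $_.DriveLetter } |
        Select-Object -First 1
}

function Invoke-Backup {
    param([Parameter(Mandatory)] $Volume)
    $root = "$($Volume.DriveLetter):\Backups"
    $dest = Join-Path $root (Get-Date -Format 'yyyy-MM-dd_HHmm')
    # /E copies subfolders; /R:1 /W:1 keeps a flaky cable from stalling the run.
    # Deliberately no /MIR: mirroring would push deletions and freshly encrypted
    # files into the only copy you have.
    robocopy $Source $dest /E /R:1 /W:1 /NFL /NDL | Out-Null
    if ($LASTEXITCODE -ge 8) { throw "robocopy reported failures (exit code $LASTEXITCODE)" }
    # Prune the oldest dated copies beyond $Keep; the names sort chronologically.
    Get-ChildItem $root -Directory | Sort-Object Name -Descending |
        Select-Object -Skip $Keep | Remove-Item -Recurse -Force
    $dest
}

function Dismount-BackupDrive {
    param([Parameter(Mandatory)] $Volume)
    # The Shell "Eject" verb flushes writes and removes the volume, the same
    # thing "Safely Remove Hardware" does. Namespace 17 is "This PC".
    $shell = New-Object -ComObject Shell.Application
    $shell.Namespace(17).ParseName("$($Volume.DriveLetter):").InvokeVerb('Eject')
}

$vol = Get-BackupDrive
if (-not $vol) {
    Write-Host "Backup drive '$VolumeLabel' is not attached; nothing done."
    exit 0
}
$copy = Invoke-Backup -Volume $vol
Dismount-BackupDrive -Volume $vol
Write-Host "Backup written to $copy and drive ejected. Unplug it now."
```

The dated folders are the point: a mirror that runs after infection faithfully mirrors the encrypted files, while a run of dated copies lets you step back to the last one taken before the ransom notes appeared.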

As for the attacked computer, you pretty much have to nuke it from orbit.

“The machine affected has been compromised and cannot be trusted anymore,” Malwarebytes’ Segura wrote. His advice: “Restore the box to a clean state but also to change all existing passwords (email, banking, etc.) which may have been compromised already.”

You may need to pay a computer store’s tech-support service for help with that. If so, better to pay them than the crooks.

I hope this column slows the problem but I fear it won’t. As cybersecurity reporter Brian Krebs (a friend and former colleague at the Washington Post) wrote after I shared this reader’s story: “I wish I had a dime for every one of these sad reader e-mails I get.”

Tip: “Trust No One” is a good policy for online solicitations

How did this happen to my reader? He wrote that he had gotten a malware warning when he opened a strange e-mail referencing a flight purchase he didn’t remember making, then searched for a Microsoft security tool that he had been told (it’s unclear from his account by whom) would fix the problem.

(I’m not naming him because I don’t want anybody to worry that sharing digital misfortunes will lead to them being publicly mocked by name.)

The usual security advice in a situation like this goes like “update your system and your browser, then get rid of dangerous software like Java and Flash.” It’s true -- how many times have I told you to get Java out of your browser and uninstall Adobe’s Flash plug-in? -- but it’s not enough. You also need to remember that every e-mail and Web page telling you to do something now could be lying to you.

And when that urgent! warning comes from a strange source, it almost certainly is lying. The phrase I’ve been using for the proper mindset since seeing it in a 2004 Ars Technica guide is “skeptical computing”: bringing the same “oh, really?” attitude to strangers on the Internet that you would to strangers on the street.

But sadly enough, you can’t even trust friends on social networks if they haven’t gotten the skeptical-computing memo yet.

Rob Pegoraro is a tech writer based out of Washington, D.C. To submit a tech question, e-mail Rob at rob@robpegoraro.com. Follow him on Twitter at twitter.com/robpegoraro.