How to guard against ransomware, and should you ever pay up?


Losing access to your files, whether precious photos or business documents, is something we hope you never experience. But if the worst happens and your PC and other kit end up infected with WannaCry, CryptoLocker or some other ransomware, what should you do? Will the hackers actually honour the payment and hand over a decryption key? Here's what we know, how to guard against ransomware, and what the FBI advises victims to do.

Before an "accidental hero" calling himself MalwareTech flicked its hidden kill switch, the ransomware attack that struck the UK's National Health Service systems appeared to be spreading around the world, leveraging a hacking tool that may have come from the US National Security Agency. Mikko Hypponen, chief research officer at cybersecurity company F-Secure, called the attack "the biggest ransomware outbreak in history".

The ransomware, called Wanna Decryptor or WannaCry, struck hospitals at the NHS on Friday, taking down some of its network. A security researcher found a kill switch hardcoded into the malware, which kept the attack from hitting the US.

Microsoft has already patched the vulnerability, but only for newer Windows systems. Older ones, such as Windows Server 2003, are no longer supported, but still widely used among businesses, according to security experts.

The Wanna Decryptor ransomware strikes by encrypting all the files on an infected PC, along with any other systems on the network the PC is attached to. It then demands a ransom of about $300 (£232) in bitcoin to release the files, threatening to delete them after a set period of days if the amount is not paid.

Ransomware scams: your options

In 2016 a hospital in Hollywood hit the headlines after it admitted that it paid almost $17,000 to get back critical files including patient data. According to reports, the criminals did unlock the hospital's files and all was well just 10 days after the attack.

But there are no guarantees that the criminals behind all ransomware variants will do the same. If you pay up, you risk getting nothing in return.

Companies rarely admit to paying ransoms, because this also admits that their network was compromised in the first place. Therefore no-one is quite sure of the exact likelihood of getting your files back if you do choose to hand over the cash (or, more typically, Bitcoins).

Free ransomware decryption tools

Typically, the ransom is several hundred pounds, which is cheaper than employing a data recovery firm to attempt to decrypt the files. But before you pay anyone, check if there's a freely available tool which will do the job.

Kaspersky, for example, has a ransomware decryptor which works with Coinvault and Bitcryptor. There's another tool which is said to work on files encrypted with Teslacrypt.

If you are a Locker victim, then see this thread on Pastebin.

Ransomware scams: to pay or not to pay

The first task, then, is to find out which exact malware has encrypted your files, then search online to see if a decryption tool is available.

If not, check if you have backups which are up to date enough to avoid having to pay the ransom.

And if you have no backups, the FBI's advice - amazingly - is to go ahead and pay it. It says that it's often the quickest and cheapest way to solve the problem, but not everyone agrees.

There are two main schools of thought. The first is that the bad guys want to make it as easy as possible to pay and get your decryption key. After all, they want other people to pay up and not hear that people have paid and got nothing. Hence, you should follow the instructions when you see the ransom on screen and you'll get your data back.

The second is that the bad guys have no incentive to hand over the key. For one thing, contacting people makes them easier to trace, but the main point is that they're anonymous, so they have no reputation to protect. Also, people who've paid the ransom and got nothing are hardly going to shout about it: they've just lost money to a scam and are no closer to getting their files decrypted.

Further, even if you do get a key or some tool to decrypt your files, you're still not safe. The criminals might still have access to your machine and hold it to ransom again.

Those who would advise you not to pay would also warn against believing stories such as the Hollywood hospital case, as the criminals will go to great lengths to post fake testimonies about successfully decrypting files in order to persuade victims to pay up.

How to guard against ransomware

If you're reading this having suffered a ransomware attack, the following advice probably comes too late. But if you haven't, there are several things you should be doing:

1 - Make regular backups of any and all files you can't afford to lose. Don't assume that cloud backups or cloud storage is immune from ransomware: many services sync files with those on your hard drive and could well overwrite unencrypted files with the newer encrypted ones. The best plan is to make multiple backups which include copies on hard drives or any media which is not connected to a computer or the internet. A portable USB hard drive is ideal.

2 - Keep your antivirus and internet security software up to date and ensure you are using software which can protect against all types of malware, including ransomware. Read PC Advisor's up-to-date independent Best antivirus reviews.

3 - Be ever more vigilant about which email attachments you open and links you click on. Ransomware usually relies on human vulnerabilities, rather than weaknesses in security software. Even if an email or attachment is from a person you know, or a service provider you use, double-check that it is genuine. If in doubt, don't open the email, let alone open an attachment or click on a link that will supposedly take you to a page where you can enter your banking details.
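
Point 1 warns that a sync or backup job can overwrite good copies with newly encrypted ones. The sketch below is an added example, not part of the original article: a pre-backup check that compares the live folder with the last backup and refuses to proceed when too many files have turned random-looking or vanished. The function names and all three thresholds are assumptions chosen for illustration.

```python
import math
import os
from collections import Counter

SAMPLE_BYTES = 64 * 1024   # assumption: the first 64 KiB is representative of a file
ENTROPY_LIMIT = 7.5        # assumption: bits/byte at or above this looks like ciphertext
MAX_CHANGED_RATIO = 0.3    # assumption: stop if more than 30% of backed-up files changed


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, 8.0 maximum)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())


def sample_entropy(path: str) -> float:
    with open(path, "rb") as fh:
        return entropy(fh.read(SAMPLE_BYTES))


def check_before_backup(source_dir: str, backup_dir: str) -> dict:
    """Compare live files with the previous backup before overwriting it.

    Already-compressed files (JPEG, ZIP) are high-entropy to begin with, so
    they are only caught by the 'missing' check, not by the entropy flip.
    """
    backed_up, suspects, missing = 0, [], []
    for root, _dirs, names in os.walk(backup_dir):
        for name in names:
            old = os.path.join(root, name)
            rel = os.path.relpath(old, backup_dir)
            new = os.path.join(source_dir, rel)
            backed_up += 1
            if not os.path.isfile(new):
                missing.append(rel)    # ransomware often renames what it encrypts
            elif sample_entropy(old) < ENTROPY_LIMIT <= sample_entropy(new):
                suspects.append(rel)   # readable in the backup, random-looking now
    changed = len(suspects) + len(missing)
    safe = backed_up == 0 or changed / backed_up <= MAX_CHANGED_RATIO
    return {"safe": safe, "suspects": sorted(suspects), "missing": sorted(missing)}
```

Run the check before each backup and only overwrite the previous copy when `safe` is true; an offline or versioned copy remains the fallback when it is not.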

See also: How to protect yourself from CryptoLocker, GoZeus and other ransomware. For more on the latest scams, see How to avoid getting scammed.

Additional reporting by Michael Kan, IDG News Service.

Stories by Jim Martin