Ransomware Cryptolocker and Data Recovery

Ransomware – Cryptolocker & its Malware-Virus Variants and Data Recovery

Have you heard of Ransomware and are afraid of being infected with it?

There is a good chance you have as the Ransomware variants have considerably increased in popularity around the world since 2012.

So, what is Ransomware?

It is a basically a piece of executable code that launches once the user executes it in an attempt to open what looks like a normal file, such as a PDF. Typically, such files are downloaded from random emails that contain “normal” PDF attachments. While such PDF files look normal, they are actually altered in a manner that makes them look normal. The alteration has to do with the extension of the file, namely “.pdf”. In the Windows operating system for example, there is a particular file view setting that allows to show the extension of a file. By default, this setting is disabled. The Ransomware creators actually prey on this design, by creating a file with a double extension, namely “FileName .pdf.exe”, where the .exe part of the file is hidden by the operating system setting, allowing thus the user to only see the “FileName .pdf” part. It is this illusion that tricks somebody into thinking the file attachment is actually a real .pdf file.

So, what happens when the Ransomware is installed, therefore activated?

Upon complete activation, the newest variants of Ransomware begin encrypting all of the files on local and network based drives. Once the encryption process completes, though the files still look normal, upon attempting to open them as usual, the applications will state that they are corrupt or unrecognized. The applications are unable to understand the files’ encrypted state, therefore they are unable to open the files as expected. The malware creators designed the code in a manner where once it is installed, a picture of the ransomware explanations and payment details will post on the desktop. Instructions for how to decrypt the files are provided within the menu.

What are the data recovery implications?

While some of the earlier variants of Ransomware were less sophisticated, some extent of file recovery was possible. With the newest most advanced algorithms implementation within Ransomware, the decryption process as part of the data recovery procedure is virtually impossible. While most experts, along with the United States government, do not recommend paying the ransom (typically $300+), some people do pay it. Due to the limited availability of measurable results of how many people were actually able to restore their files back to normal condition, it is not possible to tell with certainty whether paying will solve the problem. There are cases where a ransomware payment was completed, but the file decryption was not granted.

So, how could the Ransomware virus be prevented?

The best advice revolves around a combination of well carried out practices. One of those practices is for the end user to be educated in not opening emails from unrecognized senders and further not downloading any of the email attachments. It is recommended to simply delete the email. Another highly recommended practice is to have additional backup copies of all critical files. Should the Ransomware virus activate and render the files inaccessible, then a system restore along with the files from the backup is the typical method of overcoming the problem. Therefore, backup is critical. Lastly, a strong current anti-virus program should help, however often new virus strings could get passed by until the anti-virus updates its virus signature library.

Wikipedia reference for various types of ransomware virus: