AppellaTech: Ransomware, A New and Very Serious Security Threat

Computer scams and viruses are a constant threat. As you surely already know, this requires constant care and vigilance about what websites you visit, what programs you install, and what email attachments you open. In case you weren't aware, these threats increase over the holidays.  For the moment, then, you need to be even more careful than you already are.

I am saddened to inform you, however, that the risk has risen recently.  There is a relatively new kind of threat that has arisen that can have incredibly dire consequences for your practice. The threat is called ransomware. Once one of these programs is installed on your computer, it can encrypt all of the files on your computer and keep them "locked" unless you pay a ransom.

Imagine all of your client files, all of your work product, all of your contact information, and all of your databases rendered immediately and irretrievably inaccessible unless you agree to pay a ransom to the group that managed to get their software onto your computer. The first known instance of it occurred in September 2013. Since that time, it has grown in use and sophistication. It is worth your time, then, to learn of the threat now and to try to take some precautions that will reduce your risk of getting it or help you recover when you do.

How Ransomware Works

You don't need to know the full technical explanation of ransomware. If you are technologically savvy and curious enough, though, you can get more explanation here.

The basic idea of these types of programs is that, once they get installed on your computer, they begin encrypting certain files types (word processing, spreadsheet, database, etc.) with a very sophisticated encryption code. Only the group that put the software on your computer has the key to decrypting the files. As a result, everything that has been encrypted has become immediately inaccessible to you.

If you are logged on to an office server, the program will encrypt files it can find on the server as well, rendering other people's files inaccessible, too. It may also try to infect other people's computers that are also connected to the network.

Once the encryption has occurred, you will get a screen looking something like this:


From what I understand, a number of the programs included a timer. If the ransom is not paid in the time allotted, the encryption key is destroyed and you can no longer get the files decrypted.

To make things more difficult, the preferred payment system has become bitcoin because bitcoin transactions cannot be reversed. Unless you already regularly trade in bitcoin, trying to purchase bitcoins will only add to the difficulty of the situation.

Once you are infected, you face the dilemma of whether to pay the ransom. I am not here to answer that question for you. But clearly, people choosing to pay the ransom causes this threat to be lucrative, inviting more such threats. Additionally, the Department of Homeland Security warns, "Paying the ransom does not guarantee the encrypted files will be released; it only guarantees that the malicious actors receive the victim’s money, and in some cases, their banking information. In addition, decrypting files does not mean the malware infection itself has been removed."


How to Try to Protect Yourself

As an initial matter, it is worth noting that there are some computer viruses that just claim to have locked your computer or encrypted your files but have not actually done so. Encrypting data requires a fairly high amount of programming sophistication. Before you spend too much time deliberating over whether to pay the ransom, you should try to make sure that what is on your computer actually is ransomware.

Many of the standard warnings about avoiding any type of virus apply to avoiding ransomware.
  • Don't open email attachments from someone you do not know. Even if the email appears to be from someone you do know, it could be a fake.
    • On this point, if you are sending an email with an attachment to someone, get in the habit of always writing something in body text that is more than just "Please see attached." This will help friends spot an email claiming to be from you but is uncharacteristic.
  • Similarly, don't click on links in an email from someone you do not know.
  • Use caution when visiting websites you are not familiar with. Be wary of clicking on links in a website unless you trust the website.
  • Have anti-virus software on your computer. This may not be particularly effective, though. One security firm claims that the techniques used by ransomware "make it nearly impossible for traditional detection-based security solutions, such as antivirus, to prevent the attack before the file encryption."
Keeping viruses off your computer requires constant vigilance, however. And we all inevitably make mistakes. In one circumstance, an employee received an authentic-looking email from PayPal, claiming someone had sent him money. He clicked on the link, and trouble ensued.

Perhaps the most important way to protect yourself from such an attack, then, is to make sure your data is always backed up. But because of the nature of ransomware, this means more than just having another copy of your data immediately accessible. If the ransomware software can find the file, then your back-up efforts become lost. To this end, simply having files copied to a Google drive is insufficient. (At least it is if the Google drive is automatically accessible from your computer.)

Instead, there are a couple of safer alternatives. First, you can copy your files to an external hard drive that is not connected to your computer (or anyone else's computer on the network) except for when you copy the files. If your computer does become infected, do not connect that external hard drive to your computer (or any networked computer) until you know you have the problem fixed.

Second, you can use an online file recovery system. I highly recommend this alternative. There are any number of ways you can loose your files. Your hard drive could break or become corrupted. You could accidentally delete one file that you needed. Or you could become infected by ransomware. In any of these scenarios, your data is retrievable online. The benefit to these systems over copying files to an external hard drive is that it doesn't depend on you remembering to back up. A program runs in the background of your computer backing up files as you make changes.

These backup systems are more than just copies on a cloud drive. You have to go through a recovery process to access the files. This recovery process is what would protect your files from the ransomware software. For my home computer, I use CrashPlan. There are others out there, and I hope you spend some time investigating what would work best for you.

If you do use one of these options for backing up your files, fixing your computer will still be a headache. But it won't require paying a ransom, and it will save you from permanently losing all of your files. Instead, you will need to work to have the ransomware removed from your computer. Once you are sure that the computer (and all network computers) is safe, you can reload your files onto your computer.

I hope this never happens to any of you. I also hope that, if it does, you are adequately prepared to respond. Happy holidays.

Derek Bauman
Staff attorney, First Court of Appeals

Comments, questions, and useful information are always welcome (and desperately sought). Please send them to: submissions@hbaappellatelawyer.org.