What virus makes files disappear?

Viruses that make files disappear, also known as file-encrypting ransomware, are some of the most disruptive and dangerous malware threatening users today. These insidious viruses infiltrate computers, often through phishing emails or infected websites, and encrypt the user’s personal files – photos, documents, videos and more. The encrypted files become inaccessible, essentially held for ransom, until the victim pays a fee to the cybercriminals behind the virus. Unfortunately, even after paying up, there is no guarantee you will get your files back.

What is ransomware?

Ransomware is a type of malicious software, or malware, that encrypts or locks a victim’s files, denying them access until a ransom is paid. The ransom demand usually arrives along with the infection itself, with instructions to pay a fee in cryptocurrency to receive a decryption key. This key is supposed to unlock and restore access to the encrypted files. However, paying the ransom does not always work, and even if you do regain access, your personal information may still remain compromised.

How does ransomware infect computers?

Ransomware usually infiltrates systems through phishing emails, malicious ads or compromised websites. The infection is often completely invisible until it has finished encrypting files. Some common delivery methods include:

  • Phishing emails with infected attachments or links
  • Compromised websites that automatically download malware
  • “Drive-by” ransomware that exploits security flaws in browsers and apps
  • Fake software updates containing malware
  • Brute force attacks to guess weak passwords on remote desktop connections

Why is ransomware so dangerous?

File-encrypting ransomware is extremely disruptive due to its ability to completely block access to important data like documents, photos and financial records. By seizing these irreplaceable files and holding them hostage, ransomware can cause serious downtime and revenue loss for businesses. Individuals can lose access to their personal records, photos and files, sometimes with no way to restore them if backups are also encrypted.

Most common file-encrypting ransomware

Some of the most widespread and damaging examples of file-encrypting ransomware include:

CryptoLocker

One of the earliest ransomware viruses, active from 2013-2014. Spread via infected email attachments and compromised sites. Encrypted files with RSA-2048 and demanded payments of $300-$600 in Bitcoin.

CTB-Locker

Prolific ransomware variant circulated via spam emails and exploit kits from 2014-2015. Encrypted files with AES-256 and RSA-2048 algorithms. Demanded ransoms of 1-4 Bitcoins.

Locky

Massive global ransomware threat first seen in 2016. Spread through phishing spam emails containing malicious Office document macros. Encrypted a wide range of file types and demanded Bitcoin payment.

Cerber

Active since 2016, Cerber is sold as a ransomware-as-a-service on the dark web. Infected PCs via exploited websites and spam emails. Demanded ransom payments in Bitcoin of $500-$1,000.

WannaCry

Notorious 2017 epidemic infecting over 200,000 computers across 150 countries. Exploited a Windows SMB vulnerability to spread. Encrypted files with AES and RSA encryption. Demanded $300 in Bitcoin.

How file-encrypting malware works

File-encrypting ransomware uses robust encryption algorithms to lock access to files on infected devices. The encryption schemes used make it computationally infeasible to decrypt the files without the attacker-held key. Here are some details on how typical file-encrypting ransomware infections unfold:

Infiltration

Ransomware sneaks onto a computer through social engineering like phishing emails, compromised ads or infected sites that exploit security holes. Often the user is tricked into loading the payload themselves by opening an attachment or link.

File search

After infiltration, the ransomware searches connected drives and networks for files to encrypt. Targeted files often include:

  • Documents
  • Photos
  • Videos
  • Databases
  • Backups
  • Source code

Encryption process

The ransomware encrypts the located files using algorithms such as AES and RSA. Hybrid encryption combines a symmetric scheme (for speed) with an asymmetric one (to protect the symmetric key).

Encryption keys

The symmetric encryption keys used to lock files are secured with a public-private asymmetric key pair. The private key is retained by the ransomware operators to decrypt files.

Ransom demands

With files encrypted, ransomware displays payment demands and decryption instructions. Demands range from $200 to $50,000 or more in cryptocurrencies like Bitcoin.

Top targets for ransomware

Any computer or network can fall prey to file-encrypting ransomware, but attacks tend to target:

Businesses

Businesses often hold sensitive data, and downtime is extremely costly for them. High-value targets include:

  • Healthcare organizations
  • Law firms
  • Financial services
  • Educational institutions

Government agencies

Attacks on government systems can disrupt public services and access sensitive records. Recent examples include:

  • Atlanta city government
  • Baltimore city services
  • The Colorado Department of Transportation

Individuals

Home users have valuable personal data. A lack of backups and security expertise makes them vulnerable.

Most damaging ransomware strains

Some ransomware outbreaks cause enormous financial damage and disruption. The most destructive incidents include:

WannaCry – 2017

The WannaCry worm infected over 200,000 computers across 150 countries, locking healthcare, government and business systems. Financial costs reached into the billions.

NotPetya – 2017

NotPetya masqueraded as ransomware but was designed for destruction. It caused over $10 billion in damages to major corporations.

Ryuk – 2018

Targeted ransomware crippled newspaper printing operations in 2018. Extracted over $150 million in Bitcoin from high-value enterprises.

Sodinokibi – 2019

Prolific RaaS ransomware extracted over $123 million in ransoms from MSPs, corporations, municipalities and utilities.

Recent ransomware trends

The ransomware landscape is always evolving. Some current trends shaping modern campaigns:

Ransomware-as-a-Service

RaaS lowers the barrier to entry by selling DIY ransomware kits on dark web marketplaces. Affiliates carry out attacks and split ransoms with developers.

Double extortion

In addition to encrypting files, attackers exfiltrate data and threaten to publish sensitive documents if the ransom goes unpaid.

Supply chain attacks

Attackers inject malware into apps and software tools used by service providers, spreading ransomware downstream to those providers' customers.

Cloud services

Backups in cloud storage are now targeted for encryption by ransomware gangs to prevent recovery.

How to prevent ransomware

The most effective ransomware prevention strategy involves layered security defenses and backups. Key precautions include:

Email security

Detect and filter out phishing emails and spam, the primary ransomware delivery method. Use email authentication protocols like SPF, DKIM and DMARC.

Strong passwords

Use strong, unique passwords for all admin accounts and Wi-Fi networks. Enable multi-factor authentication wherever possible.

Patch management

Apply software, operating system and security tool updates promptly to eliminate vulnerabilities.

Security training

Educate staff on ransomware delivery tactics like phishing to reduce the risk of infection.

Backups

Maintain current backups offline and disconnected, so that data remains recoverable if the live copies are encrypted.

Endpoint security

Install antivirus software across all endpoints. Use layered defenses like firewalls, antimalware and behavior monitoring.

Access controls

Only enable admin access to resources when needed. Disable RDP if unused or require VPN with MFA.

Activity monitoring

Monitor systems for signs of compromise like suspicious registry edits, network traffic and file encryption.
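One concrete form of the "file encryption" signal mentioned above is content that has become near-random while its name no longer matches a format that is legitimately high-entropy (compressed archives, images, video). The script below is an added example, not code from the original article: it measures Shannon entropy on a sample of each file, skips a constructed allow-list of compressed types, and flags the rest; the threshold, allow-list and sample directory are all assumptions for the demonstration.

```python
import math
import os
import tempfile
from pathlib import Path

# Constructed allow-list of formats that are high-entropy by design (extend for real use).
COMPRESSED_EXT = {".zip", ".gz", ".7z", ".png", ".jpg", ".jpeg", ".mp4", ".pdf"}
ENTROPY_THRESHOLD = 7.5   # bits per byte; random or encrypted data approaches 8.0
SAMPLE_BYTES = 4096       # only the head of each file is read

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte over the given buffer (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def looks_encrypted(path: Path) -> bool:
    """True when the content is near-random and the name does not explain it:
    no compressed/media extension, or an extra suffix appended after a normal
    document extension (e.g. report.docx.locked)."""
    suffixes = [s.lower() for s in path.suffixes]
    if suffixes and suffixes[-1] in COMPRESSED_EXT:
        return False
    with open(path, "rb") as f:
        sample = f.read(SAMPLE_BYTES)
    return len(sample) >= 256 and shannon_entropy(sample) > ENTROPY_THRESHOLD

def scan(root: Path) -> list[str]:
    """Return sorted relative paths of files under root that look encrypted."""
    return sorted(str(p.relative_to(root)) for p in root.rglob("*")
                  if p.is_file() and looks_encrypted(p))

def build_sample_tree() -> Path:
    """Constructed sample: a readable document, a ransom note, an allow-listed
    image, and two files overwritten with random bytes (one also renamed)."""
    root = Path(tempfile.mkdtemp(prefix="ransom-demo-"))
    (root / "notes.txt").write_text("Quarterly figures, nothing unusual.\n" * 40)
    (root / "README_TO_RESTORE.txt").write_text("Your files are encrypted. Pay to decrypt.\n")
    (root / "report.docx.locked").write_bytes(os.urandom(8192))  # renamed and overwritten
    (root / "photo.jpg").write_bytes(os.urandom(8192))           # allow-listed, not flagged
    (root / "budget.xlsx").write_bytes(os.urandom(8192))         # overwritten in place
    return root

if __name__ == "__main__":
    print(scan(build_sample_tree()))   # ['budget.xlsx', 'report.docx.locked']
```

In a real deployment the useful signal is the rate: a burst of many newly flagged files in a short window is far more telling than any single hit, and the allow-list keeps ordinary compressed data from drowning the alert.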

What to do if infected with ransomware

If you are hit with file-encrypting ransomware, stay calm but act quickly. Follow these steps:

1. Disconnect infected devices

Isolate and power down affected devices to prevent further encryption or damage.

2. Check what strains hit you

Identify known strains using ransom note characteristics, file extensions and decryptors.

3. Assess the damage

Catalog the encrypted files. Scan backups and cloud storage. Determine whether any sensitive data was compromised.

4. Consider paying the ransom

Weigh the risks and costs of payment versus data loss. Negotiate the ransom if possible.

5. Wipe systems and restore data

Wipe and reinstall operating systems from a clean backup before restoring data. Change all passwords after recovery.

6. Review security controls

Analyze how the infection occurred and update defenses to prevent a repeat occurrence.

Should you pay the ransom?

Paying the ransom is controversial. Potential benefits and risks include:

Potential benefits

  • Decryption key release to restore files
  • Avoid downtime and business disruption
  • Prevent data leakage if stolen

Potential risks

  • No guarantee files will be recovered
  • Data may still be compromised by malware
  • Paying encourages more attacks
  • Fines for paying ransoms per OFAC

Victims should carefully weigh these factors against the unique costs of permanent data loss for their situation. There are no easy answers.

Can you decrypt files without paying?

There are a few options to potentially restore files without paying the ransom:

Decryption tools

For some ransomware families like GandCrab, decryption tools are available that may recover files. But most strains have no decryption tools.

Undelete files

If files are simply deleted rather than encrypted, recovery software can help salvage data.

Cloud backups

Backups in cloud storage that were not reached by the ransomware may allow file recovery, if such backups exist.

Shadow volume copies

Some Windows systems have point-in-time recovery snapshots to roll back to before an infection.

Forensic analysis

In rare cases, forensic experts may reverse-engineer ransomware and recover keys.

Should ransomware payments be illegal?

There is ongoing debate over whether ransom payments should be illegal. Arguments on both sides include:

Arguments for illegality:

  • Paying ransoms bankrolls criminal groups
  • Encourages further cybercrime
  • Violates legal sanctions in some cases
  • Promotes cyber insurance over security

Arguments against illegality:

  • Prevents victims from making their own choices
  • Forces even greater damage onto victims
  • Difficult to enforce bans on payments
  • Causes reporting challenges and risks

The debate involves weighing ethical and practical concerns. A blanket ban could harm victims, but unrestrained payments also carry risks. Nuanced policy is required.

Ransomware trends and predictions

Experts forecast ransomware evolving in the following ways in coming years:

  • More Ransomware-as-a-Service empowering mass attacks
  • Deepfakes used to apply social pressure for payment
  • Increasingly automated attacks needing less human involvement
  • Shifting targets from data encryption to operational disruption
  • Expanding ransomware targets to cloud services, mobile and IoT devices

Defenders will need to match ransomware innovation with better security hygiene, layered defenses and diplomacy tactics to discourage attacks.

Key takeaways on ransomware

In summary, these are the crucial facts to understand about file-encrypting ransomware:

  • Encryption schemes like AES and RSA are virtually unbreakable
  • Phishing, exploits and RaaS make attacks scalable
  • Every business sector is a potential target
  • Paying the ransom is risky but data loss can be worse
  • The highest leverage defense is resilient backups

By tailoring defenses to these realities, organizations and users can build resilience against even sophisticated ransomware attacks.

Conclusion

File-encrypting ransomware remains a severe cyber threat, with professional criminal groups continuously innovating new techniques. Paired with the growth of Ransomware-as-a-Service empowering mass attacks, ransomware campaigns will only grow more sophisticated and disruptive. Users can stay resilient by focusing on security best practices – phishing prevention, patching, access controls and air-gapped backups. But ultimately defeating ransomware will take global cooperation between policymakers, law enforcement, and public and private sector defenders to disrupt underground ransomware markets and infrastructure.