I haven't seen many descriptions of how to avoid Ransomware, mostly because I haven't bothered to look, cocooned in the apparent security of my Mac. But is it basically the same kind of internet-hygiene as for any other virus? i.e. don't be on Internet Explorer, don't download weird files. Or are attacks more sophisticated now?
It's impossible to guard against all vectors for malware attacks, though practicing caution as you described can help. Your best defense against ransomware is a regular backup with versioning - that is, the backup should store previous versions of your files, in case you accidentally back up one that's already been encrypted. Be aware that ransomware can also attack your cloud storage, such as Dropbox.
Emailed Word docs seem the most common attack vector for successful ransomware attacks these days.
An attack made all the more credible because people still send me attachments (Word and PDF files) for minimally formatted text! Just paste the relevant damn text into the email. Don't attach it!!! Grrrr, ought to be a law…
Most ransomware doesn't need elevated privileges. This would, which makes it much less effective.
I'm waiting for ransomware that specifically targets full-disk encryption by re-encrypting the master keys.
Ah, Word document viruses. Amazing how they're still an issue after all these years. I still remember my first fights with them in the late 90s. One of the reasons one of my first steps with Word is to shut off macros, because who the heck is going to send me a text document that needs macros???
It's been a long time since I had to unerase a file, but isn't this attack the equivalent to "recycle binning" the entire drive? Wouldn't all the data be there and relatively easy to recover? Like a job not for the NSA but for Geek Squad?
All the data's there, but you have to figure out where one file stops and another starts, filenames, etc. I've had to do that a few times, but I usually ended up with some files that are perfectly recovered and others that are gibberish. Software for it might have improved since then, though.
You could probably recover specific files of recognizable file types pretty easily, especially if they're something simple like text files. But if you're trying to get the entire OS install and all your data back into a working state, it could be a real crapshoot.
The Word docs begin with the words "Enable macro if the data encoding is incorrect" followed by random garbled text.
edit to add: it seems the larger problem is either that MS has given VBA macros the ability to run downloaded executables or that people still use MS office. I can't decide which is worse.
…pardon me while I slam my head against this desk a few times. Just enable macros if my data encoding is incorrect afterwards.
And I thought the malware emails I keep seeing reports of with a message along the lines of "just run the executable if this email doesn't open correctly" were bad…
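The lure quoted above only works if the attachment can carry a macro at all, so a cheap triage step is to check whether a received Office file contains a VBA project before it is ever opened. The following is an added example written for this thread, not code from any commenter; the sample documents are constructed in memory and the part names are the standard OOXML locations for VBA code.

```python
import io
import zipfile

# OOXML (.docm/.xlsm/.pptm) keeps VBA code in a binary part at one of these paths.
MACRO_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")

# Pre-2007 .doc/.xls/.ppt files are OLE2 compound files and can embed macros too.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def build_sample_doc(with_macro: bool) -> bytes:
    """Constructed sample: a minimal OOXML-style Word container, optionally with a VBA part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Real vbaProject.bin parts are OLE containers; the payload here is a placeholder.
            z.writestr("word/vbaProject.bin", OLE2_MAGIC + b"constructed")
    return buf.getvalue()


def classify_attachment(data: bytes) -> str:
    """Return 'ooxml-macro', 'ooxml-clean', 'legacy-ole' or 'unknown' for an attachment body."""
    if data[:8] == OLE2_MAGIC:
        # Legacy binary format: cannot rule out macros without an OLE parser, so flag for review.
        return "legacy-ole"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = set(z.namelist())
    except zipfile.BadZipFile:
        return "unknown"
    if any(part in names for part in MACRO_PARTS):
        return "ooxml-macro"
    return "ooxml-clean"


if __name__ == "__main__":
    for label, blob in (("with macro", build_sample_doc(True)),
                        ("without macro", build_sample_doc(False))):
        print(f"{label}: {classify_attachment(blob)}")
```

A file that reports `ooxml-macro` while claiming to be a plain text document is exactly the mismatch the lure relies on and is worth discarding unopened.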
Ransomware has been around since 2005, 11 years. The new part in 2005 was the charging for access, the ransom part; encrypting the filesystem, Master Boot Record or File Allocation Tables has been around since 1994. Viruses like Monkey and Slovak bomber would encrypt the Master Boot Record and/or files and your data would be inaccessible if they were removed improperly, but they didn't charge for removal and access. This isn't really a new trick. It is just a new variant.
Any smart ransomware would hit those first…THEN start on the files afterwards. I'm surprised that this combo isn't the de facto method of attack.
Many of them already do. DiskDrill does for sure. It saves its own MFT for recovery.
While there isn't a lot of info out yet, it appears that this is a Windows specific vector and only affects NTFS on Windows machines. EXT4 and HFS and all the other filesystems are out of the scope of this specific malware.
I think it is brilliant social engineering - and I think that un-warned and had I received such an attachment, I might have fallen for it, partially because it is hard to believe that after all these years Word is still subject to macro trojans.
As far as the social engineering goes, I see similar messages all the time in legitimate situations, such as all the web pages that tell me to turn on java scripting, or warnings in emails that the email won't format correctly if I have HTML turned off.
There is nothing fundamentally new in terms of how "ransomware" gets onto the system, typically application or plugin exploits, or social engineering.
The one nasty little twist is that encrypting all your files isn't a privileged activity from the perspective of your computer; so unlike the more traditional rootkits and such the attacker doesn't need a privilege escalation vulnerability or to trick you into accepting a privilege escalation request. Some ransomware variants may use admin rights if they have them, just to dig in deeper or throw up scary bootsplash screens or whatever; but the genre is founded on the fact that most of the files you actually care about are owned by you; while the Vital System Files are well protected, but can be restored in maybe an hour from install media.
The really horrible part? I work in the IT department of a college campus. The chair of our Computer Science department has been hit by malware in just this way at least three times. Having taken a class or two with him, I'm really not sure why we even let him have a campus provided computer, but it's certainly not my decision.
You sir, need to live up to your name
"Drive-by" infections from ad networks and emails that are a lot like Phishing messages are the 2 causes I've seen. Specifically emails trying to convince you they contain legal documents or other must reply data. I keep a Linux VM around to check the file extension and erase the emails from the webmail.
Having good backups and doing wipe/reinstall (or replace drive/reinstall) seem to be the best tactic for fixing it. When the ransomware starts revising the BIOS or writing to PRAMs elsewhere in the system (Videocard firmware for example) is when things will be really awful. It also doesn't seem to travel much out of the original infected PC.
A good ad-blocker is at least as important as a good antivirus program these days. Or you could upgrade to Linux
It's aspirational.
I consider myself a skeptic because I know I can be fooled, not because I think I can't.
Makes total sense, thanks.
Isn't the disk theoretically vulnerable as long as it's partitioned with an MBR? It shouldn't matter what filesystems the partitions contain.
I'm curious whether a similar attack could be made against a GPT or disklabel.