Thank you for being a valued part of the CNET community. As of December 1, 2020, the forums are in read-only format. In early 2021, CNET Forums will no longer be available. We are grateful for the participation and advice you have provided to one another over the years.

Thanks,

CNET Support


Ransomware: How do you prevent it from happening?

Dec 19, 2014 7:40AM PST
Question:

Ransomware: How do you prevent it from happening, and if you were held up, do you pay?


I've been seeing a lot of news headlines about ransomware, in which I think a hacker gets into your computer and puts a lock on it so that you can't do anything on it, and demands a payment of a specific amount or else your computer will remain locked or be wiped clean. Am I correct, or is there more to it? This has me a bit concerned. Even though my computer doesn't hold top-secret materials, I still don't want to get caught in this mess. So how would one go about preventing this type of ransomware from being attached to my computer? Is an antivirus program good enough to keep this from happening? If not, what should I have installed to prevent this? And out of curiosity, if this were to happen to you, where your computer was held up for ransom, would you pay up? Why or why not?

--Submitted by Steven H.


Infected sites
Jan 9, 2015 1:46PM PST

I have a suspicion that most ransomware infections come from either opening an e-mail attachment or visiting porn sites.

Probably a good percentage...
Jan 9, 2015 4:40PM PST

But there's plenty of malware waiting for us in torrent sites, and newsgroups. An exe file on a music CD ISO isn't something you want to see, but you do.

Porn, freebie, pirate content... definitely need to be wary about them and definitely DON'T want to be accepting any download of a movie package, or download assister. That's just asking for trouble.

Avoiding Ransomware
Dec 19, 2014 4:55PM PST

I have never been held hostage by ransomware, but what I do for regular safety is save all my data on a separate partition (e.g., D:\) and daily (if not more often) copy it using XCOPY to an external USB drive. If anything adverse occurs, including a ransomware attack or virus, all I have to do is reformat the system drive (C:\) and reinstall the operating system and applications. Yes, it takes several hours, but then I have a fresh system. If the data partition was also compromised, then reformat the entire drive, reinstall the system and applications, and copy back the data from the last external backup. Hope this helps. Larry S
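
The separate-partition-plus-copy approach above, and the "backup, backup, backup" advice later in the thread, work only if the copy on the external drive is not itself overwritten by an already-encrypted version of the files. The following is an added example (not Larry S's XCOPY setup and not any product's code) of a generation-based backup: every run lands in a new timestamped directory with a SHA-256 manifest, earlier generations are never touched, and each generation can be verified against its own manifest before you trust it for a restore. Paths, timestamps and the sample files are constructed for the demo.

```python
"""Generation-based backup of a data partition with a hash manifest.

Each run copies the source tree into a new, timestamped directory under the
backup root and records SHA-256 digests in manifest.json.  Old generations
are never overwritten, so a backup taken after ransomware has already
encrypted the files does not destroy the earlier good copy; verify() then
tells you which generation still matches its own manifest.
"""
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

MANIFEST = "manifest.json"


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(src: Path, backup_root: Path, stamp: str = "") -> Path:
    """Copy src into backup_root/<stamp>/ and write a manifest; return that dir."""
    stamp = stamp or datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    dest = backup_root / stamp
    if dest.exists():
        # Never overwrite a generation: an existing copy may be the last good one.
        raise FileExistsError(f"refusing to overwrite existing generation {dest}")
    shutil.copytree(src, dest)
    # Hash every copied file (the manifest itself is written afterwards).
    manifest = {str(p.relative_to(dest)): sha256_of(p)
                for p in sorted(dest.rglob("*")) if p.is_file()}
    (dest / MANIFEST).write_text(json.dumps(manifest, indent=1))
    return dest


def verify(snapshot_dir: Path) -> list:
    """Return the relative paths whose content no longer matches the manifest."""
    manifest = json.loads((snapshot_dir / MANIFEST).read_text())
    bad = []
    for rel, digest in manifest.items():
        p = snapshot_dir / rel
        if not p.is_file() or sha256_of(p) != digest:
            bad.append(rel)
    return bad


def generations(backup_root: Path) -> list:
    """All snapshot directories, oldest first (timestamps sort lexically)."""
    return sorted(d for d in backup_root.iterdir() if d.is_dir())


def demo() -> dict:
    """Constructed scenario: one clean generation, then the live data partition
    is 'encrypted' and backed up again into a second generation.  The first
    generation must still verify clean and still hold the original text."""
    work = Path(tempfile.mkdtemp())
    data, root = work / "D", work / "backup"
    (data / "docs").mkdir(parents=True)
    (data / "docs" / "thesis.txt").write_text("important chapter 1\n")
    (data / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 64)
    gen1 = snapshot(data, root, "20150109T120000Z")

    # Simulate ransomware on the live partition: contents replaced, names changed.
    for p in list(data.rglob("*")):
        if p.is_file():
            p.write_bytes(b"\xde\xad" * 40)
            p.rename(p.with_name(p.name + ".encrypted"))
    gen2 = snapshot(data, root, "20150110T120000Z")
    # Tamper with one file inside gen2 so verify() has something to catch.
    (gen2 / "docs" / "thesis.txt.encrypted").write_bytes(b"junk")

    result = {
        "generations": [g.name for g in generations(root)],
        "gen1_bad": verify(gen1),
        "gen2_bad": verify(gen2),
        "gen1_has_original":
            (gen1 / "docs" / "thesis.txt").read_text() == "important chapter 1\n",
    }
    shutil.rmtree(work)
    return result


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The point of the manifest is that "the backup is there" is not the same as "the backup is good": after an incident you run verify() on each generation, newest first, and restore from the newest one that passes and whose files are not all renamed. Pruning old generations is deliberately left out; if you add it, keep more generations than the number of days it could take you to notice an infection.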

A Separate Partition Cannot Escape Encryption
Jan 9, 2015 2:39PM PST

A separate partition for backups is a good tool for inadvertent deletions or other viruses but when the encryption on your system is turned on, it gets EVERYTHING that is part of your system.

Wife clicked a pop up and her computer was locked by Trojan.
Dec 19, 2014 9:34PM PST

My wife had a pop up on her computer that said her computer was infected, click here to clean. She immediately did, and her computer was locked. Rebooting didn't help. I opened her computer and removed the hard drive, put it into an external USB drive box and connected it to my computer which was already running. I then used my anti virus to clean her drive. When it was finished I put the hard drive back in her computer knowing that she would never click on a pop up message again! Both of our computers are Windows machines, but I don't see different operating systems as a problem to using this method to clean an infected hard drive.

My wife also clicked on the pop-up...
Dec 19, 2014 11:53PM PST

...and I just happened to have an external drive frame to place the hard drive in. Then I used my antivirus to clean the drive. It works. Now she calls me when she gets a popup. She lets me decide if it is something to cancel or click through.

the Moral of the Story. . . .
Jan 9, 2015 4:47PM PST

Don't click on pop-ups that say you have an infection or virus, unless it is a message from your anti-virus software. I know what the messages from my Avast look like. I also know what the messages from MBAM and the other components of my free security software look like and read like. You should also know what the pop-ups/messages from your computer's anti-malware software look like. If you get malware warnings from anyone else or anywhere else than your own anti-malware software on your own system, do not click on it. If I get a message from Avast that did not come from my system, I email Avast. The most MBAM, Avast, SAS, and others give is general warnings about new or developing malware and responses to it. Infections on your system should come from the software running on your system. KNOW YOUR own SYSTEM, folks. . . .

If Reg Pro says I'm infected, I don't have them and know that they are trying to sell me a cure. It's a common scam to diagnose problems for free and offer to sell the cure. If Glary Utilities says I'm infected, it's crap because they're not installed on my system. I have AOMEI free backup and back up a disk image twice per week because I teach online and use my computer for work. I don't open attachments from people I don't know. Stay away from sites you don't know, like porn sites and other untrusted sites. If you aren't sure, don't go there, or get something like WOT that rates sites as safe and unsafe. Be smart and be savvy. Hitman Pro is not malware, btw. Neither is Combofix or the other legitimate malware prevention software and fixes such as MBAM. Hitman Pro only gives you free service for a limited time. Unless you want to pay for it, it is meant to be used to get rid of malware infections. Once it has done that, once you've seen it in action, as the IT experts here have, you'll know it's legitimate and worth the price if you need it. By the way, the guys at Bleeping Computer are some of the best and most knowledgeable. They've helped me more times than they'll know because I rarely need to submit a question there. I just look on their site for a similar problem and apply the solution they came up with and recommend. It usually works. . . .

hubby not allowed to click pop ups
Jan 10, 2015 10:38AM PST

Under threat, hubby has been instructed to click on nothing that pops up or wants updating. Have not given him admin privileges. Despite his opening his emails and clicking through on his friends' YouTube, etc., so far we are good. As far as ransom, on his machine it would be worthless to pay. There is nothing but original stuff on there. He has no idea what to do with the machine other than access the internet. If he needs help, and I am not available, then he just has to wait. So far, it is working.

Limited accounts won't always save you..
Jan 11, 2015 12:54PM PST

If you don't update your operating system right on time, and applications too, clicking on anything may get you pwned even if you are running as a standard user with limited rights. Clicking on anything is almost like allowing the administrator to take over and let things happen. The UAC will not always pop up with the warning either. Malware like CryptoLocker is some of the worst ever! I posted a site here in the discussion where you can get the free CryptoPrevent solution from the original developer, but Bleeping Computer or Wilders Security Forums may have a link or download also.

On versions of Windows that have Parental Control, you can activate the process guard for that account and very successfully prevent almost anything bad from happening. It is basically a process whitelist.

typical casual user
Jan 12, 2015 2:22AM PST

is what he sounds like, most of it internet related as in browser, email, chat, etc.
For that he can use Firefox, Chrome, Thunderbird in a Linux distro which you install on a virtual hard drive under Windows. You can keep a copy of the VHD or VDI and quickly restore the install if/when needed.

https://www.youtube.com/watch?v=5yJ1d7HhB0s

Please stop confusing ransomware with other problems.
Jan 11, 2015 8:34AM PST

This was not ransomware. You did an excellent job of solving a problem, but not the one under discussion. Your approach would not have restored any encrypted files. At present, the only way to get encrypted data back is to have an offline backup or pay the ransom.

Some ransomware are too simple..
Jan 11, 2015 1:03PM PST

and I have read that decrypting some of the infections is actually pretty easy (after defeating the infection). A search of some of the help sites listed by others is very helpful for the procedure for doing this. I read the instructions and they look easy enough for a newbie to follow, believe it or not. You are correct about the problem though; but apparently in these instances the crooks used weak encryption!

Ransomware
Dec 19, 2014 11:38PM PST

Basically, it is a worm or virus that you somehow acquire on your computer (by download, etc.). It might be a trojan program, one that you downloaded and installed thinking it was something else. It could be a virus attached to a legitimate program. Once installed and activated it can encrypt your hard drive, then post you a message that you need to pay to get your content back. The usual key to this is to entice the victim to install and run the ransomware. Now you are stuck wishing you had backed up your hard drive. One good recent backup (plus incremental backups) and you can wipe and reinstall to eliminate the ransomware. No backups? Then you have two choices... pay up or start over with a fresh install.

Some smug linux users think they are immune but that is only because hackers have little or no interest in linux as a hack victim OS at this time. Any OS can be vulnerable if the user can be gulled into installing and running the ransomware.

never pay ransom
Dec 20, 2014 1:37AM PST

Even if the jerks really were willing to remove it, most are not very well written and don't have uninstallers. I've had good luck removing several for customers. It takes time, but isn't too hard. The best way to make sure that you don't get harmed by this is by doing good backups, often. What I mean is: backup, backup, backup. And if that doesn't work, BACKUP!
With a good backup program, it doesn't matter if you can't get the malware off your disk; you can wipe it and start over. This can even save you money. I've spent as much as 6 hours recovering customer data from infected disks because they didn't backup, and that's a lot of money at my rates. I could have reinstalled them from a proper backup in less than an hour.

Computer literacy and some education is key

Being literate enough to backup your data on a secondary hard drive or thumb drive that is offline is key.
Maybe being literate enough to reinstall your operating system on a second hard drive and being able to replace it and or rebuild your computer.

My motto is not to let others solicit you, so getting one of those screen messages that your computer is infected is not a reason to click on a popup for virus scanners. Installing software because others encourage you is like letting other people have the keys to your computer. Unless the person is a nerd who knows what he or she is doing, most people are infecting your computer. Paying the bad guy ransom just encourages this kind of behavior.

I think that installing Java and or third party software is your danger.

I run two Virus scanners on purpose against the warning of others. One is for malicious hackers and the other is one that came with the computer.

At work, we have guys that just want to play games at work, so they download these free games online and the virus software has to clean the computer. We are victims at work because employees don't care; they just want to play games or get something for free, and no one writes free software much anymore without bad strings attached.

The other solution is to not keep computers on the internet anymore.

FBI Ransom-Schmansom; And I don't use an anti-virus either.
Jan 5, 2015 2:21AM PST

Having been bit by this clever malware scheme many times from various sites, I developed a few ways to restore my system. Don't pay the ransom! Many of you have great responses to this issue and I have used some. What has worked for me with the least amount of time involved are these:

1. REPAIR METHOD 1: When the virus first loads and appears, cut it off at the knees by turning off your router or computer to prevent further downloading of the program. I have a switch to the router just for this. Forget System Restore; it's been crippled. Reboot to F8 and go into safe mode. Do a search in your OS files for programs dated today. Sort the search by date and delete the files with time stamps within the last 10 minutes or so. Delete all. Reboot and relax. Works 80% of the time.
2. REPAIR METHOD 2: Run MalwareBytes or Glary Utilities (or both) from a USB drive upon booting and remove or quarantine bad files. It's faster than REPAIR METHOD 1 and works about 90% of the time. It's also faster than Method 1 but not as fun, and you learn nothing about the worm.
3. REPAIR METHOD 3: See PREVENT METHOD 1, below.
4. PREVENT METHOD 1: Buy another hard drive and install it. Transfer from the C: drive all data, docs, pics and vids to the new drive. Leave only the OS and software on the C: drive. All other data is on the other drive(s). Clean the drive and then automate a mirror of your OS with Acronis or another system backup scheme. When a virus hits, insert the boot disk and restore the OS and programs. My C: drive is 1 TB and is 67% full. Last time it took only 28 minutes to restore.

Good luck.

Data still susceptible
Jan 9, 2015 9:57PM PST

RedDiamond, your PREVENT METHOD is not a bad idea. But it will still leave your data (D Drive), susceptible to an encryption attack. So periodically, it would be wise to backup all the data on D to an external hard drive, and then unhook that hard drive.

Does anyone know if the encrypter attacks will encrypt the Acronis TIB files? My main PC, (Windows XP), I have a D Drive built into the system. I keep all my stuff, OS, Programs and Data on C. Then periodically make a full image backup, using Acronis, to my D Drive. Nice, because I could do a full image restore, if needed. But I can also extract just one file from the image, or multiple files and/or folders. But if I got hit with an Encryption Attack, and if that also encrypted my Acronis Backup, that would not be good. I suppose I could copy the most recent image file to my external HDD, as well.

data still susceptible
Jan 9, 2015 10:12PM PST

I hope that your D drive is physically a separate drive and not just a partition. If the physical drive fails, there goes your partition. I use Easeus todo which is similar to Acronis. I would not trust any backup file to be immune to malware. So either keep it disconnected or password protect/encrypt it or both.

Separate Drive
Jan 9, 2015 10:28PM PST

Yes, hsweet, my D Drive is a separate physical drive mounted inside my PC. And as regards protection from hardware failures, that was part of my strategy. Extremely unlikely to have both hard drives experience a hardware failure at the same time.

If I were to Password Protect the backup file, when it is created, would that prevent some Encrypter from being able to encrypt it?

encrypting backup files
Jan 10, 2015 1:49AM PST

I asked EASEUS tech support. They said: "If the backup file is encrypted, it would not be accessed and edited by other malware or person mostly." So I plan to do that. I will still be running Bleeping Computer's ListCrilock to check for ransomware encryption before copying to my normally disconnected external hard drive though.

I also have installed FoolishIT's CryptoPrevent and Malwarebytes' Anti-Exploit.

I have more security here than an old lady has chain locks across her front door!
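
The post above describes running a check for ransomware-encrypted files before copying to the normally disconnected external drive, and the thread elsewhere notes that an encrypter will happily encrypt whatever backup is connected. As an added example (not ListCrilock, not EaseUS or any other product's logic), here is a pre-backup scan in Python that refuses to trust files showing three common signs of bulk encryption: a content type whose file no longer starts with its magic bytes, an extra extension appended after a real one (photo.jpg.encrypted), and a plain-text type whose bytes have near-random entropy. The magic-byte table, the entropy threshold and the sample files are this example's own choices.

```python
"""Pre-backup check for signs that files on the data drive have already been
encrypted by ransomware, so the bad copies are not pushed onto the backup
drive.  Heuristics, combined per file:

  1. a content-type extension (.jpg, .pdf, ...) whose file no longer starts
     with that type's magic bytes,
  2. an extra extension appended after a real one (photo.jpg.encrypted),
  3. a plain-text type whose bytes have near-random Shannon entropy.

Assumption: the magic table and entropy limit below are illustrative, not
any product's detection rules.
"""
import math
import random
import shutil
import tempfile
from collections import Counter
from pathlib import Path

MAGIC = {  # extension -> acceptable leading bytes (small table for the demo)
    ".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",), ".gif": (b"GIF87a", b"GIF89a"),
    ".pdf": (b"%PDF",), ".zip": (b"PK\x03\x04",), ".docx": (b"PK\x03\x04",),
}
TEXT_TYPES = {".txt", ".csv", ".ini", ".log"}
TEXT_ENTROPY_LIMIT = 6.0   # bits per byte; English text ~4-5, ciphertext ~8
SAMPLE = 4096              # bytes examined from the head of each file


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte over the byte-value histogram of data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def suspicious_reasons(path: Path) -> list:
    """Why this file looks encrypted/renamed; empty list means nothing found."""
    reasons = []
    suffixes = [s.lower() for s in path.suffixes]
    last = suffixes[-1] if suffixes else ""
    head = path.read_bytes()[:SAMPLE]
    known = lambda s: s in MAGIC or s in TEXT_TYPES
    # 2. real extension followed by a foreign one: photo.jpg.encrypted
    if len(suffixes) >= 2 and known(suffixes[-2]) and not known(last):
        reasons.append(f"extension {last} appended after {suffixes[-2]}")
    # 1. declared type no longer matches the leading bytes
    if last in MAGIC and not any(head.startswith(m) for m in MAGIC[last]):
        reasons.append(f"header does not match {last}")
    # 3. text types should not look like random data
    if last in TEXT_TYPES:
        e = shannon_entropy(head)
        if e > TEXT_ENTROPY_LIMIT:
            reasons.append(f"entropy {e:.2f} too high for {last}")
    return reasons


def scan(root: Path) -> dict:
    """Map relative path -> reasons for every flagged file under root."""
    out = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            r = suspicious_reasons(p)
            if r:
                out[str(p.relative_to(p if False else root))] = r
    return out


def demo() -> dict:
    """Constructed data partition: two clean files, three that should be flagged."""
    rng = random.Random(7)                      # deterministic stand-in for ciphertext
    work = Path(tempfile.mkdtemp())
    (work / "notes.txt").write_text("Meeting at 10, bring the printouts.\n" * 50)
    (work / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0" + rng.randbytes(2000))
    (work / "scan.pdf").write_bytes(rng.randbytes(3000))            # magic gone
    (work / "photo2.jpg.encrypted").write_bytes(rng.randbytes(3000))  # renamed
    (work / "ledger.csv").write_bytes(rng.randbytes(4096))          # text -> noise
    result = scan(work)
    shutil.rmtree(work)
    return result


if __name__ == "__main__":
    for name, why in demo().items():
        print(name, "->", "; ".join(why))
```

Run scan() against the data partition and abort the copy if it returns anything: a genuine JPEG has high entropy too, which is why the entropy test is applied only to text types and the magic test only to types with a known header. Treat a hit as "stop and look", not as proof, and keep the previous backup generation until you have looked.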

Finally someone who addressed the actual problem
Jul 1, 2015 11:58AM PDT

I put several posts on here about PREVENTION, which was the whole gist of the story, but not one upvote. I guess the subject is hopeless for most here on CNET.

Encryption post reply
Jul 1, 2015 1:40PM PDT

It depends on when you replied. If it wasn't for the fact I have this post checked for replies I wouldn't know you said anything at all. The issue I believe is that the shelf life of replies is fairly short and then people move on.

Lightning
Jan 10, 2015 10:44AM PST

In the lightning capital of north America, it is possible to wind up with a fried system, including everything that is hooked up.

LIGHTNING
Jan 10, 2015 9:08PM PST

A nearby friend had his refrigerator fried by a nearby lightning hit. It was not even a direct hit, and the refrigerator was not even plugged in! Enough current was induced in it to have done the damage.

(NT) how nearby was this friend at the time?
Jan 12, 2015 9:29AM PST
Lightning - what?
Jan 12, 2015 3:26AM PST

And this relates to the subject matter how? When we speak of storing things in the cloud this isn't what we mean.

According to Windows Secrets..
Jan 11, 2015 1:15PM PST

I read an article that said the really bad versions of the true cryptolocker bugs will not only encrypt anything connected inside the computer but even networked drives and connected cloud drives!!!

The only way besides previously installing CryptoPrevent is to totally and physically isolate the backup drive. I believe this same reality was discussed on Krebs on Security as well. Nothing stops CryptoLocker from locking your encrypted files too, according to the experts I've read. However, not all CryptoLocker attacks are equal in sophistication; some of them use encryption so weak you can decrypt them after killing the infection processes.

Worst are encrypters
Jan 9, 2015 11:35AM PST

I am a computer tech and have removed dozens of the "your computer is infected" types, fairly simple. Also have removed many of the "FBI Virus - your computer is locked types", most were very simple. The one I dread, and have only seen a few times are the encrypters, like Cryptolocker. Easy to remove the infection, but you are left with the damaged (encrypted) personal files, (docs, pics, music, etc.). Nothing you can really do unless you have a backup such as online or flash drive or external drive (do not leave those connected to the pc all the time though ... otherwise encrypters will get those files too).

Ransomware question
Jan 9, 2015 12:25PM PST

My computer got hit by ransomware and all of my stored pics now have an icon over them. I also had an external hard drive hooked up to the computer, and the pics on it also have icons on them. My question is that I also had music and other things stored on the hard drive; if I hook the hard drive up to an uninfected computer, can it be infected from the external hard drive? I.e., should I junk the whole thing?

If you're careful, then, no
Jan 9, 2015 1:48PM PST

The only way that external drive can infect another machine is if you run an EXE from that drive. There's a good chance that they'll be infected with the virus that started all this. If you only access data, then it (generally) cannot infect your machine.

One exception might be Microsoft Office files. Those may have a script stuck onto them that will run an infected EXE as soon as you open the file. Then, that machine could be infected, too. Dunno if any of the encrypters do that, but it's one possibility that I can think of. There may be other avenues.

Drake Christensen
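
The reply above warns that Office documents recovered from the infected drive may carry a script that launches an executable when opened. Modern Office files (.docx, .docm, .xlsx and friends) are ZIP containers, so a VBA macro module is visible as a part named vbaProject.bin and embedded objects sit under an embeddings/ folder; both can be listed without ever opening the document in Office. The block below is an added example of that triage, written for this thread rather than taken from any poster or product; the sample documents are constructed in memory, and legacy OLE2 binary formats (.doc/.xls) are only recognised, not parsed.

```python
"""Triage of Office documents taken off a drive from an infected machine.

OOXML documents are ZIP containers: a VBA project shows up as a part named
*/vbaProject.bin and embedded OLE objects live under */embeddings/.  Listing
those parts needs only the zip directory, so nothing in the document is
executed or rendered.

Assumption: only the OOXML container is inspected; the legacy OLE2 binary
formats (.doc/.xls/.ppt) are reported as needing a separate tool.
"""
import io
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy binary Office header


def office_risk_parts(blob: bytes) -> list:
    """Findings for one document given its raw bytes; empty list = nothing seen."""
    if blob.startswith(OLE2_MAGIC):
        return ["legacy OLE2 container: macros cannot be listed by this zip check"]
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as z:
            names = z.namelist()
    except zipfile.BadZipFile:
        return ["not an OOXML (zip) document"]
    findings = []
    for name in names:
        lower = name.lower()
        if lower.endswith("vbaproject.bin"):
            findings.append(f"VBA project: {name}")
        elif "/embeddings/" in lower:
            findings.append(f"embedded object: {name}")
    return findings


def build_docx(parts: dict) -> bytes:
    """Constructed sample: a minimal OOXML-style zip containing the given parts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", b"<Types/>")
        for name, data in parts.items():
            z.writestr(name, data)
    return buf.getvalue()


def demo() -> dict:
    """Five constructed files as they might come off the recovered drive."""
    samples = {
        "memo.docx": build_docx({"word/document.xml": b"<w:document/>"}),
        "invoice.docm": build_docx({"word/document.xml": b"<w:document/>",
                                    "word/vbaProject.bin": b"\x01\x16\x01\x00"}),
        "report.docx": build_docx({"word/document.xml": b"<w:document/>",
                                   "word/embeddings/oleObject1.bin": b"MZ" + b"\x00" * 16}),
        "old.doc": OLE2_MAGIC + b"\x00" * 32,
        "photo.jpg": b"\xff\xd8\xff\xe0",
    }
    return {name: office_risk_parts(blob) for name, blob in samples.items()}


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, "->", findings or "clean")
```

A VBA project or an embedded object is a reason to inspect the file on a machine that is not your main one, not proof of malice; plenty of legitimate spreadsheets carry macros. The useful property is the direction of the check: it tells you what is inside before anything gets a chance to run, which is exactly the order you want when the files came from a compromised disk.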