Ransomware is a malicious program that infects a computer and then locks or encrypts some of its contents, preventing users from accessing their computer or data. Commonly, after the ransomware is loaded on the user's computer, a message is displayed demanding payment to unlock it. Ransomware varies in how difficult it is to remove and in how much it locks, ranging from a few files to the entire hard drive.
How to protect your computer from ransomware
There are several main ways to protect your computer from being infected with ransomware.
- At least monthly, check for and install any updates and patches for your computer's operating system and software.
- Install an antivirus and anti-malware program, and keep the program updated.
- Do not click a website link, download a file, or open an attachment in an e-mail if you do not recognize the sender of the e-mail. The link, file, or attachment may contain ransomware.
- If a program tries to install on your computer, and you don't recognize the program or did not initiate the install yourself, cancel or block the installation.
- Do not connect a USB (universal serial bus) flash drive to your computer if you do not know where the drive came from. If you receive a USB flash drive at a trade show or from a non-reputable vendor, it could contain ransomware.
At least once a month, if not more often, create a backup of any important files. While backing up your files doesn't prevent ransomware, it does allow you to restore your files if your computer is infected with ransomware and files are encrypted. This assumes the backup itself has not also been corrupted or encrypted, so keep backups disconnected from the computer when not in use and check that they can be restored.
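One way to check that a backup is still the clean copy you made, as an added example that is not part of the original article: record a SHA-256 manifest when the backup is taken, then, before trusting or overwriting it, compare every file against the manifest and flag any changed file whose bytes look encrypted (near-maximum Shannon entropy). The directory layout, file names and contents below are constructed for the demonstration; the 7.5-bit entropy threshold is an assumption, chosen because plain documents score well below it and encrypted data scores close to 8.

```python
"""Backup manifest check: detect backup files that were modified, removed,
or replaced by encrypted-looking content after the backup was taken.
Added example; not code from the original article. Sample files are constructed."""
import hashlib
import json
import math
import os
import shutil
import tempfile
from collections import Counter

ENTROPY_THRESHOLD = 7.5  # assumption: bits per byte above which data looks encrypted


def sha256_file(path: str) -> str:
    """Hash a file in chunks so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; text is typically 4-5, encrypted data about 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path: str, sample: int = 65536) -> bool:
    """Heuristic: a sufficiently large, high-entropy prefix suggests encryption."""
    with open(path, "rb") as f:
        data = f.read(sample)
    return len(data) >= 256 and shannon_entropy(data) > ENTROPY_THRESHOLD


def build_manifest(root: str) -> dict:
    """Map each file's path (relative to root) to its SHA-256 at backup time."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def verify_backup(root: str, manifest: dict) -> dict:
    """Compare the backup directory against its manifest and classify each file."""
    report = {"ok": [], "modified": [], "missing": [], "suspicious": []}
    for rel, digest in manifest.items():
        full = os.path.join(root, rel)
        if not os.path.exists(full):
            report["missing"].append(rel)
        elif sha256_file(full) != digest:
            report["modified"].append(rel)
            if looks_encrypted(full):
                report["suspicious"].append(rel)  # changed AND looks encrypted
        else:
            report["ok"].append(rel)
    return report


def demo() -> dict:
    """Build a constructed backup, take its manifest, damage it, then verify."""
    root = tempfile.mkdtemp(prefix="backupdemo_")
    try:
        docs = os.path.join(root, "docs")
        os.makedirs(docs)
        with open(os.path.join(docs, "notes.txt"), "w") as f:
            f.write("quarterly notes\n" * 50)
        with open(os.path.join(root, "readme.txt"), "w") as f:
            f.write("hello\n" * 20)
        with open(os.path.join(root, "todo.txt"), "w") as f:
            f.write("todo\n")
        manifest = build_manifest(root)
        # Simulated damage: notes.txt replaced by maximum-entropy bytes
        # (every byte value equally often), todo.txt deleted.
        with open(os.path.join(docs, "notes.txt"), "wb") as f:
            f.write(bytes(range(256)) * 16)
        os.remove(os.path.join(root, "todo.txt"))
        return verify_backup(root, manifest)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Store the manifest somewhere the backup medium cannot overwrite (for example, alongside an offline copy), since a manifest that sits next to the files it describes can be destroyed with them.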
How to remove ransomware from your computer
Depending on the level of infection on your computer and whether you have an antivirus or anti-malware program installed, you may be able to remove the ransomware. If you still have some access to your computer, follow the steps below.
If the ransomware encrypts files on your computer, those files can remain encrypted even after removing the ransomware.
- Reboot your computer to Safe Mode.
- Open the antivirus or anti-malware program installed on your computer.
- Run a virus and malware scan to find and remove the ransomware.
If you do not have any access to your computer or cannot boot the computer to Safe Mode, you can try the following.
- Remove the hard drive from the computer and connect it externally to another computer using a hard drive enclosure. Run a virus and malware scan on that hard drive to try to remove the ransomware.
- Take your computer, or the hard drive if it's easily removable, to a computer repair shop. They can connect a hard drive to another computer for virus and malware removal.
If the ransomware cannot be removed, or too many files are encrypted for the computer to be usable, restore the computer to factory settings. Restoring the computer erases all data and gets it back to working condition.
History of ransomware and notable attacks
The first known ransomware attack was the AIDS Trojan in 1989. Created and initiated by Joseph Popp, the AIDS Trojan encrypted file names and hid those files in another location on the computer's hard drive. Victims were informed they needed to pay $189 to get the decryption key. Analysis later showed that the decryption key was included in the ransomware's code and could be extracted without paying the ransom.
In September 2013, the Cryptolocker ransomware was released and infected many computer systems globally. It mainly spread through e-mail attachments but also utilized the Gameover ZeuS botnet to infect some computers. The spread of Cryptolocker was stopped in May 2014, and it was estimated that over $27 million was paid by victims as ransom, the largest ransomware total to date.
In May 2017, the WannaCry ransomware was released, utilizing the EternalBlue exploit, which reportedly was discovered by the NSA (National Security Agency) and subsequently leaked to the public. WannaCry infected over 230,000 computers across more than 150 countries and demanded $300 for each infected computer.
The SamSam ransomware was also released in May 2017 by Mohammad Mehdi Shah Mansouri and Faramarz Shahi Savandi. SamSam targeted JBoss servers at government and healthcare locations, using brute-force tactics to break weak passwords. About $6 million in total ransom money was paid, and an estimated $30 million in damages was incurred from SamSam attacks.
In May 2021, the U.S. Colonial Pipeline company was a victim of ransomware, attacked by the DarkSide hacker group. The attack caused Colonial Pipeline to temporarily shut down their main oil pipeline, which supplies 45% of the fuel for U.S. East Coast states. DarkSide demanded a ransom of $4.4 million, which the company paid. However, the U.S. Department of Justice did recover $2.3 million of that ransom payment.
The single biggest global ransomware attack infected MSPs (managed service providers) that used Kaseya software on July 2, 2021. The attack infected thousands of companies in at least 17 different countries.