Saving Private Files: What extortionists demand for decrypting user data

Computer users in many countries are increasingly falling victim to so-called encryption malware – programs that encrypt important data on infected computers and then demand a ransom to decrypt it.

In 2014, over 7 million attempts to carry out such attacks were made against Kaspersky Lab users alone.

Kaspersky Lab experts have prepared an overview of the evolution of encryption malware, as well as advice on how to avoid being affected by this threat.

Encryption malware gets special attention because cybercriminals are continually changing the tools they use, including cryptographic schemes, code confusion techniques, executable file formats, and infection vectors.

This type of malware is usually distributed via spam or attacks against remote administration systems.

The persistence of this form of extortion is easily explained: unlike banking Trojans, which generate an ‘income’ only if the victim uses online banking, a piece of encryption malware, having once infected a computer, will always find something to encrypt and hold to ransom.

Cybercriminals prefer to be paid in the Bitcoin cryptocurrency, which offers them a sufficiently high level of anonymity.

At the same time, it is common for attackers to specify their rates in real-world currencies, such as US dollars, euros or rubles.

The cost of decrypting data for home users starts at 1000 rubles (about $15 or P660) but can be as high as several hundred dollars.

If a corporate computer is infected, the attackers’ demands increase five-fold. Cybercriminals are known to have demanded ransoms as high as 5000 euros to decrypt files.

Sadly, companies that have lost their data often prefer to pay up rather than lose important information.

It comes as no surprise, therefore, that businesses are a prime target for cybercriminals who use encryption malware to make money.

“If files have been successfully encrypted and there is no backup copy, the user has little chance of getting their data back. It would take a mistake by the attacker in terms of the design or implementation of the encryption scheme for a user to be able to decrypt the files - and this rarely happens now,” said Artem Semenchenko, malware analyst at Kaspersky Lab.

“This is why it is important to regularly back up important data and store the backup copies separately from the computer system. We also recommend using the latest versions of security solutions for protection. The System Watcher module included in all our current products not only scans the processes launched in the system and identifies any malicious activity, but also backs up user files if a suspicious program attempts to access them. If the analysis of a program indicates it is malicious, user data is automatically recovered,” Semenchenko advised.