Ransomware - should I pay or not?

10 April 2015 by Kamila Łopińska

Ransomware has been a growing threat for several years now. It aims to reach a computer, block the user’s access to the operating system or files, and extort ransom for unlocking the machine. Ransomware is evolving rapidly and finding new ways of compromising machines. Depending on the mechanisms used, it can result in stress and irritation, or pose a serious security threat. How does ransomware work, how can you defend against it, and what to do if your machine has already been infected?

The pattern is almost always the same: the malware is attached to mass-sent spam. Using very sophisticated methods, attackers generate fake messages and entice victims to open the attachments and install the virus on their computers. The emails, purporting to come from delivery companies, telecoms or websites, seek to convince the recipient that the attachment contains an invoice or similar important document. If the user believes this and opens the attachment, the malware will be installed on the user’s machine, which will then block the computer and display a ransom note.

At this stage, in other to keep the victim under psychological pressure the attackers often pose as official authorities, such as police, anti-piracy organisations or even the FBI, then inform the user that their computer has been blocked due to allegedly illegal use and that the victim has to pay a fine to restore access to the machine. The message will often feature a clock counting down the time (e.g. 72 hours) left to pay the ransom, after which the data will be irretrievably lost.

Ransomware – a fake or real danger?

It all depends on what kind of virus it is. Ransomware works at two basic levels: first of all, it blocks access to the operating system, but it can also encrypt all the files and folders accessible from the infected machine. In the first case, the attack is irritating rather than dangerous; in the latter case – your data is gone.

If the virus has just blocked access to the operating system, you are dealing with a scareware attack, which aims to scare you into paying the ransom. Such attacks are relatively easy to stop. Even if the computer has been blocked, you can use a good antivirus software, for instance by running it from a rescue disc, to scan your system and deactivate the virus. Advanced users can even remove ransomware on their own.


If you encounter more advanced ransomware, after unblocking the system you may find that all your files and folders have been encrypted. This is how CryptoLocker works. At the time of writing, it is the most sophisticated ransomware variant yet, which encrypts all the files on the computer and can even encrypt network resources. So even if you use automatic backup software and the backup is available on the network during the attack, the backup will be encrypted as well.

After you open an infected attachment, CryptoLocker is installed on your computer, downloads a private key from a server controlled by the attackers, and then encrypts your files with a 2048-bit RSA algorithm. Next, a message is displayed indicating you have 72 hours to pay the ransom. After that, the programme will be automatically uninstalled – along with the public key, rendering your files impossible to decrypt.

The same will happen if you uninstall the programme yourself or with any antivirus software: the public key will be removed as well, leaving you with unusable files which, for the time being, cannot be decrypted.

Should I pay the ransom, then?

Even if you decide to pay up the ransom, you have no guarantee you will receive the key to decrypt your files. The authors were decent enough to make sure that after the ransom has been paid, the system should automatically decrypt the contents of your computer, but due to the activities of security experts and the police, some of the servers on which the whole system runs have been closed down, so the decryption process does not always work as intended. This means that apart from losing money, you might end up losing all your encrypted data anyway. However, some cyber security companies decided to put their heads together and managed to create a system that would tell you what CryptoLocker key was being used which would allow victims to unlock their files without having to pay a penny.

How do I protect myself?

  • do not open emails, let alone attachments, from unknown, unconfirmed or suspicious sources; common sense is the most effective protection against the virus;
  • protect your computer with reliable software and keep it updated; new generations and variants of ransomware keep haunting the web, so you should always have an up-to-date signature database;
  • always make a backup your most critical files and store it offline (on a CD, memory stick or an external drive);
  • if possible (i.e. if there are no sensitive information considerations), store your files in a cloud, using DropBox, Google Drive, etc.