
How to Avoid Ransomware

How can I prevent this new risk of criminals encrypting files on my hard drive and then demanding a ransom to unlock the data? Is having a router and software firewall enough?

In other words, how do you avoid ransomware?

Let’s look at ransomware — software used to hold your data hostage until you pay up — and how best to protect yourself.

Spoiler alert: you already know the answer.


Summary

  • Ransomware encrypts your computer’s data and holds it hostage.
  • Avoid ransomware using the same techniques used to prevent any malware.
  • Backups can save you should you ever get ransomware.
  • Ransomware-specific protections exist and may help, but may add to a false sense of security.
  • Never pay the ransom.

What is ransomware?

Though it continues to get lots of press, ransomware is nothing new.

Ransomware is malware that encrypts files on your machine and then presents a message offering the ability to decrypt and recover your files if you pay a ransom. Most current variants use good encryption, so once you’ve fallen victim, the outlook can be pretty bleak.

Note the word I used: malware.

Please understand this: ransomware is just malware; there’s nothing special about ransomware and how it gets on your machine. It uses techniques like any other malware. Currently, it is most often distributed in email attachments or as downloads of some form.

Ransomware is very destructive malware, but it’s just malware.

That should give you a huge clue on how to avoid it.

How to avoid ransomware

You avoid ransomware the same way you avoid all malware.

  • Run up-to-date anti-malware tools. I recommend Windows Defender, but there are many, many others. Make sure they are running and up to date.
  • Keep your system and software up to date. Yes, this means letting Windows, as well as any applications that have self-updating capabilities, automatically update.
  • Use common sense. Don’t download random things from the internet, and don’t open attachments you aren’t completely certain are valid.

In short, do all the things you should already be doing to keep yourself safe on the internet.

Perhaps even more important: back up

If your machine ever does contract ransomware, having a recent backup[1] can save you almost immediately.

If you get ransomware on Tuesday, restoring to a backup taken on Monday makes it almost a non-event. Aside from any work performed since the Monday backup, you’d have your machine back and running again in no time, without paying any ransom.

There is almost nothing a good backup can’t save you from. This is another case where even something as scary as ransomware doesn’t need to get in your way.

Ransomware-specific protection

CryptoPrevent is a popular tool used to avoid ransomware. Unfortunately, it doesn’t really avoid it.

Once installed, it prevents specific actions many variants of ransomware are known to use. In rare cases, these same types of actions might be required by legitimate applications, but as I said, it’s rare.

Similarly, Windows 10 has added explicit ransomware protection to Windows Defender in the form of “Controlled folder access”.

[Image: Ransomware protection in Windows Defender in Windows 10]

Similar to CryptoPrevent, some applications may have problems if this feature is enabled.
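As an added example (not from the article), here is a PowerShell sequence that deals with that interference problem by turning Controlled folder access on in audit mode first, reviewing what it would have blocked, and allow-listing legitimate tools before enforcing it. The function names, the extra protected folder and the example executable path are assumptions of mine; the cmdlets and event IDs are Windows Defender's own.

```powershell
# Added example (not the article's own code): stage Controlled folder access in
# Windows Defender so legitimate tools are discovered in audit mode before
# blocking is enforced. Run in an elevated PowerShell on Windows 10 with the
# built-in Defender module available.

function Get-CfaStatus {
    # Current mode (0 = Disabled, 1 = Enabled, 2 = AuditMode) and the two lists.
    $p = Get-MpPreference
    [pscustomobject]@{
        Mode             = $p.EnableControlledFolderAccess
        ProtectedFolders = $p.ControlledFolderAccessProtectedFolders
        AllowedApps      = $p.ControlledFolderAccessAllowedApplications
    }
}

function Start-CfaAudit {
    # Audit mode logs what *would* be blocked without blocking anything.
    Set-MpPreference -EnableControlledFolderAccess AuditMode
    # Example of protecting a folder beyond the defaults (assumed path).
    Add-MpPreference -ControlledFolderAccessProtectedFolders "$env:USERPROFILE\Projects"
}

function Get-CfaEvents {
    # Event ID 1124 = audited (would have been blocked), 1123 = actually blocked.
    param([int]$Days = 7)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1123, 1124
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            EventId = $_.Id
            Message = $_.Message   # names the process and the folder it touched
        }
    }
}

function Enable-CfaWithAllowList {
    # After reviewing the audit log, allow the legitimate tools it revealed,
    # then switch from audit to enforcement.
    param([string[]]$AllowedExecutables)
    foreach ($exe in $AllowedExecutables) {
        if (Test-Path $exe) {
            Add-MpPreference -ControlledFolderAccessAllowedApplications $exe
        }
    }
    Set-MpPreference -EnableControlledFolderAccess Enabled
}

# Typical sequence: audit for a week, inspect, then enforce.
Start-CfaAudit
Get-CfaStatus
Get-CfaEvents -Days 7 | Format-Table -AutoSize
# Placeholder path; substitute the backup or sync tools your audit log shows:
# Enable-CfaWithAllowList -AllowedExecutables 'C:\Program Files\ExampleBackup\backup.exe'
```

Backup software is the usual casualty, so check the audit events for it before enforcing.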

If installing CryptoPrevent or enabling Controlled Folder Access helps you feel safer, and doesn’t interfere with something else you need, by all means, feel free to enable them. They’ll protect you from a lot, including even some non-ransomware forms of malware. For the record: I use neither.[2]

My concern with both these approaches is that they focus exclusively on preventing the malware’s malicious behavior, but only after the malware has infected your machine. In other words, if they actually helped, it’s because malware was somehow already allowed on your machine.

I’ll say it again: malware was allowed on your machine.

That’s the problem to focus on. That’s what I believe is most important to prioritize, and I don’t want any tool or technique to give you a false sense of security that leads to letting your guard down.

Should I pay the ransom?

No. Never pay the ransom.

Paying just encourages scammers to keep doing this. Sadly, enough people do pay that it’s apparently turning into quite a lucrative endeavor. Don’t be one of those people.

Stay safe, back up, and never negotiate with hostage takers — even when it’s your data they take.


Footnotes

[1]: Several people have expressed concern that a backup drive, if connected, may also be encrypted and held ransom. While technically possible, I believe it remains rare — I’ve not heard of any instances as of this writing. To me, it’s much more important that a drive remain connected so regular backups happen automatically. More here: Will Malware Infect the Backups on My Connected Backup Drives as Well?

[2]: I did try Controlled folder access some time ago, and discovered that it interfered with some of the tools I use.

34 comments on “How to Avoid Ransomware”

  1. Hi Leo
    If over the years I have learned anything from your columns it is “Image Backups”. I do the same once a week. If anybody out there thinks this a little wimpish, they should dwell instead on the tremendous freedom and power these give the user. Although it is now years since I have had malware, should I ever get it again I will always revert to a backup, regardless of what my scanners tell me.
    The only codicils would be that other backups are advisable, such as Docs, Pictures etc., and that the user should be able to boot directly into the backup. Booting directly into the backups, I am guessing, varies a lot from comp to comp. Perhaps Leo you might throw some light on this point?

  2. It’s also very important to keep the third party software like Java, Silverlight, Adobe Reader and Flash up to date! We’ve seen many infections come through unpatched versions of the above.

  3. I read in the local paper here that a local medical business was locked out of their records with ransomware. Apparently the backup drive was also compromised & locked.
    Lesson is do not leave the backup drive permanently attached to the computer, only during backup or reinstall. Perhaps use a cloud solution as well.
    Jp

    • Maybe the backup was performed AFTER the ransomware hit, maybe even after a few days and several backups were backing up encrypted data along with the malware itself…
      Here, the problem is to always remember to connect your backup drive when performing the backup operation. It’s really too easy to forget to connect, and if the drive is not connected, then the backup operation will fail.
      A better option would be to have 2 or 3 backup drives that are used in rotation. In this case, even if you forget to do the rotation, the backup process can still be performed.

    • I had 2 clients hit with ransomware and it’s not so much that the backup drive was connected. More important is what backup software you run. If it is just a straight file copy then you take your chances. If you are running something like Symantec Backup Exec (no plug intended), the ransomware will not encrypt the type of files the backup software creates. Worked great for us.

  4. johnpro – doing this (not leaving the backup drive attached to the computer) makes running automated backups rather difficult.
    A rather cumbersome solution might be to only connect the backup drive at the end of the day and at the same time disconnect from the internet.
    Is there a less messy alternative?

    • Buy a backup drive that has an easily accessible power switch. Turn it on, make the backup, turn it off. You can leave the interconnecting cable (USB 3 recommended) in place since the drive won’t respond to it while off.

      I use RoboCopy to make a 5-copy rotation backup of my data files. It only updates changed files, and at the end of a normal work day for me it will update a few hundred files and take about 30 seconds to do it. Add a minute or 2 to turn the drive on, allow it to spin up, flush out its buffers when “ejected” and to switch it off, and I’m in it for 2-3 minutes a day to back up.

      It’s not an image backup. I do that separately, less frequently, to the same drive.

  5. For the “average” user, these steps are not good enough. Because the average user has no idea what links and sites to avoid. So…

    1) Start at your list
    2) Use OpenDNS on the home network
    3) Install McAfee SiteAdvisor and only click on Green Checkmark links

  6. This is a follow-up on my earlier post.
    In the article a solution to this type of infection is to restore from an earlier backup. In the EBook “Maintaining Windows 7 – Backing Up” automated backup is described in detail. For these to run the external hard drive must be connected.
    However in the several references and articles I have seen on malware that encrypts, I have read that backups can also be encrypted (but whether by encrypting the disk or the image files themselves I have not found).
    What I have read is advice to not leave an external hard drive connected.
    This seems to leave two choices – either do not do scheduled backups, or bet that the protection installed and user competence are such an infection will not get in.
    I teach older people coming late to computers, amongst other things, the value of scheduled backing up. I would like to be able to give them good advice on this.

  7. @Dean,
    It sounds like the most important thing is to know and follow safe internet practices. If you have a firewall, haven’t downloaded anything suspicious, or clicked on links in emails, then viruses won’t just jump into a computer doing a backup in the middle of the night. So best thing is to teach safe practices.

  8. Thanks Connie.
    I do cover the importance of all the usual advice on protective up-to-date software, keeping the operating system and other software up-to-date, not to click on suspect sites etc. And I also recommend at least regular system backups.
    Nevertheless I have had two examples of those attending classes where they have somehow got malware.
    In one case, action taken was to copy data files to a thumb drive, do a full reinstall of the OS and other software and then add back data files after a check scan.
    In the other, a recent backup was available and was used to restore the computer to its uninfected condition. I use this example to emphasise the value of a recent valid backup.
    The problem then is – what if the infection encrypts files and has also caught the backup?
    The unfortunate user can then no longer get to his files.
    Hence the advice I have given, that scheduled backups are protection against being trapped into downloading malware, is wrong if the malware happens to be of the encrypting type.

  9. “Should I pay the ransom? No. Never.” – I don’t agree. Given a choice between paying a ransom and losing my data, I’d pay the ransom. It all comes down to how much the data is worth to you. That said, the best option is, of course, to make sure you never have to make that choice.

    • There is no reason to believe that they will unlock your data even if you do pay. After all, they are crooks.

      • If somebody pays over the money, they’ll almost certainly get their data back. Yes, they’re crooks, but they’re also in (illicit) business and it’s in their own interests to provide the decryption mechanism. If it became known that a group didn’t, people and businesses would obviously not be prepared to pay the ransom and their revenue stream would immediately dry up. I’ve actually never heard of a case in which a person hasn’t got their data back after paying the ransom. Even the Assistant Special Agent in Charge of the Cyber and Counterintelligence Program in the FBI’s Boston office advised that payment was often the easiest/only option:

        https://nakedsecurity.sophos.com/2015/10/28/did-the-fbi-really-say-pay-up-for-ransomware-heres-what-to-do/

        There’s really no point in moralising over the rights and wrongs of paying: it’s up to each person to decide how much their data is worth and whether they’d prefer to lose it or be blackmailed into paying criminals and almost certainly get it back. The best advice is, as I said, to make sure you never have to make that choice.

      • Let’s not complicate things. I got infected once. I just reformatted my drive, reinstalled my OS and put back my personal data folder from a backup and I was back in business (without messing around with images). The biggest “hassle” was to re-install programs, which I did as I needed them. Quick and simple. If you find yourself having to pay the ransom, then you have a number of other problems you need to face: First, there is a problem with your backup and recovery scheme. Next, when paying your ransom, you may have exposed yourself to ID theft depending on your payment method. Finally, how do you know if the ransomware didn’t leave a trojan or other junk on your system which will wake up the next month and ask for another ransom? Remember, the ransomware guy is smarter than you are. Never pay a ransom.

        • “Never pay a ransom.” – That’s very easy to say if it’s not your data on the line. If it is your data – and you don’t have a backup – then the decision may be far from easy. As I said, the best option is to ensure that you’re properly backed up and so never have to choose between paying a ransom and losing your data.

  10. I rely on three tools in my arsenal to combat malware, regardless of the type:
    1. Antivirus (Windows Defender on my laptop and Microsoft Essentials on my desktop)
    2. Sandboxie (to virtualize my browsing and to test any new software)
    3. Imaging (scheduled every Monday, Wednesday, and Friday using Macrium Reflect)

    Is this combination 100% bullet proof? Probably 99%. If any malware slips by my antivirus, it will be contained in the sandbox and easily flushed. These two tools alone have kept my systems clean for many years. But if something extraordinary happens and an infection occurs, then I’ll just restore an image taken two or three days ago.

    • Nothing is 100% certain except for death and taxes, but it’s probably better than 99%. I’d add a cloud backup to the mix. Services like Dropbox save your changed files for 30 days, so you should be able to go back to a previous version if your backups become corrupted. This would only protect the files in your Dropbox folders, but I have the paid version and keep all of my personal files in it. It would be inconvenient if it came to that, but I would still have all of my user data.

  11. It’s so good to hear like-minded people doing almost exactly what I have also been doing for years. I am 70+ and always run sandboxed…always! Macrium Reflect backup on Friday each week after a quick cleanup. MSE has been as good as anything as I have not had a problem in years. On top of that it’s mostly just not being stupid: email attachments from unknown parties, red-flagged websites I really don’t need, and just knowing that these days you just can’t trust anyone. Thanks for the nice, reinforcing article. Clas

  12. For the non-techy user the easiest protection is probably paying for online backup such as Backblaze, Carbonite, Crashplan, etc.

    • This is only safe if syncing is not automatic. I got a case where the business used Dropbox to back up their data (which was held on a single laptop). The ransomware encrypted all the files on the hard drive at boot time. The Dropbox folder was set to sync automatically, so all the Dropbox content got instantly overwritten with the encrypted version of the files.
      Their backup solution turned out not to be much help. Since they only had a basic Dropbox account, they lost all the files that had not been edited within the last 30 days.

      • “Since they only had a basic Dropbox account, they lost all the files that had not been edited within the last 30 days.” – All files could have been rolled back to previous, non-encrypted versions up to 30 days after being encrypted. The date the files were last edited is irrelevant. Had the business been using Dropbox Pro, it would have had up to a year in which to roll back to previous versions.

      • As I understand it, the ransomware-encrypted versions of the files would look like edited versions to Dropbox, as that’s essentially what they are, so you should be able to find the previous versions.

        • “So you should be able to find the previous versions.” – So long as it’s less than 30 days since the files were encrypted.

  13. Leo,

    Are you familiar with WinAntiRansom? It’s a cousin to WinPatrol (one of my long-time fav programs). Just wondering if you have any opinion about it.

    Leo, I’ve long followed your expert advice about image backups and also use Carbonite because I teach 1-week engineering seminars in distant locations and it allows me to access files from anywhere in case my laptop croaks / is stolen. (In case of infected files being backed up you can roll back as far as 3 months to previous versions.) OS updates are out of my hands (Windows 10) but I constantly check apps for newer versions. Finally, my password manager lets me use crazy-long, complex, all-different passwords for each account. You can’t be too careful because it’s a wild cyber world out there.

    • Carbonite is a good secondary backup. I use a paid Dropbox [2019 Update: switched to paid OneDrive. For the same price as a Dropbox account, I get a license for 5 computers and 1 TB storage each for 5 machines] for that. I had Carbonite for a while, but I wanted more control to know exactly what was backing up. Maybe Carbonite is better for people who wouldn’t be able to set up Dropbox to do that, and Carbonite is less expensive. It also keeps my 3 computers, phone and tablet all synchronized. The fact that I can work seamlessly on all my machines proves to me I have it set up correctly. Before, I had to use TeamViewer to get files from my main computer. I haven’t had to use TeamViewer for that since getting the paid Dropbox account. Now TeamViewer is mainly for fixing friends’ computers.

  14. I have saved my backup sessions on a CD or DVD disc for several years. It gives me a stack of discs but the saved data is not on my computer.

  15. Despite the use of site block, Ghostery, NoScript and firewalls, some sites still manage to send a new page command which opens with “your PC has been locked yadda yadda yadda”. Please be aware that the mere presence of this forced new page does NOT mean your PC is locked. You could be forgiven for thinking so because the open block in the middle of the page is scripted to forbid you from closing the window. BUT, don’t panic – nothing has invaded YET! To close this window you only need to do 2 things. DO NOT PUT ANYTHING IN THE OPENING BLOCK in the demand window; instead, position the mouse over the window close symbol [ X ] and with your other hand hit the keyboard exit key and click the exit X window with the mouse; immediately the centre window block disappears. Bingo – gone. No matter what is scripted, the script needs time to figure out its next move, so the quicker these two actions are executed one after the other, it will close the whole page before the rest of the script has time to execute. Hope this helps.

  16. Hi Leo. We have a small business which was infected on 12.12.2016 with some type of Ransomware ({email address removed} wanted 22 bitcoins). Unaffordable, so we had the drive removed immediately.
    I had backups so although it has been a pain in the @ss- also because we close for the holiday season today- I have recovered everything except some emails.
    I had to download some programs and drivers on my second drive (which had been reformatted) and at 4pm on 14.12.2016 the virus started creating files again. So I assume one of those legit websites (I’m thinking the accounting software) is hacked. Or the formatted drive still contains that virus.
    Just wanted to let you know my cloud backup and external hard drive were both ransomware encrypted as well- although the three workstations on the network were not. I had another external backup off site a few days old, which is fine.
    These people should face a firing squad. Thanks for the page, very helpful.
