
How Do I Avoid Ransomware?

How can I prevent this new risk of criminals encrypting files on my hard drive and then demanding a ransom to unlock the data? Is having a router and software firewall enough?

In other words, how do you avoid ransomware?

Let’s look at ransomware – software that holds your computer hostage until you pay up – and how best to protect yourself.

Spoiler alert: you already know the answer.


What is ransomware?

First, ransomware is nothing new. It’s received a lot of press lately, but the technique has been around for a while.

Ransomware is simply malware that encrypts a large number of files on your machine and then holds them hostage until you pay some exorbitant fee (hence the name) to regain access. Recent variants use good encryption, so once your machine has fallen victim, the outlook can be pretty bleak.

But note the word I used: malware.

Please understand this: ransomware is just malware. It’s nothing more than spyware or a virus or whatever you want to call it. It’s just another thing hackers can do once they gain access to your computer.

Don’t get me wrong – ransomware sets itself apart because it’s very destructive malware, but it’s still just malware.

That should give you a huge clue on how to avoid it.

How to avoid ransomware

You avoid ransomware exactly the same way you avoid all viruses and malware.

  • You should have a firewall. A router is probably good enough, although adding a software firewall is fine if you’re particularly concerned.
  • Run up-to-date anti-malware tools. I happen to recommend Windows Defender (formerly known as Microsoft Security Essentials), but there are many, many others. Make sure they are running and up to date.
  • Keep your system and software up to date. Yes, this means letting Windows automatically update itself, as well as any applications that have self-updating capabilities.
  • Use common sense: don’t download random things from the internet, and don’t open attachments you aren’t completely certain are valid and correct.

In short, do all the things you should already be doing to keep yourself safe on the internet.

Ransomware happens to be just one kind of threat – yes, a particularly nasty one – but one from which you protect yourself in exactly the same way you protect yourself from all malware.

Perhaps even more important: back up

Having a good and recent backup[1] can save you almost immediately.

If you find your machine has been encrypted by ransomware on Tuesday, restoring a backup you took on Monday could make it almost a non-event. Aside from any work done since the Monday backup, you’d have your machine back up and running in no time, without paying any ransom.

There is almost nothing a good backup can’t save you from. This is another case where even something as scary as ransomware doesn’t necessarily need to get in your way.
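The Monday-backup, Tuesday-infection scenario above, the footnote about connected backup drives being encrypted, and the comments below about rotating drives all come down to one property: a backup run must never overwrite the only good copy. The following Python script is an added example (not Ask Leo!'s own tooling) of a generation-based backup that keeps each run in its own timestamped snapshot, verifies it with a hash manifest, and restores from the newest snapshot taken before the incident. The directory names, dates and "ciphertext" bytes are constructed for the demonstration.

```python
"""
Generation-based backup with point-in-time restore.

Added illustration, not Ask Leo!'s own tooling: every run copies the source
tree into a new timestamped snapshot directory and keeps the newest
KEEP_GENERATIONS snapshots. A run never overwrites an earlier snapshot, so a
later run that copies already-encrypted files cannot destroy the good copy
taken before the infection. File names, dates and the "ciphertext" bytes are
constructed for the demonstration.
"""
import hashlib
import shutil
import tempfile
from datetime import datetime
from pathlib import Path
from typing import Dict, List, Optional

KEEP_GENERATIONS = 3      # how many snapshots to retain (assumption)
STAMP = "%Y%m%dT%H%M%S"   # sorts lexicographically in time order
MANIFEST = ".manifest"


def _sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def list_snapshots(backup_root: Path) -> List[Path]:
    return sorted(d for d in backup_root.iterdir() if d.is_dir())


def take_snapshot(source: Path, backup_root: Path, when: datetime) -> Path:
    """Copy `source` into backup_root/<timestamp>, record hashes, prune old generations."""
    snap = backup_root / when.strftime(STAMP)
    shutil.copytree(source, snap)
    hashes = {str(p.relative_to(snap)): _sha256(p) for p in snap.rglob("*") if p.is_file()}
    (snap / MANIFEST).write_text("\n".join(f"{h} {n}" for n, h in sorted(hashes.items())))
    for old in list_snapshots(backup_root)[:-KEEP_GENERATIONS]:
        shutil.rmtree(old)  # only the oldest generations are ever removed
    return snap


def latest_snapshot_before(backup_root: Path, cutoff: datetime) -> Optional[Path]:
    """Newest snapshot taken strictly before `cutoff` (e.g. when the ransom note appeared)."""
    older = [d for d in list_snapshots(backup_root) if d.name < cutoff.strftime(STAMP)]
    return older[-1] if older else None


def verify_snapshot(snap: Path) -> bool:
    """Recompute every hash and compare with the manifest written at backup time."""
    for line in (snap / MANIFEST).read_text().splitlines():
        digest, name = line.split(" ", 1)
        if _sha256(snap / name) != digest:
            return False
    return True


def restore(snap: Path, target: Path) -> None:
    if target.exists():
        shutil.rmtree(target)
    shutil.copytree(snap, target, ignore=shutil.ignore_patterns(MANIFEST))


def demo() -> Dict[str, object]:
    """Monday backup, Tuesday encryption, Tuesday-night backup of the damage, then restore."""
    work = Path(tempfile.mkdtemp())
    src, bak, out = work / "docs", work / "backups", work / "restored"
    src.mkdir()
    bak.mkdir()
    (src / "report.docx").write_bytes(b"quarterly report, clear text")  # constructed
    monday = take_snapshot(src, bak, datetime(2016, 12, 12, 2, 0))
    # Tuesday: the original is replaced by ciphertext plus a ransom note (constructed).
    (src / "report.docx").unlink()
    (src / "report.docx.locked").write_bytes(b"\x8f\x11\xa3\x00\x42")
    (src / "README_DECRYPT.txt").write_bytes(b"pay up")
    take_snapshot(src, bak, datetime(2016, 12, 13, 22, 0))  # the damage is backed up too
    good = latest_snapshot_before(bak, datetime(2016, 12, 13, 9, 0))  # when it was noticed
    if good is None or not verify_snapshot(good):
        raise RuntimeError("no intact snapshot before the incident")
    restore(good, out)
    return {
        "restored_from_monday": good == monday,
        "restored_files": sorted(p.name for p in out.iterdir()),
        "content": (out / "report.docx").read_bytes(),
        "latest_is_damaged": (list_snapshots(bak)[-1] / "report.docx.locked").exists(),
    }


if __name__ == "__main__":
    print(demo())
```

The design choice that matters is that pruning removes only the oldest generations: the Tuesday-night run faithfully copies the encrypted files into a new snapshot, but Monday's snapshot is untouched and its manifest still verifies, so the restore succeeds without any ransom. Real backup software (image backups, Dropbox version history) provides the same property under other names; a plain file copy that overwrites its single destination does not.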

Ransomware-specific protection

CryptoPrevent is a popular tool mentioned by many to avoid ransomware. Unfortunately, it doesn’t really avoid it.

Once installed, it blocks specific actions that many ransomware variants are known to perform. Occasionally a legitimate application needs those same actions and gets blocked too, but that’s rare.

If installing CryptoPrevent helps you feel safer, and doesn’t interfere with something else you need, by all means, feel free to install it. It’ll protect you from a lot, including, apparently, even some non-ransomware forms of malware. Naturally, like any anti-malware solution, it can’t prevent everything, but it has a good reputation and some fervent supporters.

My concern with CryptoPrevent is that it focuses exclusively on blocking the malware’s malicious behavior, which means it acts only after the malware is already on your machine. In other words, if CryptoPrevent actually helped, it’s because malware was somehow allowed onto your machine.

I’ll say it again: malware was allowed on your machine.

That’s the problem I believe is far more important to focus on, and I don’t want CryptoPrevent – or any other tool – to give you a false sense of security that leads you to let your guard down.
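To make the "after the fact" nature of behaviour blocking concrete, here is an added Python example of the general technique of behaviour-based ransomware detection. It is not CryptoPrevent's code, and the page does not describe that tool's actual rules; the log format, the thresholds, the process names and the sample events are all constructed. It flags a process that renames document files to a new extension, or rewrites or deletes many documents, within a short sliding window.

```python
"""
Behaviour-based ransomware detection over file-activity events.

Added illustration of the general technique; it is not CryptoPrevent's code
and the page does not describe that tool's rules. A process that renames
document files to a new extension, or rewrites/deletes many documents, within
a short window is flagged. The log format, thresholds and sample events are
all constructed for the demonstration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from pathlib import PurePosixPath
from typing import Deque, Dict, List, Tuple

WINDOW = timedelta(seconds=10)  # sliding window per process (assumption)
THRESHOLD = 5                   # distinct documents changed before alerting (assumption)
DOC_EXT = {".docx", ".xlsx", ".pptx", ".pdf", ".jpg", ".txt"}

# Constructed sample: a word processor saving one file repeatedly, a user
# renaming one file, and a process mass-renaming documents then dropping a note.
SAMPLE_LOG = """\
2016-12-13T08:55:00 proc=explorer.exe op=RENAME path=/home/u/docs/old.txt new=/home/u/docs/old.bak
2016-12-13T09:00:00 proc=winword.exe op=WRITE path=/home/u/docs/memo.docx
2016-12-13T09:00:03 proc=winword.exe op=WRITE path=/home/u/docs/memo.docx
2016-12-13T09:00:05 proc=cryptor.exe op=RENAME path=/home/u/docs/a.docx new=/home/u/docs/a.docx.locked
2016-12-13T09:00:06 proc=cryptor.exe op=RENAME path=/home/u/docs/b.xlsx new=/home/u/docs/b.xlsx.locked
2016-12-13T09:00:07 proc=cryptor.exe op=RENAME path=/home/u/docs/c.pdf new=/home/u/docs/c.pdf.locked
2016-12-13T09:00:08 proc=cryptor.exe op=RENAME path=/home/u/pics/d.jpg new=/home/u/pics/d.jpg.locked
2016-12-13T09:00:09 proc=cryptor.exe op=RENAME path=/home/u/docs/e.pptx new=/home/u/docs/e.pptx.locked
2016-12-13T09:00:10 proc=cryptor.exe op=RENAME path=/home/u/docs/f.docx new=/home/u/docs/f.docx.locked
2016-12-13T09:00:11 proc=cryptor.exe op=WRITE path=/home/u/docs/README_DECRYPT.txt
2016-12-13T09:00:30 proc=winword.exe op=WRITE path=/home/u/docs/memo.docx
"""


def parse_event(line: str) -> Tuple[datetime, str, str, str, str]:
    """Return (timestamp, process, operation, path, new_path) for one log line."""
    stamp, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(stamp), kv["proc"], kv["op"], kv["path"], kv.get("new", "")


def is_suspicious(op: str, path: str, new: str) -> bool:
    """Destructive change to a document: extension-changing rename, overwrite or delete."""
    ext = PurePosixPath(path).suffix.lower()
    if ext not in DOC_EXT:
        return False
    if op == "RENAME":
        return PurePosixPath(new).suffix.lower() != ext
    return op in ("WRITE", "DELETE")


def detect(lines: List[str]) -> List[Dict[str, object]]:
    """One alert per process whose distinct-document change count reaches THRESHOLD in WINDOW."""
    recent: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)
    alerts: List[Dict[str, object]] = []
    alerted = set()
    for line in lines:
        if not line.strip():
            continue
        ts, proc, op, path, new = parse_event(line)
        if not is_suspicious(op, path, new):
            continue
        window = recent[proc]
        window.append((ts, path))
        while window and ts - window[0][0] > WINDOW:
            window.popleft()  # drop events that fell out of the sliding window
        touched = {p for _, p in window}
        if len(touched) >= THRESHOLD and proc not in alerted:
            alerted.add(proc)
            alerts.append({"proc": proc, "at": ts.isoformat(), "files": len(touched),
                           "sample": sorted(touched)[:3]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

Run against the sample, the detector raises exactly one alert, for cryptor.exe, at the fifth renamed file. That is the whole point of the section above: by the time a behaviour blocker can act, the process is already running and four files are already gone, which is why keeping malware off the machine in the first place, and having a backup, matter more than any such rule. The same rule also shows the caveat about legitimate software: a sync client or a bulk document converter that rewrites many files in a few seconds would trip it just as readily.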

Should I pay the ransom?

No. Never.

Paying them just encourages them to keep doing this. Sadly, enough people do pay that it has apparently become quite a lucrative endeavor. Don’t be one of those people.

Stay safe, back up, and never negotiate with hostage takers – even when it’s your data they take.


Footnotes & references

[1]: Several people have expressed concern that a backup, if connected, may also be encrypted and held ransom. While technically possible, I believe it remains a rare occurrence – I’ve not heard of any instances, as of this writing. To me it’s much more important that a drive remain connected so that regular backups can happen automatically. More here: Will malware infect the backups on my connected backup drives as well?

34 comments on “How Do I Avoid Ransomware?”

  1. Hi Leo
    If over the years I have learned anything from your columns it is “Image Backups”. I do the same once a week. If anybody out there thinks this a little wimpish, they should dwell instead on the tremendous freedom and power these give the user. Although it is now years since I have had malware, should I ever get it again I will always revert to a backup, regardless of what my scanners tell me.
    Only codicils would be that other backups are advisable, such as Documents, Pictures, etc., and that the user should be able to boot directly into the backup. Booting directly into the backups I am guessing varies a lot from computer to computer. Perhaps Leo you might throw some light on this point?

  2. It’s also very important to keep the third party software like Java, Silverlight, Adobe Reader and Flash up to date! We’ve seen many infections come through unpatched versions of the above.

  3. I read in the local paper here that a local medical business was locked out of their records with ransomware. Apparently the backup drive was also compromised & locked.
    Lesson is do not leave the backup drive permanently attached to the computer, only during backup or reinstall. Perhaps use a cloud solution as well.
    Jp

    • Maybe the backup was performed AFTER the ransomware hit, maybe even after a few days and several backups were backing up encrypted data along with the malware itself…
      Here, the problem is to always remember to connect your backup drive when performing the backup operation. It’s really too easy to forget to connect, and if the drive is not connected, then the backup operation will fail.
      A better option would be to have 2 or 3 backup drives that are used in rotation. In this case, even if you forget to do the rotation, the backup process can still be performed.

    • I had 2 clients hit with ransomware and it’s not so much that the backup drive was connected. More important is what backup software you run. If it is just a straight file copy then you take your chances. If you are running something like Symantec Backup Exec (no plug intended), the ransomware will not encrypt the type of files that the backup software creates. Worked great for us.

  4. johnpro – doing this (not leaving the backup drive attached to the computer) makes running automated backups rather difficult.
    A rather cumbersome solution might be to only connect the backup drive at the end of the day and at the same time disconnect from the internet.
    Is there a less messy alternative?

    • Buy a backup drive that has an easily accessible power switch. Turn it on, make the backup, turn it off. You can leave the interconnecting cable (USB 3 recommended) in place since the drive won’t respond to it while off.

      I use RoboCopy to make a 5-copy rotation backup of my data files. It only updates changed files, and at the end of a normal work day for me it will update a few hundred files and take about 30 seconds to do it. Add a minute or 2 to turn the drive on, allow it to spin up, flush out its buffers when “ejected” and switch it off, and I’m in it for 2-3 minutes a day to back up.

      It’s not an image backup. I do that separately, less frequently, to the same drive.

  5. For the “average” user, these steps are not good enough. Because the average user has no idea what links and sites to avoid. So…

    1) Start at your list
    2) Use OpenDNS on the home network
    3) Install McAfee SiteAdvisor and only click on Green Checkmark links

  6. This is a follow-up on my earlier post.
    In the article a solution to this type of infection is to restore from an earlier backup. In the EBook “Maintaining Windows 7 – Backing Up” automated backup is described in detail. For these to run the external hard drive must be connected.
    However in the several references and articles I have seen on malware that encrypts, I have read that backups can also be encrypted (but whether by encrypting the disk or the image files themselves I have not found).
    What I have read is advice to not leave an external hard drive connected.
    This seems to leave two choices – either do not do scheduled backups, or bet that the protection installed and user competence are such that an infection will not get in.
    I teach older people coming late to computers, amongst other things, the value of scheduled backing up. I would like to be able to give them good advice on this.

  7. @Dean,
    It sounds like the most important thing is to know and follow safe internet practices. If you have a firewall, haven’t downloaded anything suspicious, or clicked on links in emails, then viruses won’t just jump into a computer doing a backup in the middle of the night. So best thing is to teach safe practices.

  8. Thanks Connie.
    I do cover the importance of all the usual advice on protective up-to-date software, keeping the operating system and other software up-to-date, not to click on suspect sites etc. And I also recommend at least regular system backups.
    Nevertheless I have had two examples of those attending classes where they have somehow got malware.
    In one case, action taken was to copy data files to a thumb drive, do a full reinstall of the OS and other software and then add back data files after a check scan.
    In the other, a recent backup was available and was used to restore the computer to its uninfected condition. I use this example to emphasise the value of a recent valid backup.
    The problem then is – what if the infection encrypts files and has also caught the backup?
    The unfortunate user can then no longer get to his files.
    Hence the advice I have given, that scheduled backups are protection against being trapped into downloading malware, is wrong if this happens to be of the encrypting type.

  9. “Should I pay the ransom? No. Never.” – I don’t agree. Given a choice between paying a ransom and losing my data, I’d pay the ransom. It all comes down to how much the data is worth to you. That said, the best option is, of course, to make sure you never have to make that choice.

    • There is no reason to believe that they will unlock your data even if you do pay. After all, they are crooks.

      • If somebody pays over the money, they’ll almost certainly get their data back. Yes, they’re crooks, but they’re also in (illicit) business and it’s in their own interests to provide the decryption mechanism. If it became known that a group didn’t, people and businesses would obviously not be prepared to pay the ransom and their revenue stream would immediately dry up. I’ve actually never heard of a case in which a person hasn’t got their data back after paying the ransom. Even the Assistant Special Agent in Charge of the Cyber and Counterintelligence Program in the FBI’s Boston office advised that payment was often the easiest/only option:

        https://nakedsecurity.sophos.com/2015/10/28/did-the-fbi-really-say-pay-up-for-ransomware-heres-what-to-do/

        There’s really no point in moralising over the rights and wrongs of paying: it’s up to each person to decide how much their data is worth and whether they’d prefer to lose it or be blackmailed into paying criminals and almost certainly get it back. The best advice is, as I said, to make sure you never have to make that choice.

      • Let’s not complicate things. I got infected once. I just reformatted my drive, reinstalled my OS and put back my personal data folder from a backup and I was back in business (without messing around with images). The biggest “hassle” was to re-install programs, which I did as I needed them. Quick and simple. If you find yourself having to pay the ransom, then you have a number of other problems you need to face: First, there is a problem with your backup and recovery scheme. Next, when paying your ransom, you may have exposed yourself to ID theft depending on your payment method. Finally, how do you know if the ransomware didn’t leave a trojan or other junk on your system which will wake up the next month and ask for another ransom? Remember, the ransomware guy is smarter than you are. Never pay a ransom.

        • “Never pay a ransom.” – That’s very easy to say if it’s not your data on the line. If it is your data – and you don’t have a backup – then the decision may be far from easy. As I said, the best option is to ensure that you’re properly backed up and so never have to choose between paying a ransom and losing your data.

  10. I rely on three tools in my arsenal to combat malware, regardless of the type:
    1. Antivirus (Windows Defender on my laptop and Microsoft Essentials on my desktop)
    2. Sandboxie (to virtualize my browsing and to test any new software)
    3. Imaging (scheduled every Monday, Wednesday, and Friday using Macrium Reflect)

    Is this combination 100% bulletproof? Probably 99%. If any malware slips by my antivirus, it will be contained in the sandbox and easily flushed. These two tools alone have kept my systems clean for many years. But if something extraordinary happens and an infection occurs, then I’ll just restore an image taken two or three days ago.

    • Nothing is 100% certain except for death and taxes, but it’s probably better than 99%. I’d add a cloud backup to the mix. Services like Dropbox save your changed files for 30 days, so you should be able to go back to a previous version if your backups become corrupted. This would only protect the files in your Dropbox folders, but I have the paid version and keep all of my personal files in it. It would be inconvenient if it came to that, but I would still have all of my user data.

  11. It’s so good to hear like-minded people doing almost exactly what I have also been doing for years. I am 70+ and always run sandboxed…always! Macrium Reflect backup on Friday each week after a quick cleanup. MSE has been as good as anything as I have not had a problem in years. On top of that it’s mostly just not being stupid: email attachments from unknown parties, red-flagged websites I really don’t need, and just knowing that these days you just can’t trust anyone. Thanks for the nice, reinforcing article. Clas

  12. For the non-techy user the easiest protection is probably paying for online backup such as Backblaze, Carbonite, Crashplan, etc.

    • This is only safe if syncing is not automatic. I got a case where the business used Dropbox to back up their data (which was held on a single laptop). The ransomware encrypted all the files on the hard drive at boot time. The Dropbox folder was set to sync automatically, so all the Dropbox content got instantly overwritten with the encrypted version of the files.
      Their backup solution turned out not to be much help. Since they only had a basic Dropbox account, they lost all the files that had not been edited within the last 30 days.

      • “Since they only had a basic Dropbox account, they lost all the files that had not been edited within the last 30 days.” – All files could have been rolled back to previous, non-encrypted versions up to 30 days after being encrypted. The date the files were last edited is irrelevant. Had the business been using Dropbox Pro, it would have had up to a year in which to roll back to previous versions.

      • As I understand it, the ransomware-encrypted versions of the files would look like edited versions to Dropbox, as that’s what they essentially are, so you should be able to find the previous versions.

        • “So you should be able to find the previous versions.” – So long as it’s less than 30 days since the files were encrypted.

  13. Leo,

    Are you familiar with WinAntiRansom? It’s a cousin to WinPatrol (one of my long-time fav programs). Just wondering if you have any opinion about it.

    Leo, I’ve long followed your expert advice about image backups and also use Carbonite because I teach 1-week engineering seminars in distant locations and it allows me to access files from anywhere in case my laptop croaks / is stolen. (In case of infected files being backed up you can roll back as far as 3 months to previous versions.) OS updates are out of my hands (Windows 10) but I constantly check apps for newer versions. Finally, my password manager lets me use crazy-long, complex, all-different passwords for each account. You can’t be too careful because it’s a wild cyber world out there.

    • Carbonite is a good secondary backup. I use a paid Dropbox account for that. I had Carbonite for a while, but I wanted more control to know exactly what was backing up. Maybe Carbonite is better for people who wouldn’t be able to set up Dropbox to do that, and Carbonite is less expensive. It also keeps my 3 computers, phone and tablet all synchronized. The fact that I can work seamlessly on all my machines proves to me I have it set up correctly. Before, I had to use Teamviewer to get files from my main computer. I haven’t had to use Teamviewer for that since getting the paid Dropbox account. Now Teamviewer is mainly for fixing friends’ computers.

  14. I have saved my backup sessions on a CD or DVD disc for several years. It gives me a stack of discs but the saved data is not on my computer.

  15. Despite the use of site block, Ghostery, NoScript and firewalls, some sites still manage to send a new page command which opens with ” your PC has been locked yadda yadda yadda”. Please be aware that the mere presence of this forced new page does NOT mean your PC is locked. You could be forgiven for thinking so because the open block in the middle of the page is scripted to forbid you from closing the window. BUT, don’t panic – nothing has invaded YET! To close this window you only need to do 2 things. DO NOT PUT ANYTHING IN THE OPENING BLOCK in the demand window; instead, position the mouse over the window close symbol [ X ] and with your other hand – hit the keyboard exit key and click the exit X window with the mouse. Immediately the centre window block disappears. Bingo – gone. No matter what is scripted, the script needs time to figure out its next move, so the quicker these two actions are executed one after the other – it will close the whole page before the rest of the script has time to execute. Hope this helps

  16. Hi Leo. We have a small business which was infected on 12.12.2016 with some type of Ransomware ({email address removed} wanted 22 bitcoins). Unaffordable, so we had the drive removed immediately.
    I had backups so although it has been a pain in the @ss- also because we close for the holiday season today- I have recovered everything except some emails.
    I had to download some programs and drivers on my second drive (which had been reformatted) and at 4pm on 14.12.2016 the virus started creating files again. So I assume one of those legit websites (I’m thinking the accounting software) is hacked. Or the formatted drive still contains that virus.
    Just wanted to let you know my cloud backup and external hard drive were both ransomware encrypted as well- although the three workstations on the network were not. I had another external backup off site a few days old, which is fine.
    These people should face a firing squad. Thanks for the page, very helpful.
