Windows 10 has an unnerving habit of throwing up a screen following certain updates that says “all your files are right where you left them“. We don’t been alone on first seeing this, in thinking it might be a ransomware message. Microsoft has said it is planning to change the alert following user complaints.
Real ransomware does just as the Windows message says; it leaves your files in place, but encrypts them, demanding a ransom (usually payable in anonymous bitcoins) for the decryption keys. Ransomware is usually distributed via dodgy email attachments or web links with cash demands that are low enough so that users who are caught out will see coughing-up as the easiest way forward. Consumers are particularly vulnerable, along with smaller business users who lack the protection of enterprise IT security. However, in the age of BYOD and remote working, users from larger organisations are not immune.
Ransomware is usually sent out en-masse, randomly and many times. So, traditional signature-based anti-virus products become familiar with common versions and provide protection for those that use them. In response, criminals tweak ransomware to make it look new and avoid file-based signature detection. To counter this, anti-virus products from vendors such as Trend Micro (which has built-in specific ransomware protection) detect modified ransomware by looking for suspicious behaviours such as the sequential accessing of many files and key exchange mechanisms with command and control servers used by would be extorters.