Open-source developers targeted in sophisticated malware attack

For the past few months, developers who publish their code on GitHub have been targeted in an attack campaign that uses a little-known but potent cyberespionage malware.

Developers are valuable targets for cyberspies.

The attacks started in January and consisted of malicious emails specifically crafted to attract the attention of developers, such as requests for help with development projects and offers of payment for custom programming jobs.

The emails had .gz attachments that contained Word documents with malicious macro code attached. If allowed to execute, the macro code executed a PowerShell script that reached out to a remote server and downloaded a malware program known as Dimnie.

According to researchers from Palo Alto Networks, Dimnie has been around since at least 2014, but has flown under the radar until now because it primarily targeted users from Russia.

The malware uses some stealthy techniques to make its malicious traffic blend into normal user activity. It generates requests that appear to be directed to Google-owned domain names, but which in reality are sent to an attacker-controlled IP address.

Dimnie is able to download additional malicious modules that are injected directly into the memory of legitimate Windows processes. These modules leave no traces on disk, which makes their detection and analysis more complicated, the Palo Alto researchers said in a blog post.

There are separate modules for keylogging, screen grabbing, interacting with smartcards attached to the computer and more. There is even a self-destruct module that wipes all files from the system drive in order to destroy traces of the malware’s presence.

Data stolen from an infected computer is encrypted and appended to image headers in an attempt to bypass intrusion prevention systems.

Even though Palo Alto Networks did not attribute these attacks to a particular group, the malware bears striking similarities to other recent attacks that are suspected of being state-sponsored: the use of documents with malicious macros, the use of PowerShell, the loading of malicious code directly in memory, the use of stealthy command-and-control channels and data exfiltration techniques, highly targeted phishing campaigns and more.

Developers can be valuable targets for cyberespionage. Their computers often hold proprietary information and access credentials for their employers’ networks and systems.

The Yahoo breach that resulted in hackers gaining access to the accounts of 500 million users started with a semi-privileged employee falling for a spear-phishing email.

The Dimnie attack campaign seems to have specifically targeted developers who are present on GitHub, a free source code hosting service. This category also includes developers who work for large companies and who publish personal open source projects in their spare time.

In a response to a report about these emails in January, Gervase Markham, who works as a policy engineer at Mozilla, said that he received several such messages to an email address that he only used on Github. This made him believe that the targeting might have been automated.

With access to source code repositories and distribution servers attackers can inject backdoors into software projects or turn the compiled binaries into Trojan horses. This has happened several times in the past. For example, the macOS version of the Transmission BitTorrent client hosted on the project’s official website was found to contain malware on two separate occasions.

5 things the Samsung Galaxy S8’s Bixby artificial intelligence service will do

Could artificial intelligence make devices easier to use? According to Samsung, it sure can, and that’s what it the company out to prove with its Bixby AI service.

Samsung Galaxy S8 and S8+ smartphones

Bixby is being loaded on the Galaxy S8 and S8+ smartphones, which were announced on Tuesday. Bixby is an agent that can help the smartphones talk, recommend, and remind, said Mok Oh, vice president of service strategy at Samsung.

The AI service is being positioned as a more intuitive way to use and interact with smartphones. For example, Bixby can help smartphones execute tasks with a voice command. It also brings cool features like image recognition and language translation on board the S8 smartphones.

Bixby isn’t intended to be a service like Amazon’s Alexa, Microsoft’s Cortana, or Apple’s Siri, though it does have some of their features. It’s also not a replacement for S Voice, which won’t be present on S8 and S8+ but will live on in Tizen devices.

Samsung plans to “Bixby-enable” other devices, such as appliances made by the company, though it is unclear when that will happen, said Werner Goertz, research director at Gartner.

There is a dedicated Bixby button on the smartphones. Samsung didn’t provide a chance to test Bixby and didn’t say when the AI service would come on the new smartphones. It could be available on the smartphones as early as April 21, when the S8 handsets ship, or be pushed out in a software update. Samsung has said the service will mature over time.

Once you long-press the Bixby button, here’s what the S8 handsets should be able to do.

Execute touch commands

Whatever you can do with touch, you can do with voice. That’s what Samsung is aiming for with Bixby.

Give the smartphone a command—like to take a selfie, launch the photo gallery app, or to make a phone call—and the device will be able to decipher it. You can speak out a command in multiple ways, and Bixby will understand it.

Image recognition

The Galaxy S8 smartphones will be able to take pictures, identify objects, and provide context to the images. Samsung provided the example of Bixby recognizing the Flatiron building in New York City and then providing recommendations on places to eat nearby.

This feature is also being linked closely to shopping—users can take an image of a product and post it on Pinterest, which is partnering with Samsung. Users will also be able to take picture of a product and check pricing, shop, or see recommendations of the products from sites of retail partners.

Language translation

Samsung provided an intriguing example of Bixby being able to take a picture of text and translate it into different languages. Samsung didn’t demonstrate how it worked, so there’s no clear sense yet of how this will happen. Bixby supports 52 languages, but the service isn’t based on Samsung’s homegrown technology. Instead, the company using a partner to provide this service. Samsung’s Oh didn’t provide the name of the partner and didn’t say if the company was also using a backend service like Google Translate for the capability.

Learn more about users over time

Over time, Bixby will learn about smartphone usage patterns and anticipate user needs. That feature will manifest in the form of the Samsung Galaxy S8 smartphones organizing and displaying “cards” based on anticipated actions.

For example, in the morning you may automatically see news and weather information, or Bixby may help fire up Uber to contact a cab to take you to work. In the evening, a reminder to set up the alarm may pop up. The goal is to contextualize use from commonly used apps in one single place, said Sriram Thodla, senior director at Samsung.

Which apps?

Bixby shines with the cameras in the S8 smartphones, bringing more context to images. But the bad news: Bixby won’t work with all apps. It is initially being integrated into a few apps like Photo Gallery, with wider app support coming later. Later on, Samsung will provide a software development kit, and developers will get to work with Bixby APIs (application programming interfaces).

The APIs could be helpful to retailers looking to integrate their stores into the Bixby recommendation engine. They will also help internet-of-things device makers that want to create devices for Samsung’s SmartThings device management system, which could get Bixby support later.

Surviving Mars turns catastrophe into inspiration as humanity claws for the stars

Not necessarily educational, but inspirational. That’s the thin line Tropico dev Haemimont Games is aiming for with its newly announced city builder Surviving Mars. Or “colony builder,” really.

Surviving Mars

It’s a game about surviving on Mars, if you can believe it. Tooth-and-nail survival, fighting against a planet that’s indifferent to our arrival. This is no SimCity or Cities: Skylines. You’re not laying down miles of asphalt, zoning blocks for homes and businesses and industry and watching a population magically spring up overnight. Nor is it Tropico, with its comical dictator and his near-infinite powers.

The consequences of failure are so much greater here. People don’t just leave your city for a better place, driving off into the sunset as your poor metropolis collapses into debt. At least not at first.

At first, they die.

Surviving Mars

Surviving Mars

 Surviving Mars is about establishing a human presence in a place not fit for humans, and that’s a slow and complicated process, with plenty of room for error. Colonists during Earth’s own Age of Discovery didn’t know what to expect, but arrived in places with food, with water, with something as simple as oxygen.

Mars? We know exactly what to expect, and it’s not great. Imagine stepping out on the surface of our neighboring planet and there’s just…nothing. None of humanity’s basic necessities. No food, water, or air except what you’ve brought with you.

And so in Haemimont’s estimation, the first step isn’t humans at all. It’s drones. This early stage of colonization took up most of our 30 minute hands-off Surviving Mars demo, while getting us familiar with Haemimont’s idea of a science-heavy city builder.

Surviving Mars

Surviving Mars

 Drones take care of the basics—food, water, shelter, electricity. Once you’ve landed on Mars you’ll send drones off to construct wind turbines and dome shelters and what have you. Robotic mining operations and such too, because all this construction doesn’t just come out of nowhere. Like Earth, you need to exploit Mars’s potential.

Only later will you bring in humans, building out little dome shelters with different districts for housing, entertainment, and the like. Then the stakes get even higher as a single miscalculation can leave your utopian colony a nu-Roanoke.

Minute to minute Surviving Mars looks a lot like any other city builder, but slower. More deliberate. You only have so many resources at a time, and that limits how fast you can develop as you slowly strip-mine the surface. I’m not sure if that holds true for the final game—as I said, our demo was hands-off. Each game you’ll choose a “Sponsor” country to fund the journey, and for all I know playing as the United States or Russia or China or whatever allows for the type of rapid build-up seen in other city builders.

I doubt it though, because that would undermine the tension Haemimont’s building. Surviving Mars is the will-they-won’t-they of the early Jamestown colony, and you’ll need to deal with catastrophe on a regular basis.

Surviving Mars

Surviving Mars

 We don’t see it during our demo, but a few examples are floated. Say your colony relies on a bank of solar panels for power, and then a dust storm ravages the surface of the planet for days on end. Suddenly your power source is gone, and conditions are too dangerous for your drones to construct a new one. Your colony slowly goes dark, humanity’s first foothold on Mars killed by something as simple as wind.

Or: You land on Mars, you get a little drone colony started, everything looks great. To grow bigger you need more supplies though, and as you go to send your rocket back to Earth you realize you have no way to refuel it. (Yes, that’s an actual aspect of Surviving Mars.) Without fuel, the rocket sits on Mars like an enormous monument to your failures.

Threats are ever-present when Haemimont’s discussing Surviving Mars—think Banished, but hundreds of years in the future. It really is treated as a survival game, first and foremost. Expect your first colony to fail outright, or at least to teeter on the brink of failure.

Surviving Mars

Surviving Mars

 And yet Haemimont wants Surviving Mars to be inspirational. That’s the whole reason for the retrofuturist aesthetic, the faux-’60s look of the game. Haemimont says it wants to recapture the optimism of that era, the age when people were excited about space travel, when it seemed like we’d be on Mars by the end of the ’80s let alone by the turn of the millennium.

How do you rectify that with a game about entire colonies of humans dying on Mars? Well, I suppose you do it by making those problems seem imminently solvable. Haemimont is quick to talk about all the research that’s gone into the game, the papers read and the plans studied.

Surviving Mars is science fiction by today’s standards, but only just. The problems humanity will face in Surviving Mars are very real, but so are the solutions—or if they don’t quite exist, they’re at least not far off. Plausible. Grounded.

If you can get a colony up and running in Surviving Mars, the implication is that humanity can also get one running in real life. It may take some doing, it may take a worldwide investment and a global push, but the possibility is there. And in that way, Haemimont takes a brutal game and spins it into a testament to human survival.

Fascinating, I think.

We’ll know more as the game rolls towards its 2018 launch date, and I’m particularly looking forward to getting some hands-on time with the game. A lot of what Haemimont said during our demo sounds great, but there’s no substitution for trying it out. Just how hard is it, for example? And what’s there for the player to really do once basic day-to-day needs are accounted for?

But I’m about as optimistic as Haemimont’s lil’ space people. With Tropico, Haemimont proved willing to push the city builder out from its comfort zone, and Surviving Mars seems even more ambitious. Keep an eye on this one.

Amazon Echo’s Alexa is getting push notifications, but they won’t annoy you

Alexa, Amazon’s digital assistant, has more than 12,000 skills available, and in the coming weeks some of them will be able to send notifications to your Echo and other Alexa-enabled devices.

An image of an Amazon Echo 2

To start, just four skills will have notifications available including AccuWeather, JustEat, Life360, and The Washington Post. Shopping updates from Amazon’s storefront are also coming presumably for item price tracking and the like. Amazon didn’t say when notifications would go live for users other than it will happen “soon.”

These notifications won’t work the same as they do on your phone, where every app immediately wants to start buzzing. Instead, Alexa notifications have to be enabled by users on a per-skill basis.

When a notification arrives there will be a chime, and Echo devices will also have a pulsing green light. The smart speakers won’t just start blurting out whatever the information is when a notification lands, either. Instead, users will have to say “Alexa, what did I miss?” or “Alexa, what are my notifications?” Then Alexa will fill them in on breaking news or weather updates.

Anyone who regrets enabling notifications will be able to get rid of them. Users can also temporarily stop notifications by putting Alexa into “do not disturb” mode via voice command or the Alexa app.

While notifications are starting small, Amazon will make the feature available to all developers in the coming months. At that point, Alexa fans can expect many more skills to be notifications-ready.

The impact on you at home: While it may sound handy to get notifications on your Echo device it really only makes sense for certain situations. To get your notifications, you still have to ask Alexa to give up the goods, which makes news and weather seem kind of pointless since you could just ask for them instead. That said, some skill notifications make all kinds of sense, including food delivery or Life 360’s family location information. The key will be to figure out which skills really need notifications, and which ones you’re better off using on an on-demand basis.

Arrow’s selling the Raspberry Pi 3 model B for under $25

The Raspberry Pi 3 Model B is a flexible little piece of tech. You can use it for hardware hacking projects, as a home theater PC (HTPC), or even a retro gaming setup. It’s already dirt cheap at the standard price of $35, but right now Arrow is offering it for $24.50 after a 30 percent discount.

That discount isn’t quite as good as the 36 percent discount on Amazon in February, but it’s close—and more importantly, the price is better. To take advantage of the sale, enter the code RASPI30 at checkout.

For your money, you get the most bare-bones of bare-bones PCs. A Raspberry Pi device features only the PCB board and its attached components. There’s no case or power supply included, so you’ll have to obtain those separately. Most people likely already have what they need for power—a micro USB cable and a spare 5W charger—but the case will likely have to be purchased if you don’t already have one on hand.

The board itself features a 1.2GHz quad-core 64-bit Broadcom ARMv8 processor, 1GB of RAM, built-in Wi-Fi and Bluetooth, four USB 2.0 ports, HDMI, ethernet and a microSD slot. If you need ideas for what you can do with it, we’ve got both practical and whimsical suggestions for you.

raspberry pi 3 motherboard

Google’s new TPUs are here to accelerate AI training

Google has made another leap forward in the realm of machine learning hardware. The tech giant has begun deploying the second version of its Tensor Processing Unit, a specialized chip meant to accelerate machine learning applications, company CEO Sundar Pichai announced on Wednesday.

tpu person forwebonly final

The new Cloud TPU sports several improvements over its predecessor. Most notably, it supports training machine learning algorithms in addition to processing the results from existing models. Each chip can provide 180 teraflops of processing for those tasks. Google is also able to network the chips together in sets of what are called TPU Pods that allow even greater computational gains.

Businesses will be able to use the new chips through Google’s Cloud Platform,as part of its Compute Engine infrastructure-as-a-service offering. In addition, the company is launching a new TensorFlow Research Cloud that will provide researchers with free access to that hardware if they pledge to publicly release the results of their research.

It’s a move that has the potential to drastically accelerate machine learning. Google says its latest machine translation model takes a full day to train on 32 of the highest-powered modern GPUs, while an eighth of a TPU Pod can do the same task in an afternoon.

Machine learning has become increasingly important for powering the next generation of applications. Accelerating the creation of new models means that it’s easier for companies like Google to experiment with different approaches to find the best ones for particular applications.

Google’s new hardware can also serve to attract new customers to its cloud platform, at a time when the company is competing against Microsoft, Amazon, and other tech titans. The Cloud TPU announcement comes a year after Google first unveiled the Tensor Processing Unit at its I/O developer conference.

Programming algorithms that run on TPUs will require the use of TensorFlow, the open source machine learning framework that originated at Google. TensorFlow 1.2 includes new high-level APIs that make it easier to take systems built to run on CPUs and GPUs and also run them on TPUs. Makers of other machine learning frameworks like Caffe can make their tools work with TPUs by designing them to call TensorFlow APIs, according to Google Senior Fellow Jeff Dean.

Dean wouldn’t elaborate on any concrete performance metrics of the Cloud TPU, beyond the chips’ potential teraflops. One of the things that a recent Google research paper pointed out is that different algorithms perform differently on the original TPU, and it’s unclear if the Cloud TPU behaves in a similar manner.

Google isn’t the only company investing in hardware to help with machine learning. Microsoft is deploying field-programmable gate arrays in its data centers to help accelerate its intelligent applications.

This story has been corrected to clarify availability of the Cloud TPU as part of Google Compute Engine.

Google launches Android O in beta with Google Play Protect and helpful interface tweaks

Android O has been available as a Developer’s Preview for a while now, but at the Google IO conference, Google took the wraps off some new features designed to make the next-gen version of Android more accessible, secure, and long-lasting.

android o

Let’s start with “Fluid Experiences,” or aesthetic design tweaks to the operating system. Android O actually adds some handy new features on this end, such as a “picture-in-picture” mode that minimizes an open app to a small window in the corner if you need to multitask. Who says you can’t multitask on phones?

android o picture in picture


Android O’s picture-in-picture.

 Another addition, “notification dots,” steals the look of iOS’s notification bubbles on home screen apps, but makes it more useful. A dot plopped on a home screen app means you have a notification from it; long-pressing the app’s icon will pop the notification details up right there, over the icon.
  android notification dots


Android O’s notification dots.

 Other Fluid Experiences take the hassle out of everyday tasks. An opt-in autofill function taps into Chrome’s password saving feature to help you easily log into standalone apps, while a smart text selection feature uses on-device machine learning to automatically select the entire name or address you’re trying to select.

Even better? Those smart selections come accompanied with relevant contextual actions, such as the option to call a selected phone number, or open an address in Maps.


Google is also focusing on your device’s core health in Android O, via security enhancements and tweaks to the core operating system.

android google play protect


 Most noticeably, all Android O devices that come with Google Play preinstalled will also ship with a new app called Google Play Protect. Think of it as a security hub for your phone, scanning your apps for malware and generally making sure your device stays secure. None of it is really new, per se, but it was all handled in the background before. Google Play Protect makes it obvious.
android boot times


 Operating system optimizations also help Android O devices boot twice as fast as their predecessors, Google says, and apps load much faster as well. Google is also baking “wise limits” into Android O to tame apps that want to run wild in the background—saving your precious battery life.

Android Go

Finally, Android O marks the debut of a new initiative dubbed Android Go. Android Go is designed to run better on phones with limited hardware, in regions with limited Internet connectivity. It features streamlined versions of Android and Google’s core apps, along with a self-contained version of the Play Store, and enables Google’s Data Saver feature by default. Look for it on phones with less than 1GB of memory.

HP rolls out patch to stop keylogging bug in some laptops

Consumers with HP laptops that have been accidentally recording their keystrokes can easily address the problem with a patch from the PC maker.

Hewlett Packard

More than two dozen HP laptop models, including the EliteBook, ProBook and ZBook, have an bug in the audio driver that will act as a keylogger, a Swiss security firm said Thursday. A list of affected products can be found here.

Fortunately, HP began rolling out fixes through its support page, and in a Windows update, starting on Thursday, HP Vice President Mike Nash said.

The problem has been found affecting certain HP laptops made since 2015. In some cases, it stores all the captured keystrokes in a log file on the PC. In other cases, the bug will pass the keystrokes to a Windows debugging interface on the machine, exposing them to possible capture.

The security firm Modzero noticed the problem last month and reported it to HP, which prompted the PC maker to investigate it and work on a fix, Nash said in an interview.

“There was some debugging code in the audio driver that was mistakenly left there,” he said. “It was left there by accident. The intent was to help us debug a problem.”

HP’s patch will remove the flaw from the PC’s audio driver and also delete the log file that was storing the keystrokes.

On Thursday, HP published the first patches, which fix the problem in laptops made in 2016 and 2017. On Friday, HP will publish publish patches for units from 2015.

Consumers can download the patch from HP’s support page, by looking up their laptop’s name and downloading a new audio driver. They should also receive the fix in an update coming through Windows Update, Nash said.

HP has been in talks with Conexant, the supplier of the audio driver, about fixing the problem, Nash said.

“It’s something Conexant should have identified and removed,” Nash said. “We want to make sure this doesn’t happen again.”

Old Windows PCs can stop WannaCry ransomware with new Microsoft patch

Users of old Windows systems can now download a patch to protect them from this week’s massive ransomware attack.

img 20170512 095943

In a rare step, Microsoft published a patch for Windows XP, Windows Server 2003 and Windows 8—all of them operating systems for which it no longer provides mainstream support.

Users can download and find more information about the patches in Microsoft’s blog post about Friday’s attack from the WannaCry ransomware.

[ Further reading: How the new age of antivirus software will protect your PC ]

The ransomware, which has spread globally, has been infecting computers by exploiting a Windows vulnerability involving the Server Message Block protocol, a file-sharing feature.

Computers infected with WannaCry will have their data encrypted, and display a ransom note demanding $300 or $600 in bitcoin to free the files.

Fortunately, Windows 10 customers were not targeted in Friday’s attack. In March, Microsoft patched the vulnerability that the ransomware exploits—but only for newer Windows systems. That’s left older Windows machines, or those users who failed to patch newer machines, vulnerable to Friday’s attack.

The ransomware was initially found spreading through attachments in email phishing campaigns. In certain cases, the scam emails pretended to represent a bank alert about a money transfer, according to Cisco’s Talos security group.

Users can protect themselves by being careful about such emails, Microsoft said. The company’s free antivirus software Windows Defender, along with other third-party security products from those including Kaspersky Lab and Avast, will also detect and remove the threat.

screen shot 2017 05 13 at 11.28.04 amMalwareTech
Infection attempts from the WannaCry ransomware.

 Once a vulnerable PC becomes infected, the computer will attempt to spread to other machines over the local network as well as over the internet. The ransomware will specifically scan for unpatched machines that have the Server Message Block vulnerability exposed.

Businesses can prevent this by disabling the Server Message Block protocol in vulnerable PCs. They can also use a firewall to block unrecognized internet traffic from accessing the networking ports the Server Message Block uses.

Fortunately, Friday’s ransomware attack may have been contained. A security researcher who goes by the name MalwareTech has activated a sort of kill-switch in WannaCry that stops it from spreading.

As a result, over 100,000 new infections were prevented, according to U.K.’s National Cyber Security Centre. But experts also warn that WannaCry’s developers may be working on other versions that won’t be easy to disable.

“It’s very important everyone understands that all they (the hackers) need to do is change some code and start again. Patch your systems now!” MalwareTech tweeted.

Unfortunately, the kill-switch’s activation will provide no relief to existing victims. The ransomware will persist on systems already infected.

Friday’s ransomware attack appears to have spread mainly in Europe and Asia, with Russia among those nations hardest hit, according to security researchers.

Security experts are advising victims to wait before paying the ransom. It’s possible that researchers will develop a free solution that can remove the infection.

How to remove ransomware like WannaCry: Use this battle plan to fight back

Ransomware doesn’t sneak into your PC like ordinary malware. It bursts in, points a gun at your data, and screams for cash—or else. And if you don’t learn to defend yourself, it could happen again and again, as the WannaCry or Wanna Decryptor outbreak is demonstrating.

cyberattack laptop arrows war fight

WannaCry appears to leverage software the National Security Agency developed, and was then turned into malware. It’s already struck the U.K. National Health Service and several other banks and organizations.

Armed gangs of digital thieves roaming the information superhighway sounds like an overwrought action movie, but the numbers say it’s true: Ransomware attacks rose from 3.8 million in 2015 to 638 million in 2016, an increase of 167 times year over year, according to Sonicwall—even as the number of malware attacks declined. Why steal data when you can simply demand cash?

For the first time ever, the reent RSA security conference in San Francisco held a comprehensive one-day seminar on ransomware, detailing who’s being attacked, how much they’re taking—and, more importantly, how to block, remove and even negotiate with the crooks holding your data hostage. We came away with a trove of information that you can use to formulate an anti-ransomware strategy.

tech dangers for novices malwarebytes

Eric Geier

Anti-ransomware solutions like Malwarebytes are a reliable go-to for extra protection from unsavory software, but they’re not foolproof.

 Ransomware hits you where it hurts—so prepare

Three years ago, my wife’s computer was invaded by ransomware, imperiling baby photos, tax documents, and other personal data. My heart sank: Would we have to pay out hundreds of dollars to avoid losing our entire digital lives? Thank goodness, no—because we had already taken most of the steps that the experts recommend.

The first step: Understand your enemy. According to Raj Samani, the chief technology officer of Intel Security’s EMEA business, there are over 400 families of ransomware in the wild—even some for Mac OS and Linux. A survey by Datto found that CryptoLocker, which hunts down and imprisons your personal documents via time-locked encryption,  was by far the most prevalent. But they vary. One took over a victim’s webcam and caught embarrassing footage, threatening to post it online, according to Jeremiah Grossman, chief of security strategy at SentinelOne.

A few common-sense habits can help mitigate your exposure to malware and ransomware, experts say:

  • Keep your PC up to date via Windows Update. WannaCry doesn’t even try to attack Windows 10, choosing instead Windows XP and other older Windows operating systems.
  • Ensure you have an active firewall and antimalware solution in place. Windows Firewall and Windows Defender are barely adequate, and a good third-party antimalware solution is far better. WannaCry patches are already available, however, even for Windows 8 and Windows XP.
  • Don’t rely on antimalware to save you, however. Experts speaking at the RSA session reminded attendees that antivirus companies were only just getting around to addressing ransomware, and their protection isn’t guaranteed.
  • Ensure that Adobe Flash is turned off, or surf with a browser, like Google Chrome, that turns it off by default.
  • Turn off Office macros, if they’re enabled. (In Office 2016, you can ensure they’re off from the Trust Center > Macro Settings, or just type “macros” in the search box at the top, then open the “Security” box.)
  • Don’t open questionable links, either on a webpage or especially in an email. The most common way you’ll encounter ransomware is by clicking on a bad link. Worse still, about two-thirds of the infections that Datto tracked were on more than one machine, implying that infected users forwarded the link and exposed more people.
  • Likewise, stay out of the bad corners of the Internet. A bad ad on a legitimate site can still inject malware if you’re not careful, but the risks increase if you’re surfing where you shouldn’t.

For dedicated antimalware protection, consider Malwarebytes 3.0, which is advertised as being capable of fighting ransomware. RansomFree has also developed what it calls anti-ransomware protection. Typically, however, antimalware programs reserve anti-ransomware for their paid commercial suites. You can download free anti-ransomware protection like Bitdefender’s Anti-Ransomware Tool, but you’re protected from only four common variants of ransomware.

A good, but not perfect, defense: Backup

Ransomware encrypts and locks up the files that are most precious to you—so there’s no reason to leave them vulnerable. Backing them up is a good strategy.

Take advantage of the free storage provided by Box, OneDrive, Google Drive, and others, and back up your data frequently. (But beware—your cloud service may back up infected files if you don’t act quickly enough.) Better yet, invest in an external hard drive—a Seagate 1TB external hard drive is only $55 or so—to add some less-frequently accessed “cold storage.” Perform an incremental backup every so often, then detach the drive to isolate that copy of your data. ( has some additional backup advice to help defeat ransomware, as does our earlier story.)

sync google drive offline

Ian Paul/PCWorld

You’ll feel a lot better if you have your data backed up online and off.

 If you are infected, ransomware may allow you to see exactly which files it’s holding hostage via File Explorer. One clue may be ordinary .DOC or .DOCX files with strange extensions attached. Ondrej Vlcek, the chief technical officer of Avast, offered an unintuitive piece of advice: If the ransomware isn’t time-locked, and you don’t need the files right away, consider leaving them alone. (Work on another PC, though.) It’s possible that your antivirus solution may be able to unlock them later as it develops countermeasures.

Backup isn’t foolproof, however.  For one thing, you may need to research how to back up saved games and other files that don’t fit neatly into “Documents” or “Photos.” Ditto for utilities and other custom apps.

What to do if you’re infected by ransomware

How do you know you have ransomware? Trust us, you’ll know. Ransomware like the busted Citadel ring “warned” that your PC was associated with child pornography, and the imagery associated with most ransomware is designed to invoke stress and fear.

Don’t panic. Your first move should be to contact the authorities, including the police and the FBI’s Internet Crime Complaint Center. Then ascertain the scope of the problem, by going through your directories and determining which of your user files is infected. (If you do find your documents now have odd extension names, try changing them back—some ransomware uses “fake” encryption, merely changing the file names without actually encrypting them.)

The next step? Identification and removal. If you have a paid antimalware solution, scan your hard drive and try contacting your vendor’s tech support and help forums. Another excellent resource is’s Crypto-Sheriff, a collection of resources and ransomware uninstallers from Intel, Interpol, and Kaspersky Lab that can help you identify and begin eradicating the ransomware from your system with free removal tools.

crypto sheriff

The front page of’s Crypto-Sheriff site includes an easy tool to discover what kind of ransomware may be affecting your PC.

If all else fails

Unfortunately, experts say that the key question—should we pay up, or risk losing everything?—is often answered by pulling out one’s wallet. If you can’t remove the ransomware, you’ll be forced to consider how much your data is worth, and how quickly you need it. Datto’s 2016 survey showed that 42 percent of those small businesses hit by ransomware paid up.



From Dec. 2015 until May 2016, Tescrypt was the most common ransomware variant detected by Microsoft.

Keep in mind that there’s a person on the other end of that piece of malware that’s ruining your life. If there’s a way to message the ransomware authors, experts recommend that you try it. Don’t expect to be able to persuade them to unencrypt your files for free. But as crooked as they are, ransomware writers are businessmen, and you can always try asking for more time or negotiating a lower ransom. If nothing else, Grossman said there’s no harm in asking for a so-called “proof of life”—what guarantee can the criminal offer that you’ll actually get your data back? (Of the companies that Datto surveyed, about a quarter didn’t get their data back.)

Remember, though, that the point of the prevention, duplication, and backup steps are to give you options. If you have pristine copies of your data saved elsewhere, all you may need to do is reset your PC, reinstall your apps, and restore your data from the backup.

Don’t let this happen to you

In my situation, my wife and I discovered that we had already backed up everything important to both a cloud service and an external drive. All we lost was a few hours of our evening, including resetting her PC.

Ransomware can infect your PC in any number of ways: a new app, a Flash-based gaming site, an accidental click on a bad ad. In our case, it was a sharp reminder not to go clicking willy-nilly because a “friend” had recommended some bargain shopping site. We’re teaching those same lessons to our kids, too.

Ransomware is an unsettling reminder that people mean you harm, and that misfortune may strike at any time. If you treat your PC as part of your home, however—cleaning, maintaining, and securing it from outside threats—you’ll rest easier knowing you’ve prepared for the worst.