Ransomware Is Not New

That Trojan scrambled your hard disk after 90 days, and instructed you to send $378 to an accommodation address in Panama.

Today’s attacks are much more sophisticated and use interesting forms of social media to try to bypass a normal person’s safety measures. Once infected you are stuck unless you pay, which we strongly advise against, although the police department in Swansea, Massachusetts, did exactly that, paying the cybercrooks behind the CryptoLocker ransomware $750 (about £450) for the decryption key to retrieve its files.

This demonstrates that, while this threat has been making headlines for several weeks, and education about not opening suspicious attachments has been going on for considerably longer, sometimes a well-crafted piece of social engineering can take in the most cautious of users, i.e. the police! So where does that leave the rest of us?

Firstly, from an integrity point of view, any files that are so important they are worth paying money to retrieve should be routinely backed up to a secure location. Then, if something like CryptoLocker does destroy your local copies, you can restore a recent version of the data once the infection has been cleaned out. Make sure, though, that the backup itself is clean and is not storing a copy of the original file that carried the ransomware.

Even when there are good backups in place, it is prudent for users to be logged in with minimal rights, and for important documents to be writeable only when they are actually being worked on. So review which staff have access to company data and ensure their system credentials match what you would expect them to have access to. It is very easy for a user to accumulate access rights, either from lazy system administrators or simply by progressing through a company, working in different departments but never having the access rights for a previous department removed. An employee may have started in the HR department as a trainee, then secured a job in the facilities management department, but retained their HR log-on credentials alongside the new ones for the FM department!

The CryptoLocker malware is very sophisticated, and new variants are being discovered on an almost daily basis. So how do they work?

The ransomware communicates with a command and control server somewhere on the internet, which provides it with an encryption key. It then uses that key to scramble and render unusable every document, spreadsheet, picture or, in fact, any file you own, whether on your own computer, on a connected hard drive or on networked storage.

The ransomware is so sophisticated that the only way to retrieve your important information is to capitulate to the CryptoLocker scammers and pay the ransom, at which point you will be sent the key to unscramble your data.
The longer you take to decide whether to pay up or not, the more expensive it gets. If you tamper with the software in any way, your information is destroyed and the encryption key is lost. And even if you pay and get your data back, there is no guarantee that the ransomware programme has been removed, leaving you open to re-infection. So, in the end, you need to clean the machine, which ultimately means rebuilding it. This is why Digital Pathways never recommend paying: you have to clean the machine anyway, and by agreeing to the ransom demand you confirm to the scammers that this type of attack is worthwhile.

So how do they get into your machine? Either via email or via a botnet. Email attacks are fairly easy to avoid: take care with attachments you weren’t expecting, or from people you don’t know well.

Infection via a botnet is a little different, since the cybercrooks are using the fact that you are already infected with malware as a way to infect you with yet more. Most botnets, once active on your computer, include a general-purpose “upgrade” command that allows the cybercrooks to update, replace or add to the malware already on your PC.

When an attack happens, the attachments are often disguised as files that sound important but are not of a sort usually associated with viruses and malware: for example, a voicemail, a fax, details of a suspicious transaction or an invoice for payment.

Cybercrooks know how to make attachments look like images, audio files or documents by giving them names like VOICEMAIL.MP3 or INVOICE_SCAN.JPG. You see VOICEMAIL.MP3, which seems innocent enough, but Windows sees VOICEMAIL.MP3.EXE, in other words an executable file, better known as a program; the final .EXE is hidden from you because Windows hides known file extensions by default. So instead of firing up your media player, opening the attachment runs the malware and you are infected.
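As an added illustration of the disguised-name trick (example code written for this article, not from the original post or Digital Pathways): a small Python check that flags attachment names whose visible extension is a decoy sitting in front of an executable one, and shows what a Windows user with hidden extensions would see. The extension lists are an assumption, not a complete catalogue of what Windows will run.

```python
# Added example, not part of the original article. The two extension sets
# below are assumptions for illustration, not an exhaustive Windows list.
EXECUTABLE_EXTS = {"exe", "scr", "com", "bat", "cmd", "pif", "js", "jse",
                   "vbs", "vbe", "wsf", "ps1", "hta"}
DECOY_EXTS = {"mp3", "wav", "jpg", "jpeg", "png", "gif", "pdf", "doc",
              "docx", "xls", "xlsx", "txt"}


def displayed_name(filename: str) -> str:
    """Approximate what Windows shows with 'Hide extensions for known file
    types' switched on: the final known extension is dropped, so
    VOICEMAIL.MP3.EXE is displayed as VOICEMAIL.MP3."""
    base, dot, ext = filename.rpartition(".")
    if dot and ext.lower() in EXECUTABLE_EXTS | DECOY_EXTS:
        return base
    return filename


def classify_attachment(filename: str) -> str:
    """Return 'disguised-executable', 'executable' or 'ok' for a name."""
    parts = filename.lower().split(".")
    exts = [p for p in parts[1:] if p]   # drop the base name and empty parts
    if not exts or exts[-1] not in EXECUTABLE_EXTS:
        return "ok"
    if len(exts) >= 2 and exts[-2] in DECOY_EXTS:
        return "disguised-executable"    # the VOICEMAIL.MP3.EXE pattern
    return "executable"                  # openly executable, still blockable


def triage(filenames):
    """Map each attachment name to its verdict."""
    return {name: classify_attachment(name) for name in filenames}


# Constructed sample attachment names, modelled on the article's examples.
SAMPLE_ATTACHMENTS = [
    "VOICEMAIL.MP3",          # a genuine-looking audio file name
    "VOICEMAIL.MP3.EXE",      # the trick: shown as VOICEMAIL.MP3
    "INVOICE_SCAN.JPG.scr",   # screensavers are executables too
    "Report.docx",
    "setup.exe",
]

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_ATTACHMENTS).items():
        print(f"{name:22} shown as {displayed_name(name):16} -> {verdict}")
```

A mail gateway or helpdesk script can apply the same check to attachment names before a user ever sees them, which is cheaper than relying on the user to notice the hidden .EXE.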

What can you do?

Prevention, in the case of Ransomware or the like, is significantly better than cure:

Firstly, stay patched – keep your operating system and software up to date. This is the foundation for a secure system.

Then:

1. Check that your email provider is scanning your email for viruses and malware; ask them what product they are using and make sure you recognise the brand. If it is a weak, cheap system, it is probably using poor-quality code and will be doing little to protect you.

2. Make sure you use a different antivirus program from the one your email provider uses. This gives you a wider detection footprint, since two products will catch different things. Also make sure it is installed correctly, switched on and updated with the latest definitions.

3. Never open any email attachment (pictures, zip files) unless you are expecting it and can confirm with the sender that they sent it. For any link within an email, hover over it and read what is really behind the words.

4. Never preview an attachment in your email account, as you are effectively opening it, albeit within the email account. Download it first, then run an antivirus scan on the folder.

5. Make regular backups and store them somewhere safe, preferably offline. Don’t forget that services that automatically synchronise your data changes with other servers, for example in the cloud, don’t count as backup. They may be extremely useful, but they tend to propagate errors rather than defend against them: to the synchroniser, a document on your local drive that has just been scrambled by CryptoLocker is simply the most recent version, and so it will replace the good copy on the server.

We recommend using a well-respected brand of antivirus software such as Sophos, Avira, Symantec, Kaspersky or McAfee. Free antivirus programs for home use are available from Sophos, Avira or Microsoft, but a paid-for antivirus product is recommended as it may be updated more frequently and have other security features that protect you.

Malware is always a pain to deal with and it can infect very quickly, even before you have had the chance to ‘rip out’ your internet connection to stop it! If you do get ‘hit’, don’t panic: what’s done is done, so move on. With luck you will have a backup, so all you need do is rebuild your machine and put the event down to experience. If you have lots of machines, though, rebuilding will take a long time and cleaning up will take even longer, so there is no time to put that down to experience. Be proactive and don’t wait for it to happen to you: act now, before it is too late!