What is Ransomware?
Ransomware is a category of malware that demands payment, a ransom, in return for data or functionality it holds hostage. Some variants simply lock the user out: for instance, ransomware might change the proxy settings in a browser to block web use, making it difficult for the victim to look up how to remove the infection. Others encrypt the user's personal files and documents and hold them hostage until the user pays the attacker and receives the decryption key that releases them. Ransomware typically arrives as a malicious email attachment or through an unpatched network vulnerability; some variants then spread on their own like a computer worm.
Ransomware can also pose as an antivirus program, telling the user that their computer is infected with malware and directing them to purchase the program to fix the problem. This rogue security software ("scareware") may even pretend to scan the computer and report many issues, but the issues are bogus: paying the ransom solves nothing beyond the hope that the attacker will remove their own software from the machine. Because ransomware can be difficult to defeat once it has run, users are strongly advised to make regular backups of their important files so that they are less exposed to extortion.
At the time of writing, the most recent widely reported variant is CryptoWall 3.0. It is distributed via emails carrying ZIP attachments that contain .exe files disguised as PDF documents, typically with a PDF icon and a double extension such as invoice.pdf.exe, which Windows displays as invoice.pdf when file extensions are hidden. These fake PDFs are presented as routine business communications such as purchase orders, bills, invoices or complaints. When the user double-clicks the "PDF", the executable runs, installs the CryptoWall files in folders on the computer, and then scans all of the computer's drives, including mapped network shares and removable drives, encrypting the documents it finds. After the scan it deletes any Shadow Volume Copies (typically by running vssadmin.exe Delete Shadows /All /Quiet) so that the previous versions of the files cannot be used to restore the computer.
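To make the delivery mechanism concrete, here is an added example (not the article's own code) that triages a ZIP attachment the way a mail gateway or a cautious user might: it flags entries with an executable extension, including ones hidden behind a document extension such as .pdf.exe, and entries whose contents start with the "MZ" signature of a Windows executable even though their name claims to be a document. The sample attachment is constructed in memory; its file names and contents are illustrative and not taken from a real CryptoWall sample.

```python
"""Triage a ZIP email attachment for executables disguised as documents.

Added example, not part of the original article. The sample ZIP is
constructed in memory and its file names and contents are illustrative.
"""
import io
import zipfile

# Extensions Windows will execute on double-click (a subset; extend as needed).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".jar"}
# Document extensions commonly used as the "disguise" in front of an executable extension.
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}
# File signatures: Windows PE/DOS executables start with "MZ", real PDFs with "%PDF".
MZ_MAGIC = b"MZ"
PDF_MAGIC = b"%PDF"


def build_sample_attachment() -> bytes:
    """Construct a ZIP like the ones described in the text (illustrative content)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Double extension: with "Hide extensions for known file types" on, Explorer shows "invoice.pdf".
        zf.writestr("invoice.pdf.exe", MZ_MAGIC + b"\x90\x00" * 32)
        # Executable simply renamed to .pdf: the name lies, the first bytes do not.
        zf.writestr("purchase_order.pdf", MZ_MAGIC + b"\x90\x00" * 32)
        # A genuine (minimal) PDF for comparison; it should not be flagged.
        zf.writestr("terms.pdf", PDF_MAGIC + b"-1.4\n%benign\n")
    return buf.getvalue()


def suffixes(name: str) -> list:
    """All extensions of an archive entry, lower-cased: 'a/invoice.pdf.exe' -> ['.pdf', '.exe']."""
    base = name.rsplit("/", 1)[-1]
    parts = base.lower().split(".")
    return ["." + p for p in parts[1:]]


def triage_attachment(zip_bytes: bytes) -> dict:
    """Return {entry name: [reasons]} for every entry that looks like a disguised executable."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = []
            exts = suffixes(info.filename)
            last = exts[-1] if exts else ""
            if last in EXECUTABLE_EXTENSIONS:
                if len(exts) > 1 and exts[-2] in DOCUMENT_EXTENSIONS:
                    reasons.append("document extension hiding executable extension: " + "".join(exts[-2:]))
                else:
                    reasons.append("executable attachment: " + last)
            with zf.open(info) as entry:
                head = entry.read(4)  # only the signature is needed; the content is never executed
            if head.startswith(MZ_MAGIC) and last not in EXECUTABLE_EXTENSIONS:
                reasons.append("Windows executable ('MZ' header) named as " + (last or "no extension"))
            if reasons:
                findings[info.filename] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in triage_attachment(build_sample_attachment()).items():
        print(name, "->", "; ".join(reasons))
```

The two checks are deliberately independent: the extension check catches the double-extension trick even when the payload is packed or not a PE file, and the signature check catches a bare rename that no extension rule would see. Neither replaces anti-virus scanning; they are the cheap first look before the file is allowed anywhere near a double-click.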
How can I defend against Ransomware?
The first and best defense is awareness. To reduce the risk of your files being encrypted you need good security hygiene: keep up with current threats and train all users not to open suspicious emails or run dangerous downloads.
Along with educating yourself, keep your computer up to date, with known vulnerabilities in the operating system and installed software patched.
We recommend you:
- Do not download or open unknown files attached to an email; they could be malware. If you are unsure, err on the side of caution and do not open the attachment. Important: if you must download an attachment, save it to disk and scan it with up-to-date anti-virus before opening it, and check its real file extension with file extensions shown: a file that displays as "invoice.pdf" but is really invoice.pdf.exe is an executable, whatever icon it carries.
- Install, update and use anti-virus software
Anti-virus programs detect many known ransomware families, but new variants are repackaged frequently to evade signatures, so anti-virus is one layer of defense rather than a guarantee. Check that your subscription is current and that the latest virus definitions have been downloaded.
- Backup Everything
It is essential to make routine backups in case your computer cannot be cleaned and you need to restore or rebuild it. Note that CryptoLocker and CryptoWall also encrypt USB drives and network shares attached to an infected computer, so be careful where you store your backups: a backup drive that stays plugged in, or a share the user can write to, will be encrypted along with everything else. Keep backups offline or otherwise unwritable from the machines they protect, and test that you can actually restore from them.
- Update Everything
Check Microsoft Security Bulletins and ensure your systems are fully patched against known vulnerabilities, including third-party software such as browsers, browser plug-ins and document readers, which are common entry points.
- Alert others to prevent more attacks
Tell colleagues, friends and family who could be affected by a ransomware infection how to protect their data.
Small business owners should ensure staff are aware of this threat, know how to verify the sender of any email with an attached file, and do not routinely open attachments without pausing to think before clicking.
Limit employee access to network drives and sensitive files to what each role actually needs; an infected workstation can only encrypt the shares its user can write to. Double check that your backup process is genuinely working (test a restore, not just the backup job) and that backup storage cannot be written to from the network it protects, or the ransomware will encrypt the backups too. Double check that machines have working, up-to-date anti-virus software.
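As an added example of "double check that your backup process is genuinely working" (not the article's or IT Authorities' code), the script below records a manifest of SHA-256 hashes when a backup is taken and verifies a restore against it, reporting files that are missing or whose contents no longer match. A file whose hash changed but whose name did not is exactly what an encrypted copy synced over a good one looks like. The demo scenario and its file names are constructed in a temporary directory.

```python
"""Verify that a backup can really be restored (added example, not the article's own code)."""
import hashlib
import os
import tempfile


def sha256_file(path: str) -> str:
    """Hash a file in chunks so large backups do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def write_manifest(root: str) -> dict:
    """Map every file under root (path relative to root, '/'-separated) to its SHA-256 digest.
    Store the result somewhere the backed-up machines cannot modify."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root).replace(os.sep, "/")] = sha256_file(full)
    return manifest


def verify_restore(manifest: dict, restored_root: str) -> dict:
    """Compare a restored tree against the manifest taken at backup time."""
    missing, changed = [], []
    for rel, expected in sorted(manifest.items()):
        path = os.path.join(restored_root, *rel.split("/"))
        if not os.path.isfile(path):
            missing.append(rel)
        elif sha256_file(path) != expected:
            changed.append(rel)
    return {"ok": not missing and not changed, "missing": missing, "changed": changed}


def _write(path: str, data: bytes) -> None:
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def demo() -> dict:
    """Constructed scenario: one file restored intact, one replaced by an
    encrypted-looking blob with the same name, one not restored at all."""
    with tempfile.TemporaryDirectory() as tmp:
        src, restored = os.path.join(tmp, "src"), os.path.join(tmp, "restored")
        _write(os.path.join(src, "docs", "report.docx"), b"quarterly figures")
        _write(os.path.join(src, "invoice.pdf"), b"%PDF-1.4 invoice")
        _write(os.path.join(src, "notes.txt"), b"meeting notes")
        manifest = write_manifest(src)  # taken at backup time, kept off the protected network

        _write(os.path.join(restored, "docs", "report.docx"), b"quarterly figures")
        _write(os.path.join(restored, "invoice.pdf"), b"\x8f\x02\xa7\xd1\x4c\xee\x91\x03")  # ciphertext-like
        # notes.txt deliberately absent: the backup job "succeeded" but missed it
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    print(demo())  # {'ok': False, 'missing': ['notes.txt'], 'changed': ['invoice.pdf']}
```

Run the verification on a restore to a scratch location on a schedule, not only after an incident, and keep the manifest with the offline backup rather than on the file server: if the manifest lives on a share the workstation can write to, the ransomware can encrypt it along with the files it describes.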
What do I do if my computer is infected?
If a ransomware screen such as CryptoLocker's appears, the encryption may still be running, so it is important to limit the impact of the file encryption process:
- Disconnect the computer from the internet and the local network immediately by unplugging the network cable or turning off the wireless connection.
- Disconnect any USB storage devices or network shares and turn off any cloud backup services, so that encrypted files do not overwrite good copies on the share or in the cloud.
- Once the malware has been disabled and the machine cleaned, restore files from your own backup, or from Shadow Volume Copies (Previous Versions), available on Windows from XP onwards, if the malware did not delete them first.
- You could use System Restore if you are confident the infection has been cleaned up, or contact IT Authorities for assistance and advice.
- Note: the private key is held only by the attacker, and there is no known way to recover it or to decrypt the files without it other than paying the ransom; even then there is no guarantee that a working key will be delivered.
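Since there is no way back without the key, detecting the infection before it finishes is worth more than any cleanup afterwards. CryptoWall's deletion of the Shadow Volume Copies, described earlier, is a noisy step: it runs a stock Windows administration tool with a command line that ordinary users never type. The added example below (not the article's code) runs a few detection rules over constructed process-creation log lines in a simple pipe-delimited format; the hostnames, user names and timestamps are invented. A real deployment would read Sysmon or Windows Security process-creation events, but the matching logic is the same.

```python
"""Detect shadow-copy deletion in process-creation logs (added example, not the article's code)."""
import re

# Command lines used to destroy Volume Shadow Copies so victims cannot roll back.
# Rule order only decides which name is reported if several patterns match one line.
SHADOW_COPY_DELETION_RULES = {
    "vssadmin delete shadows": re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.IGNORECASE),
    "wmic shadowcopy delete": re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.IGNORECASE),
    "vssadmin resize shadowstorage": re.compile(r"\bvssadmin(\.exe)?\s+resize\s+shadowstorage\b", re.IGNORECASE),
}

# Constructed sample: time|host|user|parent process|command line. Line 1 is the disguised
# attachment being launched from Explorer; lines 2-3 are the malware deleting the copies;
# lines 4-5 are legitimate vssadmin use by a backup service and must not alert.
SAMPLE_LOG = [
    r'2015-03-02T09:14:03Z|WS-FINANCE-07|jsmith|explorer.exe|"C:\Users\jsmith\Downloads\invoice.pdf.exe"',
    r"2015-03-02T09:14:05Z|WS-FINANCE-07|jsmith|invoice.pdf.exe|vssadmin.exe Delete Shadows /All /Quiet",
    r"2015-03-02T09:14:05Z|WS-FINANCE-07|jsmith|invoice.pdf.exe|wmic.exe shadowcopy delete",
    r"2015-03-02T09:20:11Z|WS-ADMIN-01|backupsvc|svchost.exe|vssadmin.exe list shadows",
    r"2015-03-02T09:21:00Z|WS-ADMIN-01|backupsvc|wbengine.exe|vssadmin.exe create shadow /for=C:",
]


def parse_event(line: str) -> dict:
    """Split one pipe-delimited line; the command line may itself contain pipes, so split at most 4 times."""
    time, host, user, parent, cmdline = line.rstrip("\n").split("|", 4)
    return {"time": time, "host": host, "user": user, "parent": parent, "cmdline": cmdline}


def detect_shadow_copy_deletion(lines) -> list:
    """Return one alert (the event plus the rule name) per event whose command line matches a rule."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        event = parse_event(line)
        for rule, pattern in SHADOW_COPY_DELETION_RULES.items():
            if pattern.search(event["cmdline"]):
                alerts.append({**event, "rule": rule})
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_shadow_copy_deletion(SAMPLE_LOG):
        print(f"{alert['time']} {alert['host']} user={alert['user']} parent={alert['parent']} "
              f"rule={alert['rule']!r} cmd={alert['cmdline']!r}")
```

In practice, tune on the parent process: a backup agent that legitimately deletes shadow copies can be allow-listed by its image path, whereas a parent that is itself an executable in a user's Downloads folder, as in the sample, should raise the alert's severity. Firing on the "vssadmin delete shadows" line and isolating the host at that moment is what makes the steps above limit the damage rather than just document it.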
Utilizing a Managed Services Provider can ensure that your systems are patched and up to date. Contact one of our experts at IT Authorities who can answer any questions and even arrange for a no obligation IT assessment for your company.