How Ransomware Works
Ransomware such as CryptoLocker typically gets onto a PC through a phishing email or a website hosting malware. Ransomware either encrypts files, makes the computer unusable or makes threats, all to extort money to undo the damage. CryptoLocker encrypts documents on the computer, on shared network drives and on connected devices, then demands a payment in bitcoin to decrypt them. For a typical organisation, where staff have access to many documents on shared drives, a CryptoLocker incident can mean serious damage and lost time, even if the organisation has backups, pays the ransom or finds another way to clean up the problem.
To reduce the risk of getting affected by ransomware and to limit the damage if affected, there are layers of security that you can make sure you have in place. Having overlapping security controls means that if one layer is penetrated, the other layers may prevent a breach.
Offline Backups
Make sure you have regular backups that are kept offline and are tested: regularly restore from them to confirm they actually work. If backups go to another hard disk or to the cloud and remain reachable over the network with the credentials an ordinary user has, then even when offsite they can be reached and encrypted by ransomware just like any other share.
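One way to make the "tested" part routine, as an added example that is not from the original article: build a hashed manifest of the backup set when it is taken, keep the manifest and its HMAC key somewhere the backup host cannot write to, and check every restore (or test restore) against it. The script below is stand-alone Python with a constructed three-file backup; it assumes a plain directory copy, and simulates ransomware reaching the backup share by overwriting one file and deleting another.

```python
"""Build a hashed manifest of a backup set and verify a restored copy against it.

Added example (not code from the article). Assumes a filesystem backup taken as
a directory copy; the ransomware hit on the backup is simulated with random bytes.
"""
import hashlib
import hmac
import json
import os
import shutil
import tempfile


def hash_file(path, chunk=1 << 16):
    """SHA-256 of a file, read in chunks so large backups fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map every relative file path under root to its SHA-256 digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = hash_file(full)
    return manifest


def sign_manifest(manifest, key):
    """HMAC over the canonical JSON of the manifest. Keep the key (and ideally
    the manifest) off the backup host: malware that can rewrite the backup
    share could otherwise rewrite the manifest to match the damaged files."""
    canon = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(key, canon, hashlib.sha256).hexdigest()


def manifest_is_authentic(manifest, key, tag):
    """Constant-time check that a stored manifest has not been tampered with."""
    return hmac.compare_digest(sign_manifest(manifest, key), tag)


def verify_restore(manifest, restored_root):
    """Compare a restored tree against the manifest.
    Returns (missing, mismatched): files absent from the restore, and files
    whose hash differs (truncated, corrupted or encrypted)."""
    restored = build_manifest(restored_root)
    missing = sorted(p for p in manifest if p not in restored)
    mismatched = sorted(p for p in manifest
                        if p in restored and restored[p] != manifest[p])
    return missing, mismatched


def demo():
    """Constructed scenario: back up three files, run a clean restore check,
    then simulate ransomware reaching the backup share and check again."""
    work = tempfile.mkdtemp()
    try:
        src = os.path.join(work, "documents")
        os.makedirs(os.path.join(src, "finance"))
        samples = {                      # constructed sample documents
            "finance/q1.xlsx": b"PK\x03\x04 constructed spreadsheet bytes",
            "notes.txt": b"meeting notes",
            "contract.pdf": b"%PDF-1.4 constructed pdf bytes",
        }
        for rel, data in samples.items():
            with open(os.path.join(src, rel), "wb") as f:
                f.write(data)

        key = os.urandom(32)             # would live offline in a real deployment
        manifest = build_manifest(src)
        tag = sign_manifest(manifest, key)

        backup = os.path.join(work, "backup")
        shutil.copytree(src, backup)
        clean = verify_restore(manifest, backup)

        # Ransomware reaches the network-accessible backup: one file encrypted,
        # one deleted. The offline manifest still tells us exactly what is lost.
        with open(os.path.join(backup, "contract.pdf"), "wb") as f:
            f.write(os.urandom(64))
        os.remove(os.path.join(backup, "notes.txt"))
        hit = verify_restore(manifest, backup)

        return {"authentic": manifest_is_authentic(manifest, key, tag),
                "clean": clean, "after_hit": hit}
    finally:
        shutil.rmtree(work)


if __name__ == "__main__":
    print(demo())
```

The manifest check answers the question the paragraph raises, "can this backup actually be restored?", with a list of exactly which files are missing or damaged, rather than a successful copy operation that silently restores ciphertext.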
Effective and Up-to-Date Antivirus
Many organisations have antivirus software installed on all PCs; however, at Dionach we often find PCs whose antivirus definitions are quite out of date or that have important features such as on-access scanning disabled. Ensure that antivirus is managed centrally, with someone regularly checking that all PCs have up-to-date signatures and that staff are not disabling antivirus features. Consider using an external mail filtering company for spam and malware filtering; many of these companies also offer web filtering, which can block known malware when staff browse the Internet. Although antivirus is an important security control it is far from infallible, as new variants of malware are not always picked up quickly.
Software Security Updates
Some ransomware exploits vulnerabilities in unpatched software to get onto a computer. Commonly targeted software includes browsers such as Internet Explorer and applications such as Adobe Reader. Although many desktops are configured to auto-update through Microsoft Update, we typically see a proportion of PCs that have not been updated for some time and that run non-Microsoft software which is not kept up to date. Ensure that software updates are managed centrally and regularly checked. Windows Server Update Services (WSUS) is very useful for central management but does not cover non-Microsoft software; other products manage security updates for all software centrally.
Limit Staff Access
CryptoLocker will try to encrypt documents on the PC and on any network drive to which the victim has access. The damage can therefore be limited if users only have access to the documents their job role requires. Review the use of local and domain administrator accounts and the permissions on shared network drives: some users may need read access to documents but not write access, and ransomware running as that user can only encrypt what the user can write. Set up a regular review of user access rights, as privilege creep is a common problem.
Phishing and Penetration Testing
An email phishing test will show how susceptible your organisation is to general phishing and spear phishing, and how effective your technical and staff security controls are. Internal penetration testing of your network and systems can reveal network access control problems, configuration weaknesses and missing security updates.
Staff Awareness
Technical security controls are ineffective if a member of staff opens a malicious attachment or downloads and runs a Trojan while ignoring the security warnings. Some staff think information security is an IT problem and so not their responsibility. Make sure staff understand how ransomware and other malware get onto their PC, what damage it can do, and how vital they are as individuals in preventing it. Email phishing tests help here, because they show that it really can happen to them. A regular awareness exercise with examples of how recent malware works can be very effective.
Incident Response Plans
Finally, ensure that you have effective incident response plans in place, so that if and when you are affected by ransomware or have another type of breach you have proper procedures in place. This should at a minimum ensure that your organisation returns to normal operations as soon as possible.
Many of these layers of security can be found as security controls within ISO 27001, the international standard for information security. Using a framework such as ISO 27001 for managing information security means that not only will you cover these layers, but also you will have the means to identify and deal with threats other than ransomware, through a formal risk assessment process.
Ransomware (ran·som·ware): a type of malicious software designed to block access to a computer system until a sum of money is paid.
In the last several years, ransomware has become a large and costly problem for consumers and businesses alike, and there is currently no end in sight.
I am sure many of you have heard about the SolarWinds supply-chain compromise disclosed in December 2020 (not itself ransomware, but part of the same run of headline attacks), and about the more recent ransomware attack on Colonial Pipeline by DarkSide, in which the company paid the attackers nearly $5 million in cryptocurrency. That payment turned out to be less untraceable than the attackers hoped: the US Department of Justice later recovered a large part of it.
A few years ago, Hollywood Presbyterian Medical Center was hit with ransomware on February 5, 2016, and 10 days later they paid a $17,000 ransom in bitcoin to get control of their computer system from the hacker who seized it.
These individuals or groups have one goal and that is to infect as many consumers and businesses as possible to increase their odds of getting paid. The ransom can range anywhere from a few hundred dollars to thousands of dollars and the payment is usually in bitcoins or some untraceable payment method, such as MoneyPak.
Types of Ransomware and Variants
There are two main types of ransomware:
- Crypto ransomware — encrypts data and files on a computer so the user cannot access them;
- Locker ransomware — locks the users out of their devices, preventing their use.
There are also many different variants of ransomware, including:
- Bad Rabbit
- …to name just a few.
These ransomware variants are spread primarily through e-mail attachments, infected programs and applications, malicious websites, and security vulnerabilities.
What Does Ransomware Do?
The malware begins by encrypting the targeted files on the infected computer or workstation, then works through the network shares, connected drives and, in some families, other workstations and servers it can reach. The user finds they cannot open some or all of their files and then receives an email or an on-screen message, the ransom note, demanding money in exchange for the key to decrypt them.
Once the files are encrypted there is no way to access them without the decryption key, and in most cases that key is held only by the attacker (occasionally a family is broken or a gang's keys leak and a free decryptor is released, which is worth checking before doing anything else). Experts recommend that you DO NOT pay the ransom if it can be avoided: there is no guarantee the attacker will hand over a working key, and nothing stops them leaving something on your machine so they can extort you again.
Hopefully you are already in the habit of making regular backups of your data, with a copy stored offsite or in the cloud: a backup that lives on an external drive left permanently connected to the infected machine is most likely encrypted as well, which makes it useless.
Your best defense is going to be implementing a disaster recovery plan that includes regular backups that are stored offsite. There are multiple options for storing your backups offsite or in the cloud. One option is to use one of the online backup services like IDrive, Acronis True Image, Carbonite, or Backblaze Online Backup, just to name a few, or create a custom disaster recovery plan.
If you decide to go the custom route, I suggest contacting your IT professional or Circle Management Group to help design and implement your disaster recovery plan.
Remember to keep your server and workstation software and operating systems patched, and if a computer does get infected, disconnect it from the network immediately so it cannot encrypt data on other devices.
5 Ways to Help Protect Yourself from Ransomware
- Never open suspicious email attachments or click on suspicious links in emails
- Always make regular backups of your data and store a copy offsite
- Always patch and update your hardware, software, and operating system
- Install a reputable anti-virus/anti malware and spyware security suite
- Install a software and/or hardware firewall
Ransomware is a kind of malware that locks up your own data using sophisticated encryption. Usually, the way to get it back is to pay up a fee – thus the term ransomware – they literally hold your data hostage and demand a ransom.
Ransomware is not new but is increasingly getting better and more widespread. They’re also targeting users who’ll easily pay up. Businesses, old people, even police departments. NYTimes recently had a funny and yet chilling op-ed on ransomware, which inspired us to write this explainer.
What exactly does ransomware do and is there a way to protect yourself from it? Read on to find out.
How Does Ransomware Work?
Ransomware, like other malware, arrives through dubious email attachments or pirated and infected downloads. Ransomware is somewhat stealthier than typical malware and is not easily detected by antivirus software, particularly when a new variant appears.
Once the malware is installed, it encrypts all the important files you might have: MS Office documents, text files, PDFs, videos, and more. The encryption is strong; families such as CryptoLocker use RSA-2048 to protect the keys, and the only way to decrypt is with the private key generated for your infection, which is held on the attacker's server, out of your reach.
Short of paying up – using pre-paid cards, wire transfers, or Bitcoin you don’t have many options. The asking price might start at $500 or more. Some ransomware keeps increasing the price for every week you refuse to pay.
Is All Lost?
The ransomware families of this period usually just locked your files rather than stealing them, but once the attackers have code running on your PC there is nothing stopping them, and more recent groups do copy data out before encrypting and threaten to publish it. Some ransomware has also been known to plant pornographic material on a PC and then offer to remove it, at a price.
And ransomware isn’t just limited to Windows PCs, it’s known to affect Android smartphones and even Macs.
Of course, there are all sorts of ransomware viruses out there. From dead serious and uncrackable to some that are merely posers.
But malware like CryptoLocker, CryptoWall, and PowerLocker are all serious threats.
Turns out, even cloud services like Dropbox and Google Drive are not out of reach. If the sync client is running on the infected PC, the encrypted versions of the files are faithfully uploaded and overwrite the copies on the cloud servers (the version history these services keep may let you roll back, but a sync folder is not a backup). Worse, a stored login could let the attackers into the cloud account itself.
“We predict ransomware variants that manage to evade security software installed on a system will specifically target endpoints that subscribe to cloud-based storage solutions such as Dropbox, Google Drive, and OneDrive. Once the endpoint has been infected, the ransomware will attempt to exploit the logged-on user’s stored credentials to also infect backed-up cloud storage data,” McAfee’s report on 2015 cyber risks noted.
How Do You Keep Your Files Safe?
Let’s say you’re the kind of person who doesn’t believe in giving into demands from criminals. Because that’s only going to make them stronger. It’s the same as a kidnapping, you don’t give in to the demands.
Except of course, when you have no backup of the data and you really need it. Then of course you’ll pay.
To make sure it doesn’t come to that, your only option is to create a backup. And not just any backup. A backup that’s not linked to your computer, and isn’t on a cloud storage that’s also signed in to your PC. It needs to be on a separate drive, disconnected from it all.
This means getting an external hard drive and backing up to it every other day or on the weekend.
Or have a backup that’s completely offshore, using a service like Backblaze or Crashplan. It’ll cost you $5 a month, but you can back up an unlimited amount of data this way securely.
And data backup is useful for many other instances. In case you lose your laptop, it goes bust, your hard drive goes kaput, or your house catches fire.
After backing up, you need to make sure you don’t install the malware. That means not downloading email attachments from people you don’t know and staying away from the dark corners of the internet. Not downloading pirated stuff will help as well.
What to Do with an Infected Computer?
If your computer is infected with ransomware and you already have the data backed up somewhere – that you can easily restore – you’ll want to get rid of the malware app completely.
For this you’ll need to format the computer and start fresh; reinstalling from known-good media is the only way to be certain the malware is gone. You can also try a System Restore to a point before the infection, but many ransomware families delete restore points and shadow copies precisely to prevent this, so do not count on it.
Last updated on 03 February, 2022
- What is Ransomware?
- Ransomware History
- Spreading Methods
- Encryption and Ransom Note
- Disinfection / Recovery of the Encrypted Files
What is Ransomware?
Ransomware is software that denies the user access to their personal files and demands a ransom in return. “Classic” locker ransomware usually starts at system startup and prevents the Desktop from appearing, threatening to delete files if the ransom is not paid within a set period. Crypto-ransomware (also called cryptoware) instead encrypts the user’s files and demands payment in exchange for a tool able to decrypt them.
The concept of ransomware, literally software that asks for a ransom, has been known for a long time (the AIDS Trojan, 1989), but for years this form of malware had very little impact: its means of propagation were unsophisticated, as were its encryption routines. 2013 marked its return with the rise of CryptoLocker, which differed from its predecessors by using a strong encryption routine and by spreading through the Gameover Zeus botnet. In the rest of this article we focus on current crypto-ransomware, especially Locky.
Spreading Methods
Most of the time, the infection arrives as a file attached to a spam email. Usually the file is a Word or Excel document (.doc or .xls respectively).
A spam mail containing an infected Word file. Source : pulsetheworld.com
These documents contain a macro that runs when the document is opened. The macro downloads the real infection (the payload) from a server operated by the malware author and then executes it. In some cases the ransomware also copies the macro-bearing document into the shared folders and remote drives reachable from the computer.
Exploit kits use vulnerabilities in web browsers and their plugins to download and execute the crypto-ransomware payload automatically; no user action is required. Social engineering can also be used to trick the user into installing the infection, for example by posing as a legitimate software update.
Encryption and Ransom Note
Once the crypto-ransomware is executed, it contacts the operator’s server, and a pair of cryptographic keys is generated for this victim. One of them, the public key, is delivered to the victim’s computer and used during encryption; the other, the private key, never leaves the server and is the only key able to reverse the process. This is asymmetric encryption. In practice the files themselves are encrypted with a fast symmetric cipher (AES in CryptoLocker’s case) and it is the per-file symmetric key that is encrypted with the public key, but the effect is the same: without the private key held by the attacker, the encrypted files are completely unreadable.
Once this step is completed, the malware deletes the System Restore points and the Volume Shadow Copies that might hold unencrypted copies of the files. It then drops a note informing the user that their files have been encrypted, with a link to a payment page and a Bitcoin address to which the ransom should be sent (usually between 0.5 and 1.5 bitcoins).
Ransomware operators have benefited greatly from Bitcoin, since no identification is required to create a wallet, which lets them remain anonymous. A screenshot of the website gvxtkcbjnslm5vnt.onion, only accessible over the Tor network.
If the ransom is paid, the user usually receives a utility containing the private key that decrypts the files. If they wait too long, however, the private key is deleted from the server, making decryption impossible.
Disinfection / Recovery of the Encrypted Files
There is no universal solution. It is advised to submit one of the encrypted files (and the ransom note, if present) to ID Ransomware, which will analyse it and tell you whether the version of the malware is known and whether a free decryption tool has been released.
Conventional antivirus software is not very effective against such threats: by the time the infection is detected, most if not all of the data is usually already encrypted, and the detection rate for the payload itself is quite low. Some tools were, however, designed specifically for this purpose, including Malwarebytes Anti-Ransomware and Bitdefender Anti-Ransomware.
They use a behaviour-based approach to identify crypto-ransomware: running processes are watched, and if one of them rewrites the headers of many files in quick succession, the software terminates it. They are not infallible, however, and more evasive variants are likely to appear.
Another approach, more restrictive but more effective, is to define protected areas in the filesystem where suspicious process cannot write, which are therefore protected against any ransomware.
This feature was added in RogueKiller V14, under the form of the DocLock protection module.
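The header check described above can be approximated without any product, as an added example (this is not RogueKiller’s, Malwarebytes’ or Bitdefender’s code): keep a handful of canary documents whose first bytes are known, and on each pass count how many have lost their magic bytes and now look random. The magic table, thresholds and sample files below are constructed for the demonstration; a real deployment would run the check on a schedule or from a filesystem watcher and alert on, or kill, the process that touched the files.

```python
"""Detect mass file-header damage of the kind crypto-ransomware causes.

Added example, not from the article or any product it names. Canary files and
the simulated 'encryption' (random bytes) are constructed inline.
"""
import math
import os
import shutil
import tempfile
from collections import Counter

# Expected leading bytes ("magic") per extension. Office 2007+ files are ZIP
# containers; legacy Office files are OLE2 compound documents. Constructed table.
MAGIC = {
    ".pdf": (b"%PDF-",),
    ".docx": (b"PK\x03\x04",),
    ".xlsx": (b"PK\x03\x04",),
    ".doc": (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",),
    ".xls": (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",),
    ".jpg": (b"\xff\xd8\xff",),
}
ENTROPY_THRESHOLD = 7.2   # bits/byte; ciphertext and random data sit near 8.0
ALERT_THRESHOLD = 3       # suspicious files in one pass before raising an alert


def shannon_entropy(data):
    """Bits of entropy per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def header_matches(path, head):
    """True if the leading bytes match a known magic for the file's extension.
    Unknown extensions count as matching so they never trigger on their own."""
    magics = MAGIC.get(os.path.splitext(path)[1].lower())
    if magics is None:
        return True
    return any(head.startswith(m) for m in magics)


def inspect_file(path, sample_size=4096):
    """Return (header_ok, entropy) for one file, reading only its start."""
    with open(path, "rb") as f:
        head = f.read(sample_size)
    return header_matches(path, head), shannon_entropy(head)


def scan(paths):
    """Files that look encrypted: header no longer matches the extension AND
    the content is near-random. A real JPEG is high-entropy but keeps its
    header, so it is not flagged."""
    suspicious = []
    for p in paths:
        ok, ent = inspect_file(p)
        if not ok and ent >= ENTROPY_THRESHOLD:
            suspicious.append(os.path.basename(p))
    return sorted(suspicious)


def should_alert(suspicious):
    """One odd file is noise; several in a single pass is the ransomware pattern."""
    return len(suspicious) >= ALERT_THRESHOLD


def demo():
    """Constructed scenario: five canary documents, three then overwritten with
    random bytes the way an encrypting process would leave them."""
    work = tempfile.mkdtemp()
    try:
        canaries = {
            "budget.xlsx": b"PK\x03\x04" + b"plain spreadsheet content " * 40,
            "memo.docx": b"PK\x03\x04" + b"plain memo content " * 40,
            "report.pdf": b"%PDF-1.7\n" + b"plain pdf content " * 40,
            "old.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"legacy word " * 40,
            "photo.jpg": b"\xff\xd8\xff\xe0" + b"jpeg body " * 40,
        }
        paths = []
        for name, data in canaries.items():
            p = os.path.join(work, name)
            with open(p, "wb") as f:
                f.write(data)
            paths.append(p)

        before = scan(paths)
        for name in ("budget.xlsx", "memo.docx", "report.pdf"):
            with open(os.path.join(work, name), "wb") as f:
                f.write(os.urandom(4096))        # simulated ciphertext
        after = scan(paths)
        return {"before": before, "after": after, "alert": should_alert(after)}
    finally:
        shutil.rmtree(work)


if __name__ == "__main__":
    print(demo())
```

Requiring both signals (lost header and high entropy) keeps false positives down: a document saved by a legitimate application keeps its magic bytes, and a compressed archive with the right header is high-entropy but still matches.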
Good practice is also to keep software updated, to limit the attack surface available to exploit kits, and to disable the automatic execution of Office macros. Keeping copies of personal documents on external drives or cloud services is also strongly recommended.
Ransomware, and crypto-ransomware in particular, is expected to develop further: it is very profitable and relatively easy to write. Software protections exist, but it would be unwise to trust them blindly. For the time being the best defence is a regular backup of personal data, so that a copy is always available. That copy also covers hard drive failure, which can happen at any time and after which the data is very often completely unrecoverable.
The U.S. Department of Justice announced today that the Gameover Zeus (GOZ) botnet has been taken down in an effort dubbed “Operation Tovar.” The action was the result of a multinational effort between government agencies, law enforcement, and private companies to shut down the massive botnet responsible for more than $100 million in losses for victims. The cooperation necessary to take down the botnet is impressive, but there will be more, and it’s important for individuals to understand how to avoid falling victim to these threats.
CrowdStrike is one of the private companies that was heavily involved in Operation Tovar, and it worked with the United Kingdom’s National Crime Agency, the FBI, Europol, global law enforcement, and other players in the private sector. Adam Meyers, VP of intelligence at CrowdStrike, described the results of Operation Tovar. “Over 500,000 infected machines were effectively disconnected from criminal control,” he said. “The actors behind GOZ and Cryptolocker, which were both impacted by the recent actions, have done significant damage against unsuspecting victims.”
Dwayne Melancon, CTO of Tripwire, praised Operation Tovar. “I think this is an excellent opportunity to make progress against a huge Internet threat,” he said. “Taking out the command-and-control servers of a botnet is a monumental task, and this effort will make a significant difference and at least allow us to regain a foothold.”
Melancon also cautioned, however, that botnets are extremely resilient, and he believes it won’t be long before a new command-and-control structure fills the void. Even if it’s not this botnet, there will be other botnets, so the question really is, “How can users avoid getting compromised by a botnet?”
“Consumers and businesses should use the free tools, Microsoft is a good place to start, to see if they have botnet malware on their systems,” said Lamar Bailey, director of security research for Tripwire. “If they do, they should remove it as soon as possible and apply all patches necessary to protect against reinfection.”
Bailey also recommends that users patch their operating systems and applications on a regular basis to guard against malware like Cryptolocker and run vulnerability detection scans to identify holes that could be exploited by attackers.
Lucas Zaichkowsky, an enterprise defense architect with AccessData, pointed out that most antimalware tools do a poor job of identifying and blocking botnet threats and offered this advice to help individuals avoid becoming victims:
- Block email attachments containing executable files or ZIP files with executable files like EXE and SCR.
- Use vulnerability mitigation software to make up for unpatched software and avoid getting hit by exploit kits. The Microsoft Enhanced Mitigation Experience Toolkit (EMET) has a proven track record of protecting from attacks—including rare zero-days—before software patches are even available. Also, EMET can be managed in corporate environments using Group Policies.
- Install antivirus software. Although not perfect, antivirus software can still catch a large percentage of malware and reduce noise. Free antivirus software such as Microsoft Security Essentials or AVG Free is just as good as commercial offerings, so don’t feel like you have to pay money to get a good product.
For organizations with security staff, I recommend learning how to do manual analysis so incidents can be fully investigated to uncover what the existing security tools don’t reveal. Being unaware that passwords have been stolen can result in dire consequences such as wire fraud or data theft as we saw in the recent eBay incident where attackers used employee credentials to login and make their way to the database.
Just as in a physical kidnapping, your critical data can be taken from you and a ransom demanded for its return.
What is ransomware?
Ransomware is malware that holds your computer or device data hostage. The files are still on your computer, but the ransomware has encrypted them, making the data stored on your computer or mobile device inaccessible.
How Ransomware attacks work.
Hackers use malicious software to lock and encrypt the files on your computer or device. They then hold those files hostage, preventing you from accessing your data until you pay a ransom. Even if you do pay, they may or may not give you a decryption key.
Types of ransomware
The most common types of ransomware are crypto malware, lockers, scareware, Mac ransomware, and ransomware on mobile devices.
Defending against Ransomware
There are steps you can take to help protect your computer and devices against being infiltrated by ransomware. Here’s a list of tips to remember.
Always back up your data: The best way to avoid being locked out of your critical files is to always have backup copies of them, preferably both in the cloud and on an external hard drive that is disconnected except while the backup runs. This way, if you do get a ransomware infection, you can wipe the computer or device and restore your files from backup.
Keep everything updated: Keep your operating system, programs, and security software up to date, and install reliable anti-ransomware protection. The latest security patches protect you against the exploits current malware relies on.
Be cautious when online: Malicious websites and pop-up ads are just waiting for you to click on them.
Don’t surf the web on public Wi-Fi networks: Using a VPN (virtual private network) can help keep your data private.
Never use USB sticks from unknown sources: You don’t want to provide an easy gateway for hackers.
Implement a security awareness program: Provide regular security awareness training for every member of your organisation so they can avoid phishing and other social engineering attacks. Conduct regular drills and tests to be sure that training is being observed.
Never click on email attachments or links from unknown sources: They could have malware embedded in them.
Steps for responding to a ransomware attack
Activate the incident response and business continuity teams: Gather your company’s incident response and business continuity teams. Ensure each participant (IT, management, PR, legal, and any others) know what their role is and are standing at the ready.
Get help from the experts: Report the attack to the appropriate cyber law enforcement authorities as soon as you know you’ve been hit. You can also contact third-party experts to assist you in your recovery efforts.
Determine the scope of the incident:
- Identify the ransomware variant causing the infection.
- Confirm when the infection began.
- Note which networks, devices, applications, and systems have been affected.
- Determine how quickly the malware is spreading.
Contain the spread:
- Remove the infected devices and systems from the network (both wired and Wi-Fi) and from external storage devices.
- Take extreme caution with any remaining devices connected to your network and external storage devices.
Determine how you will recover from the infection.
- Try to remove the malware, or to wipe the infected system(s) and reinstall everything from scratch.
- Hire a private company to help with your recovery efforts
Remove the malware and recover your systems.
- Try to restore from a safe backup or backups. It’s best to use a backup that was not connected to your network at the time of the attack.
- Reinstall your operating system and software applications from their source media or the internet.
Plan to prevent a future ransomware infection.
Learning how to protect yourself from malware is an unfortunate necessity of our online world. Ransomware in particular is virulent software that cyber criminals use to hold your computer files hostage in exchange for a ransom payment. CryptoLocker is a notorious ransomware family and, like other malware such as spam bots, Trojans and password-stealers, it is distributed by criminals for profit.
Regrettably, ransomware has become a popular method that malware criminals use to extort money from organizations and individuals alike. These criminals have a variety of techniques to access a computer or network, but the methods typically come down to exploiting software vulnerabilities or social engineering tactics to secretly install the malware on the victim’s computer.
If you discover malware already on your machine before taking any precautions, your options for recovery may be limited, though you may still be able to limit the damage. How do you protect yourself from malware? Specific techniques are listed below, or you can contact us at NetSafe Solutions for assistance.
- Back up the data to storage that is disconnected from the network once the backup completes
- Show hidden file extensions, so that an attachment named “invoice.pdf.exe” is displayed as such rather than as “invoice.pdf”
- Filter executable files (EXE, SCR and archives containing them) out of email
- Block executables from running out of the %AppData% and %LocalAppData% folders, for example with Software Restriction Policies or AppLocker, since CryptoLocker and similar droppers run from there
- Disable the Remote Desktop Protocol (RDP), or restrict it to a VPN with strong authentication if remote access is genuinely needed
- Update or patch the software
- If infected, immediately unplug from your network or disconnect from the WiFi
- Use System Restore to return to a prior clean state, bearing in mind that many ransomware families delete restore points
With appropriate caution, you can protect yourself from malware such as Cryptolocker. As you can see, however, many steps may need more than perfunctory knowledge of computer software.
What Makes Crypto/Ransomware So Malicious?
Crypto/ransomware continues to make headlines because the perpetrators send their emails to massive numbers of individuals and organisations, particularly in the UK and US. The authors adapt quickly to updates in protection technology: new variants designed to defeat them target new groups on a regular basis. Geographical boundaries mean little, and the malware spreads rapidly around the globe.
In general, ransomware will give you a defined amount of time to pay the ransom to unlock your files. However, there is no guarantee that payment will release your computer. If you don’t act quickly, your entire system may be damaged irreparably.
Site-based Backup Separated from Network
To protect yourself from malware, use a site-based backup that is separated from your network. Add endpoint security to stop malware before it runs, and filter outbound traffic so that anything that does get in cannot reach its command-and-control server. Training employees to recognise emails carrying malware is also essential, along with clear policies for handling suspicious emails and attachments.
NetSafe Solutions has the solutions to protect yourself from malware. Let our professionals design the right protections for your specific business. Contact us today for a free network assessment that comes with no risks or obligations.
There’s a new piece of ransomware in town; here’s how to protect your company’s assets
Contributing Writer, Computerworld
There’s a big threat roaming around on the Internet right now: a particularly nasty piece of ransomware called Cryptolocker. Many, many organizations are being infected with this malware, but fortunately there are surefire ways to avoid it and also ways to mitigate the damage without letting the lowlifes win.
What is Cryptolocker?
Cryptolocker comes in the door through social engineering. Usually the virus payload hides in an attachment to a phishing message, one purporting to be from a business copier like Xerox that is delivering a PDF of a scanned image, from a major delivery service like UPS or FedEx offering tracking information, or from a bank letter confirming a wire or money transfer.
Cryptolocker’s ransom note to infected users.
The virus is, of course, an executable attachment, but interestingly the icon representing the executable is that of a PDF file. Because Windows hides known file extensions by default, the sender simply names the file so that it ends in “.pdf.exe”: Windows hides the .exe, and the unwitting user is fooled into thinking the attachment is a harmless PDF file from a trusted sender. It is, of course, anything but harmless.
Once Cryptolocker is in the door, it targets files with the following extensions:
*.odt, *.ods, *.odp, *.odm, *.odc, *.odb, *.doc, *.docx, *.docm, *.wps, *.xls, *.xlsx, *.xlsm, *.xlsb, *.xlk, *.ppt, *.pptx, *.pptm, *.mdb, *.accdb, *.pst, *.dwg, *.dxf, *.dxg, *.wpd, *.rtf, *.wb2, *.mdf, *.dbf, *.psd, *.pdd, *.pdf, *.eps, *.ai, *.indd, *.cdr, *.jpg, *.jpe, img_*.jpg, *.dng, *.3fr, *.arw, *.srf, *.sr2, *.bay, *.crw, *.cr2, *.dcr, *.kdc, *.erf, *.mef, *.mrw, *.nef, *.nrw, *.orf, *.raf, *.raw, *.rwl, *.rw2, *.r3d, *.ptx, *.pef, *.srw, *.x3f, *.der, *.cer, *.crt, *.pem, *.pfx, *.p12, *.p7b, *.p7c
When it finds a file matching that extension, it encrypts the file using a public key and then makes a record of the file in the Windows registry under HKEY_CURRENT_USER\Software\CryptoLocker\Files. It then prompts the user that his or her files have been encrypted and that he or she must use prepaid cards or Bitcoin to send hundreds of dollars to the author of the malware.
Once the payment has been made, the decryption usually begins. There is typically a four-day time limit on the payment option; the malware’s author claims the private key required to decrypt files will be deleted if the ransom is not received in time. If the private key is deleted, your files will essentially never be able to be decrypted — you could attempt to brute force the key, but as a practical matter, that would take on the order of thousands of years. Effectively, your files are gone.
Currently, the only versions of Cryptolocker in existence target files and folders on local drives and mapped drives. The malware does not currently attempt to perform its malfeasance over network-based universal naming convention paths, although one would surmise this would be a relatively simple change for the author of the ransomware to make.
Antivirus and anti-malware programs, either running on endpoints or performing inbound email message hygiene, have a particularly difficult time stopping this infection. Unless you have a blanket email filtering rule stripping out executable attachments, and that tool is intelligent enough to do so without allowing the user to request the item’s return from quarantine, you will see your users getting these phishing messages attempting to introduce Cryptolocker. It is only a matter of time.
Prevention: Software Restriction Policies and AppLocker
As of now, the best tool to use to prevent a Cryptolocker infection in the first place — since your options for remediating the infection involve time, money, data loss or all three — is a software restriction policy. There are two kinds: Regular software restriction policies, and then enhanced AppLocker policies. I’ll cover how to use both to prevent Cryptolocker infections.
Software Restriction Policies
Software Restriction Policies (SRPs) allow you to control or prevent the execution of certain programs through the use of Group Policy. You can use SRPs to block executable files from running in the specific user-space areas that Cryptolocker uses to launch itself in the first place. The best place to do this is through Group Policy, although if you’re a savvy home user or a smaller business without a domain, you can launch the Local Security Policy tool and do the same thing.
One tip: if you’re using Group Policy, create a new GPO for each restriction policy. This makes it easier to disable a policy that might be overly restrictive.
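As an added example (not code from any of the articles compiled here), the Python script below applies the two indicators these pieces describe, the “.pdf.exe” hidden-extension trick and programs launching from the AppData locations an SRP path rule covers, to a constructed process-creation log. The log line format, the sample paths and the extension sets are assumptions made for the example.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import List, Tuple

# Extensions Windows will execute directly. A document extension immediately
# before one of these (invoice.pdf.exe) is the hidden-extension trick.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".txt", ".zip"}

# User-writable profile locations the SRP path rules target: %AppData% and
# %LocalAppData% on Vista and later, "Application Data" on XP.
USER_PROFILE_EXEC_DIRS = [
    re.compile(r"\\AppData\\(Local|LocalLow|Roaming)\\", re.IGNORECASE),
    re.compile(r"\\Application Data\\", re.IGNORECASE),
]

# Assumed log format (constructed for this example): one process-creation
# event per line with the launched binary in Image="...".
IMAGE_RE = re.compile(r'Image="([^"]+)"')


def explorer_display_name(filename: str) -> str:
    """Name as Explorer shows it with 'Hide extensions for known file types' on."""
    base = ntpath.basename(filename)
    root, ext = ntpath.splitext(base)
    return root if ext.lower() in EXECUTABLE_EXTS | DOCUMENT_EXTS else base


def hidden_extension_trick(filename: str) -> bool:
    """True for names like Scan_Xerox.pdf.exe: an executable extension
    sitting behind a document extension."""
    root, ext = ntpath.splitext(ntpath.basename(filename).lower())
    if ext not in EXECUTABLE_EXTS:
        return False
    return ntpath.splitext(root)[1] in DOCUMENT_EXTS


def runs_from_user_profile(path: str) -> bool:
    """True when the image path lies under a user profile AppData folder."""
    return any(p.search(path) for p in USER_PROFILE_EXEC_DIRS)


@dataclass(frozen=True)
class Finding:
    image: str
    reasons: Tuple[str, ...]


def review_process_log(lines: List[str]) -> List[Finding]:
    """Return one Finding per launched image that matches either indicator."""
    findings = []
    for line in lines:
        match = IMAGE_RE.search(line)
        if not match:
            continue
        image = match.group(1)
        reasons = []
        if runs_from_user_profile(image):
            reasons.append("runs from AppData (location an SRP path rule blocks)")
        if hidden_extension_trick(image):
            reasons.append("double extension; Explorer shows it as "
                           + explorer_display_name(image))
        if reasons:
            findings.append(Finding(image, tuple(reasons)))
    return findings


# Constructed sample events; the paths and names are made up for this example.
SAMPLE_LOG = [
    r'2013-11-01 14:31:07 ProcessCreate Image="C:\Program Files\Microsoft Office\OUTLOOK.EXE"',
    r'2013-11-01 14:33:12 ProcessCreate Image="C:\Users\alice\AppData\Local\Temp\Scan_Xerox.pdf.exe"',
    r'2013-11-01 14:35:40 ProcessCreate Image="C:\Users\alice\AppData\Local\Google\Chrome\Application\chrome.exe"',
    r'2013-11-01 14:36:02 ProcessCreate Image="C:\Windows\System32\notepad.exe"',
]

if __name__ == "__main__":
    for finding in review_process_log(SAMPLE_LOG):
        print(finding.image)
        for reason in finding.reasons:
            print("   -", reason)
```

The per-user Chrome install in the sample is flagged as well: a blanket AppData rule blocks legitimate programs that live there, which is exactly why a separate GPO per restriction policy is worth the trouble.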
By Paul Cooper published 4 June 14
Law enforcement from around the world came together last week in an impressive sinkholing operation designed to disrupt two of the most troublesome pieces of malware on the planet: Gameover Zeus and Cryptolocker. These two spent much of last winter tearing through computers around the world, encrypting all the files on the hard drive and demanding payment to restore them. The NCA has estimated that around 15,000 computers may currently be infected in the UK. Worldwide, it runs into the millions.
Over the weekend, police managed to sinkhole the entire Gameover Zeus botnet infrastructure, and seized control of Cryptolocker’s command-and-control servers. So great news for white hats everywhere. But then the UK’s National Cyber Crime Unit put out a perplexing piece of advice: users now have two weeks to protect themselves from these two cyber nasties. So what does that mean? Why two weeks? And what can you do to protect yourself?
Well, the answer is basically the same as it’s always been. There’s no special tool or patch that’ll keep you protected from Cryptolocker. It’s just pure, common-sense cyber security.
1. Keep Windows up to date
If you aren’t running Windows, stop right here. In fact, leave this article. Go read something else on ITProPortal, go wash the car or play with your kids. The two vicious botnets are only affecting Windows users, so this isn’t something you should worry about. There are still plenty of malware threats out there, though – so make sure to keep everything up to date anyway.
2. Watch your post box for warnings
Internet users in the UK who are thought to be infected will be receiving correspondence from their internet service provider (ISP) soon, warning them that they are at risk. This is pretty unprecedented, and
If you get one of these notices, you must act immediately.
“People should not only protect their computers, but also ensure that they back up their data regularly,” said security expert David Emm of Kaspersky. “This is particularly important in the case of ransomware. If you have a backup, even if you just manually drag-and-drop your files onto a USB drive, then you can avoid the need to pay the ransom if you do get infected with Cryptolocker.”
3. Perform proper security maintenance
GetSafeOnline.org has published a list of downloads it recommends to keep yourself protected.
Unfortunately, the massive demand for the service is causing the website to crash, and it’s been offline for about 24 hours now. Not very helpful, we know – but hopefully it’ll be up and running soon enough.
4. Use a password manager
Phishing gets a lot easier once the attacker has access to your personal data. Using long, complex passwords, and different passwords for each site you access, will maximise your security on this front. If you’re not feeling up to that, why not get a password manager?
We’ve written up a rundown of all the best password managers available, so go check that out.
5. Don’t open suspicious links
How many times do we have to tell you? Don’t open them! If you don’t know where an email came from, don’t open it. If you weren’t expecting an email from a colleague, don’t open it. If the message in the text is generic and could have come from anyone, don’t open it.
Don’t rely on hovering over the link to see the URL, either – hackers are becoming more and more sophisticated at spoofing legitimate URLs in order to infect you with malware. This is the single most common vector of attack, so protect yourself from fake emails, and you’ll be laughing.
The FBI and NCA’s two-week window is a little bit of a vague guesstimate. They probably thought it would catch headlines (and it certainly has done that), but the message is always the same – make sure your antivirus software, and firewall, and everything else designed to protect you is up to date.
Paul has worked as an archivist, editor and journalist, and has a PhD in the cultural and literary significance of ruins. His writing has appeared in the New York Times, The BBC, The Atlantic, National Geographic, and Discover Magazine, and he was previously Staff Writer and Journalist at ITProPortal.
Over the past several weeks, a handful of frantic Microsoft Windows users have written in to ask what they might do to recover from PC infections from “CryptoLocker,” the generic name for an increasingly prevalent and nasty strain of malicious software that encrypts your files until you pay a ransom. Unfortunately, the answer for these folks is usually either to pay up or suck it up. This post offers a few pointers to help readers avoid becoming the next victim.
A CryptoLocker prompt and countdown clock. Image: Malwarebytes.org
According to reports from security firms, CryptoLocker is most often spread through booby-trapped email attachments, but the malware also can be deployed by hacked and malicious Web sites by exploiting outdated browser plugins.
The trouble with CryptoLocker is not so much in removing the malware — that process appears to be surprisingly trivial in most cases. The real bummer is that all of your important files — pictures, documents, movies, MP3s — will remain scrambled with virtually unbreakable encryption unless and until you pay the ransom demand, which can range from $100 to $300 (and payable only in Bitcoins).
File-encrypting malware is hardly new. This sort of diabolical threat has been around in various incarnations for years, but it seems to have intensified in recent months. For years, security experts have emphasized the importance of backing up one’s files as a hedge against disaster in the wake of a malware infestation. Unfortunately, if your backup drives are connected physically or via the local network to the PC that gets infected with CryptoLocker, your backups may be encrypted as well.
Computers infected with CryptoLocker may initially show no outward signs of infection; this is because it often takes many hours for the malware to encrypt all of the files on the victim’s PC and attached or networked drives. When that process is complete, however, the malware will display a pop-up message similar to the one pictured above, complete with a countdown timer that gives victims a short window of time in which to decide whether to pay the ransom or lose access to the files forever.
Fortunately, there are a couple of simple and free tools that system administrators and regular home users can use to minimize the threat from CryptoLocker malware. A team of coders and administrators from enterprise consulting firm thirdtier.net have released the CryptoLocker Prevention Kit — a comprehensive set of group policies that can be used to block CryptoLocker infections across a domain. The set of instructions that accompanies this free toolkit is comprehensive and well documented, and the group policies appear to be quite effective.
Individual Windows users should check out CryptoPrevent, a tiny utility from John Nicholas Shaw, CEO and developer of Foolish IT, a computer consultancy based in Outer Banks, N.C. Shaw said he created the tool to mimic the actions of the CryptoLocker Prevention Kit, but for home users. So far, he said, the CryptoPrevent installer and its portable version have seen tens of thousands of downloads.
CryptoPrevent user interface
He notes that some antivirus tools have occasionally detected his kit as malicious or suspicious, and that McAfee SiteAdvisor currently lists his domain as potentially dangerous without explaining why (I know how he feels: KrebsOnSecurity.com was at one time flagged as potentially dangerous by this service). In addition, some folks have been thrown by the apparent expletive in his company’s domain name — foolishit.net.
“When I started Foolish IT [back in 2008], I went for the domain foolishtech.com but it wasn’t available and this was one of the suggestions that GoDaddy gave me,” Shaw said. “I thought it was funny and decided to go with it.”
CryptoLocker might be the best advertisement yet for cloud data storage systems. Johnny Kessel, a computer repair consultant with San Diego-based KitRx, has been urging clients to move more of their data to cloud services offered by Google and others. Kessel said one of his clients got hit with CryptoLocker a few weeks ago — losing access to not only the files on the local machine but also the network file server.
“This thing hit like pretty much all the file extensions that are usable, from Mp3s to [Microsoft] Word docs,” Kessel said. “About the only thing it didn’t touch were system files and .exe’s, encrypting most everything else with 2048-bit RSA keys that would take like a quadrillion years to decrypt. Once the infection happens, it can even [spread] from someone on a home PC [using a VPN] to access their work network, and for me that’s the most scary part.”
For further reading on CryptoLocker, please see:
This entry was posted on Friday 1st of November 2013 02:31 PM
Monday, April 26, 2021 by Michael Nuncic
Hardly a day goes by without a corporate IT system or a privately owned computer being infected by ransomware. Every time the result is the same: the victims are blackmailed with high monetary demands. The problem is so acute that reputable news media reports have intensified in recent weeks. Many ransomware variants cannot be deciphered by security experts, and the users affected face serious problems. Protecting yourself against ransomware is actually quite easy when users observe a few simple tips.
6 simple tips on how to protect yourself against ransomware
- Don’t open attachments in emails if you do not know the sender – One of the most common ways to get infected by ransomware is to open an email attachment. Always make sure that you are the real recipient of the email and that the attachment is really sent from someone you know. If you are unsure that you are the real addressee of the attachment do not hesitate to pick up the phone and call the sender to ask. If the document is potentially dangerous and you received the email at work, contact your IT security department immediately so your company can minimize the risk of an infection.
- Don´t visit suspicious sites – Some websites can be dangerous and malicious, so be super cautious when surfing in the internet. Shady websites such as gaming, file sharing and others with “free” file downloads can contain ransomware. Ransomware can also be hidden under web banners or other scripts inside the webpage. If you need to visit such a site – for example you are a journalist, be aware that you are at risk and be prepared with the most advanced anti-virus software on the market. Do not click on any unnecessary banners to avoid infection.
- Always keep your computer system and software up-to-date – Computer criminals look for easy ways to hijack or infect your own and your company's computers and servers. You can make it difficult for these criminals by frequently downloading and installing security updates and patches. The same goes for updating your antivirus software and maintaining computer security. The more often you update, the more secure you are. Many of the major antivirus software tools which check incoming emails in real time can find most known ransomware viruses and protect you from opening them.
- Keep passwords secure and your entire computer system safe – Some ransomware is not delivered by an email, but by traditional hacking and the stealing of passwords. If the password(s) of one person is stolen and hacked, the criminal has access to the computer and can infect it with ransomware. In a case where Windows Remote Desktop Protocol (RDP) is activated, the problem is even more severe: The ransomware can spread easily from one computer to another using this protocol. So if the RDP is not necessary in your company or small business keep it disabled at any time!
- Shut down all network connections – If you suspect something is wrong and you might be infected, disconnect your computer immediately from the internet or WiFi as well as your network. This way, if you act fast, you can mitigate the damage caused by a ransomware attack. Since the purpose of ransomware is to encrypt data and hold it hostage in return for money, and since encryption takes time, there is a chance that you will be fast enough so that only a minimum of data is encrypted. Additionally, the ransomware virus cannot spread over the network to infect other drives within the company.
- Always have a current backup available – One of the easiest ways to protect yourself against the results of a ransomware attack, and to make things difficult for the criminals behind it, is having a current backup of all of your files available. There are several backup products and systems on the market for all kinds of users – private, small to medium businesses as well as large companies. Regardless of the size of the computer system, one thing which has to be implemented is a decent backup plan. The main ingredient of such a plan is deciding how often backups should be created. The less time between backups, the less data can be lost to a ransomware encryption.
But if your data is infected by a new version of ransomware, you do not have an up-to-date backup of your files and you are not able to find a decryption tool for this particular ransomware type, the only chance at recovery without paying the fee is to consult a data recovery service provider.
Specialized ransomware data recovery experts like Ontrack, as well as data security companies, track the different ransomware variants that are on the scene and develop specialized tools or work-arounds to recover infected files or complete storage systems. In many cases – but not all – the experts have found ways to recover the data infected by the most common ransomware types. So if you have become a victim of an attack, it is a good idea to give them a try. There will be a fee for the recovery of your data, but you will be doing your part to stop criminals by not supporting them.
You have turned on your computer, and the screen displays a message that your data has been blocked and that you can recover it only after paying a certain amount to the given account number? If so, you have fallen victim to ransomware, i.e. the blackmail of cyber criminals. Anyone can be attacked, private or corporate. Find out what the threat is and how to protect yourself against ransomware.
The aim of cybercriminals who use ransomware is not to obtain your data, but to extort money. However, they often threaten to disclose confidential information, so the infection may not only result in a loss of cash, but could also damage your reputation and have serious legal consequences from disclosing customer data. So let’s prevent ‘catching’ such malware.
Ransomware – what is it?
Recently, many cyberspace security specialists have warned about ransomware. What is it? This question is asked by many people who store valuable data on their devices, and that is nothing unusual: the risk of losing that data is often frightening.
Ransomware is a type of malware that blocks access to your computer and encrypts your data, then demands a ransom to recover it. It gets into the system, for example, by:
- opening an email containing infected files or a link. You just need to download an attachment or go to the website for the software to start installing on your computer. The files may pose as a bill, a bank statement, and so on,
- downloading a program that contains malicious code that infects the computer,
- exploitation of a vulnerable browser plug-in or web browser, which installs it,
- clicking on an ad redirecting to the hackers’ site on a trusted website you visit.
Ransomware can hide anywhere, and cybercriminals are using increasingly sophisticated means to extort money.
Types of ransomware you may encounter on the Internet
Hundreds of Internet users fall victim to ransomware every day. The most common types you may encounter are:
- screen-locker – it works by locking the screen. You can get rid of it without paying the ransom; all you need is the help of a good IT specialist,
- crypto-ransomware – this software not only blocks access to data, but also encrypts it. To unlock it, you need a specialized program,
- disk-encryption – encrypts or erases data and blocks the device from booting. It is the most difficult malware to defeat, and files are often unrecoverable.
It is worth remembering that it is not just companies, government sites or banks that are victims of cybercriminals. Anyone who uses the Internet can be a target.
Ransomware – how to protect yourself?
Wondering whether you can secure yourself against ransomware? How do you avoid trouble not only at work, but also at home? Can you feel safe on the Internet?
The most important rules for using the online world are:
- caution. Do not open e-mails from suspicious senders and do not download programs from sites that are not safe and verified. It’s a good idea to check that a locked padlock appears in the URL bar of the website. This is especially important when, for example, you want to visit your bank’s website and be sure that your data is safe,
- regularly update the computer software, the browser used and other programs. This way, the hacker will not find any “vulnerability” that he could use to install ransomware,
- make regular copies of your data. This way, even if you lose access to your device, you will not suffer any painful consequences because you will be able to restore it.
It is also worth switching your login method to two-factor authentication. Even if hackers get your passwords while installing ransomware, they still won’t be able to log into your account.
You’ve been a victim of ransomware and don’t know what to do next? Don’t pay the ransom! You have no certainty that you will recover your data. Instead, take your computer to a service where specialists will help you recover your data and protect it from being attacked again.
Don’t wait for the cybercriminals to attack first. Start protecting your data today.