Ransomware is among the top threats today to Windows users. Unlike other malware, ransomware does not ‘break’ Windows; it encrypts specific file types and renders them unreadable. Unfortunately, most antivirus applications today cannot detect or prevent it.

Since January 3, new ransomware variants have been released, such as CryptoJoker and TeslaCrypt (original versions were commonly known as CryptoLocker or CryptoWall). They infect computers through email attachments (disguised as something legitimate) or through websites that drop the malware onto the computer via tainted Java or Adobe Flash components, all unbeknownst to the user.

When the malware infects a computer, it will encrypt files on the local, external, and networked disk drives (C:\, D:\, E:\, etc.) and even Dropbox if it is mapped to a drive letter. New variants are also encrypting file names, making it hard to determine which files are affected. Once encrypted, the files can only be unlocked by paying a ‘ransom’ for the decryption key or by restoring the data from elsewhere. Typically, a timer counts down, and when a set time limit expires the ransom increases by double or more. If the timer expires, the ability to obtain the decryption key is lost and the computer’s data is permanently encrypted. Yes, indeed. Pictures, videos, Excel files, Word files, and PDF files are all lost.

To pay the ransom, an anonymous payment system such as Bitcoin is most common, and the time needed to set up such an account, if you do not already have one, eats into the ticking clock. Or worse, the files may have been encrypted some time ago: until you attempt to open an encrypted file you may not notice the infection, by which point the timer may already have expired.

Recovery

Choosing not to pay the ransom means the only option that remains is restoring files from a backup. Restoration relies on an external backup copy, shadow file copies, or file recovery software. The external backup copy is the best bet, as the other two depend on the state of the infected computer. It is imperative to back up your files to an external drive or cloud backup on a regular basis. While not in use, keep the drive detached from the computer so that it cannot be infected as well.

Whether data restoration is successful or not, do not trust that the computer is free of a dormant Trojan or zero-day malware just waiting to infect again. If an infection occurs, it is best to have the computer rebuilt by reloading Windows or by restoring a system image from a date prior to the infection. While an inconvenience, it may be the only sure way to know the malware is gone.

Prevention

When it comes to email and internet browsing, one bad click could mean the loss of money, data, pictures, or more. To prevent an attack, be very wary of email messages that contain attachments or links. Here are a few things to watch out for:

  1. The message contains a mismatched URL – hover over a link and the actual URL is different from what the link claims it to be.
  2. The URL contains a misleading domain name – the domain is not exactly what it claims to be.
  3. The message contains poor spelling and grammar.
  4. The message asks for personal information.
  5. The offer seems too good to be true (…you won the lottery).
  6. You did not initiate the action (…you won a lottery without entering one).
  7. You are asked to send money to cover expenses.
  8. The message makes unrealistic threats.
  9. The message appears to be from a government agency.
  10. Something just doesn’t look right.
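As an added example (not part of the original article), a small Python checker for indicators 1 and 2 above: it pulls every link out of an HTML email body and flags those whose visible text names a different site than the href, or whose hostname buries a ‘com’/‘net’ style label inside a longer, unrelated domain. The sample message body, the hostnames in it, and the two-label ‘site’ approximation are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Labels that belong at the END of a hostname; seeing one in the middle
# (login.bank.com.secure-verify.test) is a sign of a misleading domain.
COMMON_TLDS = {"com", "net", "org", "gov", "edu"}
# Visible link text that looks like a URL or bare hostname.
URL_TEXT = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)


class LinkCollector(HTMLParser):
    """Gather (href, visible text) for each <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def site(host):
    """Registrable part of a hostname, approximated as its last two labels."""
    return ".".join(host.lower().split(".")[-2:])


def suspicious_links(html):
    """Return (href, reason) pairs for links matching indicators 1 and 2."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        # Indicator 1: the text shows a URL whose site differs from the href's site.
        if URL_TEXT.match(text):
            shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
            if shown and site(shown) != site(host):
                findings.append((href, "mismatched URL: text claims %s" % shown))
        # Indicator 2: a TLD-like label hidden inside the host, before the real site.
        if any(label in COMMON_TLDS for label in host.lower().split(".")[:-1]):
            findings.append((href, "misleading domain: real site is %s" % site(host)))
    return findings


# Constructed sample body (not from the article): one honest link, two deceptive ones.
SAMPLE = (
    '<p>Invoice: <a href="https://www.example.com/inv">www.example.com/inv</a></p>'
    '<p>Verify: <a href="http://login.bank.com.secure-verify.test/">bank.com</a></p>'
    '<p>Track: <a href="http://parcel-track.test/x">https://courier.example/x</a></p>'
)

if __name__ == "__main__":
    for href, reason in suspicious_links(SAMPLE):
        print(reason, "->", href)
```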

Keep software such as Windows, Java, and Adobe Flash updated as often as possible. Updates fix security weaknesses that would otherwise be discovered and exploited by attackers.

Unfortunately, malware continues to evolve and become more sophisticated, staying one step ahead of prevention measures. No one is immune from attacks, and being aware of their nature can lead to prevention. Lastly, remember the two key steps – data backup and consistent awareness. Staying on guard will prevent a slip when least expected.

J. Eric Panknin, CISSP, MCSE, Security+

As Manager of Technology Solutions for DMJPS, Eric Panknin, MCSE, CISSP, maintains DMJPS’ increasingly sophisticated technology network and addresses the firm’s strategic IT needs. In addition, Eric also consults with DMJPS clients on technology engagements that may include design, implementation, and support.
