ransomware - virus image

 

Update 05/15/17: Microsoft releases solution to protect additional products: https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

1. What is it?

  • Ransomware is essentially a Virus, but instead of damaging or deleting files (or opening up the system to access), Ransomware hackers sell data back to the owners.
  • Ransomware encrypts your data and forces you to pay money to the “hacker”. If you pay the ransom then the hacker will decrypt your data and you will have your system back as normal – that’s the premise. This is essentially turning cybercrime into extortion.
  • While there are accounts where people have paid the “ransom” and their files have been restored and they have not been “hacked” again, there is no guarantee of this nor is there any safe-guard against your credit card information not being used in future. There is no honour among thieves.

2. Why would your computer get “attacked”?

  • Incidents of Ransomware “attacks” have been continuing to increase since 2016, though these kinds of Viruses have been around a lot longer than that.
  • The threat of Ransomware is that it is not a “Targeted” attack – anyone can be at risk, particularly small businesses as they often lack the dedicated internal IT staff to actively protect against Viruses and to educate users on best-practices to use to help reduce the risks.
  • Ransomware attacks are now automated (as opposed to a “hacker” sitting at his computer typing furiously). They are typically deployed through Phishing-email on a huge scale… like the “spam” email you get every day.
  • As a result, anyone can get infected if they are not careful.

 3. What can you do if you get “infected”?

Unfortunately, your options are limited:

A. You can attempt to “Clean” and “Decrypt” your files using existing tools available on the web. In some cases running the steps outlined below will work – I have used these steps in the past and they have worked – but it is not guaranteed:

  1. Run ESET Rogue Application Remover (you can download it from http://malwarefixes.com/eset-rogue-application-remover-erar-free-scanner-download/)
  2. Run Microsoft Malicious Software Removal tool (you can download it from http://malwarefixes.com/microsoft-malicious-software-removal-tool-free-scanner-download/)
  3. Unlock files that were encrypted by CryptoWall using PandaWare (you can download it from http://www.pandasecurity.com/resources/tools/pandaunransom.exe)
    1. Double-click on the file pandaunransom.exe to run it.
    2. You will see Panda Ransomware Decrypt program…
    3. Next, use Windows Explorer or My Computer to make a folder “PandaTest” and copy some of the encrypted files into this folder.
    4. Go back to Panda Ransomware Decrypt program and click on Select Folder button. Select the newly created folder PandaTest.
    5. Click on START button to begin. Process may take a while, please wait until it is completed.
    6. Go to the PandaTest folder and see if it worked and if your files are good. If you were able to decrypt contents of the PandaTest folder, then you may run the tool on all the affected files and folders on the computer.

B. If you cannot clean and decrypt the files yourself, you can take them to a 3rd-party IT group (Geek Squad and other similar “Tech Services” groups). They may have access to additional tools for data recovery.

C. Failing that, you can wipe clean whatever machines have been affected (i.e. complete reformat and reinstallation of OS and programs) and then restore your files as best you can from backups. Many Ransomware Viruses do not imbed themselves in the “boot sector” of the drives, however there may be some that do so this option is also not 100% guaranteed to work … but you would know very quickly after restoring the OS, connecting to the Internet and rebooting.

D. You can, of course, risk paying the ransom but this is not recommended.

4. What can you do to prevent being infected?:

  • Most Ransomware infections occur because someone “double-clicked” an attachment in an email without understanding exactly what it was (or even who sent it)… or they mistakenly clicked “ok” or “yes” to a pop-up message without actually identifying what it was for.
  • Certainly, Anti-Virus\Anti-Spam\Anti-Phishing tools can (and should) be implemented – There are On-line Scanning services you can purchase or you can purchase ones you install and pay a subscription to in order get regular Virus protection updates (Norton, Kapersky, McAfee, AVG, etc.) … you can even find many free ones – Microsoft Security Essentials (called Windows Defender in Windows10) is completely free (and part of Windows10) and is a perfectly good program to have running on all PCs. https://www.top10bestantivirus.com/
  • However, the best prevention is really ensuring you (and your staff) keep good practices when working on your computers.
  • Here are some tips that you should ensure all your staff know and adhere to:
    • Do NOT click anything from within an email (or Skype or other social media tools). If you plan to open the file then you should ALWAYS download the file\attachment first and then consider opening it from your PC (not from within the email\Skype, etc.).
    • If you are not sure what the file\attachment is – and especially if it is an “.exe” filetype – you should NOT open it. Instead follow up with the person who sent it and ask them what it is. If you do not know the person (i.e. if they are not a client, prospect, customer or friend) then either keep the email in your Junk folder or better yet delete it.
    • Do NOT click URLs from within emails (or Skype or other social media tools). First see if the site URL actually makes sense to you (i.e. does it look like it goes to a “legitimate” domain or does it go to https://greatidea.Kevin.somecompany/aspx (as an example)). Then, if you think it is legitimate, type (or copy … but do NOT click) it into your browser…. or search the Internet to see if others have commented on it.
    • When prompted with “are you sure” pop-ups or messages saying “Warning you might be infected”, do NOT just click “yes” or “ok” – make sure you know exactly what the message is and what program it is from and what it is asking you. If you are unsure, then ask your IT support person or search the web to see if others have had issues with it.
    • Avoid using “simple” passwords and\or using the same password for all your systems. You should try to use a mix of Upper- and Lower-case letters, numbers and “special” characters ($. %, &, *). Also avoid storing passwords or selecting the “remember password” or “keep me logged in” messages on some websites. The best way to remember your password is to keep using it … and it avoids it being stored in cookies, etc.
    • If you are logged onto a website (like a banking website), make sure you Log-out of the site when you leave – do not just click the “x” Close button in the Browser. It is best to fully log out of sites, particularly those that contain private information.
  • As an Owner or IT Manager, here are some additional key practices you should implement:
    • Wherever possible, keep your systems up-to-date. Regularly review what Windows updates are available and those that deal with addressing Security issues should be applied. If you are not sure then you should ask your IT support person or even search the web to see what others have to say about it.
    • Consider upgrading to Windows10 for PCs. The Windows10 operating system is more secure than earlier versions. This may not always be possible so you should first check to see if Win10 is supported by the various programs and mission-critical applications your company uses. The same can be said for upgrading your Servers but that can be a larger project and you will want to make sure you know if all your systems will work on the newer server and what is involved with the upgrade.
    • Ensure you have nightly backups of all of your Databases and mission-critical systems\files, etc. Regular “test restores” of the data should also be performed by your IT support to ensure the backups are, in fact, working and good. Many third-party IT companies provide off-site storage where backups are made and transferred nightly to their secure drives.
    • Cloud-based storage can be another option for users to store key files on – These “drives” have their own set of protections

These are just a few simple steps that can drastically improve your protection against not only Ransomware but other Viruses as well.

by Trevor Reid
Senior Technology Consultant
treid@voxism.com
LinkedIn