Tags: cybersecurity, ransomware
In my first post (Part 1), I went over the basics of how ransomware exploits your computer, and the #1 weird trick that computer experts use to avoid the pain of ransomware: namely, always have a current, offline backup of your files where the thieves can’t encrypt it in the first place. Backups can save you from the pain, the agony, and the grief of ransomware. You may have to reimage your computer and copy a known set of good files from a backup set, so the more often you back up, the better off you’ll be.
However, if everyone always had a current backup, there’d be a lot less ransomware out there. The criminals who spread ransomware know that most people don’t back up their data. According to the FBI, attacks by ransomware accrued over $18 million by June 2015, and ransomware attacks are expected to boom in 2017. Crime pays, and pays well.
Also, cybercriminals attack new and surprising venues every day (like Android screen lockers that demand payment in Amazon gift cards), so you may be the next victim. And while backups are good, you don’t want ransomware (or malware of any kind) on your computers in the first place. And finally, if you’re in IT, you’re always going to field the eventual call from your mom, your brother, or your college roommate, saying “Help! There’s a message on my computer screen that says ransomware has infected my router and I have to pay $200!”
In this post, I’ll go over some general suggested practices to harden the various areas of your computer or network where malware might enter in the first place. I’ll also list the better resources to turn to for ransomware news and solutions that may help you extricate someone from a ransomware attack.
(Note: the first part is mostly Windows-based, but the second part applies to all computer users.)
Reveal it all
If you run a Windows machine, you should always show hidden file extensions using Windows Explorer. The average user – your college roommate, Joe Lunchbucket – has been warned a zillion times by the IT department never to open an executable file from email or a URL, and believe it or not, he won’t. But if he unzips an attachment, say an automated email from the local printer, and sees a file named BillJones_Resume.PDF, he’s going to think it’s really a PDF file. If file extensions are hidden (the default behavior) he won’t realize the file is actually BillJones_Resume.PDF.exe.
File extension viewing can be enabled by opening Windows Explorer, choosing View, then Options, then Change folder and search options. On the View tab of the Folder Options window, uncheck Hide extensions for known file types. (The exact path may depend on which version of Windows you run.)
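The same setting lives in the registry, so it can be flipped from a console. The script below is an added example (not from the original post): it turns extension display on and then audits a folder for files whose real extension is executable but whose visible name ends in a document extension, the BillJones_Resume.PDF.exe case. It assumes Windows 10/11 PowerShell; the Downloads path is just a sample target.

```powershell
# Added example: show hidden extensions, then flag disguised executables.
# HideFileExt is the Explorer value behind "Hide extensions for known file types".
$advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

function Show-FileExtensions {
    # 0 = show extensions, 1 = hide them (the Windows default)
    Set-ItemProperty -Path $advanced -Name HideFileExt -Value 0 -Type DWord
    # Explorer re-reads the setting when it restarts (Windows relaunches it)
    Stop-Process -Name explorer -Force
}

# Extensions Windows will run as a program or script
$executable = @('.exe', '.scr', '.com', '.pif', '.bat', '.cmd', '.js', '.jse',
                '.vbs', '.vbe', '.wsf', '.hta', '.ps1', '.msi')
# Extensions a user expects to be harmless documents or archives
$document = @('.pdf', '.doc', '.docx', '.xls', '.xlsx', '.txt', '.jpg', '.png', '.zip')

function Find-DisguisedExecutable {
    param([Parameter(Mandatory)] [string] $Path)
    Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object {
            # $real is what Windows executes; $shown is what the user sees
            # when extensions are hidden (the extension of the base name)
            $real  = $_.Extension.ToLower()
            $shown = [System.IO.Path]::GetExtension($_.BaseName).ToLower()
            ($executable -contains $real) -and ($document -contains $shown)
        } |
        Select-Object FullName, Length, LastWriteTime
}

# Usage: audit the Downloads folder, e.g. right after unzipping an attachment
Show-FileExtensions
Find-DisguisedExecutable -Path "$env:USERPROFILE\Downloads"
```

Any file the audit lists is worth deleting unopened; a legitimate resume is never an .exe.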
Keep executables and known bad links out of email, and keep updates current
Ensure that your email service filters out EXE and script files. This may not protect you from someone hiding an EXE in a ZIP file, though. At work, your corporate infrastructure should have in-mail protection such as antivirus engines that check mail and attachments before the email is delivered to the inbox, and that check web links to see if they are dangerous or spoofed.
If you’re operating in a Windows enterprise environment, you or your IT administrator can use Group Policy Objects (GPO) to prevent ransomware like Cryptolocker from executing its payload in the \USERS folder, AppData, Local App Data folders, or Temp directories.
Check whether you have any Remote Desktop Protocol (RDP) ports open and, if you don't need remote access, disable them to prevent remote access to your desktop. (Trend Micro reported a sharp uptick in the number of brute-force RDP attacks in 2016.)
Patch or update your software and browsers regularly. Windows Update ensures that you have security patches and fixes for your operating system. Remember, if you have Windows 10, your free malware/anti-virus protection app is Windows Defender. To get updated malware and virus signatures, and to update Windows Firewall, you have to run Windows Update.
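Two of the items above, RDP exposure and the freshness of your Defender signatures, are quick to verify from a console. The script below is an added example (not from the original post) that reports both and turns RDP off where it is enabled. It assumes an elevated PowerShell on Windows 10/11; the registry value and cmdlets are standard Windows ones, and the decision to disable RDP assumes nobody relies on remote access to the machine.

```powershell
# Added example: audit RDP exposure and Defender signature age.

function Get-RdpExposure {
    $ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    # fDenyTSConnections: 1 = Remote Desktop disabled, 0 = enabled
    $enabled = (Get-ItemProperty -Path $ts -Name fDenyTSConnections).fDenyTSConnections -eq 0
    # A listener on 3389 means the service is accepting connections right now
    $listening = [bool](Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue)
    # Enabled rules in the "Remote Desktop" group let that traffic in from the network
    $fwOpen = [bool](Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -ErrorAction SilentlyContinue)
    [pscustomobject]@{ RdpEnabled = $enabled; Listening3389 = $listening; FirewallOpen = $fwOpen }
}

function Disable-Rdp {
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
        -Name fDenyTSConnections -Value 1 -Type DWord
    # Close the inbound firewall rules as well, so the port is not reachable
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
}

function Get-DefenderSignatureAge {
    # Get-MpComputerStatus ships with Windows Defender
    $status = Get-MpComputerStatus
    [pscustomobject]@{
        RealTimeProtection = $status.RealTimeProtectionEnabled
        SignatureVersion   = $status.AntivirusSignatureVersion
        SignatureAgeDays   = ((Get-Date) - $status.AntivirusSignatureLastUpdated).Days
    }
}

$rdp = Get-RdpExposure
$rdp | Format-List
# Assumption: this machine does not need Remote Desktop, so switch it off
if ($rdp.RdpEnabled) { Disable-Rdp }
Get-DefenderSignatureAge | Format-List
```

If SignatureAgeDays is more than a day or two, run Update-MpSignature (or Windows Update) before relying on a Defender scan.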
Axe the non-essentials and known vulnerabilities
Remove Adobe Flash from your computer. Do you need Adobe Flash? Lots of malware attacks come from fake pop-ups that tell the user to update their Adobe Flash, or from malvertising that uses Flash. If you do keep Adobe Flash, make sure that your antivirus/antimalware system actively checks for malware files. Other common browser hijacks will pop up a message saying you need to download an emergency update to Firefox or click to install free anti-virus software. Ensure that these kinds of applications update silently in the background so you won’t be fooled.
What to do if you think a ransomware attack is underway
If you suspect you’ve just landed on a site that’s infected with ransomware, disconnect your machine from the outside world. Unplug your Ethernet connection. Turn off your WiFi. If you move fast enough, you may protect network-attached drives from being affected. Get off the network and fire your anti-virus and anti-malware engines up immediately.
First – as I already stated – it’s a mistake to pay. (If you do decide to pay, it should always be a last resort.) Your first step should be to verify that it’s REALLY ransomware or malware, and not a browser hijack or a scareware popup that goes away when you close your browser and restart your computer.
It’s really ransomware: where to go for help (or to help others)
Ransomware can be divided roughly into two groups: sophisticated proware, and amateur hour. Even if it’s not just a scareware popup, some ransomware can be circumvented with built-in system tools. I know someone who was recently hit with Spora, a nasty and sophisticated cryptoware for which there’s no current fix. However, she managed to retrieve some of her files using Windows Previous Versions and volume shadow copies (VSS).
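Previous Versions in Explorer reads from the same volume shadow copies that VSS keeps, and they can be reached from a console as well. The script below is an added example (not from the original post, and not what my friend ran): it lists the snapshots still present and copies one file out of a snapshot taken before the encryption. It assumes an elevated PowerShell on Windows 10/11; the cut-off date and the file path are placeholders.

```powershell
# Added example: recover a file from a volume shadow copy.

function Get-ShadowCopies {
    Get-CimInstance -ClassName Win32_ShadowCopy |
        Sort-Object InstallDate -Descending |
        Select-Object ID, InstallDate, VolumeName, DeviceObject
}

function Restore-FromShadowCopy {
    param(
        [Parameter(Mandatory)] [string] $DeviceObject,  # e.g. \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3
        [Parameter(Mandatory)] [string] $RelativePath,  # path below the volume root
        [Parameter(Mandatory)] [string] $Destination
    )
    # The shadow device cannot be browsed directly; a directory symlink to it
    # (trailing backslash required) exposes the frozen volume as a normal folder.
    $mount = Join-Path $env:TEMP ('shadow_' + [guid]::NewGuid().ToString('N'))
    cmd /c mklink /d "$mount" "$DeviceObject\" | Out-Null
    try {
        Copy-Item -LiteralPath (Join-Path $mount $RelativePath) -Destination $Destination -Force
        Get-Item -LiteralPath $Destination
    } finally {
        # rmdir on a symlink removes only the link, never the snapshot behind it
        cmd /c rmdir "$mount" | Out-Null
    }
}

# Usage: newest snapshot taken before the files were encrypted (placeholder date)
$encryptedOn = Get-Date '2017-02-01'
$snapshots = Get-ShadowCopies
$snapshots | Format-Table
$before = $snapshots | Where-Object { $_.InstallDate -lt $encryptedOn } | Select-Object -First 1
if ($before) {
    Restore-FromShadowCopy -DeviceObject $before.DeviceObject `
        -RelativePath 'Users\me\Documents\notes.docx' `
        -Destination "$env:USERPROFILE\Desktop\notes.docx"
}
```

An empty snapshot list is common, because many ransomware families delete the shadow copies before encrypting, which is why the offline backup from Part 1 remains the real safety net.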
DON’T start with a random Google search. A huge number of search results from “how to fix ransomware XYZ” will be spurious or links infected with malware. (Criminals work the SEO to try to direct you back into their web.) Using another computer if you have to, go directly to the blog or forum maintained by your anti-virus or anti-malware solution provider and search for information there. In fact, major antivirus providers offer free ransomware discovery or decryption tools on their websites, and non-profit sites exist that will help you identify what’s infecting your system, so any of these links are also a good place to start:
- AVG decryptors
- Bleeping Computer malware removal guides
- Emsisoft decryptors
- ESET standalone tools
- Kaspersky tools
- No More Ransom
- Trend Micro tools
Subscribing to security newsfeeds is a good way to keep your background knowledge high. If you want to read up on ransomware before you’re hit with an attack, Digital Guardian released its list of The Top 50 InfoSec Blogs You Should Be Reading (including authorities like Krebs On Security).
If you or someone you know is a victim of ransomware, the ransom note will state a deadline of 48 to 96 hours to pay the ransom to get a private key. After the time has expired, the private key is gone and your data is forever encrypted. It’s possible to set the BIOS clock back in an attempt to delay the process and explore options. However, once the data is encrypted, you may not be able to access the files. If you can, make a new backup image of your files, even if they’re encrypted – you can always try decryption now, or at a later date once new solutions are released. (This is exactly what I told my friend who was a Spora victim to do with the rest of her hard drive that’s still encrypted.)
While this can’t be a comprehensive guide to fixing ransomware, I hope it was able to point you in the right direction. Before I leave, I want to share this amazing timeline of the varieties of ransomware released between May 2016 and today.
Until next time,