It’s that time of year again, when the first of four company newsletters goes out to both existing clients and the public via this page here on Facebook. Stuff like what I’m about to share with you is starting to happen often enough that it’s causing me to reconsider the static nature of my website and consider turning it into its own blog!
My subject for today is ransomware. Up until 2013, the vast majority of ransomware was really nothing more than an elaborate bluff that most technicians had no trouble getting around to free up a personal or company computer. In 2013, however, a piece of ransomware known as CryptoLocker began to get attention. Before it appeared on the security research radar that year, it was only being targeted at certain enterprises and corporations in a few countries. In 2013 the list of countries was growing, as was the range of computers being affected.
Unlike typical bluffing ransomware that claimed your computer was inaccessible until you paid up, CryptoLocker would actually, literally encrypt files on your computer that matched a given set of file extensions. These extensions were chosen because of how prevalent they generally are in the workplace. As with all malware out there, ransom or not, the criminal minds behind CryptoLocker decided to update their program in the latter half of 2014, and we now have CryptoWall. In either case, in order to regain access to your files ON your own computer, you have to pay the ransom. Unlike most other ransomware out there, the ransom must be paid in bitcoin, and according to Jesus Vigo, in an article written for TechRepublic on March 3, 2015 (http://www.techrepublic.com/article/ctb-locker-virus-how-to-protect-your-systems-and-what-to-do-if-infected/), many bitcoin exchanges are changing their policies to crack down on the large purchases needed to get enough bitcoin to pay the ransom.
Security researchers and programmers are currently working on ways to deal with this situation. One programmer has created a prevention app called CryptoPrevent (https://askleo.com/why-havent-you-mentioned-cryptoprevent/), which aims to lock down the ability to run executables from certain questionable sources and locations. Similar to tools such as Spybot Search and Destroy, MalwareBytes and others, this tool is meant to augment your existing anti-malware software, such as your antivirus protection. It isn’t intended as the sole protector of your data, however; it is intended to provide additional protection only.
Anyone following my writings here on Facebook will have seen articles related to ensuring the safety and security of your computer through various means, ranging from circumspect behaviour on your part to suggested tools that can help you along the way. I wrote a series that was first featured over at mytechonsite.com and, a couple of years later, featured on this page (https://www.facebook.com/FACTco?sk=notes, beginning July 2013; these are now available on this website). A solid combination of safe surfing habits, safe computing habits, and decent, updated anti-malware/AV software is required now more than ever.
CryptoLocker/Wall tends to propagate using email and zip files. At the moment, anyway...
I can’t preach enough about the dangers of having your preview/reading pane open in your email client of choice on your computer or laptop! Turn that thing OFF and get used to double-clicking to read the emails that are safe to open, and to single-clicking to select and delete the unsafe ones. You’ll know an email is unsafe because a) you don’t bank there, b) you’ve never done business with that company, c) the company you do business with would never send that type of email to you, d) the subject line is spelled oddly, or the from name/email address is spelled oddly or looks strange, or e) there’s an attachment and said company never communicates that way. If you are in doubt whether an email from a company you normally do business with is safe, call them and ask if they sent you an email with the given subject line. If they say no, don’t open it.
If you do open a suspect/strange/unusual email that contains an attachment, you run the risk of that attachment’s contents being activated automatically, particularly if it’s an HTML page or image. Because CryptoWall/Locker uses a zip file at this time, don’t open the zip file attached to any unusual, strange or out-of-character email that comes in.
It’s also wise not to click on links within emails. The safer way to handle links purportedly from trusted sources is to see if you can go to the company website directly and locate the information yourself. This is especially true for links claiming to lead to PayPal, your bank, an online bill-paying service, or a store that you regularly do business with. Many phishing emails will pretend to come from those sources, claiming you need to update your account details and to log in from the link in their email. Banks won’t send you such emails. Credit card companies won’t send you such emails. Your medical insurance company will not send you such an email. This kind of email tends to come around high-traffic times of year such as Christmas, when everyone is using couriers to get packages to recipients faster. Phishing emails pretending to come from couriers have attachments much of the time as well. Most couriers will let you go to their website, enter the tracking code and check on parcel status that way; there is no need for this type of email.
Because of the threat posed by images in HTML emails, some email clients now install with “download images” turned off by default. You are wise not to turn this back on! Do you want to see an image your friend sent? Download it, scan it, then open it. It isn’t necessary to see images on every single email that comes through. Some mail servers have gotten proactive in this regard and block HTML emails that you don’t explicitly state you want coming through. AOL, Yahoo, Comcast, Hotmail/Outlook.com and EarthLink are the most notorious for not just blocking HTML email, but also blocking bulk-send emails whether you asked for them or not. (If you wonder why a newsletter you subscribed to isn’t coming through every month, this may be why.)
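The warning signs in the last few paragraphs (a claimed sender that doesn’t match the real address, a zip attachment, links that don’t go where they claim, images fetched from the web) can be checked mechanically before anyone double-clicks. The script below is an added example, not part of the original newsletter or of any product it mentions; the two sample messages, the KNOWN_SENDERS table and every domain in them are constructed, and the checks use only the Python standard library.

```python
"""Mail triage heuristics for the warning signs described in the post.

Added example (not part of the original newsletter). Sample messages,
KNOWN_SENDERS and all domains are constructed; standard library only."""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed: organisations this user really deals with, mapped to the
# domain their genuine mail arrives from (hypothetical names).
KNOWN_SENDERS = {
    "parcel courier": "parcelcourier.example",
    "first bank": "firstbank.example",
}
# Attachment types the post warns about (zip) plus other common executables.
RISKY_EXTENSIONS = (".zip", ".exe", ".scr", ".js", ".jar")

# Constructed phishing-style sample: courier branding, unrelated domain,
# remote image, link to yet another domain, and a .zip attachment.
SUSPECT_MESSAGE = """\
From: "Parcel Courier Support" <billing@mail-update-notice.example>
To: you@example.net
Subject: Your parcel could not be delivred - see atttached invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/html; charset="utf-8"

<html><body><img src="http://tracker.example/pixel.gif">
<a href="http://parcel-reschedule.example/login">Reschedule delivery</a>
or open the attached invoice.</body></html>
--XYZ
Content-Type: application/zip; name="invoice.zip"
Content-Disposition: attachment; filename="invoice.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--XYZ--
"""

# Constructed benign sample: plain text from the courier's real domain.
CLEAN_MESSAGE = """\
From: "Parcel Courier" <notify@parcelcourier.example>
To: you@example.net
Subject: Your parcel has shipped
Content-Type: text/plain; charset="utf-8"

Track it on our website using code 123456.
"""


def sender_domain(address: str) -> str:
    """Domain part of an address, lower-cased ('' if malformed)."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def link_domain(url: str) -> str:
    """Host part of an http(s) URL, lower-cased."""
    return re.sub(r"^https?://", "", url, flags=re.I).split("/")[0].lower()


def triage(raw_message: str) -> list[str]:
    """Return human-readable warning flags; an empty list means no sign fired."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    flags: list[str] = []

    display_name, address = parseaddr(msg.get("From", ""))
    domain = sender_domain(address)

    # Signs b/c: the display name claims an organisation you deal with,
    # but the actual address is not from that organisation's domain.
    for org, real_domain in KNOWN_SENDERS.items():
        if org in display_name.lower() and domain != real_domain:
            flags.append(f"display name claims '{org}' but address domain is '{domain}'")

    for part in msg.walk():
        filename = part.get_filename() or ""
        # Sign e: an attachment of a type that can carry or drop a program.
        if (part.get_content_disposition() == "attachment"
                and filename.lower().endswith(RISKY_EXTENSIONS)):
            flags.append(f"risky attachment: {filename}")
        if part.get_content_type() == "text/html":
            html = part.get_content()
            # Remote images trigger a network request just by being rendered.
            if re.search(r"<img[^>]+src=[\"']https?://", html, re.I):
                flags.append("html body loads remote images")
            # Links to a domain other than the sender's: visit the site directly instead.
            for href in re.findall(r"href=[\"'](https?://[^\"']+)", html, re.I):
                if link_domain(href) != domain:
                    flags.append(f"link leads to '{link_domain(href)}', not the sender's domain")
    return flags


if __name__ == "__main__":
    for name, raw in (("suspect", SUSPECT_MESSAGE), ("clean", CLEAN_MESSAGE)):
        print(name, "->", triage(raw) or ["no warning signs"])
```

The heuristics are deliberately simple: they mirror the checklist in the post rather than replacing a mail filter, and a message that trips none of them still deserves the phone call the post recommends when something feels off.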
If you consider yourself a wise and safe computer and Internet user, you’ve installed all the tools, and yet you still get infected with this ransomware, the best way to get your data back without paying the ransom is to have already had a regular backup system running on your computer. Ideally, this will be an off-site backup system with file versioning, so that you can restore your data to a date earlier than when your machine became infected. Sync services such as box.net, gladinet.com, SugarSync and others also have file versioning. Once CryptoLocker/Wall is removed from your computer, you can use these services to restore working versions of your files.
To remove CryptoWall/Locker, contact a technician. Ransomware typically is not an easy removal task and does require the services of a knowledgeable malware removal technician. Needless to say, CryptoPrevent (http://www.majorgeeks.com/files/details/cryptoprevent.html) may be a wise addition to your safety arsenal.
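What “file versioning” buys you is worth seeing concretely: a backup that only keeps the latest copy will faithfully back up the encrypted files the night after the infection, whereas dated snapshots let you roll back to the last good copy. The script below is an added example, not part of the newsletter and not the mechanism of any of the services named above; it keeps timestamped copies of a folder in a separate vault directory and restores the newest snapshot taken before a chosen cutoff. The file contents, dates and the stand-in for the encrypted file in demo() are all constructed.

```python
"""Versioned backup and point-in-time restore.

Added example (not part of the original newsletter). Each snapshot is a
dated copy of the whole folder; restore picks the newest copy older than
the cutoff. Everything in demo() is constructed."""
import shutil
import tempfile
from datetime import datetime
from pathlib import Path

SNAPSHOT_FORMAT = "%Y%m%dT%H%M%S"


def take_snapshot(source: Path, vault: Path, when: datetime) -> Path:
    """Copy the source tree into vault/<timestamp>; earlier snapshots are never touched."""
    snapshot = vault / when.strftime(SNAPSHOT_FORMAT)
    shutil.copytree(source, snapshot)
    return snapshot


def snapshots_before(vault: Path, cutoff: datetime) -> list[Path]:
    """Snapshot directories taken strictly before the cutoff, oldest first."""
    found = []
    for entry in vault.iterdir():
        if entry.is_dir():
            taken = datetime.strptime(entry.name, SNAPSHOT_FORMAT)
            if taken < cutoff:
                found.append((taken, entry))
    return [entry for _, entry in sorted(found)]


def restore_before(vault: Path, target: Path, cutoff: datetime) -> Path:
    """Restore the newest snapshot older than cutoff into target, overwriting files there."""
    candidates = snapshots_before(vault, cutoff)
    if not candidates:
        raise LookupError(f"no snapshot older than {cutoff:%Y-%m-%d %H:%M}")
    chosen = candidates[-1]
    shutil.copytree(chosen, target, dirs_exist_ok=True)
    return chosen


def demo() -> dict:
    """Back up, simulate the file being rendered unreadable, back up again, roll back."""
    original = b"Quarterly invoice totals: 12,400.00\n"  # constructed content
    with tempfile.TemporaryDirectory() as tmp:
        docs = Path(tmp) / "documents"
        vault = Path(tmp) / "vault"
        docs.mkdir()
        vault.mkdir()
        invoice = docs / "invoices.xlsx"
        invoice.write_bytes(original)

        # Day 1, nightly backup: a good snapshot exists.
        take_snapshot(docs, vault, datetime(2015, 3, 1, 22, 0))

        # Day 2: stand-in for the ransomware replacing the file with ciphertext.
        invoice.write_bytes(b"\x00unreadable-ciphertext-placeholder\x00")
        damaged = invoice.read_bytes()

        # Day 2, nightly backup: the damaged file is copied just as faithfully.
        take_snapshot(docs, vault, datetime(2015, 3, 2, 22, 0))

        # After the machine is cleaned: roll back to the last snapshot before the infection.
        used = restore_before(vault, docs, cutoff=datetime(2015, 3, 2, 0, 0))
        return {
            "original": original,
            "damaged": damaged,
            "restored": invoice.read_bytes(),
            "snapshot_used": used.name,
        }


if __name__ == "__main__":
    result = demo()
    print("restored from", result["snapshot_used"])
    print("recovered intact:", result["restored"] == result["original"])
```

Two properties matter here and both hold only because old snapshots are kept rather than overwritten: the vault holds a copy from before the damage, and the restore chooses by date rather than by “latest”. A real off-site service adds the part this script cannot, which is keeping the vault somewhere the infected machine cannot write to it.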