It’s not unusual to see (and easily dismiss) breathless headlines proclaiming “worst virus ever!” After all, most of these sensationalistic-type headlines lead to blog posts that share little “new” information about malicious software and, instead, serve only to help rake in a few more ad dollars from the folks who come visiting to Read All About It.
If it bleeds, it leads, as they often say in the news industry.
Unfortunately, there’s been a new type of malicious software (malware) making the rounds that raises the bar considerably for a general category of malware called “ransomware” and I think it’s fair to say that even if it’s not the “worst” virus ever, it certainly is a nasty one.
Ransomware is a type of malicious software that holds your computer hostage — often quite literally locking it down — until you pay the advertised ransom.
Until recently, the worst ransomware would do was render your operating system (e.g. Windows) unusable until the infection was cleaned. That usually meant a quick backup of your files, a reload of your computer, and a restore of your files, and you’d be on your way.
This is called “Lock Screen ransomware”.
In recent weeks, however, a new and much more insidious form of ransomware has come on the scene, known as “Encryption ransomware”, and it promises to make life a living hell for folks who don’t follow good security practices.
That Sounds Bad…
It is. Very.
Because once Encryption ransomware gets onto your system (to date, it only affects computers running Microsoft Windows), it immediately searches your computer’s local drives, attached external drives, and mapped network drives(*) for a wide variety of file types and begins to encrypt them, effectively rendering those files useless. It uses a public/private key encryption scheme: the key used to encrypt your files is on your machine, but the private key needed to decrypt them is held only by the bad guys, so nothing left on your computer can reverse the damage.
And then it tells you to pay up.
If you don’t, the bad guys promise, you’ll lose your files permanently.
* Yes, ANY file that your computer can read and write, whether it’s on your local drive, a USB drive (thumb or otherwise), a cloud storage folder synced to your computer like Dropbox, or even a file share on another computer such as your company server, can be encrypted by CryptoLocker.
Whoa! How Does This Spread?
CryptoLocker, the current variant of encryption ransomware, is known to spread in one of four ways:
1) As an email attachment. The attachment is usually a ZIP file containing what appears to be a PDF file. Unfortunately, the “PDF” is really an executable given a PDF icon and a double extension (e.g. Invoice.pdf.exe), and Windows hides the real .exe extension by default. Opening it installs CryptoLocker or some other malicious software which then, in turn, installs CryptoLocker.
2) By way of an infected website. Often the site exploits outdated software on your computer (usually an old Java plugin) to install the malware.
3) By using social engineering tricks to make you believe you need to install a particular video codec, browser plugin, or other software. This typically happens by tricking the user into clicking a link.
4) Or through an existing infection on your computer, which downloads and installs CryptoLocker.
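To show what the first of those lures looks like to a mail filter, here is an added example (my illustration, not code from the original post and not CryptoLocker’s own code) that inspects a ZIP attachment for disguised executables two ways: by name, looking for a double extension that ends in a type Windows will run, and by content, looking for the “MZ” signature every Windows executable begins with, which catches a renamed executable even when the name looks harmless. The attachment it scans is constructed inline and the file names in it are made up.

```python
from __future__ import annotations

import io
import zipfile

# Extensions Windows will execute directly when the user double-clicks the file.
EXECUTABLE_EXTENSIONS = {
    ".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".jar",
}
# Extensions the lure pretends to be; Windows hides the real, last extension by default.
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg"}


def classify_name(name: str) -> list[str]:
    """Return the reasons a member name looks like a disguised executable (empty if none)."""
    reasons: list[str] = []
    base = name.rsplit("/", 1)[-1].lower()       # ignore any folder inside the archive
    parts = base.split(".")
    if len(parts) < 2:
        return reasons                             # no extension at all
    last = "." + parts[-1]
    if last in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable extension {last}")
        if len(parts) >= 3 and "." + parts[-2] in DOCUMENT_EXTENSIONS:
            reasons.append(f"double extension disguised as {'.' + parts[-2]}")
    return reasons


def scan_zip_attachment(data: bytes) -> dict[str, list[str]]:
    """Inspect every member of a ZIP attachment; flag disguised executables by name and by content."""
    findings: dict[str, list[str]] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = classify_name(info.filename)
            with zf.open(info) as member:
                header = member.read(2)
            # Windows PE executables start with the bytes 'MZ', whatever the name says.
            if header == b"MZ":
                reasons.append("content starts with MZ (Windows executable)")
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_attachment() -> bytes:
    """Constructed sample: a ZIP shaped like the CryptoLocker lure, plus a benign PDF for contrast."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # The lure: an executable whose name shows as 'Invoice_2013.pdf' when extensions are hidden.
        zf.writestr("Invoice_2013.pdf.exe", b"MZ" + b"\x90" * 62)
        # An executable renamed to look entirely like a document (caught by content, not by name).
        zf.writestr("Statement.pdf", b"MZ" + b"\x00" * 30)
        # A genuine PDF header, which must not be flagged.
        zf.writestr("Receipt.pdf", b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reasons in scan_zip_attachment(build_sample_attachment()).items():
        print(f"{member}: {'; '.join(reasons)}")
```

A check like this belongs on the mail gateway or in a download scanner; on the desktop, the cheaper equivalent is to turn off “Hide extensions for known file types” in Windows Explorer so the .exe is visible in the first place.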
Okay, So What Can I Do If I Get Hit?
You need to clean your system of the infection.
Unfortunately, there’s no way to undo the damage done to your files, which is why backing up your irreplaceable files is so important. If you’ve had the misfortune of getting hit by ransomware like CryptoLocker, the ONLY ways to get your files back are to:
- Restore your files from a backup, or
- Take a chance and pay the demanded ransom.
Attempting to pay the ransom is definitely not recommended.
Some folks hit by this malicious software have reported success paying the ransom, but we at ESC! Technologies Group agree with Security Experts and Law-enforcement Officials that you should, under no circumstances, pay the ransom.
First, because there’s no guarantee that paying the stated ransom will get your files back and, second, because extortion is a serious crime and your payment only emboldens the criminals and encourages them to continue their attacks. Not only that, but you also open yourself up to identity theft.
So knowing that, the best course of action is to:
1) ERASE (Format) your Computer’s Hard Drive.
2) Reinstall your operating system from a known-good copy (e.g. the installation disc).
3) Reinstall your software applications.
4) Restore your files from a recent backup.
Even though tools exist that claim to offer a method for ridding your computer of CryptoLocker, do not attempt to “clean” the malicious software from your computer. Doing so may leave other malicious software on your system that these tools don’t recognize, so the only way to guarantee your computer is 100% clean is to erase the drive and start from scratch.
Can I Take Action to Help Prevent Ransomware from Attacking Me?
Absolutely! While no action you take is foolproof, here are 7 simple tips to help protect your computers from malicious software:
1) Pay attention to the links you click and the attachments you open.
This is really half (if not more) of the battle! If you receive an attachment or link you weren’t expecting via email, social media message, comment on your website, or any other means, you’re better off NOT opening the file or clicking the link. Verify with the (alleged) sender, by some other channel than the message itself, that they really sent it before you open it.
2) Keep regular backups of your irreplaceable files.
That includes photos, office documents, databases…pretty much anything that can’t be easily recreated. These backups should be kept “offline” on media like flash drives or external hard drives that aren’t connected to your computer in regular, day-to-day operations.
Another great option is to use a cloud backup service that is out of reach of malicious software running amok on your machine. Sync services such as Dropbox, Google Drive, and SkyDrive are NOT that: they mirror a folder on your computer continuously, so when CryptoLocker overwrites a file in that folder the encrypted copy is uploaded right over the good one. What you want is a backup the malware can’t write to, or one that keeps previous versions of every file, so the copy from before the infection still exists.
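The difference between a sync folder and a real backup is whether the copy from before the damage survives. The following added example (my illustration, not part of the original post and not the product of any service named above) is a minimal versioned, content-addressed backup in Python: each snapshot records the checksum of every file it saw, stored objects are never overwritten, and so an encrypted file written over the original lands beside the clean copy instead of replacing it. The `docs/sales.xlsx` scenario is constructed, and random bytes stand in for the ciphertext ransomware writes.

```python
from __future__ import annotations

import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of a file's contents; used as its object name so identical content is stored once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(src: Path, repo: Path) -> int:
    """Record src as a new numbered snapshot in repo; earlier objects are never overwritten."""
    objects = repo / "objects"
    objects.mkdir(parents=True, exist_ok=True)
    manifest: dict[str, str] = {}
    for path in sorted(p for p in src.rglob("*") if p.is_file()):
        digest = file_digest(path)
        target = objects / digest
        if not target.exists():            # changed (or encrypted) content gets a new object
            shutil.copy2(path, target)
        manifest[str(path.relative_to(src))] = digest
    number = len(list(repo.glob("snapshot-*.json"))) + 1
    (repo / f"snapshot-{number:04d}.json").write_text(json.dumps(manifest, indent=1))
    return number


def restore(repo: Path, number: int, dest: Path) -> list[str]:
    """Rebuild the tree recorded in snapshot `number` under dest; returns the restored relative paths."""
    manifest = json.loads((repo / f"snapshot-{number:04d}.json").read_text())
    for rel, digest in manifest.items():
        out = dest / rel
        out.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(repo / "objects" / digest, out)
    return sorted(manifest)


def demo(workdir: Path) -> tuple[bytes, bytes, int]:
    """Constructed scenario: back up, let 'ransomware' overwrite the file, back up again, restore the old copy."""
    src, repo, out = workdir / "docs", workdir / "backup", workdir / "restored"
    src.mkdir(parents=True)
    original = b"Q3 sales figures - irreplaceable\n"
    (src / "sales.xlsx").write_bytes(original)
    snapshot(src, repo)                     # snapshot 1: the clean copy

    scrambled = os.urandom(len(original))   # stands in for the ciphertext written over the file
    (src / "sales.xlsx").write_bytes(scrambled)
    second = snapshot(src, repo)            # snapshot 2: what a plain mirror would now hold

    restore(repo, 1, out)                   # a mirror has nothing older than snapshot 2; we do
    return original, (out / "sales.xlsx").read_bytes(), second


def run_demo() -> tuple[bytes, bytes, int]:
    """Run the scenario in a throwaway directory; returns (original, recovered, snapshot count)."""
    with tempfile.TemporaryDirectory() as d:
        return demo(Path(d))


if __name__ == "__main__":
    before, after, count = run_demo()
    print(f"{count} snapshots taken; restored copy matches original: {before == after}")
```

Versioning only helps if the backup itself is out of the malware’s reach: keep the repository on media you disconnect after each run, or on a service the infected machine cannot overwrite, because anything CryptoLocker can write to it will encrypt along with everything else.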
3) Be sure your computers are up to date with the latest security patches.
This includes patches to your operating system as well as any available patches to the applications installed on your computer such as Microsoft Office.
4) Keep your browser plugins up to date.
Popular plugins include Adobe Flash and Shockwave, Adobe Acrobat Reader, Apple QuickTime, Microsoft Silverlight, and others. If you’re not sure whether an update prompt that pops up on your screen is legitimate, don’t click it; go directly to the plugin developer’s site (Adobe, Microsoft, etc.) and download the latest update from there instead.
5) Uninstall third party toolbars in your browser from companies you’ve never heard of.
Toolbars from Microsoft Bing, Google, and Yahoo! are popular browser add-ons, but toolbars from companies you don’t know may lead you to unexpected or even dangerous search results and websites. Delete them.
6) Speaking of browser plugins, uninstall Java from your computer.
Java has been a security nightmare recently, and it’s very unlikely you’ll ever need it, yet many PC manufacturers install it when they build your computer, and then it’s never updated. If you uninstall Java and later find you need it, you can always reinstall it; if you do, be absolutely sure to keep it up to date, and if you only need it for a desktop program, disable the Java browser plugin in the Java Control Panel so websites can’t reach it.
7) Install an anti-virus program and keep it up to date.
No anti-virus is perfect, and many were fooled by CryptoLocker because of the way it snuck onto computers, but it’s still necessary for PCs running Windows and worthwhile for some OS X and Linux users.
Top rated anti-virus programs include those from Norton, Bitdefender, Webroot, and Trend Micro, while top rated free anti-virus includes those from Avast!, Ad-aware, and AVG.
CryptoLocker and other ransomware are certainly some of the worst variants of these types of malicious programs to come along in a long time. And, unfortunately, the folks who write these programs will only continue to get more sophisticated in the methods used to carry out their attacks, so please be careful out there and, most importantly, if you have any questions, be sure to ask!