Ransomware – How to Prevent and Recover from a Ransomware Malware Attack
This post describes what Ransomware is and what it does, and provides advice on how to prevent and recover from Ransomware attacks.
Ransomware is computer malware (term often used interchangeably with computer virus) that installs in a covert manner on a victim’s computer, executes a hidden attack to lock the computer or encrypt the files, and then demands a ransom payment to restore normal use. Simply put, Ransomware stops you from using your computer and holds your computer and/or files hostage for payment.
Some troubling statistics for Ransomware are as follows:
- Over 18 million dollars paid to Ransomware thieves between April 2014 and June 2015.
- More than 6 million detected Ransomware attack attempts in Q4 2015.
- 50% of all malware are now Ransomware attacks.
- 93% of phishing emails now contain encryption Ransomware.
Common Questions –
Q – Does Ransomware affect Macs or just PCs?
A – Both.
Prevention –
- Backup, backup, backup! We can’t say it enough, you’ve got to backup your files on a regular schedule. If you are attacked by ransomware you may lose work you started earlier in the day or week, but you can restore your files and possible system to an earlier uncompromised version. Cryptolocker will encrypt files on drives that are mapped or directly connected so it’s important to rotate your backups onto different physical disks or cloud backup services. Use a large external drive for a system snapshot along with files and save some money using USB thumb drives to store your most sensitive or critical information. Cloud backups typically keep multiple version of your files allowing you to selectively recover non-infected files. institute a regular backup regimen and unplug/disconnect physical media when they’re not performing backups.
- Configure Windows to show hidden file-extensions. Why? Window’s default behavior is to hide known file-extensions which includes EXE files. Do you have a click-happy employee? Many Ransomware malware infections are opened by users who don’t understand they are falling for social engineering attacks that rely on their innate trust or curiosity. Don’t know who it is sending you that file? Don’t open it. Call them on the phone and verify it’s origin. 99% of Cryptolocker infections make their way via email and as attachments. They are cleverly disguised with the extension “.PDF.EXE” but by default, you will only see the “.PDF” and when you click on that file hoping to read a PDF, you’re actually inviting the virus onto your computer. Telling Windows to reveal full file-extensions goes a long way toward identifying malicious software before it can cause damage.
- Lock down where programs may run from. The Cryptolocker Prevention Kit is an excellent tool from Third Tier that automatically locks down via Group Policy your ability to run executables from the App Data, Local App Data, and temp directories. It is periodically updated as Cryptolocker mutates and evolves so make sure you have the latest version and that you apply the fix on a regular basis.
- Use System Restore and patch/update your software on a regular basis. Are you a SOHO user? Enable automatic updates and let your software patch itself as much as possible. If you somehow break something via auto-patch, you can always go back via System Restore.
- Ransomware often connects to an internet server to get an encryption key. Like a lot of Malware, connections are made to further damage or invite more unruly programs (their friends) to a house party on your computer. Strict Firewall rules (are you doing business in Europe and Asia? No? Then block connections to those IP blocks!) can block those requests necessary to encrypt the data. You are essentially blocking Ransomware’s ability to phone home. Certainly, Malware can still operate from inside U.S. borders but this does restrict overall activity. Polymorphic malware evades the signature-based detection common with most antivirus so using a service like OpenDNS which blacklists Ransomware sites, thus preventing a connection to them.
- Keep your security software up to date and use a software firewall.The next three tips are meant to deal with how Cryptolocker has been behaving – this may not be the case forever, but these tips can help increase your overall security in small ways that help prevent against a number of different common malware techniques.
Software to Keep You Safe
PC – Download the Ransomware Prevention Kit ($25). Includes documents, policies, recovery keys, and instruction sets for other tools native to Windows Server and Desktop OS’s. Also include suggestions of how you can modernize your network configuration best practices a build a great solution for your network or clients: http://www.thirdtier.net/Ransomware-prevention-kit/
Mac – RansomWhere? https://objective-see.com/products/ransomwhere.html (See all their security software for OS X: https://objective-see.com/products.html)
Update October 2016
A new variant of Ransomware known as “Doxware Ransomware” will release your files on the internet if payment isn’t made. D0xware is a new malware variant that not only locks up your files, but collects other personal data from your system (think “tax returns”, etc.), uploads it to a server, and then threatens to make it public. Victims are given a 72 hour deadline to pay in Bitcoin or you lose control of your files.
Note: The word “d0xing” originates from “documenting,” and in the Cybersecurity world, it refers to when scammers threaten to release a Ransomware victim’s files out on the Internet.
Confused? Need Help?
Contact Tech MacGyver for a consultation or to make an appointment to secure your digital assets.
Tech MacGyver – Technology & Business Solutions for Sarasota-Bradenton