Quadra

Connecting Technology and Business.

Beware of Ransomware

Ransomware is a growing problem that is now affecting many computer users around the world.

What is ransomware?

  • Ransomware stops a user from using their PC. It holds the PC or its files for ransom, demanding a certain amount of money.

  • Some versions of ransomware are called "FBI Moneypak" or the "FBI virus" because they use the FBI's logos.

What does it look like and how does it work?

There are different types of ransomware. However, all of them will prevent the user from using the PC normally, and they will all ask the user to do something before the PC can be used again.

Ransomware can:

  • Prevent the user from accessing Windows.
  • Encrypt files so the user can't use them.
  • Stop certain apps from running (such as the web browser).

Ransomware will demand that the user does something to regain access to the PC or files. The pop-up that appears may:

  • Demand that the user pay money.
  • Make the user complete surveys.
  • Often the ransomware will claim that the user has done something illegal with the PC, and that they are being fined by a police force or government agency.

  • These claims are false. It is a scare tactic designed to make the user pay the money without telling anyone who might be able to restore the PC.

  • There is no guarantee that paying the fine or doing what the ransomware demands will restore access to the PC or files.

https://www.microsoft.com/security/portal/mmpc/shared/ransomware.aspx

Here is a sample:


Locky is the nickname of a new strain of ransomware, so-called because it renames all your important files so that they have the extension .locky.

Of course, it doesn’t just rename your files, it scrambles them first, and – as you probably know about ransomware – only the crooks have the decryption key.

You can buy the decryption key from the crooks via the so-called dark web.

The prices we’ve seen vary from BTC 0.5 to BTC 1.00 (BTC is short for “bitcoin,” where one bitcoin is currently worth about $400/£280).

https://sophosnews.files.wordpress.com/2016/02/locky-ransom-1200.png?w=640&h=586

The most common way that Locky arrives is as follows:

  • You receive an email containing an attached document (Troj/DocDl-BCF).
  • The document looks like gobbledegook.
  • The document advises you to enable macros “if the data encoding is incorrect.”

https://sophosnews.files.wordpress.com/2016/02/locky-macros-640.png?w=640&h=340

  • If you enable macros, you don’t actually correct the text encoding (that’s a subterfuge); instead, you run code inside the document that saves a file to disk and runs it.
  • The saved file (Troj/Ransom-CGX) serves as a downloader, which fetches the final malware payload from the crooks.
  • The final payload could be anything, but in this case is usually the Locky Ransomware (Troj/Ransom-CGW).
  • Locky scrambles all files that match a long list of extensions, including videos, images, source code, and Office files.
  • Locky even scrambles wallet.dat, your Bitcoin wallet file, if you have one.
  • In other words, if you have more BTCs in your wallet than the cost of the ransom, and no backup, you are very likely to pay up. (And you’ll already know how to buy new bitcoins, and how to pay with them.)
  • Locky also removes any Volume Snapshot Service (VSS) files, also known as shadow copies, that you may have made.

Shadow copies are the Windows way of making live backup snapshots without having to stop working – you don’t need to logout or even close your applications first – so they are a quick and popular alternative to a proper backup procedure.
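The infection chain above (a Word document spawning a command interpreter, a dropped executable, then shadow copies being wiped) leaves traces in endpoint process-creation telemetry. What follows is an added example, not code from the Sophos article or from this page, of two detection rules run over constructed sample events shaped like Sysmon Event ID 1 / Security 4688 records: an Office application spawning a shell or script host, and a command line that deletes or shrinks shadow copies. Host names, user names and the dropped-file name are invented for the example.

```python
import re

# Constructed sample process-creation events (host names, users, paths and the
# dropped-file name are invented for this example).
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "CORP\\alice",
     "parent": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": 'cmd.exe /c "%TEMP%\\dropped.exe"'},
    {"host": "ws01", "user": "CORP\\alice",
     "parent": "C:\\Users\\alice\\AppData\\Local\\Temp\\dropped.exe",
     "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"host": "ws02", "user": "CORP\\bob",
     "parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\notepad.exe",
     "cmdline": "notepad.exe minutes.txt"},
    {"host": "ws03", "user": "CORP\\helpdesk",
     "parent": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin.exe list shadows"},
    {"host": "srv01", "user": "CORP\\svc-backup",
     "parent": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "cmdline": "wmic shadowcopy delete"},
]

# Rule 1: an Office application should not be launching these.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe"}

# Rule 2: command lines that remove or starve Volume Shadow Copies.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
]


def basename(path):
    """Lower-cased final component of a Windows path ('' for empty input)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event):
    """Return the list of rule names that match one process-creation event."""
    findings = []
    parent = basename(event.get("parent", ""))
    image = basename(event.get("image", ""))
    cmdline = event.get("cmdline", "")
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        findings.append("office-spawned-script-host")
    if any(p.search(cmdline) for p in SHADOW_DELETE_PATTERNS):
        findings.append("shadow-copy-deletion")
    return findings


def scan(events):
    """(host, user, rule) triples for every event that matches a rule."""
    return [(e["host"], e["user"], f) for e in events for f in evaluate(e)]


if __name__ == "__main__":
    for host, user, rule in scan(SAMPLE_EVENTS):
        print(f"{host}\t{user}\t{rule}")
```

The listing command (`vssadmin list shadows`) does not fire, but the backup service account on srv01 does, which is the point of the last sample: shadow-copy deletion is also legitimate maintenance, so the rule needs an allow-list of backup hosts or accounts, and a hit should carry the parent process and user so an analyst can triage it quickly. The Office-spawn rule is the earlier and higher-fidelity signal on a workstation.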


Once Locky is ready to hit you up for the ransom, it makes sure you see the following message by changing your desktop wallpaper:

https://sophosnews.files.wordpress.com/2016/02/locky-wallpaper-640.png?w=640&h=376

If you visit the dark web page given in the warning message, then you receive the instructions for payment that we showed above.


Unfortunately, so far as we can tell, there are no easy shortcuts to get your data back if you don’t have a recent backup.


Remember, also, that like most ransomware, Locky doesn’t just scramble your C: drive.

It scrambles any files in any directory on any mounted drive that it can access, including removable drives that are plugged in at the time, or network shares that are accessible, including servers and other people’s computers, whether they are running Windows, OS X or Linux.
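The behaviour just described, many files on local drives and network shares renamed to one new extension within a short time, is something a file server's audit log can be watched for. The following is an added example, not part of the original post, of a rate-based rename detector run over constructed sample events; the event field names, host and user names, the window and the threshold are assumptions chosen for the example.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 60   # look-back window per account (assumed value)
THRESHOLD = 20        # renames to one new extension inside the window (assumed value)


def _name(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def extension(path):
    """Lower-cased extension of the final path component, '' if it has none."""
    name = _name(path)
    if "." not in name:
        return ""
    return "." + name.rsplit(".", 1)[1].lower()


def root_of(path):
    """Drive letter ('C:') or UNC share ('\\\\server\\share') that a path lives on."""
    p = path.replace("/", "\\")
    if p.startswith("\\\\"):
        parts = p[2:].split("\\")
        return "\\\\" + "\\".join(parts[:2])
    if len(p) >= 2 and p[1] == ":":
        return p[:2].upper()
    return "?"


def detect_rename_bursts(events, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Alert once per (host, user, new extension) when that account renames
    `threshold` files to the same new extension within `window` seconds.
    Each event is a dict with ts (seconds), host, user, path_before, path_after."""
    recent = defaultdict(deque)   # (host, user, new_ext) -> deque of (ts, root)
    fired = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        old_ext, new_ext = extension(ev["path_before"]), extension(ev["path_after"])
        if not new_ext or new_ext == old_ext:
            continue                      # plain moves are not interesting here
        key = (ev["host"], ev["user"], new_ext)
        q = recent[key]
        q.append((ev["ts"], root_of(ev["path_after"])))
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()                   # drop renames older than the window
        if len(q) >= threshold and key not in fired:
            fired.add(key)
            alerts.append({"host": ev["host"], "user": ev["user"], "new_ext": new_ext,
                           "count": len(q), "roots": sorted({r for _, r in q})})
    return alerts


def constructed_sample_events():
    """Invented events: one account mass-renaming to .locky across a local
    folder and a network share, plus a colleague's slow, benign renames."""
    events = []
    sources = ["report.docx", "q3.xlsx", "photo.jpg", "main.c", "wallet.dat"]
    for i in range(25):
        root = "C:\\Users\\alice\\Documents" if i % 2 == 0 else "\\\\fileserver\\finance\\2016"
        events.append({"ts": 1000.0 + i * 1.2, "host": "ws01", "user": "CORP\\alice",
                       "path_before": f"{root}\\{sources[i % 5]}",
                       "path_after": f"{root}\\{i:016X}.locky"})
    for i in range(5):
        events.append({"ts": 2000.0 + i * 3600, "host": "ws02", "user": "CORP\\bob",
                       "path_before": f"C:\\Users\\bob\\~tmp{i}.tmp",
                       "path_after": f"C:\\Users\\bob\\draft{i}.docx"})
    return events


if __name__ == "__main__":
    for alert in detect_rename_bursts(constructed_sample_events()):
        print(alert)
```

The alert carries the set of drives and shares touched, which tells the responder which file server to isolate and which user session to kill; because the key is the user account rather than the machine, a domain administrator's session hitting several shares at once (the scenario the next paragraphs warn about) shows up as one alert with many roots.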


If you are logged in as a domain administrator and you get hit by ransomware, you could do very widespread damage indeed.


Giving yourself up front all the login power you might ever need is very convenient, but please don’t do it.


Only log in (or use Run As...) with admin powers when you really need them, and relinquish those powers as soon as you don’t.


Tips for preventing ransomware

1. Back up your files regularly and keep a recent backup off-site.

The only backup you’ll ever regret is one you left for “another day.” Backups can protect your data against more than just ransomware: theft, fire, flood or accidental deletion all have the same effect. Make sure you encrypt the backed-up data so only you can restore it.

2. Don’t enable macros.

A lot of ransomware is distributed in Office documents that trick users into enabling macros. Microsoft has just released a new tool in Office 2016 that can limit the functionality of macros by preventing you from enabling them on documents downloaded from the internet.
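The Office setting stops a user enabling macros on a downloaded file; a mail gateway or download scanner can go one step earlier and recognise a macro-bearing attachment from its bytes, before anyone sees the “enable macros” prompt the Locky document relies on. Here is an added example, not part of the original post and not a Microsoft tool, that classifies an attachment by content rather than by extension: an OOXML container (.docx, .xlsm and friends are zip archives) carrying a vbaProject.bin part or a macro-enabled content type, or a legacy OLE2 binary document (.doc/.xls), which can embed macros too. The sample documents it builds are constructed minimal containers, not real Word files, and the action names are the example's own.

```python
import io
import zipfile

# Legacy binary Office formats (.doc/.xls/.ppt) start with the OLE2 compound-file magic.
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
# In OOXML a VBA project is stored as a vbaProject.bin part; the container's
# [Content_Types].xml also declares macro-enabled main parts.
VBA_PART_SUFFIX = "vbaproject.bin"
CONTENT_TYPES = "[content_types].xml"


def classify_office_attachment(data):
    """'ooxml-macro', 'ooxml-clean', 'ole-legacy' or 'other', judged from bytes only."""
    if data.startswith(OLE_MAGIC):
        return "ole-legacy"
    if data[:2] != b"PK":
        return "other"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            lowered = [n.lower() for n in names]
            ct_name = next((n for n in names if n.lower() == CONTENT_TYPES), None)
            ctypes = ""
            if ct_name is not None:
                ctypes = zf.read(ct_name).decode("utf-8", "replace").lower()
    except zipfile.BadZipFile:
        return "other"
    if any(n.endswith(VBA_PART_SUFFIX) for n in lowered) or "macroenabled" in ctypes:
        return "ooxml-macro"
    if ct_name is not None:
        return "ooxml-clean"
    return "other"


def gateway_action(filename, data):
    """Policy for one attachment (example policy, not a product's): quarantine
    anything with macros, send legacy binary documents for review, allow the rest.
    The filename is deliberately ignored: a renamed .docx still carries its macros."""
    kind = classify_office_attachment(data)
    if kind == "ooxml-macro":
        return "quarantine"
    if kind == "ole-legacy":
        return "review"
    return "allow"


def make_sample_docx(with_macro):
    """Constructed minimal OOXML container for testing; not a real Word file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        main_type = ("application/vnd.ms-word.document.macroEnabled.main+xml" if with_macro
                     else "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml")
        zf.writestr("[Content_Types].xml",
                    f'<Types><Override PartName="/word/document.xml" ContentType="{main_type}"/></Types>')
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00constructed-placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for name, blob in [("invoice.docx", make_sample_docx(True)),
                       ("agenda.docx", make_sample_docx(False)),
                       ("old-report.doc", OLE_MAGIC + b"\x00" * 16)]:
        print(name, classify_office_attachment(blob), gateway_action(name, blob))
```

The two OOXML signals are checked independently because either one alone is enough: a document whose content type is plain .docx but which still carries a vbaProject.bin part is exactly the kind of mismatch a gateway should refuse to let through.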

3. Consider installing Microsoft Office viewers.

They allow you to see what a Word or Excel document looks like without macros. The viewers don’t support macros so you can’t enable them by mistake, either.

4. Be very careful about opening unsolicited attachments.

Most Windows ransomware in recent months has been embedded in documents distributed as email attachments.

5. Don’t give yourself more login power than necessary.

Don’t stay logged in as an administrator any longer than necessary. Avoid browsing, opening documents or other regular work activities while logged in as administrator.

6. Patch, patch, patch.

Malware that doesn’t come in via document macros often relies on bugs in software and applications. When you apply security patches, you give the cybercriminals fewer options for infecting you with ransomware.

7. Train and retrain employees in your business.

Your users can be your weakest link if you don’t train them how to avoid booby-trapped documents and malicious emails.

8. Segment the company network.

Separate functional areas with a firewall, e.g., the client and server networks, so systems and services can only be accessed if really necessary.

You can watch a video about Ransomware here:

http://www.symantec.com/tv/products/details.jsp?vid=1954285164001

- naked security by Sophos (@duckblog), Forbes.com & Symantec.com