This blog post concerns what is known as “ransomware”.
It is becoming an ever more prevalent annoyance circulating around the internet. The devilish hackers behind it are attempting to extort money from ordinary people.
As its name implies, “Ransom-ware holds your computer hostage, subsequently demanding payment in order for the person to be able to boot or log into their computer again,” says Eric Rainbolt, 4GoodHosting’s support manager. It gets onto a victim’s computer by silently installing itself through unpatched software vulnerabilities, and sometimes through social engineering tactics too.
“Cryptolocker” is ransom-ware that spreads quickly through email and affects a person’s files on any drive mapped to a drive letter such as D:, E: or F:, whether hard drive or SSD. This can also include USB memory sticks, external hard drives, and network or cloud folders.
Paying the criminals, which we don’t advise, may or may not get you access to your system or your data back; there have been plenty of cases where the ransom-ware’s decryption key is never emailed or, when sent, doesn’t even work.
Tens of thousands of machines have been affected in the past couple of years, after the ransom-ware pirates sent out millions of emails.
So what can be done about ransom-ware?
Ransom-ware is not only disruptive and intimidating; the encrypted files it leaves behind can often be considered damaged and oftentimes beyond repair. But if you have adequately safeguarded your system, it becomes nothing more than a nuisance.
Here are some methods to negate the threat of ransom-ware.
Mirror your drive to a backup drive at least once a month.
Having a regularly updated backup is essential.
If your computer is infected with ransom-ware it may cause you to lose work-in-progress documents.
To avoid this it is better to use an external drive or backup service, particularly one that is not assigned a drive letter or is kept unplugged when not in use.
Patch or update your software
Malware authors rely on people running outdated software with known vulnerabilities, which they can exploit to silently get onto the victim’s system.
Updating your software often will help prevent this.
Filter .exe executable files out of your emails (our StopSpam service does this for you)
Also make sure you block files that have two file extensions, particularly where the last one is .exe.
If you need to deliver executable files, try doing that with .zip files or via cloud file storage services.
Set Windows display properties to show hidden file extensions
Ransom-ware often arrives in your email as a file named something like “.pdf.exe”, which counts on Windows’ default behavior of hiding known file extensions.
To cure this, disable the hiding of known file extensions. This will make it easier to identify these kinds of suspicious files.
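As an added example (not code from the original post), the following PowerShell snippet applies the two pieces of advice above: it classifies attachment names the way a mail filter would, treating the “.pdf.exe” double extension as a disguised executable, and it turns off Explorer’s hiding of known file extensions for the current user. The extension list and the sample attachment names are constructed here.

```powershell
# Added example, not from the original post: classifies attachment names the way the
# two sections above describe (block executables, flag the ".pdf.exe" double-extension
# disguise) and turns off Explorer's hiding of known file extensions.

# Extensions Windows runs directly when the file is opened (list constructed here).
$ExecutableExtensions = @('.exe', '.scr', '.com', '.pif', '.bat', '.cmd', '.vbs', '.js')

function Get-AttachmentVerdict {
    # Returns 'allow', 'block (executable)' or 'block (disguised executable)'.
    param([Parameter(Mandatory)][string]$FileName)
    $parts = $FileName.ToLowerInvariant().Split('.')
    if ($parts.Count -lt 2) { return 'allow' }            # no extension at all
    $last = '.' + $parts[-1]
    if ($ExecutableExtensions -notcontains $last) { return 'allow' }
    # "invoice.pdf.exe" splits into three parts: the first extension is the decoy.
    if ($parts.Count -ge 3) { return 'block (disguised executable)' }
    return 'block (executable)'
}

# Constructed sample attachment names, as a mail filter would see them.
$Samples = 'invoice.pdf', 'invoice.pdf.exe', 'Photo.JPG.scr', 'setup.exe', 'notes.txt', 'README'
foreach ($name in $Samples) {
    '{0,-20} {1}' -f $name, (Get-AttachmentVerdict $name)
}

# Show known file extensions for the current user: 0 = show, 1 = hide (Windows' default).
$Advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
Set-ItemProperty -Path $Advanced -Name 'HideFileExt' -Value 0 -Type DWord
# Explorer reads the value at start-up, so restart it (it relaunches itself) or log off and on.
Stop-Process -Name explorer -Force
```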
Also prevent programs from running from the AppData and LocalAppData folders.
Rules can be defined within Windows for this, or, more easily, with intrusion prevention software that disallows the kind of behavior Cryptolocker exhibits: Cryptolocker runs its executable from the App Data or Local App Data Windows folders. But if you have legitimate apps that run from the App Data area, you need to exclude them from this rule.
You can use the Cryptolocker Prevention Kit
The Cryptolocker Prevention Kit is a tool created by Third Tier that automates the process of making a Group Policy to disable files running from the App Data and Local App Data folders.
It also disables executable files running from the Temp directories used by unzipping utilities. Exceptions to these rules can be created. The tool is updated as new Cryptolocker techniques are discovered, so make sure you have the latest version.
The Cryptolocker/Filecoder malware often accesses computers using Remote Desktop Protocol (RDP), a Windows utility that allows others to access your desktop remotely. If you do not require the use of RDP, disable it to protect your computer from Cryptolocker/Filecoder and other RDP exploits.
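As an added example, not code from the original post or from the Cryptolocker Prevention Kit, the PowerShell below writes a local Software Restriction Policy that disallows executables under App Data and Local App Data, adds the kind of exception the text mentions for a legitimate application, and disables Remote Desktop. It assumes the registry layout that the Local Security Policy editor (secpol.msc) uses for path rules, so verify the result there; the vendor path in the exception is a placeholder.

```powershell
# Added example, not from the original post or the Cryptolocker Prevention Kit.
# Creates a local Software Restriction Policy (SRP) that disallows executables under
# %AppData% and %LocalAppData%, adds one exception, and disables Remote Desktop.
# Run from an elevated PowerShell; the policy applies after a reboot or 'gpupdate /force'.

$Safer = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
New-Item -Path $Safer -Force | Out-Null
Set-ItemProperty -Path $Safer -Name 'DefaultLevel'       -Value 262144 -Type DWord  # 262144 = Unrestricted by default
Set-ItemProperty -Path $Safer -Name 'TransparentEnabled' -Value 1      -Type DWord  # enforce for all software files
Set-ItemProperty -Path $Safer -Name 'PolicyScope'        -Value 0      -Type DWord  # 0 = all users, administrators included

# Writes one SRP path rule under the given security level (0 = Disallowed, 262144 = Unrestricted).
# Each rule is a GUID-named key holding ItemData (the path pattern) and SaferFlags.
function Add-SaferPathRule {
    param([Parameter(Mandatory)][int]$Level,
          [Parameter(Mandatory)][string]$PathPattern,
          [string]$Description = '')
    $key = Join-Path $Safer ("$Level\Paths\{" + [guid]::NewGuid().ToString() + '}')
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name 'ItemData'    -Value $PathPattern -Type ExpandString
    Set-ItemProperty -Path $key -Name 'SaferFlags'  -Value 0            -Type DWord
    Set-ItemProperty -Path $key -Name 'Description' -Value $Description -Type String
}

# The rules from the article: nothing runs from App Data or Local App Data, one level deep included.
foreach ($pattern in '%AppData%\*.exe', '%AppData%\*\*.exe',
                     '%LocalAppData%\*.exe', '%LocalAppData%\*\*.exe') {
    Add-SaferPathRule -Level 0 -PathPattern $pattern -Description 'Block executables in user profile data folders'
}

# The article's caveat: a legitimate app that lives in App Data needs an Unrestricted exception.
# The vendor path below is a placeholder; replace it with the real program's path.
Add-SaferPathRule -Level 262144 -PathPattern '%LocalAppData%\ExampleVendor\ExampleApp.exe' `
                  -Description 'Allow a legitimate App Data application (placeholder)'

# Disable Remote Desktop when it is not needed: refuse connections and close the firewall rule group.
# Disable-NetFirewallRule needs the NetSecurity module (Windows 8 / Server 2012 and later).
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
                 -Name 'fDenyTSConnections' -Value 1 -Type DWord
Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
```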
Use a reputable security suite
Have both anti-malware software and a software firewall to help you identify threats or suspicious behavior.
Malware authors regularly send out new variants to try to avoid detection, so it is important to have two layers of protection.
New ransom-ware variants that get past anti-malware software may be caught by a firewall when they attempt to connect to their Command and Control (C&C) server to receive instructions for encrypting your files.
If you have run a ransom-ware file without performing the previous precautions, your options are more limited.
There are several things you can do to mitigate the damage, though, particularly if the ransom-ware in question is Cryptolocker:
Disconnect from Wi-Fi or unplug from the network immediately
If you have run ransom-ware but have not yet seen the ransom screen, you can stop communication with the C&C server before it encrypts your files.
Disconnect from the network immediately and you can mitigate the damage.
The technique is not guaranteed to work, but disconnecting from the network may be better than doing nothing.
Set the BIOS clock back
Cryptolocker has a payment timer that is generally set to 72 hours, after which time the price for your decryption key increases.
At the time of writing, the initial price was 0.5 Bitcoin or $300, rising afterwards to 4 Bitcoin.
You can “beat the clock” by setting the BIOS clock back to a time before the 72-hour window is up.
This keeps you from having to pay the higher price, but it is strongly advised that you do not pay the ransom at all.
Use System Restore to get back to a known clean state
Enabling System Restore on your Windows machine allows you to take your system back to a clean state.
New versions of Cryptolocker, though, have the ability to delete “Shadow” files from System Restore, which means those files will not be there when you try to replace your malware-damaged versions.
Cryptolocker will start the deletion process whenever an executable file is run, so you need to move quickly, as executables may run without your knowledge as part of Windows’ normal operation.
4GoodHosting’s webservers are protected from Cryptolocker.