One of the most popular posts on our blog is about how to block Cryptowall in Office 365. It was written in 2013, but continues to be one of the most visited pages on our entire site because of the devastating effect Cryptowall – and all other forms of ransomware – can have on your business.
Ransomware is a type of malware that infects your computer and encrypts all your files until you pay a ransom fee to the attackers. It will block you from opening your files; in some cases it will take over your entire screen, turn on your webcam, or encrypt your files, all with the intent of scaring you into paying the ransom. Basically, until the bad guys get what they want, your computer has become a useless desk decoration.
As the cherry on this sundae, these attacks require that the ransom be paid in encrypted, non-traceable currency like BitCoin or MoneyPak. In 2015 alone, Cryptowall and other encrypting malware have ransomed some $325 Million from their victims. Doesn’t sound fun, does it?
Types of Ransomware
So is there more than one type of ransomware? Yes. There are non-encrypting and encrypting ransomware:
Non-Encrypting Ransomware
The non-encrypting type tends to fall into more of the “scareware” category. In other words, their bark is worse than their bite. Usually, these types of malware display a message that takes up the entire screen and states that your computer has been taken over by a Federal Law Enforcement Agency (i.e. FBI, CIA, NSA) and demands that you pay the ransom or face criminal charges, fines or even imprisonment.
These infections are commonly referred to as “the FBI Virus.” There are usually accusations of pirating copyrighted material, distribution of child pornography or attempts to hack into government entities that have been traced back to your computer. The really bad ones go as far as to activate your webcam, display your public IP address, Internet Service Provider, and your geographic location.
So what’s the good news you ask? These infections can typically be removed with a good scan and removal of malware and rootkits.
Now, as scary as these non-encrypting ransomware programs are, there are worse things out there. That leads us into…
Encrypting Ransomware
These are the malicious infections that come in through the same Trojan Horse means as their non-encrypting kin. Instead of throwing up messages about possible illegal activities, though, they encrypt the files on your computer.
If a document or spreadsheet that you were editing without a problem earlier today suddenly won’t open properly, or looks as though someone retyped it in strange characters, those are good signs you’ve been hit with encrypting ransomware.
You may get an error message on your screen indicating that you have a certain amount of time to pay the ransom or the encryption key that was used to encrypt your files will be destroyed forever by the hacker, leaving you with a completely unusable computer. Here’s a screenshot of CryptoLocker, a common encrypting ransomware.
If that wasn’t bad enough, the encryption doesn’t stop at your local computer. If you have mapped network drives that connect back to your corporate server, the infection begins encrypting the files on those drives as well. So now your entire company is at risk.
If you are particularly unlucky, you will get no notification of the infection. One day your files that you were able to open, edit, and save will stop working. They are at least nice enough to drop a few unencrypted files on your computer: Usually a picture file, a web page shortcut, and a text file laying out the steps to pay the ransom for the key to decrypt your encrypted files, as well as the consequences for attempting to remove the infection without paying.
Newer, scarier variations
In the newer Cryptowall 4.0, files are encrypted without any notification to the user, and both the file contents and even the file names are altered. Now that’s just dirty. Unfortunately, the groups behind these attacks are also improving the malware payload droppers (what they use to install the malware), as well as using encrypted web communication, making it even harder to detect an infection (you know, until all your files are encrypted). It’s a big bad world out there.
How does it get in?
The most common method for delivery is a Trojan Horse program. Like the Trojan Horse from the Greek and Trojan war, it is a program masquerading as something helpful with more sinister motives hidden inside. Once downloaded, it quietly drops its “payload” – malware – onto your computer in the background.
Ransomware typically travels one of two ways: either as an email attachment that appears to be a Word or PDF document, or as a drive-by attack from an infected website. In both cases, simply opening the document or the web page drops the malware onto your computer.
So, if it can be anywhere, what steps can you take to prevent these nasty things from infecting your computer and causing untold problems?
- Don’t open emails or the files in emails from senders that you don’t recognize.
- Don’t click on links in emails from senders that you don’t know. Don’t click on links from people you do know if there is anything abnormal going on. When in doubt, confirm with the sender that a link is legitimate before clicking on it.
- Don’t go to websites that you don’t recognize and be cautious with websites you DO know. Make sure the URL is correct. Hackers are putting up websites that are cleverly misspelled versions of sites like Microsoft or Google web pages to direct people to the sites that run their malware.
- Block executable file types from coming through on email (here's how) or block file attachments entirely, requiring a safe word to allow emails with file attachments through. This stops the Trojan Horse programs from getting through via email attachments and dropping their malicious cargo onto your computer.
- Start running Deep Packet Inspection on all traffic on your network, both encrypted and plain text. This is typically run on a firewall and will spot the network traffic of ransomware attempting to communicate with its host and kill the connection, stopping the damage dead in its tracks.
- As always, keep your anti-virus, operating system and programs as up to date as possible. There are constant updates to patch vulnerabilities that have been discovered and exploited by these hackers.
- Ensure that you have good working backups. Good backups have saved our clients hours of work and untold anguish once the breach was discovered.
- Get with your IT company (or IT manager) and examine your users’ permissions on shared folders on your servers. Really think and ask how much access the users need. Are there users that have full access where less will suffice? Encrypting ransomware takes enormous advantage of the permissions of users on network drives.
- Encourage your users to not save anything locally on their computers. Instead, save all important data on network drives or cloud storage so that they are covered in case they do get infected.
- Train your employees on data security. It only takes one person clicking on a bad link to potentially compromise your entire company. Make sure all employees are trained on data security best practices like warning signs, what to look out for before opening attachments or clicking links and what to do if something goes wrong.
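The email attachment controls in the list above, written out as Exchange Online mail flow rules. This is an added example, not PTG's own configuration; it assumes the ExchangeOnlineManagement module is installed, the account has Exchange admin rights, and the safe word "SAFEWORD-1234" is a placeholder you replace with your own.

```powershell
# Added example (not PTG's or Microsoft's code): two Exchange Online mail flow rules that
# block executable attachments and, separately, block all attachments unless the sender
# includes an agreed safe word in the subject line.
# Assumes: ExchangeOnlineManagement module installed; Exchange admin rights; the safe word
# below is a placeholder.
Connect-ExchangeOnline

# Rule 1: reject any message whose attachment carries executable content. Exchange checks
# the file's actual content, not just its extension, so a renamed .exe is still caught.
New-TransportRule -Name "Block executable attachments" `
    -AttachmentHasExecutableContent $true `
    -RejectMessageReasonText "Executable attachments are not accepted. Phone the recipient if this was legitimate." `
    -Priority 0

# Rule 2: reject every attachment of 1 KB or more (in practice, every real document or
# archive) unless the subject contains the safe word. Legitimate senders are told how to
# resend; a Trojan Horse dropper in a fake invoice never reaches the mailbox.
New-TransportRule -Name "Block attachments without safe word" `
    -AttachmentSizeOver 1KB `
    -ExceptIfSubjectContainsWords "SAFEWORD-1234" `
    -RejectMessageReasonText "Attachments are blocked by policy. Ask the recipient for the safe word and resend." `
    -Priority 1

# Confirm both rules exist and are enabled; lower priority numbers are evaluated first.
Get-TransportRule | Format-Table Name, Priority, State -AutoSize
```

Run only Rule 1 if you cannot get users to adopt the safe word; Rule 2 is the stricter "block attachments entirely" option the list describes.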
What to Do if You Are Infected
So all this prevention sounds good, but truth be told the people who are deploying these attacks are smart enough to know how to circumvent most of the common anti-virus and anti-malware programs on the market today.
So, what should you do once the infection is discovered? Immediately shut down the infected computer and unplug it from the network. Contact PTG Support as soon as possible so that we can determine when the infection began. This will help us figure out where the infection began and what we can do to mitigate any losses.
At this point, consider everything stored locally on this computer lost. The data isn’t coming back. We err on the side of caution and will not risk re-infecting a network with a computer that has been compromised by these types of ransomware. The computer will be completely wiped clean and reinstalled from scratch. From here, we’ll work on restoring you from your backups and getting you up and running again as soon as possible.
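One way to work out when and where the encryption began on a mapped network drive, as described above. This is an added example, not PTG's support procedure; the share path is a placeholder, and it assumes you run it from the file server (or an admin workstation) after the infected PC has already been unplugged.

```powershell
# Added example (not PTG's procedure): find WHEN files on a share started being rewritten
# and WHICH account did the writing. Ransomware runs as the logged-on user, so the NTFS
# owner of freshly rewritten files usually identifies the infected workstation's user.
# Assumes: run after the infected PC is off the network; $SharePath is a placeholder.
param(
    [string]$SharePath = "\\FILESERVER\Shared",   # placeholder, replace with the real share
    [int]$LookbackHours = 48
)

$since = (Get-Date).AddHours(-$LookbackHours)

# Every file rewritten inside the window, with its owner and extension.
$recent = Get-ChildItem -LiteralPath $SharePath -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $since } |
    ForEach-Object {
        [pscustomobject]@{
            Owner         = (Get-Acl -LiteralPath $_.FullName).Owner
            Extension     = $_.Extension
            LastWriteTime = $_.LastWriteTime
            Path          = $_.FullName
        }
    }

# One account rewriting thousands of files in a short burst is the ransomware signature.
$recent | Group-Object Owner | Sort-Object Count -Descending |
    Select-Object @{n='Owner';e={ $_.Name }}, Count,
        @{n='FirstWrite';e={ ($_.Group | Sort-Object LastWriteTime)[0].LastWriteTime }},
        @{n='LastWrite'; e={ ($_.Group | Sort-Object LastWriteTime)[-1].LastWriteTime }} |
    Format-Table -AutoSize

# Encrypting variants add or replace extensions (Cryptowall 4.0 renames files outright),
# so an unfamiliar extension showing up in bulk marks the folders that were hit.
$recent | Group-Object Extension | Sort-Object Count -Descending |
    Select-Object -First 10 Name, Count | Format-Table -AutoSize

# The earliest rewrites tell you which backup generation still holds clean copies.
$recent | Sort-Object LastWriteTime | Select-Object -First 5 LastWriteTime, Owner, Path
```

The owner shown at the top of the first table is the account to disable and the workstation to pull; the FirstWrite timestamp is the cut-off for choosing a backup to restore from.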
Unfortunately, ransomware is only expected to increase and it's evolving all the time. It's essential to put the right security systems in place and train all of your employees on data security best practices. Talk to your IT company to see what data security training they offer and to see what holes in your defense need to be fixed.