Alan Chew, Managing Director of New Zealand’s Houston Technology Group (HTG), provides some tips for preventing a growing problem for a number of organisations – ransomware.
According to the US Computer Emergency Readiness Team and other experts, there has been a massive increase in activity recently from a form of malware infection called ransomware.
HTG is aware of actual infections in New Zealand; the widespread coverage of this threat in just the last few days (including the NZ Herald, the Waikato Times and a number of other NZ publications, as well as The Guardian in the UK) gives a hint of how extensive this problem has become.
Ransomware is not new, but the latest incarnations – such as CryptoLocker – are something that all businesses need to urgently implement protection against. The severity of these attacks is evident in the UK, where the government has recently issued an urgent alert to organisations.
What is ransomware?
Ransomware reminds me of Halloween with all its various costumes, tricks and treats. Except that the wolves dress up as sheep (usually in the form of a trusted local agency, such as the US FBI or, in the last week, the Eastlake Police Dept in Ohio).
The treat is usually a ransom that the owner of the infected system needs to pay. The trick differs from version to version and has grown in severity over time. Earlier forms displayed a message along the lines of, “Your computer has been used to download illegal files; pay a fine to continue using your computer.”
Other versions hook deep into your system, displaying a message saying that it will only go away when you pay a ransom. This type of malware could be bypassed via malware removal tools or just by reinstalling Windows. But unfortunately, like most hackers, the architects of ransomware have now become more sophisticated and devious.
One of the latest examples, CryptoLocker, works by quietly encrypting your important files as soon as your system gets infected. CryptoLocker then informs you through a message on your screen that your files have been encrypted and you are given a few days to pay a ransom. If this money is paid they will hand you the decryption key which allows you to recover your files. If the funds are not transferred by the deadline, the perpetrators promise to destroy the key and you are left to recover the files yourself, which can be impossible without access to the private decryption key.
Will paying the ransom be the answer?
In the case of CryptoLocker, many affected business owners actually report that when the money did get handed over, the criminals had surprisingly kept to their end of the bargain and delivered the decryption key. However, one must remember that this transaction involves dealing with organised criminals that are totally anonymous to the victim and even to law enforcement agencies. Can you really trust them?
You may think that because electronic payment is involved, the audit trail would allow enforcement agencies to track down the criminals. However, because CryptoLocker prescribes currencies like Bitcoin (a new form of digital currency) as the mode of payment, it is very difficult to trace the movement of the funds.
What if I miss the payment deadline?
Until the beginning of November, if payment was not made within the time limit, the threat was that the private key would be forever wiped. Apparently not. The crims now offer a late payment option, albeit with a late payment penalty attached to it – for example, what began as $300 would escalate to $2,000.
Furthermore, to also thwart AV companies that remove the malware by breaking the payment chain, the bad guys have set up an independent online “CryptoLocker Decryption Service”. It won’t surprise me if before too long these perpetrators would get ISO certifications or receive ratings from Moody’s, Standard and Poor’s, or Fitch!
How do you get infected?
You normally get infected through links contained in emails and rogue websites. According to the US Computer Emergency Readiness Team, recent ransomware has spread through emails that appear to be delivery tracking notifications from UPS or FedEx. Opening the email itself does not create the infection. You need to open the email and then download and open the zip file attached to it. Hiding inside that zip file is a double-extension file such as *.pdf.exe. The .exe extension is what lets CryptoLocker run on your computer, while the .pdf in the name lures the victim into thinking it is an innocuous notification letting you know when your Christmas order will turn up.
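As an added illustration (not HTG's code, nor anything from the original article), the following Python snippet shows how a mail gateway or help-desk triage script could flag the attachment pattern described above before anyone opens it: it lists the members of a zip attachment without extracting or running them and reports any name that ends in an executable extension hidden behind a document-looking one, such as invoice.pdf.exe. The extension lists, the function names and the sample archive are constructed for the example and are not exhaustive.

```python
"""Flag e-mail attachments that match the CryptoLocker delivery pattern.

Added example, not HTG's code. A zip attachment is inspected (never
extracted or executed) and each member name is checked for a double
extension such as 'invoice.pdf.exe', which Windows displays as
'invoice.pdf' when 'hide extensions for known file types' is on.
"""
import io
import zipfile
from typing import List, Optional, Tuple

# Extensions Windows will run directly (constructed list, not exhaustive).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# Extensions an attacker pairs with them so the name looks like a document.
DECOY_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}


def suspicious_name(name: str) -> Optional[str]:
    """Return a reason string if the filename looks like a disguised executable, else None."""
    lower = name.rsplit("/", 1)[-1].lower()  # ignore any folder path inside the zip
    parts = lower.split(".")
    if len(parts) < 2:
        return None
    final = "." + parts[-1]
    if final not in EXECUTABLE_EXTENSIONS:
        return None
    if len(parts) >= 3 and "." + parts[-2] in DECOY_EXTENSIONS:
        return f"double extension .{parts[-2]}{final} disguises an executable"
    return f"executable attachment ({final})"


def scan_zip_attachment(data: bytes) -> List[Tuple[str, str]]:
    """Inspect zip bytes and return (member name, reason) for each suspicious member.

    Only the central directory is read; member contents are never extracted.
    """
    findings: List[Tuple[str, str]] = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                reason = suspicious_name(info.filename)
                if reason:
                    findings.append((info.filename, reason))
    except zipfile.BadZipFile:
        # A corrupt or non-zip payload is itself worth a human look.
        findings.append(("<attachment>", "not a valid zip archive"))
    return findings


def build_sample_zip(names: List[str]) -> bytes:
    """Construct a small in-memory zip with harmless placeholder content for testing."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n in names:
            zf.writestr(n, b"placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample mimicking a fake courier notification attachment.
    sample = build_sample_zip(["UPS_Tracking_7731.pdf.exe", "readme.txt"])
    for member, reason in scan_zip_attachment(sample):
        print(f"QUARANTINE {member}: {reason}")
```

The check is deliberately based on the member names in the archive listing, which is why it is safe to run on untrusted mail: nothing is written to disk or executed. In practice it belongs alongside, not instead of, the antivirus scan, since an attacker can rename the payload or use a container other than zip.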
So far the virus has been infecting PCs running Windows 7, Vista, or XP, but that doesn’t mean it won’t eventually infect PCs running Windows 8, or even Macs.
To prevent your business from becoming an unwitting victim of this nefarious extortion, do the following:
- Ensure that you do proper backups of all your important files
- Keep up-to-date system restore points (this makes it easier to remove malware by reverting to an earlier, malware-free state)
- Keep your operating system/browser/plug-ins up-to-date with patches and updates
- Use an antivirus and anti-malware solution that will attempt to stop ransomware in its tracks
- Practise safe computing to reduce the risk of drive-by attacks
- Avoid running suspicious files. Ransomware can arrive in .exe files attached to emails, from illicit websites containing pirated software, or anywhere else that malware comes from
- Use caution when opening email attachments. Do not follow unsolicited Web links in email messages
When it comes to mitigating the threat presented by CryptoLocker and similar ransomware, even if this advice is adhered to rigorously, there is still the chance that the system may become infected. So in any event, the onset of ransomware such as CryptoLocker emphasises HTG’s mantra to all its clients: Backup, backup, backup and always have a proper disaster recovery strategy.
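The backup advice above is only useful if the backup can be shown to be intact, and the failure mode to guard against is an encrypted copy quietly overwriting the last good backup. The following Python script is an added example, not HTG's own tooling: it records a SHA-256 manifest when a backup is taken, later compares the tree against that manifest, and refuses to rotate the previous backup out if an unusually large share of files has changed or disappeared. The 20% churn threshold, the function names, the directory layout and the file contents are constructed assumptions for the example.

```python
"""Verify a backup set against a manifest and block unsafe rotation.

Added example, not HTG's code. A manifest of SHA-256 digests is written when
the backup is taken; verifying it later shows whether the copies are intact,
and a burst of modified or missing files (what an encryption run looks like)
stops the previous good backup from being overwritten.
"""
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map every file under root (path relative to root, POSIX style) to its digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_backup(root: Path, manifest: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare the tree under root with the manifest taken when the backup was made."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "added": sorted(p for p in current if p not in manifest),
    }


def rotation_is_safe(report: Dict[str, List[str]], expected_count: int,
                     max_fraction: float = 0.2) -> bool:
    """Allow the old backup to be replaced only if churn stays below a threshold.

    Ransomware rewrites or renames a large share of files at once; the 20%
    limit is an assumed value and should be tuned to the site's normal churn.
    """
    if expected_count == 0:
        return True
    churn = len(report["modified"]) + len(report["missing"])
    return churn / expected_count <= max_fraction


def demo() -> Dict[str, object]:
    """Constructed scenario: take a manifest, simulate an encryption run on two of
    three files (one overwritten in place, one rewritten under a new name), then
    verify and decide whether rotation would be safe."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "accounts").mkdir()
        ledger = root / "accounts" / "ledger.xlsx"
        invoices = root / "accounts" / "invoices.docx"
        ledger.write_bytes(b"constructed ledger data")
        invoices.write_bytes(b"constructed invoice data")
        (root / "notes.txt").write_bytes(b"constructed notes")

        # Manifest is normally persisted as JSON outside the backup tree.
        manifest_json = json.dumps(build_manifest(root), indent=2)

        # Simulated damage, no real encryption: placeholder bytes stand in for ciphertext.
        invoices.write_bytes(b"constructed ciphertext")
        ledger.write_bytes(b"constructed ciphertext")
        ledger.rename(ledger.with_name(ledger.name + ".encrypted"))

        manifest = json.loads(manifest_json)
        report = verify_backup(root, manifest)
        return {"report": report, "rotation_is_safe": rotation_is_safe(report, len(manifest))}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest should live somewhere the backed-up machine cannot write to, otherwise the same malware that encrypts the files can regenerate it. Running the verification before each rotation turns "backup, backup, backup" into something that is checked rather than assumed.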