Monday, January 18, 2016

Backup Your Data, Backup Your Data, Backup Your Data

Recently I had the experience of working with a client that has an effective data backup plan, which is always a good thing. On this particular occasion I was working with an employee that began experiencing issues after opening an email attachment that was forwarded to them by the company president. Upon opening the attachment, their computer began running slowly, and the icons on their desktop began to disappear.  As the employee provided details over the phone regarding what had happened, I realized that this could have greater ramifications than expected. I immediately remote accessed their computer and began reviewing processes and event logs – all the typical things IT support techs will do. When I saw what was taking place, I asked them to immediately turn off their computer and under no circumstances should they turn it back on.  This was serious and I needed to go onsite.
As fate would have it, this particular user was infected with the CryptoLocker virus – a file-encrypting Ransomware that can bring a company to its knees. The goal of Ransomware is to prevent or limit access to computer systems and/or data. Ransomware attempts to force victims to pay a monetary ransom using various online payment methods in order to regain access to their computers or files.
CryptoLocker and CryptoWall are ugly types of Ransomware that will encrypt a variety of documents and file types on your hard drive or mounted network drives. They typically use what is referred to as an RSA key to perform the encryption, and the files can only be decrypted using the private key held by the individual or group that sent the virus. When you attempt to access your files a message will be displayed showing the payment information needed to regain access to your system. The idea is that if you pay the demanded amount, you will be given the key required to decrypt your files. This is extortion in the digital realm.
When I arrived at the customer’s location, I found that all the files within this user’s “My Documents” folder had been affected. Additionally, since this user had a mapped network drive to the company server, the virus began encrypting files on the server as well. I quickly realized that this could turn out to be a nightmare for the client. However, since this particular client follows a strict procedure of data backup, the damage was greatly minimized. The company takes periodic backups of important information throughout the day, and stores them offsite. They also have their employees store the critical documents on the server that is backed up, rather than on their local computer. However, it takes time to restore files. Had this user not contacted me when the issue began, I would have had to spend much more time restoring files that were residing on the company server. This would have brought company productivity to a halt. A rather scary thought comes to mind – what would have happened if this company wasn’t backing up their data?
The problem with viruses like CryptoLocker and CryptoWall is that traditional Anti-virus software is often unable to detect them. This means that regardless of the Anti-virus software you utilize, there is a very good chance that you can still get infected. Because of this, the best protection that is agreed upon in the IT community is to Backup Your Data, Backup Your Data, Backup Your Data!
While backing up your data is vital, it is also important that the backup is not just a copy of your files on an external hard drive. Remember, Ransomware can encrypt files on any drive that is accessible from your computer at the time of infection, including USB drives and mapped network drives, so a backup that stays connected can be encrypted along with the originals. For this reason it is always a good practice to have a backup strategy that includes offsite backup (e.g. using software that makes a copy of your data to a remote location) or, at the very least, a full backup of your data on an external hard drive that you then disconnect and keep in a safe place.
Data security is a learned behavior, and by practicing safe procedures you can ensure that you are one step ahead of the virus creators.  In addition to backing up your data I always recommend the following:
1. By default Windows enables a setting that hides file extensions – disable this setting so that you can see the file type when looking at its name within Windows Explorer. File extensions are the characters that come after the last period in a file name (typically three characters). They tell Windows what type of file it is, and Windows associates the file type with a particular application that can open it. When the file extension is hidden, you are not able to see the full file name. This can be a problem if someone sends an attachment that is named “my-resume.pdf.exe.” When you view the attachment in your email application it may appear as “my-resume.pdf” – which, when double-clicked, may cause a nasty virus infection on your computer. While the file appears to be a PDF document, it is in fact an executable file that could create problems. To show file extensions go to your Control Panel, click on Folder Options, select the View tab, then scroll down and deselect “Hide extensions for known file types.” Your screen may flash, and when viewing Windows Explorer you will see a variety of new characters in your file names.

2. Immediately turn off your computer if it begins to behave erratically after opening an email attachment (or files from external sources). If your computer is off the malware cannot run and continue encrypting or infecting your computer. Your hard drive can then be scanned from outside the infected system using one of the many bootable Anti-malware utilities.

3. Install good Anti-virus software and an Anti-malware application. Not all Anti-virus software is effective at preventing malware infections. For this reason I use both. There are a variety of Anti-malware applications on the market that work very well. Personally, I use Malwarebytes (https://www.malwarebytes.org/). Most important, however, is that you ensure your Anti-virus and Anti-malware applications are being regularly updated, and that you are taking the time to schedule full scans of your computer systems.

4. Keep your system up to date with Windows patches and updates. Microsoft releases updates on a regular basis to address a variety of issues and it is good practice to ensure you are taking advantage of these.

5. Scan all email attachments and files you receive regardless of where they came from. For example, your best friend may be infected by a virus that automatically sends out infected messages to entries in their contact list. If you receive an email with an attachment – save it to your hard drive and scan it before opening it (especially .ZIP, .RAR and .7Z files). Also, never open executable files (files that end in .EXE) if you are not expecting them or aware of their origin. Another area of prevention is when working with clients that pass along files on USB flash drives. If they are unknowingly infected and you connect the flash drive to your system, you could potentially get infected as well. Developing a procedure to scan anything coming in to your system is always a good practice.

6. Ensure that you have Windows System Restore enabled. Having restore points to fall back on in an emergency is a good practice to follow. To make sure this feature is running, go to your Control Panel, click on the System icon, then System Protection. There you will be able to see which drive(s) have the feature enabled or disabled.
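Items 1 and 6 above can be checked and applied from a script instead of the Control Panel. The following PowerShell is an added example, not code from the original post; it assumes the standard Explorer registry value `HideFileExt`, the built-in System Restore cmdlets, and a hand-picked list of extensions treated as runnable. Run it in an elevated PowerShell session, since the System Restore cmdlets need administrator rights.

```powershell
# Added example: scripted equivalents of "show file extensions" and "System Restore enabled".
$explorerKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

function Get-HideFileExtState {
    # 1 = extensions hidden (the Windows default), 0 = extensions shown
    (Get-ItemProperty -Path $explorerKey -Name HideFileExt).HideFileExt
}

function Show-FileExtensions {
    # Same change as unticking "Hide extensions for known file types" in Folder Options.
    Set-ItemProperty -Path $explorerKey -Name HideFileExt -Value 0 -Type DWord
    # Explorer reads the value when it starts, so sign out/in or restart explorer.exe afterwards.
}

function Test-DoubleExtension {
    # Flags names such as my-resume.pdf.exe: a runnable extension hiding behind a document one.
    # A plain setup.exe is not flagged here; item 5 covers unexpected executables separately.
    param([string]$Name)
    # Assumed list of extensions Windows runs as code on double-click (not from the post).
    $runnable = '.exe', '.scr', '.com', '.pif', '.bat', '.cmd', '.js', '.vbs'
    $outer = [IO.Path]::GetExtension($Name).ToLower()
    $inner = [IO.Path]::GetExtension([IO.Path]::GetFileNameWithoutExtension($Name))
    ($runnable -contains $outer) -and ($inner -ne '')
}

function Test-RecentRestorePoint {
    # True when System Restore has created a restore point within the last $MaxAgeDays days.
    param([int]$MaxAgeDays = 7)
    $latest = Get-ComputerRestorePoint | ForEach-Object {
        # CreationTime is a WMI (DMTF) timestamp string; convert it to a DateTime.
        [Management.ManagementDateTimeConverter]::ToDateTime($_.CreationTime)
    } | Sort-Object | Select-Object -Last 1
    if (-not $latest) { return $false }
    $latest -gt (Get-Date).AddDays(-$MaxAgeDays)
}

# --- Usage ---
if ((Get-HideFileExtState) -eq 1) { Show-FileExtensions }

# Constructed sample attachment names: the first and third are the "double extension" trick.
'my-resume.pdf.exe', 'invoice.docx', 'photo.jpg.scr' | ForEach-Object {
    '{0,-20} suspicious: {1}' -f $_, (Test-DoubleExtension $_)
}

if (-not (Test-RecentRestorePoint)) {
    Enable-ComputerRestore -Drive "$env:SystemDrive\"
    Checkpoint-Computer -Description 'Baseline before opening outside files' -RestorePointType MODIFY_SETTINGS
}
```

On Windows 8 and later, Windows skips creating a new restore point if one was already created in the previous 24 hours, so Checkpoint-Computer may report success without adding a point.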

There are a variety of advanced practices to help prevent Ransomware infections on company systems and home computers. Some of these include not running your everyday user account as an Administrator on your computer, configuring Group Policies that prevent executable files (.EXE files) from running, as well as a variety of advanced strategies that are available in corporate environments. For a general overview of some of these practices and CryptoLocker information in general, here are some related links:
AVG Cryptolocker Video on YouTube:
https://www.youtube.com/watch?v=cYVqJ0N0FDY

Watch Cryptolocker in Action on YouTube:
https://www.youtube.com/watch?v=Gz2kmmsMpMI