Recently I had the experience of working with a client that
has an effective data backup plan, which is always a good thing. On this
particular occasion I was working with an employee who began experiencing
issues after opening an email attachment that was forwarded to them by the
company president. Upon opening the attachment, their computer began running
slowly, and the icons on their desktop began to disappear. As the employee provided details over the
phone regarding what had happened, I realized that this could have greater
ramifications than expected. I immediately accessed their computer remotely and
began reviewing processes and event logs – all the typical things IT support
techs will do. When I saw what was taking place, I asked them to immediately
turn off their computer and under no circumstances turn it back
on. This was serious and I needed to go
onsite.
As fate would have it, this particular user was infected
with the CryptoLocker virus – a file-encrypting Ransomware that can bring a
company to its knees. The goal of Ransomware is to prevent or
limit access to computer systems and/or data. Ransomware
attempts to force victims to pay a monetary ransom using various online payment
methods in order to regain access to their computers or files.
CryptoLocker and CryptoWall are ugly types of Ransomware
that will encrypt a variety of documents and file types on your hard drive or
mounted network drives. They typically use what is referred to as an RSA key to
perform the encryption, and the files can only be decrypted using the private key held
by the individual or group that sent the virus.
When you attempt to access your files a message will be displayed
showing payment information needed to regain access to your system. The idea is
that if you pay the demanded amount, you will be given the key
required to decrypt your files. This
is extortion in the digital realm.
When I arrived at the customer's location, I found that all
the files within this user's “My Documents” folder had been affected. Additionally, since this user had a mapped
network drive to the company server, the virus began encrypting files on the
server as well. I quickly realized that this could turn out to be a nightmare
for the client. However, since this particular client follows a strict
procedure of data backup, the damage was greatly minimized. The company takes periodic backups of
important information throughout the day, and stores them offsite. They also
have their employees store the critical documents on the server that is backed
up, rather than on their local computer. However, it takes time to restore
files. Had this user not contacted me when the issue began, I would have had to
spend much more time restoring files that were residing on the company
server. This would have brought company productivity to a halt. A rather scary
thought comes to mind – what would have happened if this company wasn’t backing up their data?
The problem with viruses like CryptoLocker and CryptoWall is
that traditional Anti-virus software is often unable to detect them. This means
that regardless of the Anti-virus software you utilize, there is a very good
chance that you can still get infected. Because of this, the best protection
agreed upon in the IT community is to Back Up Your Data, Back Up Your Data, Back Up
Your Data!
While backing up your data is vital, it is also important
that the backup is not just a copy of your files on an external hard drive.
Remember, Ransomware can encrypt files on hard drives that are accessible from
your computer, including USB drives or mapped network drives. For this reason
it is always a good practice to have a backup strategy that includes offsite
backup (e.g. using software that makes a copy of your data to a remote
location) or at the very least, have a full backup of your data on an external
hard drive, then disconnect the hard drive for safe keeping.
Data security is a learned behavior, and by practicing safe
procedures you can ensure that you are one step ahead of the virus creators. In addition to backing up your data I always
recommend the following:
1. By default Windows enables a setting that hides
file extensions – disable this setting so that you can see the file type when
looking at its name within Windows Explorer.
File extensions are the characters that come after the period at the end
of a file name (typically three characters).
They tell Windows what type of file it is, and Windows associates the
file type with a particular application that can access it. When the file extension is hidden, you are
not able to see the full file name. This
can be a problem if someone sends an attachment that is named
“my-resume.pdf.exe.” When you view the
attachment in your email application it may appear as “my-resume.pdf” – which when
double-clicked may cause a nasty virus infection on your computer. While the
file appears to be a PDF document, it is in fact an executable file that could
create problems. To show file extensions
go to your Control Panel, click on Folder Options, select the View Tab, then
scroll down and deselect “Hide extensions for known file types.” Your screen
may flash, and when viewing Windows Explorer you will see a variety of new
characters in your file names.
2. Immediately turn off your computer if it begins
to behave erratically after opening an email attachment (or files from external
sources). If your computer is off, the malware
cannot run and infect your computer.
Your hard drive can then be scanned by a variety of means, including
bootable Anti-malware utilities.
3. Install good Anti-virus software and an
Anti-malware application. Not all
Anti-virus software is effective at preventing malware infections. For this reason I use both. There are a variety of Anti-malware
applications on the market that work very well.
Personally, I use Malwarebytes (https://www.malwarebytes.org/).
Most important, however, is that you ensure
your Anti-virus and Anti-malware applications are being regularly updated, and
that you are taking the time to schedule full scans of your computer systems.
4. Keep your system up to date with Windows patches
and updates. Microsoft releases updates
on a regular basis to address a variety of issues and it is good practice to
ensure you are taking advantage of these.
5. Scan all email attachments and files you receive
regardless of where they came from. For example, your best friend may be
infected by a virus that automatically sends out infected messages to entries
in their contact list. If you receive an email with an attachment – save it to
your hard drive and scan it before opening it (especially .ZIP, .RAR and .7Z
files). Also, never open executable
files (files that end in .EXE) if you are not expecting them or aware of their
origin. Another area of prevention is when working with clients that pass along
files on USB flash drives. If they are
unknowingly infected and you connect the flash drive to your system, you could
potentially get infected as well. Developing
a procedure to scan anything coming in to your system is always a good
practice.
6. Ensure that you have Windows System Restore
enabled. Having restore points to fall back on in an emergency is a good
practice to follow. To make sure this
feature is running, go to your Control Panel, click on the System icon, then
System Protection. There you will be
able to see which drive(s) have the feature enabled or disabled.
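
The double-extension problem from item 1 and the scan-before-opening rule from item 5 can be checked mechanically. The Python sketch below is an added example, not part of the original article: it shows what name Windows would display with extensions hidden and flags executables, including names inside a ZIP. The function names and extension lists are assumptions chosen for illustration, and they go beyond the .EXE case named above.

```python
import io
import os
import zipfile

# Assumed extension lists for this example; the article names only .EXE, .ZIP, .RAR and .7Z.
EXECUTABLE = {".exe", ".scr", ".com", ".bat", ".cmd", ".pif", ".js", ".vbs"}
ARCHIVE = {".zip", ".rar", ".7z"}
DECOY = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}


def triage_name(filename):
    """Return (shown_name, verdict, reasons) for one attachment file name."""
    reasons = []
    # Windows drops trailing dots and spaces, so "a.exe. " is saved as "a.exe".
    cleaned = filename.rstrip(". ")
    stem, ext = os.path.splitext(cleaned)
    ext = ext.lower()
    # With "Hide extensions for known file types" on, only the stem is shown.
    shown = stem.rstrip() if ext else cleaned
    verdict = "scan"  # the article's rule: scan every attachment before opening
    if ext in EXECUTABLE:
        verdict = "do-not-open"
        reasons.append("real type is executable (%s)" % ext)
        if os.path.splitext(shown)[1].lower() in DECOY:
            reasons.append("double extension, displays as '%s'" % shown)
    elif ext in ARCHIVE:
        reasons.append("archive: check the names inside before extracting")
    return shown, verdict, reasons


def triage_zip(data):
    """Triage every member name of a ZIP held in memory, without extracting it."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {n: triage_name(os.path.basename(n)) for n in zf.namelist() if not n.endswith("/")}


def build_sample_zip():
    """Constructed sample archive: two harmless text payloads with chosen names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/report.docx", b"placeholder")
        zf.writestr("docs/my-resume.pdf.exe", b"placeholder, not a real program")
    return buf.getvalue()


if __name__ == "__main__":
    for name in ["my-resume.pdf.exe", "Invoice.PDF .EXE", "photos.zip", "report.docx"]:
        print(name, "->", triage_name(name))
    for member, result in triage_zip(build_sample_zip()).items():
        print("in zip:", member, "->", result)
```

A name check like this only decides what to look at first; every file still goes through the Anti-virus and Anti-malware scan described in item 5.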
There are a variety of advanced practices to help prevent Ransomware
infections on company systems and home computers. Some of these include not
running your user account as an Administrator on your computer, configuring Group Policies that
prevent executable files (.EXE files) from running, as well as a variety of
advanced strategies that are available in corporate environments. For a general overview of some of these
practices and CryptoLocker information in general, here are some related links: