One of the most popular posts on our blog is about how to block Cryptowall in Office 365. It was written in 2013, but continues to be one of the most visited pages on our entire site because of the devastating effect Cryptowall – and all other forms of ransomware – can have on your business.
Ransomware is a type of malware that infects your computer and holds your files hostage until you pay a ransom fee to the attackers. It will block you from opening your files; in some cases it will take over your entire screen, turn on your webcam, or encrypt your files, all with the intent of scaring you into paying the ransom. Basically, until the bad guys get what they want, your computer has become a useless desk decoration.
As the cherry on this sundae, these attacks require that the ransom be paid in encrypted, non-traceable currency like BitCoin or MoneyPak. In 2015 alone, Cryptowall and other encrypting malware have ransomed some $325 Million from their victims. Doesn’t sound fun, does it?
So is there more than one type of ransomware? Yes. There are two kinds: non-encrypting and encrypting ransomware:
These infections are commonly referred to as “the FBI Virus.” There are usually accusations of pirating copyrighted material, distribution of child pornography or attempts to hack into government entities that have been traced back to your computer. The really bad ones go as far as to activate your webcam, display your public IP address, Internet Service Provider, and your geographic location.
So what’s the good news you ask? These infections can typically be removed with a good scan and removal of malware and rootkits.
Now as scary as these non-encrypting ransomware programs are, there are worse things out there. That leads us into…
If that document or spreadsheet you were editing without a problem earlier today suddenly won’t open properly, or looks like someone retyped it in weird characters, those are good signs you’ve been hit with encrypting ransomware.
You may get an error message on your screen indicating that you have a certain amount of time to pay the ransom or the encryption key that was used to encrypt your files will be destroyed forever by the hacker, leaving you with a completely unusable computer. Here’s a screenshot of CryptoLocker, a common encrypting ransomware.
If that wasn’t bad enough, the encryption doesn’t stop at your local computer. If you have mapped network drives that connect back to your corporate server, the infection begins encrypting the files on those drives as well. So now your entire company is at risk.
If you are particularly unlucky, you will get no notification of the infection. One day the files that you were able to open, edit, and save will simply stop working. The attackers are at least nice enough to drop a few unencrypted files on your computer: usually a picture file, a web page shortcut, and a text file laying out the steps to pay the ransom for the key to decrypt your files, as well as the consequences for attempting to remove the infection without paying.
In the new version, Cryptowall 4.0, the files are encrypted without any notification to the user, and both the file contents and even the file names are altered. Now that’s just dirty. Unfortunately, the groups behind these attacks are also improving the malware payload droppers (what they use to install the malware), as well as using encrypted web communication, making it even harder to detect an infection (you know, until all your files are encrypted). It’s a big bad world out there.
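As an added example (not code from the original post), here is a small Python scan for the indicators described above on a folder or mapped share: dropped ransom-note files, documents whose contents no longer start with their expected header, and renamed files full of high-entropy bytes. The note-name fragments, the magic-byte table and the sample files are assumptions constructed for illustration, not signatures of any specific ransomware family.

```python
import math
import os
import tempfile
from pathlib import Path

# Expected leading bytes for document types ransomware typically overwrites (assumed table).
MAGIC = {".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04", ".pdf": b"%PDF"}
# File types that are legitimately high-entropy and should not be flagged by the entropy test.
COMPRESSED = {".zip", ".png", ".jpg", ".gz", ".7z"}
# Hypothetical ransom-note name fragments (constructed; real notes vary by family).
NOTE_WORDS = ("decrypt", "recover", "ransom", "how_to")

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ciphertext approaches 8.0, ordinary text sits well below."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def scan_for_indicators(root: str, entropy_threshold: float = 7.5) -> dict:
    """Walk a folder and report files that look encrypted or look like a dropped ransom note."""
    findings = {"suspect_files": [], "note_files": []}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        name, ext = path.name.lower(), path.suffix.lower()
        if any(w in name for w in NOTE_WORDS) and ext in (".txt", ".html", ".url", ".png"):
            findings["note_files"].append(str(path))
            continue
        head = path.read_bytes()[:4096]
        expected = MAGIC.get(ext)
        if expected and not head.startswith(expected):
            findings["suspect_files"].append(str(path))   # known type, header gone: rewritten
        elif expected is None and ext not in COMPRESSED and shannon_entropy(head) > entropy_threshold:
            findings["suspect_files"].append(str(path))   # unknown/renamed file of ciphertext
    return findings

def demo() -> dict:
    """Constructed sample tree: one intact workbook, one overwritten document, one renamed file, one note."""
    d = tempfile.mkdtemp()
    (Path(d) / "budget.xlsx").write_bytes(b"PK\x03\x04" + b"\x00" * 100)
    (Path(d) / "memo.docx").write_bytes(os.urandom(4096))             # random bytes stand in for ciphertext
    (Path(d) / "report.pdf.encrypted").write_bytes(os.urandom(4096))  # contents and name both altered
    (Path(d) / "HOW_TO_DECRYPT_FILES.txt").write_text("Pay to get your key.")
    return scan_for_indicators(d)
```

Run `demo()` to see the two suspect files and the note reported while the intact workbook is left alone; point `scan_for_indicators` at a share to use it on real data.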
The most common method of delivery is a Trojan Horse program. Like the Trojan Horse of the Greek and Trojan war, it is a program masquerading as something helpful, with more sinister motives hidden inside. Once downloaded, it quietly drops its “payload” – malware – onto your computer in the background.
Ransomware typically travels one of two ways: either an email with an attachment that appears to be a Word or PDF document, or a drive-by attack on an infected website. In both instances, simply opening the document or web page drops the malware onto your computer.
So, if it can be anywhere what steps can you take to prevent these nasty things from infecting your computer and causing untold problems?
So all this prevention sounds good, but truth be told, the people who are deploying these attacks are smart enough to know how to circumvent most of the common anti-virus and anti-malware programs on the market today.
So, what should you do once the infection is discovered? Immediately shut down the infected computer and unplug it from the network. Contact PTG Support as soon as possible so that we can determine when the infection began. This will help us figure out where the infection began and what we can do to mitigate any losses.
At this point, consider everything stored locally on this computer lost. The data isn’t coming back. We err on the side of caution and will not risk re-infecting a network with a computer that has been compromised by these types of ransomware. The computer will be completely wiped clean and reinstalled from scratch. From there, we’ll work on restoring you from your backups and getting you up and running again as soon as possible.
Unfortunately, ransomware is only expected to increase and it's evolving all the time. It's essential to put the right security systems in place and train all of your employees on data security best practices. Talk to your IT company to see what data security training they offer and to see what holes in your cybersecurity defense need to be fixed.