Do viruses and other malware scare you?
I recently was called in by a non-profit saying that there was an issue with their file server, and they suspected malicious intent by somebody on the inside.
After a short investigation, I found the issue was the CryptoLocker ransomware. The malware encrypted all the files in the servers, which were shared via mapped drives.
I explained that it was not sabotage by anyone, but an unfortunate mistake by one of their users.
There was little I could do as they took too long to seek help. The time to get the files decrypted had passed and they couldn’t pay the money. Their only option was to restore from backups.
What is Ransomware
Ransomware is malicious software that when executed proceeds to extort money from you in some way. Examples of ransomware include:
- Fake antivirus scanners that claim to have found malware on your PC and demands money from you to clean them up. If you don’t pay it annoys you with pop-ups or may even prevent you from using your PC.
- Fake alerts that claim that your machine has been locked by federal police for illicit content on your PC and says that you need to pay a fine.
- Encrypting ransomware is the worst of the bunch. It encrypts certain files like files in your documents folder and on mapped drives, and then demands payment to decrypt it. CryptoLocker demands a payment of anywhere from US$500 to US$1500 in Bitcoin to decrypt your files. The use of Bitcoin makes the transaction difficult to trace.
You can remove the first two types using tools from reputable anti-virus makers and pose little risk other than a headache.
Encrypting ransomware like CryptoLocker, however, is the most dangerous. It uses public/private key encryption, which makes decryption impossible without the private key.
The ransomware scourge is truly frightening and I saw firsthand the effect it can have. Larger organisations may have the technology to reduce the risk, but how can smaller organisation do that?
Several organisations, when faced with the CryptoLocker malware, paid the ransom. This cost less than it would to restore from backups, which can takes days, and cost thousands more in downtime and overtime costs.
All authorities say that you should not pay the ransom, even for the CryptoLocker malware.
Paying the ransom money only encourages these criminal organisations to continue their enterprise. It also goes towards financing the development of even worse tools.
Protecting your Business
So how can organisations protect themselves from this risk?
- Use anti-virus software as a preliminary defence. AV software offers some level of protection from known attacks. Heuristic detection for unknown attacks is also getting better. But AV may still be ineffective against new versions of ransomware software, otherwise called zero-day software.
- Be cautious of email, even from known people, asking you to open files or run software to view something. Scrutinise grammar and salutations. For example, if someone you know consistently calls you John, but the email addresses you as Jonathon, or Mr Smith, that should raise red flags. As a default, you should not open any files unless you are expecting it, or you call the person first to verify that it is legit.
- Change your operating system preferences to show the entire file name, including extensions. This will help you determine if a file is an executable. Executable files have .exe or .com extensions. Malicious files often come with names such as document.pdf.exe, or spreadsheet.xls.com with icons that show up as a pdf or excel file. If you “hide extensions of known types” then the files will show up as document.pdf or spreadsheet.xls, making it difficult to identify it as a malicious file.
- Heed warnings of anti-virus software or operating systems whenever you try to open a file. With user access control (UAC) on Microsoft Windows enabled, users are prompted if they want to run a particular application. Or an AV firewall may ask if you want to allow a particular file or application to access the internet. If you didn’t intend to run a file or application, then click no.
- Configure your firewalls and antivirus to block email attachments with executable files if it is able to. There should be no reason for executable files to be sent to you via email. If someone has to send you an executable file, let them use ftp or a Dropbox link or similar, and then call the person to find out if they intended to send you those files.
- Train your users to recognise threats. I admit that this is becoming increasingly difficult to do. I’ve seen some examples of malicious sites that were hard to discover as such. And I’m a security expert, far less a chance for the typical computer user to figure that out. However, awareness training for users helps reduce risks of those sites that they can identify, so it’s still worth doing.
- Avoid mapped drives. This is hard for some organisations, but many malicious applications (not just Crypto Locker) scans all local drives, and will see the mapped drive as a local drive. If mapped drives are not used, then they can’t be attacked. This is not to say that another version of CryptoLocker won’t be released that will scan the network and enumerate files, but for now, eliminating mapped drives can mitigate the risk.
- Use the principle of least privilege. This means that users are given the privileges to only do what they are required to do, and no more. This involves the creation of “whitelists” of what applications they can run. So if they accidentally try to run a malware nothing will happen.
Beyond these steps, there is little else any organisation can do. It’s up to the authorities to take down these criminal organisations, which are often on the other side of the globe.
The internet can be a dangerous place, but you can safely use it for personal and business benefit once you take the proper precautions.
Be safe out there.