How to defend yourself from ransomware
By Susan Bradley on April 23, 2015 in Top Story
Though our malware defenses have improved, ransomware authors are finding new ways to infect our systems. Fortunately, we have options and solutions.
The evolving forms of ransomware
It’s a computer user’s worst nightmare. You boot your PC, and a big warning box pops up on your screen. No, it’s not a Windows error; the message states that all your files have been encrypted and you’ll have to pay a ransom to get the key.
The first strain of this pernicious form of malware/ransomware was CryptoLocker. It was a profitable scheme — until anti-malware apps adapted to this new threat. But as with any successful infection, CryptoLocker soon mutated into new variations such as CryptoWall and TorrentLocker. Whatever they’re called, all these strains of malware have a common thread: they don’t destroy data but simply lock it up until you pay the ransom. Even when the infection is removed, the data remains encrypted. And in some cases, even backup files are made unusable — unless you buy the key.
Most ransomware infections arrive via email attachments or phishing attacks. They can even be hidden in cloud-based file-sharing sites such as Box, Dropbox and ShareFile. They can be .exe files, ZIP files, or fake PDF files that are in fact executables used to install malicious code.
Ransomware seems to be especially adept at evading anti-malware tools. Its encryption engine is similar to those we regularly use on our PCs, and its pattern or signature can change rapidly. A recent US-CERT notice describes a specific type of malicious code used to download ransomware: “AAEH is a polymorphic downloader with more than two million unique samples. Once installed, it morphs every few hours and rapidly spreads across the network. AAEH has been used to download other malware families, such as Zeus, CryptoLocker, ZeroAccess, and Cutwail.”
That adaptability makes keeping anti-malware detection current a real challenge.
Hackers are constantly learning new ways to attack us. For example, they initially targeted only the local drives. Then they went after any network-mapped drives with an assigned drive letter (e.g., F: or I:). Now, any network location that a workstation can access is vulnerable. Again, if you don’t have a clean backup, you’ll have to pay the ransom to get access to your data. The going rate is typically $300 or more in bitcoins, purchased from a reputable vendor such as coinbase.com.
If you’re lucky enough (relatively speaking) to be infected by one of the early versions of CryptoLocker, you might be able to recover your files by using the FireEye/Fox-IT site decryptcryptolocker.com. To use the site, you submit an encrypted file — which is then matched against a recovered CryptoLocker encryption-key database. (A copy of the database was obtained by Operation Tovar.)
The encryption process uses two types of keys. The public key is used to encrypt files; the private key handles decryption and is held only by the data’s owner. A CryptoLocker attacker uses the public key to lock your files. Because the thieves hold the private key, they effectively own the files. You pay ransom to have your data unlocked — you might or might not get the actual key. Again, because the attackers use standard encryption techniques, the encryption process usually goes undetected by anti-malware programs.
Keeping up on the latest ransomware variants
One of the best resources for new information on ransomware is the CryptoLocker/ransomware page at bleepingcomputer.com (so named for the frustration one gets from using computers). As noted on that page, CryptoLocker first appeared in September 2013, targeting XP, Vista, Win7, and Win8 systems. The ransom demands started at $100 to $300; if you didn’t pay the ransom within four days, the encryption key would be deleted and you’d have no way to recover the files. Fortunately, the original CryptoLocker delivery system is now disabled.
Unfortunately, there are new variations of ransomware that are not easily defeated. For example, bleepingcomputer.com notes that nothing can save you from CryptoWall short of paying the ransom. Another variant — CoinVault — is fairly new. A Kaspersky Securelist page describes the difficulty of even analyzing this ransomware. But the company claims its software can now detect this type of malware, and it has set up another page that might help recover CoinVault-encrypted files.
Keeping ransomware off your home computers
There are several techniques and tools that can help prevent ransomware infections. For example, FoolishIT.com’s CryptoPrevent defeats the original CryptoLocker infection by blocking temporary file locations used by the ransomware.
To protect yourself from newer “crypto” infections, ensure that whatever email service you use has filtering enabled to remove malicious attachments. Or forward your mail through Gmail, which generally does a good job of blocking suspect attachments. I also recommend using OpenDNS to block known malicious websites.
Most important, be sure to have a local, recent, full backup of your important data. (Again, files archived to cloud-based storage can become infected.) Be sure that your backup system (such as Win7’s Backup and Restore) hides your external, USB backup drive — i.e., it doesn’t show up in Windows Explorer and so ransomware should not be able to access it. (Windows 8 doesn’t hide dedicated USB backup drives.)
One early recovery solution was to use Windows’ shadow-file copies. But the latest ransomware now disables and/or deletes those files. If you use a cloud-storage service to back up your data, be sure that versioning is turned on. If ransomware encrypts your local files, the synched version in the cloud might also be encrypted. But you should still have access to the previous versions of the files. The best solution is both cloud and local backups, rotating between two or more local backup devices. (Never connect both backup drives at the same time.)
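A defender-side check that follows from the backup advice above, added here as an example (it is not code from the article or from any tool it names): before rotating a backup drive or trusting a cloud-synced copy, scan it for files that look as though ransomware overwrote them. Readable text files whose bytes are near-random (Shannon entropy close to 8 bits/byte) and newly appeared files named like ransom notes are both flagged; the extension list, entropy threshold and note-name pattern are assumptions.

```python
"""Backup sanity check (added example, not code from the original article).
Flags files that should be readable text but look like random bytes, and
file names that resemble ransom notes. Extensions, threshold and the note
pattern are assumed heuristics, not values from the article."""
import math
import os
import re
from collections import Counter

TEXT_EXTENSIONS = {".txt", ".csv", ".xml", ".html", ".ini", ".log", ".rtf"}
ENTROPY_THRESHOLD = 7.5   # bits/byte; plain English text is usually 4 to 5
MIN_SAMPLE = 64           # tiny files give unreliable entropy estimates
# Assumed ransom-note naming pattern, e.g. "HOW_TO_DECRYPT_FILES.txt".
RANSOM_NOTE = re.compile(r"(decrypt|restore|recover).*\.(txt|html?)$", re.IGNORECASE)

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 if empty)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_encrypted(name: str, data: bytes) -> bool:
    """True if a file that should be readable text looks like random bytes."""
    ext = os.path.splitext(name)[1].lower()
    return (ext in TEXT_EXTENSIONS and len(data) >= MIN_SAMPLE
            and shannon_entropy(data) > ENTROPY_THRESHOLD)

def classify(files: dict) -> dict:
    """Sort {path: leading bytes of content} into suspicious buckets."""
    report = {"high_entropy": [], "ransom_notes": []}
    for path, head in files.items():
        if RANSOM_NOTE.search(os.path.basename(path)):
            report["ransom_notes"].append(path)
        if looks_encrypted(path, head):
            report["high_entropy"].append(path)
    return report

def scan_backup(root: str, sample_bytes: int = 4096) -> dict:
    """Read the head of every file under a backup root and classify it."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                files[path] = fh.read(sample_bytes)
    return classify(files)
```

A non-empty report is a reason to keep the older backup drive offline and untouched rather than overwriting it with the suspect copy.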
Keeping your anti-malware up to date is important, but as already noted, ransomware is often adept at dodging security software.
So how can ransomware find its way onto your computer or network in the first place?
There are many forms of “risky” behaviour that can lead to infection, but some of the key ones are:
- opening malicious attachments appended to emails that typically come from unknown senders
- clicking through a malicious link presented in an email, social media message, instant message, etc.
- visiting a website that has been corrupted to deliver malware
- opening corrupt macros in business applications such as documents and spreadsheets
- introducing infected programs via inserted media such as CDs, DVDs and USB sticks
How can you prevent ransomware from finding its way onto your system?
Generally speaking, the key to avoiding ransomware, as well as other types of malware, is to steer clear of the behaviour listed above, all of which can be categorised as risky.
Sure, we know business people and home users alike need to open emails and read documents, but a little common sense goes a long way:
- If you receive an email from someone you don’t know, leave it well alone.
- If someone you do know sends you an unexpected email – say the title looks off – then do not open it as the sender’s system may itself have been infected with something nasty.
- Whenever you are surfing online, try to only visit sites you know and trust.
- If you visit a new site, be on the lookout for warnings in your browser which may alert you to the fact that the site has been compromised.
- Be careful when inserting media into your computer or anywhere on the network – ransomware and other malware is often transmitted in this way.
- If you are using Windows, keep User Account Control (UAC) switched on – it will notify you before any changes requiring administrator-level access can be made.
- Also, ensure you keep up to date with service packs and all security patches.
- Avoid Flash if possible – this is a common avenue of attack.
- Finally, or perhaps that should be firstly, make sure your system is protected at all times by a reputable antivirus program or security suite – its scanning abilities will help prevent ransomware and other malicious programs from taking hold of your system in the first place.
- Also, don’t forget to back up all your important files on a regular basis. Ideally, your backups should be held in a secure location away from your primary machine or network and not rely upon cloud storage at all. This will ensure that there is no risk of the backups themselves becoming infected with ransomware.