The Ransomware Epidemic
In case you haven’t heard, there is a new breed of virus going around in massive proportions. A whole new wave of viruses is being distributed for the sole purpose of getting your money, and for the first time in history there is an anonymous digital currency that makes it possible for the distributors to collect without getting caught.
The most common distribution method seems to be via email attachment. As with most viruses, actual infection is only possible if the script in the attachment is executed. So we can’t stress this enough: don’t open or preview any attachment if you are not absolutely sure that it is legitimate. If you’re like me, you may be thinking, “I would never fall for that.” That might be true, until you are actually waiting on a FedEx package that should have been delivered a few days ago and you get an email from FedEx saying your package was delivered somewhere else and you need to fill out the attached form to claim it… oops, none of my files will open.
What Ransomware Does
Generally speaking, ransomware will first make an encrypted copy of every file with a common file extension, and then delete your original files. Suddenly many programs seem to stop working, because the files they depended on have been replaced with encrypted files under different names. None of your documents, images, spreadsheets, etc. will open either. Once this stage is complete, it appears to us that the virus either removes itself or goes dormant. At this point you are left with completely unusable files and instructions on how to send the virus distributor money.
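The behaviour described above (original documents disappear, files with unfamiliar names appear in their place, and the new content is indistinguishable from random bytes) is something a defender can watch for. The following Python script is an added example, not code from the original post or from iSAFE: it compares two constructed snapshots of a folder, counts how many known document files vanished and how many new high-entropy files with unknown extensions appeared, and raises an alert when the pattern matches. The extension list, the 7.0 bits-per-byte threshold and the sample file contents are assumptions chosen for the example.

```python
import math
from collections import Counter

# Extensions a ransomware sweep typically targets (constructed list for this example).
DOCUMENT_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".jpg", ".png", ".txt"}
# Above this many bits per byte the content looks encrypted/compressed rather than like a document (assumed threshold).
HIGH_ENTROPY = 7.0


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the data: text sits around 4-5, encrypted or random bytes approach 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def extension(path: str) -> str:
    """Lowercased final extension of a filename, '' if it has none."""
    name = path.rsplit("/", 1)[-1]
    return ("." + name.rsplit(".", 1)[1].lower()) if "." in name else ""


def snapshot(files: dict) -> dict:
    """Map path -> (extension, entropy of the first 4 KiB) for an in-memory {path: bytes} listing."""
    return {p: (extension(p), shannon_entropy(data[:4096])) for p, data in files.items()}


def compare_snapshots(before: dict, after: dict) -> dict:
    """Count the pattern described in the post: known documents gone, unfamiliar high-entropy files appeared."""
    docs_before = [p for p, (ext, _) in before.items() if ext in DOCUMENT_EXTS]
    missing_docs = [p for p in docs_before if p not in after]
    new_unknown = [p for p, (ext, _) in after.items() if p not in before and ext not in DOCUMENT_EXTS]
    new_high_entropy = [p for p in new_unknown if after[p][1] > HIGH_ENTROPY]
    return {
        "documents_before": len(docs_before),
        "documents_missing": len(missing_docs),
        "new_unknown_files": len(new_unknown),
        "new_high_entropy": len(new_high_entropy),
    }


def looks_like_mass_encryption(stats: dict, min_fraction: float = 0.5) -> bool:
    """Alert when at least min_fraction of the documents vanished and were replaced by high-entropy unknowns."""
    if stats["documents_before"] == 0:
        return False
    gone = stats["documents_missing"] / stats["documents_before"]
    replaced = stats["new_high_entropy"] >= stats["documents_missing"] * min_fraction
    return gone >= min_fraction and replaced


def demo():
    """Constructed before/after listings: ten text reports replaced by ten random-looking '.locked' files."""
    before_files = {f"docs/report{i}.txt": b"quarterly numbers " * 50 for i in range(10)}
    # bytes(range(256)) * 16 is a constructed stand-in for encrypted content: every byte value equally likely.
    after_files = {f"docs/report{i}.txt.locked": bytes(range(256)) * 16 for i in range(10)}
    stats = compare_snapshots(snapshot(before_files), snapshot(after_files))
    return stats, looks_like_mass_encryption(stats)


if __name__ == "__main__":
    print(demo())
```

In practice the two snapshots would come from a periodic directory walk (or from a file-server audit log), and the alert would trigger a backup-isolation or network-disconnect playbook; a healthy folder that merely gains a few new files never reaches the missing-document threshold.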
How they Collect Your Money
In order to get your files back, you have to pay the file-napper for the key to decrypt your files. I always recommend against this because it kind of encourages the behavior, and you’re giving a criminal money for something they should be arrested for. Their reputation so far, however, has been to actually provide the key as promised if paid as requested. So there is a good probability that if you pay them, you will get your files back. In order to pay them, you must use Bitcoin. Bitcoin is a relatively new anonymous payment system, similar to PayPal in that all funds are transferred through a 3rd party, except Bitcoin provides an almost completely untraceable platform, which allows criminals to take your money online and never be caught. The price of the key can be as low as $300, but we just had a customer infected where the price was going to be over $3000.
If you’ve been infected, there are only a few options to get your files back. The first one, of course, is to pay the ransom, which we hate the idea of more than anything. Secondly, if you have a good recent backup, you can just restore your files after the virus has been cleaned from the computer. Thirdly, sometimes files can be recovered using shadow copy (a system that Windows uses to allow cached access to files over the network). Finally, since the original files were deleted, you might have success with a data restoration program that can “undelete” files. This one can be time consuming and requires special software (you won’t find your files in the recycle bin).
How to Protect Your Files
If you haven’t been infected yet, there are some very important things you should be doing to prevent this type of infection.
- Never open attachments unless you are 100% sure they are legit.
- Run a local backup of your data every day (the built-in software on Windows 7 and newer is fine).
- Subscribe to an off-site backup service like Carbonite. A couple of our clients have been “saved” by Carbonite already. They keep up to 30 days of revisions on files, which makes their service invaluable against this type of attack.
- Make sure your mail protection is blocking macro-enabled documents and .js scripts (iSAFE Mail Protection will do this for you).
- Make sure your web protection is blocking access to downloading Tor (iSAFE Web Protection will do this for you).
- Use iSAFE Web Protection to block “proxy avoidance” or “anonymizers”.
- Disable Java in your web browsers.
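The mail-protection item above (block macro-enabled documents and .js scripts) is the kind of rule a gateway applies to every attachment before it reaches the inbox. The Python script below is an added example, not iSAFE’s code or anything from the original post: it normalises the attachment filename, checks every extension segment (so a file named like a PDF but ending in .js is still caught), and goes slightly beyond the page by opening ZIP-based attachments in memory, without extracting them, so that a Word file renamed to .docx but still carrying a VBA macro project, or an archive with a script inside, is refused as well. The blocked-extension list and the sample attachments are constructed for the example.

```python
import io
import zipfile

# Extensions this policy refuses: Windows script hosts and macro-enabled Office formats.
# Constructed list for this example; align it with your own gateway's categories.
BLOCKED_EXTS = {".js", ".jse", ".vbs", ".wsf", ".docm", ".dotm", ".xlsm", ".xltm", ".pptm"}


def extension_chain(filename: str) -> list:
    """Every extension segment, lowercased: 'form.pdf.JS ' -> ['.pdf', '.js']."""
    name = filename.strip().rstrip(". ").rsplit("/", 1)[-1]
    return ["." + part.lower() for part in name.split(".")[1:] if part]


def blocked_reason(filename: str):
    """Reason string if any extension segment is on the block list, else None."""
    for ext in extension_chain(filename):
        if ext in BLOCKED_EXTS:
            return f"extension {ext} is blocked"
    return None


def check_attachment(filename: str, content: bytes):
    """Return (allowed, reason). ZIP containers (including OOXML Office files) are inspected member by member."""
    reason = blocked_reason(filename)
    if reason:
        return False, f"{filename}: {reason}"
    if content[:2] == b"PK":  # ZIP local-file-header signature; .docx/.xlsx/.zip all start this way
        try:
            with zipfile.ZipFile(io.BytesIO(content)) as zf:
                for member in zf.namelist():
                    # OOXML documents keep VBA macros in a vbaProject.bin part, whatever the outer extension says.
                    if member.lower().endswith("vbaproject.bin"):
                        return False, f"{filename}: contains VBA macro project {member}"
                    inner = blocked_reason(member)
                    if inner:
                        return False, f"{filename} contains {member}: {inner}"
        except zipfile.BadZipFile:
            return False, f"{filename}: corrupt or unreadable archive"
    return True, f"{filename}: allowed"


def build_sample_zip(members: dict) -> bytes:
    """Build an in-memory ZIP from {member name: bytes} (used only to construct the samples below)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample attachments: names and contents are made up for this example.
SAMPLES = {
    "delivery_form.pdf": b"%PDF-1.4 constructed sample",
    "delivery_form.pdf.js": b"// constructed script text",
    "report.xlsm": b"PK",
    "notes.docx": build_sample_zip({"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<w:document/>"}),
    "renamed_macro.docx": build_sample_zip({"[Content_Types].xml": b"<Types/>", "word/vbaProject.bin": b"\x00"}),
    "bundle.zip": build_sample_zip({"invoice.js": b"// constructed script text"}),
}


def evaluate_samples() -> dict:
    """Run the policy over every sample; True means the attachment would be delivered."""
    return {name: check_attachment(name, data)[0] for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(check_attachment(name, data)[1])
```

Checking the extension chain rather than only the last segment, and looking at the container’s contents rather than trusting its name, are the two details that separate a useful rule from one that is trivially bypassed by renaming; the plain-PDF sample passes while the other five are refused.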