Category: Malware

By now you have probably heard of the CryptoLocker malware, through firsthand accounts or even on the news. It is very prevalent on the Sunshine Coast and has affected many local businesses. It is part of a nasty class of software known as ransomware: malware that adversely affects a victim’s computer and demands a ransom be paid in order to restore functionality. Although ransomware has existed for many years, CryptoLocker’s release in 2013 caused a massive increase in reported cases, and it doesn’t show any signs of slowing.

What is Encryption?

Modern ransomware arrives as a malicious email attachment or URL link that surreptitiously downloads a file to the victim’s PC, which then begins encrypting the user’s photos, videos and documents. Strong encryption is, in simple terms, locking files away behind a very long password (the key) that cannot be cracked except in very rare cases. The malicious program that encrypts the files holds this key and will request the ransom in order to unlock all of your files.

What is Encrypted?

As well as encrypting local files on the computer, the malware will also encrypt files on any network shares it can reach from the infected machine. These can be on NAS storage devices, servers or other computers. Encrypted files will appear with different extensions (often .enc or .encrypted) and will no longer open. Once infection is underway, users will receive a message file (often dropped into every folder as “HOW_TO_UNENCRPYT.txt”) informing them that their files have been encrypted and directing them to a bitcoin payment site, where the victim must pay a ransom in order to regain access to their files.
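The two symptoms described above (renamed files with an encrypted extension, and a ransom note dropped into every folder) are easy to check for on a suspect machine or share. The following scan is an added example written for this article, not a tool from OJ Networks; the extension list and the ransom note name come from the text, and the sample folder tree it scans is constructed inline so the script runs offline.

```python
import os
import tempfile
from pathlib import Path

# Indicators taken from the article: extensions ransomware appends to
# encrypted files, and the ransom note name it mentions. Extend these
# sets for other ransomware families you have seen.
ENCRYPTED_EXTENSIONS = {".enc", ".encrypted"}
RANSOM_NOTE_NAMES = {"how_to_unencrpyt.txt"}


def scan_tree(root):
    """Walk a directory tree and report folders that look ransomware-affected.

    Returns {folder path: {"encrypted": count, "total": count, "notes": [names]}}
    containing only the folders with at least one indicator.
    """
    findings = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        encrypted = 0
        notes = []
        for name in filenames:
            lower = name.lower()
            if lower in RANSOM_NOTE_NAMES:
                notes.append(name)
            elif Path(lower).suffix in ENCRYPTED_EXTENSIONS:
                encrypted += 1
        if encrypted or notes:
            findings[dirpath] = {
                "encrypted": encrypted,
                "total": len(filenames),
                "notes": notes,
            }
    return findings


def summarize(findings):
    """Return (total encrypted files, number of folders holding a ransom note)."""
    total_encrypted = sum(f["encrypted"] for f in findings.values())
    folders_with_notes = sum(1 for f in findings.values() if f["notes"])
    return total_encrypted, folders_with_notes


def build_sample_tree(root):
    """Constructed sample data: one clean folder and one folder that has been hit."""
    clean = Path(root) / "Documents"
    clean.mkdir()
    (clean / "budget.xlsx").write_text("ok")
    hit = Path(root) / "Photos"
    hit.mkdir()
    (hit / "holiday.jpg.encrypted").write_text("junk")
    (hit / "family.jpg.enc").write_text("junk")
    (hit / "HOW_TO_UNENCRPYT.txt").write_text("your files have been encrypted")
    return root


def demo():
    """Scan the constructed tree and return the summary tuple."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return summarize(scan_tree(tmp))


if __name__ == "__main__":
    print(demo())  # (2, 1): two encrypted files, one folder with a ransom note
```

Point `scan_tree` at a mapped share or a user profile to get a folder-by-folder view of how far the encryption spread, which also tells you which backup set you need to go back to.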

In some rare cases it can be possible to recover these files using what’s called Shadow Copies. Windows uses this technology to take automatic backup copies of files and folders in case of data loss. Unfortunately, most modern ransomware deletes these automatic copies as part of its infection routine, so they are not a reliable backup solution or ransomware prevention method.

Although CryptoLocker and other ransomware like it can prove devastating to those unprepared, it is still malware and, just like all malware, there are steps you can take to prevent it.

Preparation and Vigilance

The most effective means of avoiding infection by ransomware is preparation and vigilance. As mentioned above, the most common method of infection is by attachments and website links in emails. These emails can appear to be from well-known companies (previous examples include Australia Post, AGL Energy and Optus), friends and family, or work colleagues. If you receive an email that contains an attachment or website link, it is better to be safe than sorry, so always triple check its contents before opening anything.

Check Sender Address

In the example below, you can see that although the email appears to be from Australia Post, the sending address is clearly not an official Australia Post email account; it appears to be a free email account created through Yahoo. Don’t trust anything that is not from a domain you know, such as the official Australia Post website, auspost.com.au.

[Image: AUsPost-CryptoLocker]

Check all Hyperlinks

In this example the email wants you to click the “Get parcel info” link to find out why your parcel hasn’t been delivered. Doing so downloads malware to your computer which, when run, will encrypt all your files. Note again that the sender address is nothing like what you would expect.

[Image: Australia Post Scam Email]

If the suspect email contains links rather than attachments, there are also ways of checking them before opening. Without clicking on the link, simply hover your mouse over it. This will display the actual address the email is trying to send you to. In the case below, the sender claims to be from AGL Energy, telling the recipient that there are overdue fees. When hovering over the link, however, we can see that instead of the correct AGL URL (agl.com.au), the link is a Russian address and not an official AGL Energy domain, and thus is almost certainly a malicious link that would try to download ransomware to the system. Don’t click this link!

[Image: AGL-CryptoLocker]
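The two checks above (does the sender’s address belong to the company it claims to be, and do the links go to that company’s real domain) can be automated with nothing more than the standard library. The script below is an added example for this article, not code from OJ Networks or any mail product. The sample email, the sender address and the link hosts in it are constructed, and the `KNOWN_DOMAINS` table is an assumption built from the two official domains the article names (auspost.com.au and agl.com.au).

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the Australia Post example in the article.
# The sender address and the tracking URL are made up for the demonstration.
SAMPLE_EMAIL = """\
From: Australia Post <parcel.notice123@yahoo.com>
To: you@example.com
Subject: Your parcel could not be delivered
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your parcel could not be delivered.</p>
<p><a href="http://auspost-tracking.example.net/get.php?id=1">Get parcel info</a></p>
<p><a href="https://auspost.com.au/help">Help centre</a></p>
</body></html>
"""

# Display name (lower-cased) -> domains that genuinely belong to that organisation.
# Assumed table; the two entries are the official domains the article mentions.
KNOWN_DOMAINS = {
    "australia post": {"auspost.com.au"},
    "agl energy": {"agl.com.au"},
}


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs, the same information you get by hovering."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def domain_matches(host, allowed):
    """True if host is one of the allowed domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowed)


def check_message(raw):
    """Return a list of warnings: sender domain mismatch, links pointing off-brand."""
    msg = email.message_from_string(raw, policy=policy.default)
    addrs = msg["From"].addresses if msg["From"] else ()
    if not addrs:
        return ["message has no usable From address"]
    sender = addrs[0]
    allowed = KNOWN_DOMAINS.get(sender.display_name.strip().lower(), set())
    warnings = []
    # Check 1: the sending address must belong to the organisation named in the display name.
    if allowed and not domain_matches(sender.domain, allowed):
        warnings.append(
            f"sender claims to be '{sender.display_name}' but address domain is {sender.domain}"
        )
    # Check 2: every link in the HTML body must also point at that organisation's domain.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for text, href in collector.links:
            host = urlparse(href).hostname or ""
            if allowed and not domain_matches(host, allowed):
                warnings.append(f"link '{text}' goes to {host}, not an official domain")
    return warnings


if __name__ == "__main__":
    for w in check_message(SAMPLE_EMAIL):
        print("WARNING:", w)
```

Run against the sample it flags the Yahoo sender and the “Get parcel info” link while leaving the genuine auspost.com.au help link alone. The display-name lookup is deliberately strict: an email whose display name is not in the table produces no warnings, so the table has to be maintained for the brands your users actually deal with.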

Call the Sending Company

Whenever in doubt, the safest option is to call the person or company that appears to have sent the email to confirm that it is safe to open; remember to look their phone number up yourself, as the phone numbers included on the emails will often be false.  It is always better to be safe than sorry.

Help with Prevention

Aside from monitoring your emails, there is a range of software products available to help prevent ransomware attacks. At OJ Networks, we have had some success with a program called CryptoPrevent. A dedicated anti-ransomware suite, this program stops ransomware by preventing executable files (which are used to install the malware) from running in many of the locations used by CryptoLocker and other malware. The rise of ransomware in recent times has meant that most good antivirus software now has tools to combat it, so it is more important than ever to make sure your PC is protected.

The Only Real Solution: Backups, Backups, Backups

Finally, and perhaps most important, is keeping a regular and up-to-date backup of your PC. If the worst does happen and you become infected, the last thing you want to do is hand over your hard-earned money to the people who are holding your data to ransom. With a solid backup solution, not only are you protected from malware attacks, you guard yourself against data loss, accidental deletions, computer hardware faults, and much more. It really is invaluable if you use your computer to hold important information, personal photos and business documents. One important thing to note with backups is that they too can become encrypted by ransomware if the USB drive you are storing them on is attached to your PC at the time of infection. For this reason, we recommend that after you take a backup of your system and documents, you remove the USB drive from your PC and store it safely.
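Because a drive that was plugged in during an infection may itself have been encrypted, it pays to confirm a backup is intact before you rely on it. One simple way is to record a hash of every file when the backup is taken and keep that manifest somewhere other than the backup drive, then compare against it before restoring. The script below is an added example for this article, not an OJ Networks tool and not how ShadowProtect works; the backup files and the simulated infection are constructed inline so it runs offline.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_of(path):
    """Hash a file in chunks so large backup files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(backup_root, manifest_path):
    """Record the relative path and hash of every file in the backup set."""
    root = Path(backup_root)
    manifest_file = Path(manifest_path).resolve()
    manifest = {
        str(p.relative_to(root)): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.resolve() != manifest_file
    }
    Path(manifest_path).write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_backup(backup_root, manifest_path):
    """Compare the backup against its manifest.

    Returns (ok, missing, changed): files that have disappeared (renamed with a
    ransomware extension, for example) and files whose contents no longer match.
    """
    root = Path(backup_root)
    manifest = json.loads(Path(manifest_path).read_text())
    missing, changed = [], []
    for rel, digest in manifest.items():
        p = root / rel
        if not p.is_file():
            missing.append(rel)
        elif sha256_of(p) != digest:
            changed.append(rel)
    return (not missing and not changed), missing, changed


def demo():
    """Constructed scenario: a good backup, then the same drive after an infection."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        backup.mkdir()
        (backup / "report.docx").write_bytes(b"quarterly report")
        (backup / "photo.jpg").write_bytes(b"\xff\xd8 jpeg bytes")
        # The manifest lives outside the backup folder, standing in for
        # "keep it somewhere the ransomware cannot reach".
        manifest = Path(tmp) / "manifest.json"
        write_manifest(backup, manifest)
        before = verify_backup(backup, manifest)
        # Simulate the USB drive being attached during an infection: one file
        # is renamed with an encrypted extension, another is overwritten.
        (backup / "photo.jpg").unlink()
        (backup / "photo.jpg.encrypted").write_bytes(b"\x00 ciphertext")
        (backup / "report.docx").write_bytes(b"junk")
        after = verify_backup(backup, manifest)
        return before, after


if __name__ == "__main__":
    before, after = demo()
    print("fresh backup ok:", before[0])
    print("after infection ok:", after[0], "missing:", after[1], "changed:", after[2])
```

A manifest check like this is also a cheap way to test that a rotated drive actually contains what you think it does before it goes into storage.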

For business users, we take the next step and implement a full backup rotation of drives, often up to 5 of them, and couple that with backup software called ShadowProtect.  This powerful program allows us to manage multiple instances of backups over large periods of time, which allows for archival backups stretching back months in addition to the safety of having multiple backups spread over many devices and locations.  Another great benefit of using ShadowProtect is real time data recovery.  If only a few files are lost and damaged we can simply “load” a backup from before the time of data loss, and copy only what is needed rather than implementing a full data restore.  This can be invaluable for businesses who rely on server uptime and cannot afford the time for a full recovery.