In my last post I covered the nature of the crypto-ransomware exploit. In this article we will discuss things you can do to help defend against this attack.
The best solution for preventing crypto-ransomware exploits is avoidance. For this exploit to work, you have to help it happen. Your risky online behavior makes it possible.
- Never open an email attachment unless you know who sent it and are expecting to receive it. Don’t be afraid to check; it never hurts to reply to the sender and ask them what is in the attachment. You will never get a reply from a phishing email sent by a machine.
- DO NOT click on attachments in email that come in ZIP file format or have double file extensions such as PDF.EXE. You can have file attachments checked out for malware at VirusTotal. You will need to save the unopened attachment to your Desktop in order to upload it to the VirusTotal website. Just remember to delete the file after checking, and empty your Recycle Bin too.
- Never click on a link in an email. Instead of clicking through, go to the website by using a saved Favorite or shortcut, or by manually typing the web address into the browser address bar.
- You can also have links from emails checked by VirusTotal. Click on the URL tab, and carefully copy and paste the hyperlink from the email into the scanner box.
- Another way to check a link yourself is to hover your cursor over the link until the tooltip box appears, or right-click on the link and select Properties from the context menu to see the actual destination address. This method works only if you understand what you are looking at and how a proper URL should be formatted, but it should be obvious if the link is not going to the website you are expecting.
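The attachment and link checks above can be automated for a mail gateway or help-desk triage script. The following is an added example, not code from the original post: it flags double-extension attachments such as PDF.EXE, marks ZIP archives for scanning, and compares the site named in a link's visible text against the host the href actually points to (the same mismatch the hover tooltip reveals). The extension lists and sample message are constructed for the example.

```python
import os
import re
from urllib.parse import urlparse

# Extensions Windows will execute on double-click, and archives that may hide one.
# These sets are an assumption for the example, not an exhaustive list.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs", ".pif"}
ARCHIVE_EXTS = {".zip", ".rar", ".7z"}

def attachment_risk(filename: str) -> str:
    """Classify an attachment name as 'block', 'review' or 'ok'."""
    name = filename.strip().lower()
    inner, ext = os.path.splitext(name)
    if ext in EXECUTABLE_EXTS:
        # "invoice.pdf.exe": a document-looking name with an executable extension
        return "block"
    if ext in ARCHIVE_EXTS:
        # ZIP and other archives need scanning before anything inside is opened
        return "review"
    return "ok"

def actual_host(href: str) -> str:
    """Host the browser would really contact; 'user@host' tricks are stripped."""
    if "://" not in href:
        href = "http://" + href
    return (urlparse(href).hostname or "").lower()

def link_mismatch(visible_text: str, href: str) -> bool:
    """True when the link text names a site but the href points somewhere else."""
    shown = re.search(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", visible_text.lower())
    if not shown:
        return False          # "click here" gives nothing to compare against
    shown_host, real = shown.group(0), actual_host(href)
    return not (real == shown_host or real.endswith("." + shown_host))

def screen_message(attachments, links):
    """Return a list of findings for one message; an empty list means nothing flagged."""
    findings = []
    for name in attachments:
        verdict = attachment_risk(name)
        if verdict != "ok":
            findings.append(f"{verdict}: attachment {name}")
    for text, href in links:
        if link_mismatch(text, href):
            findings.append(f"mismatch: '{text}' -> {actual_host(href)}")
    return findings

if __name__ == "__main__":
    # Constructed sample message (not taken from any real phishing campaign)
    sample_attachments = ["Invoice_2291.pdf.exe", "Scan_0412.zip", "agenda.docx"]
    sample_links = [("www.mybank.example", "http://www.mybank.example.login-check.test/"),
                    ("click here", "http://www.mybank.example/"),
                    ("mybank.example", "http://mybank.example@203.0.113.9/")]
    for finding in screen_message(sample_attachments, sample_links):
        print(finding)
```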
The guys at Foolish IT have created a solution called Crypto-Prevent that uses Windows Group Policy to prevent the encryption phase from ever taking place. This is not really a do-it-yourself project; it helps if you are working as an IT system admin or security professional, or are at least an advanced user with experience working in Group Policy. There is a free version, and a premium version which is $15 per PC in commercial use, or $15 for all PCs in a single home. IT pros – this is your client solution, coupled with some computer user training that covers the topics listed above.
Stop the Process – NOW!
What if you happen to open the ZIP file and think you have an active infection?
- Your best defense at this point is to turn off your computer, and the sooner you do this the better. Encrypting all your files is going to take a lot of time, and the process will make your computer run slower, and may interfere with the proper functions of programs or your web browser. These are clues. Shutting off your computer ends the encryption process.
- The hard drive cannot be running the compromised operating system. You can’t just run your installed Internet Security product to fix this problem, because if you leave your computer on, the encryption continues.
- Have your computer hard drive removed and scanned for malware as an external drive attached to a clean system. Computer support professionals will have a dedicated system called a “sheep dip” just for this purpose; we use one in our shop. With the malware removed, the encryption should be stopped.
- A thorough solution would be to recover all the data files from the drive while it is removed, and then wipe the drive and reinstall the Windows operating system and programs from scratch, and then restore the personal files that were recovered earlier.
Recovery After Encryption
If you see the three or four new shortcuts we described in our last article, it is too late and you have been officially and completely hosed. Your files are encrypted and will remain unusable until you get the decryption key. There are not any magic pills or software that can reverse this process, so don’t waste your money trying them. At this point your options are limited.
- Turn off your computer. Sure, the damage is done, but there is no sense in letting the situation spread to other connected devices. From this point on it is not a do-it-yourself project. Seek competent professional help.
- If you have attached backup drives, network drives, or shared server drives, disconnect them immediately to prevent further spread of the exploit. It may already be too late, so check them from another computer to see if they are still usable.
- If you use an online backup service such as Carbonite, halt the automatic backup process. This prevents your good backups from being overwritten with new encrypted copies.
- You can pay the ransom, and get your files back. All reports indicate that this works. I would still recommend a complete reinstallation of the operating system to ensure that all instances of any other malware are removed.
- You may be able to restore from backup, if these files have not been encrypted as well. Some backup systems, including online services such as Carbonite, include a feature called “versioning.” Versioning keeps earlier versions of files that have been changed, so even if the recent backups are encrypted, earlier versions will still be available. Look for versioning and pay the extra money to have it.
- You may also get back to normal using the Windows Volume Shadow Copy Service. There is a great article that explains the process on MalwareKillers.com. There is quite a bit of other useful information there as well.
We found these articles to be useful when researching this issue:
- EWeek – Fears Over Ransomware Grow, Confidence in Security Dips
- TechRepublic.com – Latest ransomware, Cryptolocker, hits systems and pocketbooks hard
- MalwareKillers.com – How to Recover Files Encrypted by CryptoWall (CryptoDefense)
About the Author: I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments. I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com