I attended a Technology Roundtable last week and one of the topics was “What keeps you awake at night?” My immediate response was “Ransomware”. Two days later, news broke about the massive ransomware attack dubbed “Wanna Cry” which was wreaking havoc on computers and servers around the globe.
This is truly the kind of attack that keeps IT professionals up at night.
Many viruses, rootkits, and malware are annoyances and can be removed by tools that are readily available on the internet. While some can be removed pretty quickly with killer apps like MalwareBytes, others may be more tenacious and require a recovery of your files and reinstallation of your operating system, a process that will take hours or days and cost a pretty penny. However, at the end of the day, all of your files can be safely restored either from your hard drive or a recent backup (you ARE backing up, right?)
The most devastating malware affecting users today is different. It’s called Ransomware and it will ruin your day, week AND year.
Ransomware has been around for a decade or more. You may recognize some of the variants, including CryptoLocker, Locky, and most recently Wanna Cry .
Here’s what it does:
The infections search for and encrypt important files on your computer using common encryption algorithms. When the file encryption process completes, the program displays a payment message prompting the user to send a ransom of $300+ to purchase the decryption keys to recover your files. The ransom frequently increases with time until you pay up. Failure to pay the ransom results in deletion of your encryption key and permanent file loss.
Ransoms must be paid using MoneyPak vouchers or Bitcoins which are not easily traceable by law enforcement to an organization or individual. Once you send the payment and it is verified, the program will send you the key to decrypt the files that it locked. (thanks to Lawrence Abrams on BleepingComputer.com for this summary)
How you Become Infected with Ransomware:
The infection is typically spread through infected email attachments. In the past, the emails have posed as customer support notices from Fedex, UPS, DHL, etc. and the attachment was typically named Form_102213.pdf or Form_102213.pdf.exe (or some variant of these), but might also be disguised as a ZIP or other file type. A key difference between prior infections and Wanna Cry is that once a computer was infected on a company network, it exploited a vulnerability in Windows that allowed it to spread from computer to computer on local networks. Thus, it had a devastating impact within large organizations.
What if you get infected:
The first thing to do is disconnect your computer from the internet and power it off– QUICKLY! This will prevent encryption of additional files. If you’re working wirelessly, disable wireless on your PC. If connected via Ethernet cable, pull the plug. Next call your IT pro and start deciding how important your encrypted files are to you. Also, figure out where your most recent backup is and how recently it ran. Most cloud-based backup services provide file versioning for a period of time. For example, Carbonite saves previous versions of files for 3 months which could be your saving grace.
Removal of the malware is fairly straightforward. However, without the decryption keys it is absolutely impossible to decrypt your files. Thus, if you cannot recover the files from a recent backup and need them restored, your only option is to act quickly and send the ransom money. There is currently no tool available (or IT Pro) that can decrypt your files.
How to protect yourself:
1. Be vigilant about opening email attachments – never open an attachment originating from unknown/unexpected sources (i.e. if you’re not traveling anywhere, don’t open a travel itinerary from Delta!). Also, be careful when opening unusual attachments from trusted sources as their email may have been hacked. EDIT: I rarely open email attachments even from known senders unless I am absolutely expecting it (i.e. a friend/client has explicitly stated that they are sending over an Excel spreadsheet on Monday — i will probably open this; however, if I receive an attachment from a friend that I’m not expecting, I will text or call them to verify its authenticity. NEVER send an email to verify the doc). Further, do not open unexpected file shares through DropBox, Google Drive or other sync services unless you expect them. Even then, proceed with caution.
2. Keep all programs updated and Windows Updates applied. The recent Wanna Cry ransomware exploited a security vulnerability in Windows. Microsoft issued a patch for the issue in March, so if you’re keeping Windows updated then you should be safe. Windows 10 forces download/installation of updates, so unless you have “hacked” Windows 10 to deny the updates, you should be safe. In fact, most accounts report that Windows 10 was not targeted by the most recent attacks.
3. Choose a reputable antivirus software and keep it updated. I recommend BitDefender.
4. Backup, backup backup… and then Backup! to an external hard drive ($85 for 1TB) and disconnect it from your computer or use an online service that provides versioning. I am a partner/reseller for BackBlaze and can help you get this up and running quickly. When all other protections fail, a good/current backup will get you back in business without having to pay up to the bad guys!
5. Be very careful about free software you download from the internet. Many seemingly useful programs such as PDF writers or video downloaders come with malicious “baggage”.
6. Make sure you’re running System Restore on your PC. This can help recover previous versions of files that have been encrypted. While this is not a fail safe, it’s still a good idea to make sure this feature has not been disabled in Windows.
7. Apply the Software Restriction Policies outlined in this article using Local Security Policy or Group Policy (domain computers) to disable the malware’s ability to execute on your system. This is fairly advanced, so please let me know if you want assistance applying these policies to your PC. Also, keep in mind that these policies will block the malware in its current form. As hackers modify the code to install from another location on your computer, these policies will not protect you.
8. Train your users to be vigilant about the emails they open, the links they click and the email attachments they open.
Is There any GOOD News?
As a matter of fact, yes. Most of the recent attacks occurred overseas, mostly European computers and servers. Further, a security researcher reviewed the code during the attacks and located/activated a “kill switch” which dramatically slowed the spread of Wanna Cry. However, it was slowed, not stopped. The BAD news, though, is that this was a variant on a common malware attack pattern. As long as there is money to be made in malware there will be plenty of future attacks to come. AND, as any user of Windows knows, there are plenty of security holes in the operating system as evidenced by the nearly constant interruption of Windows Updates.
If you want to geek out on more technical details about the threat, take a look at these articles posted on BleepingComputer.com, MalwareBytes and Microsoft. Another good read comes from the blog of Marcus Hutchins who found the kill switch in the Wanna Cry code.
Stay safe out there!