This is a particularly nasty piece of malware (ransomware) that has been around since last year, but in the last few months it has increased the intensity of its attacks.
Usually it enters a system disguised as an email attachment and, if opened, proceeds to encrypt the files on your machine. When this has completed, the virus deletes itself and tells the user that their data has been taken hostage and will only be released if they pay the demanded ransom for a key.
We are advising all our Hosting Service Customers to be extra vigilant and to warn employees about the danger of opening attachments from unknown sources, or unexpected emails from known sources. MIS virus-checks all inbound email by default before passing it to your hosted desktop; however, users still need to be extra careful.
Here is a synopsis of an industry report, "The Current State of Ransomware", by one of the leading anti-virus companies, Sophos:
By James Wyke, Senior Threat Researcher, SophosLabs Emerging Threats Team
and Anand Ajjan, Senior Threat Researcher, SophosLabs Dynamic Protection Team
Ransomware has become one of the most widespread and damaging threats that internet users face. Since the infamous CryptoLocker first appeared in 2013, we’ve seen a new era of file-encrypting Ransomware variants delivered through spam messages and Exploit Kits, extorting money from home users and businesses alike.
The current wave of Ransomware families can have their roots traced back to the early days of FakeAV, through “Locker” variants and finally to the file-encrypting variants that are prevalent today. Each distinct category of malware has shared a common goal – to extort money from victims through social engineering and outright intimidation.
The demands for money have grown more forceful with each iteration:
Fake AV peaked around 2009 and attempted to scare victims into paying up by claiming their computers were riddled with viruses.
“Locker” Ransomware locked victims’ screens and demanded a payment to unlock, sometimes using the suggestion of illegal activity on the victim’s part to help induce payment.
File-encrypting Ransomware holds the victim’s files to ransom and only releases them when the ransom demand is met.
In many cases unbreakable encryption is used, meaning that extortion has evolved from simple social engineering, with little to no consequences for failure to comply, to permanent loss of data unless payment is made. The rise of Ransomware can be attributed to the appearance of several significant variants that were extremely successful. This success has been used as a template by later variants, resulting in the mass proliferation we see today.
Ransomware infections are almost always initiated with a spam email. We’ve seen spam campaigns with the Ransomware executable directly attached to the email message, as well as some that have included an attached office document with an embedded macro that will download and execute the Ransomware file.
Other campaigns have also been observed, including some that contain a link which, if clicked, redirects the victim to a download of the Ransomware file. The spam messages show a higher degree of grammatical correctness than typical malicious spam campaigns, with few, if any, spelling mistakes, indicating that they were most likely written by a native speaker of the language used.
The example below shows a campaign targeted at victims in the UK using the well-known “Royal Mail” brand as the lure.
After encrypting the targeted files, the ransomware launches a window telling the user that their files have been encrypted and offering a payment option to obtain the decryption key. Some of the demands make you think that you're in the wrong!
Apart from keeping your anti-virus up to date, there are additional system changes a user can apply to help prevent or disarm ransomware infections.
Back up your files
The best way to ensure you do not lose your files to ransomware is to back them up regularly. Storing your backup separately is also key: as discussed, some ransomware variants delete Windows shadow copies of files as a further tactic to prevent your recovery, so you need to store your backup offline.
Apply Windows and other software updates regularly
Keep your system and applications up to date. This gives you the best chance of avoiding exploitation through drive-by download attacks and vulnerabilities in software (particularly Adobe Flash, Microsoft Silverlight and web browsers) that are known to be used for installing ransomware.
Avoid clicking untrusted e-mail links or opening unsolicited e-mail attachments
Most ransomware arrives via spam email, either through clicked links or as attachments. A good email anti-virus scanner will also proactively block compromised or malicious website links and binary attachments that lead to ransomware.
Disable ActiveX content in Microsoft Office applications such as Word and Excel
We've seen many malicious documents that contain macros which silently download ransomware in the background.
Install a firewall, block Tor and I2P, and restrict to specific ports
Preventing the malware from reaching its call-home server via the network can disarm an active ransomware variant. As such, blocking connections to I2P or Tor servers via a firewall would be an effective measure.
Disable remote desktop connections
Disable remote desktop connections if they are not required in your environment, so that malicious actors cannot access your machine remotely.
Block binaries running from %APPDATA% and %TEMP% paths
Most ransomware files are dropped and executed from these locations, so blocking execution there would prevent the ransomware from running.
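Added example, not from the MIS advisory or the Sophos report: a PowerShell script that implements the %APPDATA% and %TEMP% execution block above using Software Restriction Policy (SRP) path rules written to the local machine policy. It assumes a Windows edition that supports SRP, an elevated session, and the documented Safer\CodeIdentifiers registry layout; the rule patterns, descriptions and function names are the author's own choices.

```powershell
# Added example (not MIS or Sophos code): deny execution from %APPDATA% and %TEMP%
# via Software Restriction Policy path rules. Assumes Windows with SRP support and
# an elevated PowerShell session. Verify on a lab machine before rolling out.

$Base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# Standard SRP "designated file types" list, set explicitly so the policy is self-contained.
$DesignatedTypes = 'ADE','ADP','BAS','BAT','CHM','CMD','COM','CPL','CRT','EXE','HLP','HTA','INF',
                   'INS','ISP','LNK','MDB','MDE','MSC','MSI','MSP','MST','OCX','PCD','PIF','REG','SCR','SHS','URL','VB','WSC'

function Enable-SrpPolicy {
    # DefaultLevel 262144 = Unrestricted: everything runs except what the deny rules below name.
    New-Item -Path $Base -Force | Out-Null
    New-ItemProperty -Path $Base -Name DefaultLevel       -PropertyType DWord       -Value 262144          -Force | Out-Null
    New-ItemProperty -Path $Base -Name TransparentEnabled -PropertyType DWord       -Value 1               -Force | Out-Null
    New-ItemProperty -Path $Base -Name PolicyScope        -PropertyType DWord       -Value 0               -Force | Out-Null  # 0 = all users, admins included
    New-ItemProperty -Path $Base -Name ExecutableTypes    -PropertyType MultiString -Value $DesignatedTypes -Force | Out-Null
}

function Add-SrpDenyPathRule {
    param([Parameter(Mandatory)][string]$PathPattern, [string]$Description = 'Ransomware mitigation')
    # Security level 0 = Disallowed; each path rule lives under its own GUID-named subkey.
    $RuleKey = Join-Path $Base ('0\Paths\{' + [guid]::NewGuid().ToString() + '}')
    New-Item -Path $RuleKey -Force | Out-Null
    New-ItemProperty -Path $RuleKey -Name ItemData    -PropertyType ExpandString -Value $PathPattern -Force | Out-Null
    New-ItemProperty -Path $RuleKey -Name SaferFlags  -PropertyType DWord        -Value 0            -Force | Out-Null
    New-ItemProperty -Path $RuleKey -Name Description -PropertyType String       -Value $Description -Force | Out-Null
    return $RuleKey
}

Enable-SrpPolicy

# Cover both locations the advisory names, one and two directory levels deep
# (droppers commonly land in a random subfolder, e.g. %APPDATA%\<random>\payload.exe).
$Patterns = @(
    '%APPDATA%\*.exe', '%APPDATA%\*\*.exe',
    '%TEMP%\*.exe',    '%TEMP%\*\*.exe'
)
foreach ($p in $Patterns) {
    Add-SrpDenyPathRule -PathPattern $p -Description "Block executables launched from $p" | Out-Null
}

# Refresh policy and list the resulting rules for review.
gpupdate /force | Out-Null
Get-ChildItem (Join-Path $Base '0\Paths') |
    ForEach-Object { Get-ItemProperty $_.PSPath | Select-Object ItemData, Description }
```

Some legitimate software (per-user installers and auto-updaters) also launches from %APPDATA%, so check your own estate first; an exception for a specific trusted path can be added as an Unrestricted rule under CodeIdentifiers\262144\Paths, and on hosted desktops the same settings are better deployed through Group Policy than by local registry edits.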
About MIS Hosting
We provide the full range of data protection software and appliances to make sure your business is never infected. For further information on how MIS can work with your business, please contact us and we would be happy to discuss your needs. Phone 0845 330 4026 or Email: firstname.lastname@example.org