Ransomware: How to Guard Against Online Extortion

Some business advice

Tuesday, June 14, 2016

Hackers on the loose again!

Recently, the University of Calgary had their computers hijacked by a ransomware scam that shut down the administrative staff and faculty members' email programs, as well as other systems. The aggressive virus provided automated instructions for the educational institution to pay $20,000 to receive an encryption key to unlock all their compromised files. The cyber-extortion case was reported widely in the media, including in this CBC article.

The Controversy of Caving to Criminals

The decision by the university to give into the extortionists' demands, paid in untraceable "Bitcoin" cyber-currency, was not without controversy. University officials admitted they were concerned for some of the content, which the criminals had encrypted, as it contained the life work of numerous academics from the campus. Others, however, suggest that every time any individual or organization takes the easy way out and pays the ransom, it encourages the hackers to continue the loathsome practice.

Additionally, those that do pony up are tacitly admitting they are a prime target and may be exposing themselves to further attacks. Another concern is being unable to tell if the decryption keys sent following payment actually removes all criminal malware from the system or if there are still residual bugs waiting to launch at some point in the future.

It is not known how many other institutions and companies have been similarly victimized as few go public as the U of C did. Internet Security company McAfee Labs claims ransomware rakes in an estimated $10 million to $50 million per month. Being computer savvy won't necessarily help you, however, given that Facebook founder Mark Zuckerberg, who one hopes is somewhat cyber-literate, was even hacked, with his ineffective password, "Dadada" spread all over the web.

Job One in Protecting Your Data from Cyber-Pirates

There are a number of ways to minimize the threat of ransomware attack. First and foremost involves the same piece of advice practically all of us are told repeatedly throughout our online lives, namely; BACK UP YOUR DATA!

Sure, it's a pain but making certain you have all your files backed up on a secure device, such as a removable drive, which is not in constant communication with your main hard drive, is the safest way to rescue your computer if it should ever become infected. Be aware that any mapped drives on your system can be compromised by unwanted encryption, including that thumb drive plugged into your CPU. If it's got a letter (i.e. C; drive, H: drive, etc.) it is mapped and vulnerable.

"Layering": The Best Way to Reduce Your Vulnerability

There is no one single action you can perform which will keep you completely safe from cyber-attack but, like protecting yourself from cold temperatures, layering helps. Each security measure you adopt provides a single layer of protection with the resulting multi-layers forming a much stauncher protective wall around your precious data than by using any single method. Here are some layers to consider:

Restoring Faith - Make sure your computer has a working "system restore protocol" with a restore point you are confidant is free of ransomware or other attack. If malware somehow slips by your virus protection software, it is much cheaper and easier to restore a previous session than pay hundreds, or even thousands of dollars, to a criminal organization. It is vital for the backup point to be serialized to avoid being contaminated by invasive programs.

Watch out for attachments that end in ".EXE". - Some email gateway scanners can weed out specific file extensions and the most popular one with online outlaws is PDF.EXE. Windows' default setting is to hide file extensions, so it may be wise to re-enable visibility of these extensions to make malware links more obvious.

Don't assume all non .EXE files are safe. - Unfortunately for innocent users, another strategy used by unscrupulous attackers has been to disguise malicious files as harmless looking installers for various legitimate applications which are routinely distributed by reputable online locations and shared networks. Careful consideration of every download event is the key to safety. Don't download or install any applications from the internet unless you are 100% sure they are trustworthy.

Turn On Your Windows Firewall. - In most cases, Crysis ransomware files are distributed as attachments to spam e-mails, employing double file extensions. Using this simple, yet effective technique, executable files appear as non-executable. Your firewall will give you another layer of protection againjst this form of invasion but only if you TURN IT ON.

Be Suspicious of Files that Run From "AppData" or "LocalAppData" File Folders. - One ransomware bug known as Cryptoblocker is designed to only open in either of those two folders. Creating a rule in Windows or your computer protection software which disallows files which bear instruction to open in either of these folders will provide yet another layer of security.

Disable your CPU's Remote Desktop Protocol (RDP). - The aforementioned Cryptolocker bug often gains access to your system through your computer's RDP program. This is the program which allows somebody in another office, or even a different city, (Pat in the tech support office in Toronto, for example) to take over your computer remotely. Disabling your RDP will block access to that specific viral pathway. You can re-enable it if you have to call Pat for anything.

Install Updates Religiously. - Be certain to download any new updates, also known as "patches" for important software (Windows Updates, antivirus, browser, antimalware) as soon as possible. Updates are created to plug the chinks in your Internet armour which are being discovered on an ongoing basis. Waiting only increases the odds of your system being damaged unnecessarily. This is true for all malware protection, not just ransomware.

Use Both Anti-Virus AND Anti-Malware Software. - Often, the bad guys will send out viral attacks with slightly different coding to try and trick your system, if not with one version, then another. Having both kinds of protection simply adds to the layers of your protection suite. We recommend www.eset.com for NOD32 antivirus and www.safer-networking.org for Spybot Search & Destroy anti-malware.

Too Late - What To Do If the Bug Gets a Foothold

If you accidently click on a link or attachment and get a sudden suspicion it is ransomware, your options, other than paying up like the U of C did, are limited. If you realize the situation immediately, you can reduce the harm by pulling the plug. Litterally, pull the plug. Unplug the power to stop a virus in action. Before you restart, unplug your internet connection and hope the whole file hadn't executed completely as yet. This is the time to try the previously outlined "system restore protocol" and hope the bug isn't a newer version which automatically deletes all your "shadow files" to prevent the restoration process from taking place.

What If It's Already In Like Flynn?

Once the ransomware has been firmly established, all may not be lost. This is because if your site is targeted by older variants of the Win32/Filecoder.Crysis virus, you may still have a good chance of getting your data back without paying a ransom. See www.eset.com website for instructions.

If Unsure, Ask an Expert

Ransomware is becoming more prevalent and more devious all the time. There is little one can do beyond "layering up" other than always being suspicious of all emails that are, in any way, out of the ordinary. Ransomware and other malware programs often arrive in emails. If you get one from the VP of Communication in your company's head office whom you have never heard from before, or perhaps receive instructions to click on a link regarding a shipment you weren't aware was en route, be very cautious. Inspect every link for slight mis-spellings (i.e. www.microsott.com). Constant vigilance is still your best weapon. And if all else fails, give Industrial NetMedia, or your own web service provider a call to see what options you have.

Anything Else We Should Know?

For more ransomware information, check out these trustworthy websites; We Live Security and Computer Weekly.