Locky. CryptoLocker. CryptoWall. Many names and variants exist for 2016’s biggest threat to IT security and productivity, but the outcome is extremely predictable. A user clicks a link in an email, opens an infected email attachment, or visits an infected website, and unknowingly invites the ransomware to encrypt files on their machine. If the machine is also networked, the ransomware may attempt to encrypt files on their network locations as well.
Below our technicians share tips and anecdotes from the increasing number of ransomware cases experienced by clients.
Prevention is the Best Medicine
• Unless you plan to pay the ransom to purchase the decryption key, the only ways to restore your files are to restore them from backup or to recreate them. Maintaining a viable backup solution and periodically testing your backups is vital.
• Emails are often the carrier for multiple types of viruses or malware; educate coworkers on what to look for in an email to validate its authenticity. Can you hover over the link and see the web address? Is the file type something you would expect to receive from this person? Are the grammar and wording standard for the sender? Is the sender a familiar contact?
• Develop good web browsing skills. Pay attention to new tabs, extensions, tools and other oddities that are installed in your web browsers. If your default search engine suddenly changes, or a new weather forecasting tool appears, you may have accidentally installed something that could lead to more problems. Avoid clicking on ads or banners that sound too good to be true, sound like a huge waste of time, or claim to offer you exciting rewards, trips, etc.
• If you are logged into a server or utilize a shared network setup, limit recreational web browsing to your local computer whenever possible.
• A spam filter will limit some potentially harmful emails. Spam filters look for file types and keywords in the metadata. Use a spam filtering tool and follow the recommended steps to help train your spam filter settings.
• An antivirus program catches and blocks several types of viruses, malware and PUPs (Potentially Unwanted Programs). Antivirus programs work by checking files that are installing on your machine or contained in attachments against a database of known offenders. If you do not keep your antivirus program updated, new viruses and malware will not be in that database and will not be caught.
What should we do if we suspect ransomware?
• Call ITS. We can help you limit exposure, remove the virus and restore data from backup. Are you curious about what steps we would take? Read below.
• Identify the source; is it limited to one machine? Did it also infect their network share? Ransomware commonly leaves a set of decryption/ransom instructions in the infected directories; search for names such as “how_decrypt.html” or “decrypt_instruction.html”.
• Once found, check Windows Explorer to see which user created the files.
• Contain the bug; usually this entails wiping and reloading the infected machine(s).
• Restore files from backup or recreate files.
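On a large network share, scoping the infection the way the steps above describe (find the ransom notes, then see which user created them) is quicker with a script than with Windows Explorer. The PowerShell below is an added example, not part of the original post; the share path is an assumption, and the note filenames are the two the post mentions.

```powershell
# Added example (not from the original post). Assumes a UNC share path and the two
# ransom-note names cited above; extend $NoteNames with whatever your AV reports.
$SharePath = '\\fileserver\shared'   # assumption: the affected network share
$NoteNames = @('how_decrypt.html', 'decrypt_instruction.html')

# Find every ransom note under the share. -Force includes hidden files;
# errors on folders the scanning account cannot read are skipped rather than fatal.
$notes = Get-ChildItem -Path $SharePath -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $NoteNames -contains $_.Name }

# For each note, record the NTFS owner (normally the account that wrote the file,
# which is the infected user's account) and when it was created.
$findings = foreach ($note in $notes) {
    [pscustomobject]@{
        Directory = $note.DirectoryName
        Owner     = (Get-Acl -LiteralPath $note.FullName).Owner
        Created   = $note.CreationTime
    }
}

# One owner appearing across many directories points at the source machine/user.
$findings | Group-Object Owner | Sort-Object Count -Descending |
    Select-Object Name, Count | Format-Table -AutoSize

# The earliest notes give a start time, which bounds which backup to restore from.
$findings | Sort-Object Created | Select-Object -First 10 | Format-Table -AutoSize
```

Run it from a clean workstation with read access to the share, not from the suspected machine, and disable or isolate the owner account it identifies before restoring.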