Ransomware – What you need to know

Ransomware Warning Signs

So what is ransomware? It is when your computer gets compromised by a malicious piece of software that finds your files and encrypts them in a way that makes recovering your data almost impossible. Why “almost impossible” you ask? Well, you could pay the ransom (typically $100-500) and you’ll actually get a key to unlock your drive. You could back up all your data on a regular basis, wipe the hard drive clean, then restore your data. Finally, you could try Shadow Copies of your data (if running a newer version of Windows), although this is less likely to be of use. I also want to take a moment to note that Macs are also vulnerable to the newer versions (Cryptowall 3.0), because they can detect 64-bit OS’s and encrypt their drives too.

So let’s talk about the steps you can take as a home user (and later we’ll add some information if you are a business or corporate level user) to protect yourself.

  • BACK UP YOUR DATA REGULARLY. So if that wasn’t clear enough as the #1 tip, let me restate it: BACK UP YOUR DATA REGULARLY. What does regularly mean? Well, if you can’t lose one day of data, then back it up every day. If you could withstand a few days of data missing, then back it up every few days or once a week.
  • Filter the extension “.exe” from your email. What this means is that if someone sends you a file disguised as something else but it is actually a harmful executable, your email will automatically reject or discard it.
  • Disable files from running from the APPDATA/LOCAL folders (which may be hidden; you’d have to choose to show hidden files and folders on your system). If you don’t know how to do that, Third Tier made this awesome tool just for you and it does the work automatically.
  • If you don’t use RDP (and many businesses do), disable this feature. This is one of the methods by which this virus spreads.
  • Make sure you’re keeping your Windows updates and AV updates current. Nothing screams “infect me” like a system where the user keeps clicking “remind me later”.
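As an added example (not from the original post and not the Third Tier tool), here is a read-only PowerShell audit that checks a single Windows machine against the list above: backup freshness, the AppData execution block, RDP, and patch/AV currency. The registry locations for Software Restriction Policies and Remote Desktop, and the backup folder D:\Backups, are assumptions you should verify on your own build.

```powershell
# Added example, not part of the original post. Read-only: it changes nothing.
# Assumed registry layout: SRP "Disallowed" path rules live under the level-0 key;
# Remote Desktop is refused when fDenyTSConnections = 1.

function Test-AppDataExecutionBlocked {
    $paths = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths'
    if (-not (Test-Path $paths)) { return $false }
    # Read ItemData unexpanded so '%AppData%' is compared literally, not as C:\Users\...
    $rules = Get-ChildItem $paths | ForEach-Object {
        $_.GetValue('ItemData', $null, [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
    }
    foreach ($wanted in @('%AppData%\*.exe', '%LocalAppData%\*.exe')) {
        if ($rules -notcontains $wanted) { return $false }
    }
    return $true
}

function Test-RdpDisabled {
    $ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -ErrorAction SilentlyContinue
    return ($ts.fDenyTSConnections -eq 1)
}

function Test-BackupFresh {
    param([string]$BackupRoot, [int]$MaxDaysOld = 7)
    # "Regularly" means the newest file in the backup location is inside your loss window
    if (-not (Test-Path $BackupRoot)) { return $false }
    $newest = Get-ChildItem $BackupRoot -Recurse -File -ErrorAction SilentlyContinue |
              Sort-Object LastWriteTime -Descending | Select-Object -First 1
    return [bool]($newest -and ((Get-Date) - $newest.LastWriteTime).TotalDays -le $MaxDaysOld)
}

function Test-UpdatesCurrent {
    param([int]$MaxPatchDays = 30, [int]$MaxSignatureDays = 7)
    $latest = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
    $patchOk = [bool]($latest -and ((Get-Date) - $latest.InstalledOn).TotalDays -le $MaxPatchDays)
    $avOk = $false   # only checked for Windows Defender; other AV products need their own query
    if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
        $sig = (Get-MpComputerStatus).AntivirusSignatureLastUpdated
        $avOk = [bool]($sig -and ((Get-Date) - $sig).TotalDays -le $MaxSignatureDays)
    }
    [pscustomobject]@{ PatchesCurrent = $patchOk; AVSignaturesCurrent = $avOk }
}

function Get-RansomwareReadiness {
    param([string]$BackupRoot = 'D:\Backups')   # assumed location; point it at your own backups
    $upd = Test-UpdatesCurrent
    [pscustomobject]@{
        BackupFresh         = Test-BackupFresh -BackupRoot $BackupRoot
        AppDataExecBlocked  = Test-AppDataExecutionBlocked
        RdpDisabled         = Test-RdpDisabled
        PatchesCurrent      = $upd.PatchesCurrent
        AVSignaturesCurrent = $upd.AVSignaturesCurrent
    }
}

Get-RansomwareReadiness | Format-List
```

Any line that comes back False is a checklist item still open on that machine; the email .exe filter is enforced at the mail server, so it is not covered here.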

Some other items of note: If you get infected by the Cryptolocker ransomware, you might be able to decrypt using this tool or this one, depending on the version that attacked you. Let me also point out that if you have mapped drives (you go to Computer and see a bunch of drive letters with network drives attached), these pieces of ransomware can encrypt those too. So if you’re at work and your coworker opens something they shouldn’t and gets their machine encrypted, time is of the essence to get that machine completely disconnected from the network. Within 10-60 minutes, all mapped drives (company drives) could be affected, effectively shutting you down.

For business networks (and even the tech savvy home user) there is some advanced trickery you can try. It’s no guarantee it will stop these ransomware thugs from getting to you, but it has worked in the past. Much of the new code doesn’t execute itself until it checks whether it’s on a virtual machine or a real machine. If it’s on a virtual machine, the software shuts itself down and deletes itself. Why? Because your data isn’t stored in a virtual machine, so there is nothing for it to encrypt, and if it installs itself there anyway, it runs the risk of being discovered and defeated. Cisco writes a nice post about it here that is well worth the read. They talk about adding code to your physical servers to trick the ransomware into believing it is on a virtual machine, so it doesn’t attack at all. Very sneaky, and well worth inserting the code. It won’t hurt, and could very well be the difference between becoming encrypted or not.
