Recently we’ve seen many variants of ransomware, and some clients have been infected by it. In this year alone, 15 new pieces have already been observed in Q1 2016, which is already 50% of what was found in the entire year of 2015.
Ransomware threats such as “CryptoLocker” or “CryptoWall” are becoming more prevalent in enterprises. The cryptoware gets onto your computer via a spam email with a bogus attachment, such as an invoice or fax. Opening the attachment infects your computer. Files such as Microsoft Office documents (Word, Excel, etc.), PDFs, databases and pictures are locked with strong encryption. The malware then reaches the network shared folders your computer can access and encrypts the same types of files there.
The purpose of these threats is quite simple; they are attempting to extort money from their victims with promises of restoring encrypted data.
We have seen a sharp rise in requests from customers about ransomware, and it is important to understand these risks, what to do, what not to do, and how best to avoid becoming a victim.
My data’s been encrypted by Ransomware, what now?
- Do not pay the ransom!
- Paying the ransom may seem like a realistic response, but it is only encouraging and funding these attackers. Even if the ransom were paid, what guarantees do you have that you will actually regain access to your files? Remember that these are the same aggressors that are holding your files hostage in the first place. Paying the ransom can actually increase the likelihood that you will be directly targeted for additional extortion attempts.
- Remove the impacted system from the network and remove the threat.
- With a multitude of variants it is unrealistic to list the exact steps, but most security vendors have detailed write-ups for these threats that include removal instructions. Removal is best done with the system off the network to prevent any potential spread of the threat.
- Restore any impacted files from a known good backup. Restoration of your files from a backup is the fastest way to regain access to your data.
Can I regain access to my files without paying the ransom or restoring from backup?
- The answer is most likely no. Some earlier variants simply hid the ransomed files, left copies of the original files in the Volume Shadow Copy service, or left copies of the private encryption keys on disk or in memory. It is certainly worth researching the details of the variant you encountered to see whether any such option applies to you, but in the majority of cases these options no longer exist, because the threat writers have updated their methods using the funds from earlier rounds of extortion.
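One concrete check worth making before giving up on the "earlier variant" case above is whether Volume Shadow Copies of the affected volume are still present; if they are, the pre-infection versions of a folder can be copied straight out of the newest copy. The script below is an added example written for this post, not part of the original article or any vendor tool. It assumes an elevated PowerShell prompt on the isolated machine, and the volume, folder and destination paths are placeholders to be changed.

```powershell
# Added example (not from the original post): check whether Volume Shadow
# Copies survived on an infected Windows host and copy one folder back out.
# Run from an elevated PowerShell prompt on the machine after it has been
# taken off the network. Assumed placeholder paths: change them to your own.

$Volume         = 'C:'
$SourceRelative = 'Users\Public\Documents'   # folder inside the volume (placeholder)
$Restore        = 'D:\Recovered'             # destination on a clean drive (placeholder)

# 1. Enumerate shadow copies for the volume, newest first.
#    Win32_Volume.DeviceID and Win32_ShadowCopy.VolumeName both carry the
#    \\?\Volume{GUID}\ form, so they can be matched directly.
$vol    = Get-CimInstance -ClassName Win32_Volume | Where-Object { $_.DriveLetter -eq $Volume }
$copies = Get-CimInstance -ClassName Win32_ShadowCopy |
          Where-Object { $_.VolumeName -eq $vol.DeviceID } |
          Sort-Object InstallDate -Descending

if (-not $copies) {
    Write-Warning "No shadow copies found for $Volume; this variant most likely removed them."
    return
}

$copies | Format-Table InstallDate, DeviceObject -AutoSize

# 2. Expose the newest copy through a directory symbolic link.
#    The trailing backslash on the device path is required by mklink.
$newest = $copies[0]
$link   = Join-Path $env:TEMP 'shadow'
if (Test-Path $link) { cmd /c rmdir "$link" | Out-Null }
cmd /c mklink /d "$link" "$($newest.DeviceObject)\" | Out-Null

# 3. Copy the pre-infection folder out to the restore location.
$src = Join-Path $link $SourceRelative
if (Test-Path $src) {
    New-Item -ItemType Directory -Path $Restore -Force | Out-Null
    Copy-Item -Path $src -Destination $Restore -Recurse -Force
    Write-Host "Restored '$SourceRelative' from shadow copy taken $($newest.InstallDate)"
} else {
    Write-Warning "Folder '$SourceRelative' is not present in the newest shadow copy."
}

# 4. Remove only the link; the shadow copy itself is left untouched.
cmd /c rmdir "$link" | Out-Null
```

Because the link is read-only from the point of view of the shadow copy, nothing in the copy is modified, and the same approach works for an older copy by picking a different element of `$copies`. If the enumeration returns nothing, the variant has already deleted the shadow copies and the only remaining path is a known good backup, as the article says.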
Can I “Brute-Force” my way into my encrypted files?
- No. The current threats use RSA with a 2048-bit key, and brute-forcing such a key is simply not feasible today.
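To put a number on that, here is an added rough calculation (not from the original post) using the standard heuristic cost of the best known factoring method, the general number field sieve, rather than naive guessing. The private key is recovered by factoring the 2048-bit modulus $n$, and the sieve's heuristic running time is

$$
L_n\!\left[\tfrac{1}{3}, c\right] = \exp\!\left( c \,(\ln n)^{1/3} (\ln \ln n)^{2/3} \right), \qquad c = \left(\tfrac{64}{9}\right)^{1/3} \approx 1.923 .
$$

For $n \approx 2^{2048}$:

$$
\ln n = 2048 \ln 2 \approx 1419.6, \qquad (\ln n)^{1/3} \approx 11.24, \qquad \ln \ln n \approx 7.26, \qquad (\ln \ln n)^{2/3} \approx 3.75,
$$

$$
L_n \approx \exp(1.923 \times 11.24 \times 3.75) \approx \exp(81) \approx 2^{117} \text{ operations}.
$$

Even at $10^{18}$ operations per second, that is roughly $2^{117} / 10^{18} \approx 1.7 \times 10^{17}$ seconds, on the order of $5 \times 10^{9}$ years. The estimate is heuristic (NIST rates RSA-2048 at about 112 bits of security), but the conclusion is the same: recovering the key by computation is out of reach, which is why restoring from backup is the realistic option.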
What can I do to protect myself from Ransomware?
- Install, configure and maintain up-to-date antivirus software with the latest definitions and updates.
- Do not click on any attachments unless you are expecting that attachment.
- Do not click on links in email. Be careful about visiting websites, clicking on links, or downloading programs or files.
Should you have further questions, or experience this issue yourself, feel free to contact us at: 818-501-2281 for assistance.
– Jamshid Javidi, President of CEO Computers