The growing ransomware threat is infecting many personal and corporate computing devices around the world. This may sound like science fiction but unfortunately, these attacks are very real. This notice is intended to alert you to this threat if you are not already aware, and to advise you of what you can do to protect your digital assets.
What is Ransomware?
Ransomware runs on your local computers and encrypts files, rendering them unusable, and then demands a ransom to decrypt them. Your system can become infected via email links, popup ads, websites, and other methods reported on a regular basis. Ransomware can potentially encrypt every document file it can access, including those on network volumes and shared folders that are stored on managed servers. Because of this, there is the potential for considerable impact from even a single end-user infection. The only way to recover from an attack without having to pay a ransom is to restore your documents from a backup made before the infection.
The seriousness of these threats cannot be overstated. Recently, the University of Calgary paid $20,000 to recover data in a ransomware attack. The FBI often recommends companies simply pay the ransom; however, cybersecurity professionals generally advise otherwise. Complying with ransomware criminals just opens the door to future attacks.
For these reasons WatServ recommends taking the following measures to protect your documents:
- In addition to implementing standard backups, we can activate Shadow Copies of your file shares that are stored externally. This provides extra backup protection for your at-risk shares for the same duration as your contracted backups.
- Educate employees about the risks of ransomware attacks and the preventative measures against them.
- Ensure that all servers that share files are running up-to-date Antivirus software that will prevent viruses from spreading from end-user systems to other systems
There are many things you can do on your systems to ensure you do not have to pay a ransom to retrieve your critical business data:
1. Consider implementing strict Group Policy Rules
There are Active Directory Group Policy rules that can minimize the likelihood of an attack (additional information can be found here). There are also products available that can assist in this area. A good listing can be found here.
WatServ is in the process of implementing such changes on any Active Directory services that we provide.
2. Back up your data
The single biggest thing that will defeat ransomware is having frequent, verified backups with a retention period certainly longer than a day or two. Ransomware will also encrypt files on drives that are mapped. This includes any external drives such as a USB thumb drive, as well as any network shares or cloud file stores that you have assigned a drive letter. So, what you need is a regular backup routine to an external drive or backup service, one that is not assigned a drive letter or is disconnected when it is not performing a backup.
3. Do not map shares with a drive letter
Instead of mapping drives to a letter like S: or D:, save a shortcut to the share's UNC path, for example \\server\sharename
4. Show hidden file extensions
Viruses frequently arrive in a file that is named with an extension such as “.PDF.EXE”, counting on Windows’ default behavior of hiding known file extensions. If you enable the display of full file extensions, it becomes easier to spot suspicious files.
5. Filter file extensions from email
Use an email gateway mail scanner which has the ability to filter files by extension and deny emails sent with “.EXE” files and password protected ZIP or RAR files.
6. Always check who the email sender is
If the email is supposedly coming from a bank, verify with your bank that the message is legitimate. If the email came from a personal contact, confirm that your contact sent the message. Do not rely solely on trust by virtue of relationship, as your friend or family member may be a victim of a ransomware attack as well. It is not uncommon for an attack to also email the victim’s contacts.
7. Double-check the content of the message
Look for factual errors or discrepancies that you can spot. For example, if your bank or a friend claims that they have received something from you, check your recently sent items to verify their claim. Such spammed messages can also use other social engineering lures to persuade users to open the message.
8. Refrain from clicking links in email
In general, clicking on links in email should be avoided. It is safer to visit any site mentioned within an email directly. If you have to click on a link in an email, make sure your browser uses web reputation to check the link – or use free services such as Trend Micro Site Safety Center.
9. Disable files running from AppData/LocalAppData folders on your computer
Create rules within Windows or with intrusion prevention software that block executables from running out of the AppData or LocalAppData folders, a notable behavior characteristic of ransomware.
10. Use the Cryptolocker Prevention Kit
The Cryptolocker Prevention Kit is a tool created by Third Tier that automates the process of making a Group Policy to disable files running from the App Data and Local App Data folders, as well as disabling executable files from running from the Temp directory of various unzipping utilities.
11. Disable RDP
The Cryptolocker/Filecoder malware often accesses target machines using Remote Desktop Protocol (RDP). If you do not require the use of RDP, disable RDP to protect your machine from RDP exploits.
12. Routinely Patch or Update your Antivirus software and Operating System
Malware authors frequently rely on people running outdated software with known vulnerabilities, which they can exploit to silently get onto your system. Making a practice of updating your software often can significantly decrease the potential for ransomware-related pain.
13. Use a reputable security suite
Install both anti-malware software and a software firewall to help you identify threats or suspicious behavior.
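As an added example (not part of the WatServ notice), the following read-only PowerShell script audits a Windows workstation against steps 3, 4, 9/10 and 11 above. It assumes Windows 8 / Server 2012 or later (for Get-SmbMapping and Get-NetFirewallRule) and reads the Software Restriction Policy “Disallowed” path list from the registry; the function names are our own.

```powershell
# Added example, not part of the WatServ notice. Read-only audit of the workstation
# settings recommended in steps 3, 4, 9/10 and 11. Nothing below changes configuration.
# Assumes Windows 8 / Server 2012 or later (Get-SmbMapping, Get-NetFirewallRule).

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Return $null instead of throwing when the key or value does not exist
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Test-RansomwareHardening {
    $results = @()

    # Step 4: HideFileExt = 0 makes "invoice.pdf.exe" show its real extension in Explorer
    $hideExt = Get-RegValue 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' 'HideFileExt'
    $results += [pscustomobject]@{ Check = 'File extensions visible'; Pass = ($hideExt -eq 0); Detail = "HideFileExt=$hideExt" }

    # Step 3: shares mapped to a drive letter are reachable by anything that walks the drive list
    $mapped = @(Get-SmbMapping -ErrorAction SilentlyContinue | Where-Object { $_.LocalPath })
    $results += [pscustomobject]@{ Check = 'No drive-letter share mappings'; Pass = ($mapped.Count -eq 0)
                                   Detail = (($mapped | ForEach-Object { "$($_.LocalPath) -> $($_.RemotePath)" }) -join '; ') }

    # Steps 9/10: Software Restriction Policy "Disallowed" (level 0) path rules, the mechanism the
    # Cryptolocker Prevention Kit configures via Group Policy, should cover AppData and Temp
    $srpPaths = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths'
    $rules = @()
    if (Test-Path $srpPaths) {
        $rules = @(Get-ChildItem $srpPaths | ForEach-Object { (Get-ItemProperty $_.PSPath).ItemData })
    }
    $covered = @($rules | Where-Object { $_ -match 'AppData|Temp' })
    $results += [pscustomobject]@{ Check = 'SRP blocks AppData/Temp executables'; Pass = ($covered.Count -gt 0)
                                   Detail = ($covered -join '; ') }

    # Step 11: fDenyTSConnections = 1 disables RDP; also confirm no enabled "Remote Desktop" firewall rules
    $denyTs = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' 'fDenyTSConnections'
    $rdpFw = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
               Where-Object { $_.Enabled -eq 'True' })
    $results += [pscustomobject]@{ Check = 'RDP disabled'; Pass = ($denyTs -eq 1 -and $rdpFw.Count -eq 0)
                                   Detail = "fDenyTSConnections=$denyTs; enabled RDP firewall rules=$($rdpFw.Count)" }

    return $results
}

Test-RansomwareHardening | Format-Table Check, Pass, Detail -AutoSize
```

Run it from an elevated PowerShell prompt so the HKLM policy keys are readable; a Fail row points at the step above that still needs to be applied.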
IF A DEVICE HAS BEEN INFECTED
1. Disconnect from WiFi or unplug from the network immediately
If you run a file that you suspect may be ransomware, but you have not yet seen the characteristic ransomware screen/message, quickly disconnecting from the network might stop communication before it finishes encrypting your files.
2. Use System Restore to get back to a known-clean state
Enable System Restore on your Windows machine, as you might be able to take your system back to a known-clean state.
3. It’s not too late – 3 tools that may help
There are two types of ransomware: Lock Screen, which prevents users from accessing the computer, and Crypto (File Encryption), which encrypts files to prevent users from accessing them.
1) Download the free Trend Micro™ Ransomware Screen Unlocker Tool to remove Lock Screen ransomware.
2) Download our free Decrypt Tool to attempt to retrieve files encrypted by Crypto ransomware.
3) Or manually restore encrypted files after a Crypto ransomware infection.
4. If you have to pay … set the BIOS clock back
Most Ransomware has a payment timer that is generally set to 72 hours, after which time the price for your decryption key goes up significantly. You can “beat the clock” somewhat, by setting the BIOS clock back to a time before the 72-hour window is up. We give this advice reluctantly, as all it can do is keep you from having to pay the higher price, and we strongly advise that you do not pay the ransom. Paying the criminals may get your data back, but there have been plenty of cases where the decryption key never arrived or where it failed to properly decrypt the files.
More detailed information regarding Ransomware can be found here: