Protecting against Ransomware
Australian businesses have recently lost hundreds of thousands or even millions of dollars to the unbreakable Cryptolocker virus. Most people have heard the name, but few really understand what it is and the damage it can wreak on their computers.
What is cryptolocker?
Cryptolocker is a type of malware called ransomware. Malware is any malicious software that seeks to harm your system or data, whether by theft or by destruction; the name itself is simply a contraction of "malicious software".
Ransomware is a type of malware that uses a strong encryption program to encrypt certain files on your computer. It then demands payment to have your data decrypted; in other words, it holds your files to ransom, hence the name ransomware (we IT guys are so inventive with names). Once located, the ransomware itself is relatively easy to remove from the system; however, no one has yet figured out a way to decrypt the data.
What are my options if I’m attacked?
You basically have three options:
- Pay the ransom – As the term suggests, you pay whatever price is demanded and hope that the files are decrypted. There are many reports of the ransom being paid and the files being left encrypted. However, if you do not have any unaffected backups of the files, the only way to recover them is to pay the ransom and keep your fingers crossed.
- Accept the loss – Sometimes the files are not that valuable and you can afford to lose them. In this case, have an IT company sweep through your system, purge any remnants of Cryptolocker, and start rebuilding the data.
- Restore from secure backup – Cryptolocker and other ransomware are able to go through most drives on a network, even past some types of encryption and security, in order to encrypt as much data as possible. However, if you catch it early enough it may not have spread to your local backup drive/s, or to the secure offsite server of a backup service if you have hired one to hold your important files. You can remove the ransomware as in the option above and then restore from your unaffected backups.
How does my computer get attacked?
Cryptolocker and other ransomware are usually delivered via a Trojan horse, or Trojan, which is any malware that misrepresents itself as a useful or harmless download, often attached to an email. The Trojan itself does not do anything to infect the system; it simply opens the door so that more insidious malware can get in. In the case of the Cryptolocker virus, it often tries to disguise itself as a PDF file attached to an email.
Once the payload is installed, it adds a key to the registry so that it runs on start-up. Next, the program contacts one of its servers and generates a pair of encryption keys before it gets to work encrypting data. It begins on the local system, then moves across all mapped network drives (that is, any other drives on the network that the initial computer can access). From the network drive it spreads to other systems that can access that drive, and so on throughout the entire network.
The Cryptolocker virus and similar ransomware do not encrypt every file, as the encryption process takes some time. Instead it seeks out certain file types such as Microsoft Office files and other document files, as well as graphics and CAD files such as AutoCAD drawings, and any images on the drive. Then, when you attempt to open one of those files, the ransom demand message is displayed (see example to the right).
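The behaviour described above (a burst of rewrites to document, image and CAD files that starts on the local disk and moves onto mapped drives) is what a defender can watch for. The following is an added example, not code from the original article: it runs a simple sliding-window detection over constructed file-write records in an assumed "timestamp, host, path" format, as a file-integrity or endpoint agent might emit them, and flags any host whose targeted-file writes exceed a threshold, listing the drives involved.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# File types the article says Cryptolocker goes after: Office/documents, images, CAD.
TARGETED_EXT = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf",
                ".jpg", ".png", ".dwg"}
WINDOW_SECONDS = 60    # look-back window for counting writes
WRITE_THRESHOLD = 20   # this many targeted-file writes in one window is abnormal

def parse_event(line):
    """Parse an assumed 'ISO-timestamp<TAB>host<TAB>path' record (drive-letter paths)."""
    ts, host, path = line.rstrip("\n").split("\t")
    ext = ("." + path.rsplit(".", 1)[-1].lower()) if "." in path else ""
    return datetime.fromisoformat(ts), host, path[:2].upper(), ext

def detect_mass_encryption(lines, window=WINDOW_SECONDS, threshold=WRITE_THRESHOLD):
    """Return {host: (peak_count, drives)} for hosts that rewrite at least
    `threshold` targeted files within any `window`-second span. `drives` lists
    the drive letters touched, so spread onto a mapped drive (Z:) is visible."""
    per_host = defaultdict(list)
    for line in lines:
        ts, host, drive, ext = parse_event(line)
        if ext in TARGETED_EXT:
            per_host[host].append((ts, drive))
    alerts = {}
    for host, events in per_host.items():
        events.sort()
        recent = deque()
        for ts, drive in events:
            recent.append((ts, drive))
            while (ts - recent[0][0]).total_seconds() > window:
                recent.popleft()
            if len(recent) >= threshold and len(recent) > alerts.get(host, (0,))[0]:
                alerts[host] = (len(recent), sorted({d for _, d in recent}))
    return alerts

def constructed_events():
    """Constructed sample log: WS01 rewrites 30 documents across C: and the
    mapped Z: drive in 30 seconds; WS02 saves three files over five minutes."""
    base = datetime(2014, 3, 10, 9, 0, 0)
    exts = [".docx", ".xlsx", ".jpg", ".dwg"]
    lines = [f"{(base + timedelta(seconds=i)).isoformat()}\tWS01\t"
             f"{'C:' if i < 15 else 'Z:'}\\Docs\\file{i}{exts[i % 4]}"
             for i in range(30)]
    lines += [f"{(base + timedelta(minutes=2 * i)).isoformat()}\tWS02\t"
              f"C:\\Users\\bob\\notes{i}.docx" for i in range(3)]
    return lines

if __name__ == "__main__":
    for host, (count, drives) in detect_mass_encryption(constructed_events()).items():
        print(f"ALERT {host}: {count} targeted-file writes in {WINDOW_SECONDS}s across {drives}")
```

A real deployment would tune the window and threshold against normal save rates and pair the alert with an automatic unmapping of network drives on the flagged host, which limits the spread the article describes.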
How can I protect my computer from malware?
There are two layers of defence that all businesses should have. The first is a powerful anti-virus software package combined with well-managed IT services capable of detecting the threat. The second is a secure data backup, so that even if the worst occurs you will be able to restore your files and never have to pay an extortionate ransom.