by a Thinker, Sailor, Blogger, Irreverent Guy from Madras

Protect against Cryptolocker malware spotted in Chennai


It is more than 9 months since the Cryptolocker malware was unleashed by the cyber crooks, and the ransomware has been modified into variants under slightly different names like Cryptobit, Cryptowall and Cryptodefense.

Though there were cases of infection reported around the world, with the most famous incident (to me) being the ransom paid by a police department in Swansea, Massachusetts, I had never come across an actual Cryptolocker ransomware attack till now.

The incidents I had heard of were third- or fourth-hand word-of-mouth types.  A friend would snicker that a friend of his friend reported that his cousin’s workplace system was infected with Cryptolocker ransomware, so her chances of a pay raise this time around are zilch.

All that changed last weekend.  A neighbour frantically called to ask what to do, as his workstation displayed the dreaded screen asking for $500 to be paid within 3 days.  I told him that nothing could be done to retrieve the encrypted files.

I was surprised, as the firm he works for can at best be termed a small scale industry (if not a micro one), with a low profile.  Probably the couple of export orders a month they fulfil made them a target.

A Cryptolocker attack can only be protected against, and recovery measures have to be in place ‘ahead’ of an infection.  Though an infection can be cleaned, the encrypted files cannot be retrieved.

With that in mind, here are my two cents’ worth of advice for small setups like the affected one.  Though all 10 are important, the last 3 points are a must-do.
  1. Keep Windows (& other software) updated;
  2. Use a good (even if free) Internet Security Suite, and keep it updated;
  3. Restrict internet access - the most frequently forgotten advice;
  4. Disable Remote Desktop Protocol (RDP) - in such small setups, 99% of workstations, 99% of the time, do not need remote access. If you do not know how, Google ‘disable remote desktop’;
  5. Turn off ‘Hide extensions for known files’ in Folder Options, so that there is a chance you will notice a file with a double extension, get suspicious, not run the file, and call me, instead of calling me after running the file.  Cryptolocker usually arrives with the file extension ‘.PDF.EXE’;
  6. Modify Windows settings through Group Policy Editor as per the Cryptolocker Prevention Kit from thirdtier. [http://www.thirdtier.net/downloads/CryptolockerPreventionKit.zip]
  7. Since poking around in Group Policy Editor is not easy, use the alternative, CryptoPrevent from FoolishIT;
  8. Both the Prevention Kit and CryptoPrevent protect only against ‘current’ strains.  Though both are constantly updated, they do NOT guarantee protection;
  9. Cryptolocker encrypts online back-ups too.  So it is essential that backups of data files are made once (or even twice) a day to an offline backup device - say an external HDD;
  10. Set up an hourly (or bi-hourly) backup, even if only to other PCs on the LAN, and an end-of-day backup to an external HDD which is taken away.  If the end-of-day backup tends to be forgotten, make it a noon-time backup that runs while you have your lunch.  Take out the external HDD with your lunch box and pack it up once you finish the lunch.
If you follow this advice, and also -
  • are careful about running EXE files;
  • do not click on email attachments, especially from unknown sources;
  • hover over clickable links to ‘read’ what the URL says;
you can be reasonably secure from this and many more malware infections.
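As an added example (my own script, not part of the original post or of either prevention tool), here is a PowerShell script that applies points 4, 5 and 10 above on one Windows workstation. The data folder D:\Data, the LAN share \\NAS\Backups\PC1 and the external HDD drive letter E: are assumptions; change them to suit.

```powershell
# Added example, not part of the original post: applies points 4, 5 and 10 from
# the list above on one Windows workstation. Run from an elevated PowerShell.
# Constructed assumptions: data lives in D:\Data, the LAN copy goes to the share
# \\NAS\Backups\PC1, and the external HDD mounts as E:\ (paths without spaces).
$ErrorActionPreference = 'Stop'

# Point 4: disable Remote Desktop. fDenyTSConnections = 1 means "deny", and the
# firewall rule group is switched off so RDP stays closed even if re-enabled.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
    -Name 'fDenyTSConnections' -Value 1 -Type DWord
netsh advfirewall firewall set rule group="remote desktop" new enable=No

# Point 5: show extensions for known file types (HideFileExt = 0) so that
# "invoice.pdf.exe" is displayed with its real .exe ending. This is a per-user
# setting and takes effect after Explorer restarts or the user logs on again.
Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' `
    -Name 'HideFileExt' -Value 0 -Type DWord

# Point 10: hourly mirror to the LAN share, plus a noon-time copy to the external
# HDD that is then unplugged. The noon copy goes into a date-stamped folder, so
# a copy taken after files were already encrypted does not overwrite yesterday's
# good one (the LAN mirror offers no such protection; it is convenience only).
New-Item -ItemType Directory -Path 'C:\BackupLogs' -Force | Out-Null
$noonScript = @'
$dest = 'E:\Backups\PC1\' + (Get-Date -Format 'yyyy-MM-dd')
if (-not (Test-Path 'E:\')) { "$(Get-Date) external HDD not plugged in" | Out-File C:\BackupLogs\hdd.log -Append; exit 1 }
robocopy D:\Data $dest /E /XJ /R:1 /W:5 /NP /LOG+:C:\BackupLogs\hdd.log
'@
Set-Content -Path 'C:\BackupLogs\noon-backup.ps1' -Value $noonScript

$hourlyCmd = 'robocopy D:\Data \\NAS\Backups\PC1 /MIR /XJ /R:1 /W:5 /NP /LOG+:C:\BackupLogs\lan.log'
$noonCmd   = 'powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\BackupLogs\noon-backup.ps1'

# schtasks.exe exists on every Windows version a small office is likely to run;
# /RU SYSTEM makes the tasks run whether or not anyone is logged on.
schtasks.exe /Create /F /SC HOURLY /TN 'Backup-LAN-Hourly' /TR $hourlyCmd /RU SYSTEM
schtasks.exe /Create /F /SC DAILY /ST 12:00 /TN 'Backup-HDD-Noon' /TR $noonCmd /RU SYSTEM
```

Check C:\BackupLogs\hdd.log after lunch: a "not plugged in" line means the noon copy was skipped, and a date-stamped folder on E:\ that is missing for today means the same.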

Here is a screenshot of CryptoPrevent from FoolishIT, which (as of version 4.4.1) now protects against the latest (May 2014) variants that use SYSKEY.EXE to infect PCs.

[Screenshot: CryptoPrevent 4.4.1]



