Ransomware:  PAY UP or you will NEVER see your computer’s data again!

“YOU HAVE THREE DAYS TO PAY THIS RANSOM OR YOU WILL LOSE YOUR FILES FOREVER!”  Ransom.  The very essence of this word causes an adrenaline surge that induces intense bodily reactions.  Your hands begin to shake; your palms are sweating.  Your eyes clench shut in response to the deep throb forming at your temples.  Your heartbeat pounds from deep within your inner ears.  Your chest tightens with each shallow breath you draw in.  It’s emotional and physical warfare, and you are extremely unprepared for this battle!

CryptoLocker is one of the many variations of ransomware circulating in cyber space today (1).  Users usually install this grisly malware themselves by opening a malicious email attachment or clicking a link supplied in a phishing email (1).  Once running, it copies itself into the user’s profile folder (“Documents and Settings” on older versions of Windows) and begins encrypting the user’s files: documents on the local disk, on any mapped network drive or file share, and on attached USB and external hard drives (2).  This is what makes ransomware a systemic problem rather than a single-user one; once one computer on a shared network is infected, every mapped network drive that user can write to is likely to be encrypted as well (1).

Victims of ransomware are presented with a pop-up window dictating the terms of the ransom…AFTER all their files have already been encrypted (3).  Payment is demanded through channels that are hard to trace, such as MoneyPak vouchers or Bitcoin (1).  A countdown timer shows the hours and minutes remaining before the attacker’s copy of the decryption key is destroyed (2).  The files are encrypted with a key unique to each victim, and the private key needed to decrypt them exists only on the criminals’ server, never on the victim’s computer; no anti-virus product or repair tool can recover the files, so short of paying the extortion, the only way to get them back is from a backup the malware could not reach (3).

However, it is important to note that paying does not guarantee you will receive the decryption key; you are dealing with criminals, after all!  In fact, law enforcement officials strongly advise against paying these attackers.  The good news is that a few preventive steps greatly reduce both the chance of infection and the damage an infection can do.  Follow these best practices to beat the crooks at their own game!

  • Enable your firewall and keep your anti-virus, operating system, and other software up to date.  Ransomware usually arrives through malicious attachments and links supplied in phishing emails; however, some cybercriminals push it onto machines that are already infected with other malware, or exploit unpatched security holes, so it can land without you clicking anything (3). 
  • Review the access control settings on your network shares.  Ransomware runs with the permissions of the user who launched it, so it can only encrypt files that user is allowed to modify.  Do not grant yourself or any other user write access to files that should be read-only (3).  Remove access entirely to files you do not need to see; this also keeps malware from reading and stealing them (3). 
  • Do not use an account with administrative privileges for everyday work.  Malware running under an Administrator account is far more destructive than malware running under a standard user account (3).  Reserve the built-in Administrator account for setup and disaster recovery only, and create a separate administrative account for those rare tasks that genuinely need heightened privileges (4).  Each person should have a standard, non-administrator user account for daily tasks such as email, games, social networking and web surfing (4). 
  • DO NOT click on links provided in an email.  Ransomware has been spreading through fake emails designed to mimic legitimate businesses, including spoofed FedEx and UPS tracking notices (1).  Even if a message appears to come from a known source (PayPal, your bank, or your credit card company), never follow a link it supplies.  Type the company’s web address directly into your browser to reach your personal accounts.  
  • Do not open attachments from unknown sources.  Attachments can carry malware that gives an attacker control of your computer and your files.  Delete spam and phishing emails immediately.  NEVER ‘unsubscribe’ from or reply to these types of messages.  
  • Back up your operating system and important files.  Backups limit your loss whether you fall victim to malware or suffer a hardware failure.  Store the backup copies offline in a secure location (3); a backup drive that stays plugged in is just another attached drive to the ransomware and will be encrypted along with everything else. 
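To make the share-permission and non-administrator advice above concrete, here is a PowerShell audit script written for this page (it is an added example, not code from the cited sources or from any University tool).  Run on a Windows file server, it lists every identity whose NTFS permissions on a shared folder allow writing or deleting, flags broad groups such as Everyone or Domain Users, and reports whether the current session itself holds administrative rights.  The list of “broad” groups, the excluded administrative shares and the choice of which permission bits count as write access are assumptions made for the example.

```powershell
# Added example: audit who can write to the SMB shares on this file server.
# Ransomware encrypts only what the infected user can modify, so broad write
# access on a share is exactly what turns one infected PC into a department-
# wide outage.  Requires the SmbShare module (Windows 8 / Server 2012 or later).

# Identities that should almost never hold write access on a share (assumption
# for this example; adjust to your environment).
$BroadGroups = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')

# Permission bits that let a process change, replace or delete file contents.
# Modify and FullControl include these, so they are caught as well.  The two
# generic bits show up in some inherited ACEs and are treated as writes too.
$WriteBits = @(
    [System.Security.AccessControl.FileSystemRights]::WriteData,
    [System.Security.AccessControl.FileSystemRights]::AppendData,
    [System.Security.AccessControl.FileSystemRights]::Delete,
    [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles,
    0x40000000,   # GENERIC_WRITE
    0x10000000    # GENERIC_ALL
)
$WriteMask = 0
foreach ($bit in $WriteBits) { $WriteMask = $WriteMask -bor [int]$bit }

function Get-RiskyShareAccess {
    # Emits one object per (share, identity) pair whose NTFS ACE allows writing.
    # Administrative shares are skipped by default (assumed exclusion list).
    param([string[]]$Exclude = @('ADMIN$', 'C$', 'IPC$'))

    Get-SmbShare | Where-Object { $_.Name -notin $Exclude -and $_.Path } | ForEach-Object {
        $share = $_
        $acl = Get-Acl -Path $share.Path
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if (([int]$ace.FileSystemRights -band $WriteMask) -eq 0) { continue }

            $identity = $ace.IdentityReference.Value
            $isBroad  = ($BroadGroups -contains $identity) -or ($identity -like '*\Domain Users')

            [pscustomobject]@{
                Share    = $share.Name
                Path     = $share.Path
                Identity = $identity
                Rights   = $ace.FileSystemRights
                Broad    = $isBroad
            }
        }
    }
}

function Test-IsAdmin {
    # True when the current process token holds the Administrators role.
    # Under UAC a non-elevated session reports $false even for admin members,
    # which is exactly the state a daily-use session should be in.
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
}

if (Test-IsAdmin) {
    Write-Warning 'This session has administrative rights; use a standard account for daily work.'
}

# Broad grants first, so the worst exposures are at the top of the report.
Get-RiskyShareAccess | Sort-Object -Property Broad, Share -Descending | Format-Table -AutoSize
```

Every row flagged Broad = True is a share where an infected standard user could encrypt everyone’s files; tighten it to read-only for groups that only need to consult the data, or to a specific group for those who must edit it.  Share-level permissions (Get-SmbShareAccess) are applied on top of the NTFS permissions shown here, and the effective right is the more restrictive of the two, so review both.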

Already infected?

  • Immediately disconnect the infected machine from all wired and wireless networks, then consult a security expert about malware removal (1).
  • Once the malware has been removed, change all of your passwords: online accounts, network accounts and system passwords (1).  Do this from a computer you know is clean, not from the machine that was infected.
  • Report ransomware infections to the Information Security and Access Management (ISAM) team at isam@missouri.edu

For more great tips, security news and all the latest alerts, visit http://makeitsafe.missouri.edu/

References:

1.  United States Computer Emergency Readiness Team (US-CERT).  (2013).  CryptoLocker ransomware infections.  Retrieved from http://www.us-cert.gov/ncas/alerts/TA13-309A

2.  Neal, R.  (2013).  CryptoLocker virus: new malware holds computers for ransom, demands $300 within 100 hours and threatens to encrypt hard drive.  Retrieved from http://www.ibtimes.com/cryptolocker-virus-new-malware-holds-computers-ransom-demands-300-within-100-hours-threatens-encrypt

3.  Ducklin, P.  (2013).  CryptoLocker ransomware: see how it works, learn about prevention, cleanup and recovery.  Retrieved from http://nakedsecurity.sophos.com/2013/10/18/CryptoLocker-ransomware-see-how-it-works-learn-about-prevention-cleanup-and-recovery/

4.  Johansson, J.  (2008).  Security watch: why you should disable the Administrator account.  Retrieved from http://technet.microsoft.com/en-us/magazine/2006.01.securitywatch.aspx

Last updated: April 11, 2016