The purpose of this article is to educate users on the dangers of Ransomware, or Cryptolocker.
Definition: Ransomeware is malicious software that is delivered usually via emails that look legitimate, and are designed to trick users in to opening attachments or opening links to files in order to encrypt files (making them unreadable) and demanding a fee to have the data de-crypted.
What is CryptoLocker?
CryptoLocker is a ransomware program that was released in the beginning of September 2013 that targets all versions of Windows computers. This ransomware will encrypt files using a strong encryption that is almost impossible to crack. When it has finished encrypting your files, it will display a CryptoLocker payment program that prompts you to send a ransompayment in order to decrypt the files.
If the payment is not made in time, access to all of the files will be lost. The only good way to recover from CryptoLocker is restoring from a backup (if you have one, and hopefully it’s recent).
How do you become infected with CryptoLocker?
This infection is typically spread through emails sent to company email addresses that pretend to from Fedex, UPS, DHS, or even invoices. These emails traditionally contain a zip file that when opened will infect the computer. These zip files contain executables that are disguised as PDF files , office files or any sort of document that can use macros. The infection can also spread and wreak havoc on your network if not stopped. According to Newsweek, in 2015 affected Americans paid about $325 million due to ransomware attacks; in 2016 cyber security analysts estimate it will be much higher.
If these attachments are opened, they will change files files on the network (workstations and servers) to an encrypted version that can only be unlocked with a special key. Without this key, your data is impossible to get to, and must be restored from a backup.
These unlock keys are available for purchase, typically for thousands of dollars. Without a backup, even the FBI says “pay the ransom”
i.t.NOW does its best to ensure data that resides on servers is protected, but we typically do not back up every single workstation we manage. This means if you were to open one of these attachments, the data on your C: drive would be unrecoverable.
Even with backups, downtime is costly. It can take hours to restore from backups, and during that time the entire company is typically at a standstill waiting to regain access to valuable data.
What about protection??
i.t.NOW provides several layers of protection to prevent these types of attacks on your network. Emails are filtered by a spam and virus firewall. Workstations are loaded with the latest OS patches and anti-virus software. However, these attacks are typically referred to as “Zero Hour” attacks. This means that the anti-virus and anti-spam databases of the world don’t yet know about this particular flavor of virus, and can’t flag them as such until they are identified, and virus definitions are created and applied. Additionally, attackers are getting more and more clever at the delivery methods, like embedding viruses into word documents and java scripts.
i.t.NOW is providing this information because some of these messages look so legit, they would trick even the most savvy of users. Have a look at the copies of actual emails below and let us know if you would open the attachment.
Generally, if you’re not expecting an email with an attachment, don’t open it! Especially if it says is from a scanner or e-fax. When in doubt, have someone check it out! We’re happy to help, we’d rather get 1000 calls asking if you should open an email than have to spend hours, or days cleaning up damage caused by ransomware. We’ve had several infections this year and with each one we sure up our defenses. However part of those defenses is you! We want to educate you so that you can be better prepared against this ever changing threat landscape.
Social Engineering attacks- Additionally, we’ve had a couple cases where an attacker will purchase a domain that is very close to your domain- for example, if your domain was acmepartners.com, an attacker may purchase acmepartnars.com and use it to send emails that seem to be from the CEO to the Controller asking for a wire transfer. If you see something like this- pick up the phone and verify! We had a client wire $60,000 to what they thought was their vendor, who at the last minute changed the bank routing number for the payment they were expecting. Closer inspection showed the from address was one letter off on the domain name.
The bottom line is to be cautions when opening email attachments, or requests for large sums of money to be transferred, even from an email that looks legit, it could be a spoof or a domain thats one letter off.
If you see anything suspicious, feel free to forward the email to firstname.lastname@example.org, or you can open a ticket by right-clicking your i.t.NOW icon and selecting “Create Service Ticket”.
Thank you for helping us protect your networks!