By Patrick Devlin, Regional Director, Australia and New Zealand for Watchguard Technologies.
What is it?
Ransomware has been around for a while but it’s really taking off at the moment. It’s a program that looks for files and then encrypts them. Data is not removed or stolen but you can’t touch it until you pay a ransom fee to get an unlock code. There’s often a timebomb countdown attached to make you pay faster, when the timer stops, your data is gone. A variant call Cryptolocker is very common right now, with millions of new infections in the past few months.
How did I get it?
There are a few ways this one might hit you. Most common is as an email attachment. You may also be infected by unknowingly being part of a botnet, or hackers reached your servers from the internet via Remote Desktop (RDP) password guessing, an RDP vulnerability or some other method.
What to look for?
Ransomware is easy to spot because it wants to be found. A pop-up message often with an official-looking AFP or FBI logo will pop up and give you payment instructions and may start an ominous count down. For advanced users, the warning sign can be very high CPU and disk usage when nothing should be happening. It takes a lot of grunt to do all that searching and encrypting!
How do I prevent it?
The best way to stay safe is be cautious. Don’t open anything you are not sure about and run regular scans on your system with up-to-date security software. As a golden rule, if you are not sure, don’t open it! Never open an attachment that ends in “.exe” unless you really know what you are doing! Turn off the default Windows setting ‘Hide extensions for known file types’, as it hides the “.exe” extension, which means you might open up an executable file without even realising it. Having a network security system is better still. A smart firewall can block this type of thing before it ever gets to your desktop.
Too late, how do I recover?
Okay… you’ve been hit. If it’s Cryptolocker, I have bad news. The encryption these guys use is very good. The first thing to do is get your system disconnected. Cryptolocker will lock up anything it can find and that includes network file shares. If you have a backup, then get a professional to remove the infection and restore your old data.
But what if you have no backup? If your data really is critical you might just end up having to pay the ransom. In many cases, you will get your data back but it’s a big gamble. Criminal hackers are not known for their ethics or customer service!
Getting hit once is bad. We’ve been contacted by folks who have been hit several times, and that’s just awful. The take home message is this: get some protection in place, backup your data and be careful what you open, even if it is coming from an email address you trust!