There's a new, very serious, and worrisome threat that can affect any Windows user. Even if you're a Mac or Linux user, keep reading because you inevitably know someone with a Windows PC. Even if you don't know any Windows users, it's only a matter of time before a special version of this threat is made just for you.
Before I describe the ransomware and its very serious threat, let me stress that prevention is the best defense. Do not assume that you are safe just because you have anti-virus or anti-malware software installed.
Follow these recommendations
1. Avoid being tricked by phishing email.
Do NOT click links in email or open attached applications. If you get an email that looks reasonable and has a link, do not click it unless you are certain about where that link is going to take you. Typically you can mouse over a link (without clicking it) and you will be able to see where it's going to take you. Most browsers show this at the bottom left of the browser window.
2. Avoid the use of Internet Explorer. I have lost faith in Microsoft to adequately secure this browser. They have been endlessly trying and do not seem to be able to do it for any significant length of time. Exploits are frequent. For secure browsing I suggest any of the following browsers for Mac, Windows or Linux users
Firefox, Chrome, Safari (for Mac users) or Opera
3. Avoid web pages that you are unfamiliar with or that look official, but something is not quite right. If you are unsure, do a Google search and look for search results that show the name of the service or company in the first part of their web address. This is not always the case, but very often it is what the company or service will use.
Example: Although Microsoft has many other websites, you are safest to navigate to a Microsoft satellite website by first starting from www.microsoft.com and searching for what you are looking for from there.
4. Look for secure sites where they should be secure. This is not to say that every site must be secure, but where appropriate, you want to verify that the site is using what is known as an SSL certificate (Secure Socket Layer) and that it is valid. If your are navigating to your bank for example, it should always start with https: when you are at the login page, not http:
Your browser should automatically notify you when an SSL certificate is not valid or has been revoked.
Note: Although ihelpinnovate.com does not use an SSL certificate, it is hosted by Google and you can check that it does not contain any threats by using Symantec's Norton Safe Web, where it is registered and has been verified.
View my Norton Safe Web report at https://safeweb.norton.com/
While we're on the topic of site security certificates, any site that asks for you to enter a username and password for an account you hold, should always start with https: when you are at the login stage. Some exceptions are certain sites that have a separate drop-down window for login. This annoying trend practiced by companies like Bell Canada is in-fact connecting you by a secure link. Unfortunately, non-technical users do not have the simple method of verification by looking at the browser address bar before entering confidential username and password information when logging on via their home page. If you're a Bell Canada user and you want to be sure you're logging onto your account via a verifiably secure webpage, use the link https://mybell.bell.ca/
OK, so now that we've reviewed basic prevention, let me tell you about the ransomware and its very serious and costly threat.
There's been a lot written about this and it's been in the mainstream media lately as well. This latest malware threat called CryptoLocker holds victims hostage to pay a $300 ransom within 72 hours. They do this by using a very strong, unbreakable encryption algorithm and systematically applying it to all files on your local disk and attached drives.
In order to decrypt the files, you must obtain what is known as a private key. This is required to "unlock" the encryption. Since this malware attacks "hot" volumes with mapped drive letters, like Drive C, D, E, etc., your files on services like DropBox are also at risk of being encrypted. Even if you've already encrypted your files before storing them, the encrypted files can still be encrypted by the malware, making access by your own decryption software impossible without the private key from the attackers.
If you don't have the files backed up via a "cold" backup solution that is either offline at the time of the infection or that is not backed up via a shared drive letter (i.e. Drive C, D, E, etc.) then you will not be able to regain access to your files unless you pay the ransom, get the decryption key and hopefully, it works. There have been reports of all types. Ranging from the ransom being paid without a decryption key being delivered or the ransom was paid and the key did not decrypt the files, to the ransom was paid and the files were successfully decrypted, making them once again accessible.
It's easy to recommend not paying the ransom because it encourages this kind of criminal activity in the future or you might not regain access to your files anyway. But if you don't have the files safely backed up and you really need them, then there is no other way to decrypt your files. It is not possible to break this encryption level.
Worse still, the ransomware is reported in recent incarnations, to also be deleting windows shadow copies. A shadow copy is the technical term for Microsoft's roll back technology that normally allows you to restore the system to an earlier state, before a problem existed.
In the latest security news covering this, there is apparently a service being offered by the offenders that will get your files back even after the 72 hour period has past, but it will cost you 10 Bitcoin, which is about $3200 at the moment.
One particularly bad result of this is, people who have not backed up might misunderstand the exact severity of this whole thing. Part of the reason I felt compelled to write about this in the first place. If you simply remove the malware, well that may not be what you wanted if you were willing to pay the ransom. It's not so easy to just say goodbye to data that is critically important, when you had no backup and there's a chance for recovery.
It's not all grim. There are some effective means of protection.
1. Use Sandboxie.
By using this software to "Sandbox" (isolate) your web browser and email client, you are able to stop the malware from encrypting files on your local hard drive or shared drive.
2. Backup your files using products that run backup applications to backup to cloud backup, without mapping the drive. An example is a product like Cryptonite Cloud Backup.
3. If you're a slightly technical user, you can always run your web browser and email inside a virtual machine, like Virtualbox
4. For now, users of the paid OpenDNS Umbrella service are reportedly safe, because the malware cannot reach the randomly generated domains it needs to, in order to begin encrypting the victims files. However, a solution like this may not last if the attackers modify the malware to generate an encryption key locally that could still be effective at ruining your day.
5. Lastly, there is CryptoPrevent, but this is one of the less favorable forms of protection and it can cause a lot of false positives.
I hope this information helps to prevent you from getting the malware. I'm following this in the security arenas and I'll update this blog if I find some good updates.
Please share this blog. I know it's long, but if not in its entirety, please at least share the information regarding best practices and prevention.
For more information about this, please visit the following safe links, leave me a comment or send me a tweet @dougkrug
Image courtesy of Pixomar/FreeDigitalPhotos.net