Ransomware and Encryption Viruses
We would like to reiterate that all users must be very careful when clicking any form of link be it a link to an unknown website or an attachment embedded within an email. If the sender is unknown or you feel that the email is not actually from the stated sender, it is always better to ignore the email than risk opening it.
Fake emails or emails containing fake links & attachments are routinely used to gain access to small business accounts or banking information. Anti-virus and Anti-spam tools will stop most of these but users still have a vital role to play.
Key information on Ransomware/Viruses
By now you will probably be aware of the term ransomware, but in short it is a type of malware that will attack your computer, locking you out and displaying a message that demands you take a certain action, almost always involving some form of forced payment before your computer can be returned to its normal state.
Following on from this you may have heard of a type of ransomware known as an Encrypto or Encryption virus. This is an extremely intrusive and potentially costly piece of malware that will in addition to locking you out of your computer, set a fixed time that you have to unlock it.
After a computer or server has been infected with the virus, a message will come up on your screen stating that your files have been encrypted and a warning saying that if you do not send a specified amount of money within a fixed amount of time, all of your information and user data will be lost indefinitely.
So how does the Encrypto virus spread?
It is typically distributed via email, the hackers hide strings of code containing the Encrypto virus within an attachment that for example may look like a normal PDF but in reality is an executable file.
If you or a colleague opens the fake PDF, the virus is given access to your PC and all of your files. It will then start encrypting the files on your computer and begin telling you that the only way you can get the key to decrypt all of your files on your PC is to pay them before time runs out.
Two new types of Matrix Ransomware.
Recently two new aggressive forms of Matrix Ransomware variants have been discovered that are being installed via hacked/intercepted Remote Desktop services. While both of these variants will encrypt your computer’s files, one is a more advanced and makes use of cipher strings to wipe free space on the infected systems.
This form of ransomware is being sent to victims from the attackers who are brute forcing their way through the passwords of Remote Desktop services connected directly to the Internet. Once the attacker has gained access to a computer, they will then upload the ransomware installer and execute it via the remote connection.
Basic info about the two viruses and what they do to an infected machine:
• Installed over hacked Remote desktop tools.
• They encrypt unmapped network shares.
• Displays a status window while encrypting data.
• Clears all shadow volumes and copies on the machine.
• Encrypts all of the machines filenames.
• Uses ciphers to wipe free space on the machines.
Due to the fact the Matrix Ransomware is installed via hacked Remote Desktop services, it is extremely important to ensure that all access is locked down correctly. This includes making sure that computers running remote desktop services are not connected directly to the Internet, instead placed behind secure VPNs or remote desktop gateways that are secured with an active SSL.
How can all of this be prevented?
Unfortunately, there is no way to 100% prevent these types of attacks, our recommendations to help safe guard you are:
Make sure that all staff are vigilant when it comes to emails from senders that you don’t know, especially those of which that contain files.
Enabling file extensions within Windows, which is done so that you can easily recognise this type of attack by the file name containing .exe, .cmd or .bat instead of the standard .docx, .docs or .pdf.
Lock down remote desktop access. We have been actively locking down RDP to known ip addresses and helping to ensure that computers on your servers are placed behind VPNs or remote desktop gateways secured with SSL.
Have up to date Anti-virus and Anti-spam filters. Cortec recommends the use of ESET, which is a record-breaking antivirus and antispyware protection software. We also recommend the use of Email Filtering, using advanced predictive analytics giving the reassurance that the software will identify malicious sources before they can attack, keeping your email and IT systems safe. Feel free to get in touch to find out what we can offer you.
Having regular and secure backups of critical data. We’d like to remind you of the importance of having a backup system in place for your critical files. This will help mitigate the damage caused not only by malware infections, but hardware problems or any other incidents as well. Cortec offer a range of offsite backups and cloud services that we are happy to talk to you about.
Don’t give them money. If you are unfortunately infected by a ransomware virus and do not have a backup of your files, we would always recommend that you DO NOT pay the ransom. We say this because it makes malware attacks like the aforementioned into a highly profitable process, not to mention the chance that you will not even receive an encryption key.