What is ransomware?
Ransomware is software that attackers use to hold your computer files hostage while demanding a sum of money before you can recover them. There are a number of different ransomware families, but Cryptolocker is one that has received a lot of news coverage lately. Cryptolocker operators have targeted the US and UK by sending it out by email, and it has been associated with spammers, password theft and backdoor Trojans; it may also reach your computer through a download or an ad click. When Cryptolocker first began circulating it targeted home users, but it has progressively shifted its focus to small and mid-sized businesses. The malware can encrypt files on any drive the user can reach, including network drives that are mapped or have been assigned a drive letter.
Here are some steps you can take to prevent ransomware from doing damage beyond repair:
- Back up your data: As long as you are regularly backing up your data, even if you are hit by ransomware you can restore your data from a previous snapshot and will lose only a minimal amount of it. Because Cryptolocker can encrypt files on mapped drives, your backup plan should include backing up to an external drive or backup service that is not assigned a drive letter.
- Disable files running from the AppData/LocalAppData folders: Cryptolocker commonly runs its executable from the AppData or LocalAppData folders, so you should create a rule in Windows that disallows execution from those locations.
- Show hidden file extensions: Cryptolocker often arrives in a file whose name ends in “.PDF.EXE”. By default, Windows hides known file extensions, so the file appears to be a PDF; you can turn extension display back on to make files like this easier to spot.
- Email filtering: You may be able to filter emails that contain “.EXE” attachments. If you genuinely need to exchange executables by email, consider using password-protected ZIP files or a cloud service instead.
- Disable RDP: Cryptolocker commonly accesses machines via Remote Desktop (RDP). You can consider disabling RDP if you aren’t using it.
- Patch and Update your Software: Malware writers exploit known vulnerabilities on machines that are running outdated software and can silently get into your system.
- Disconnect Immediately: It does take a bit of time to encrypt all files so if you open a file that you suspect may be ransomware, you may be able to stop communication with the server before the encryption is complete. This, of course, won’t prevent all damage but may prevent some if you act immediately by disconnecting.
- Don’t pay the ransom! Cryptolocker generally has a payment timer set for 72 hours and when that initial period expires, the price will go up significantly. While paying the ransom MIGHT get you your data back, there have been cases where the decryption key never came or it was unable to properly decrypt the files.
- Add ad blocking: Clicking on ads is another way that ransomware can reach your machine, so enabling ad blocking will help reduce this risk.
- Authenticate In-Bound Email: Ransomware, especially Cryptolocker, uses email and often these emails will appear to come from someone that the target user actually knows and communicates with. These emails may have a malicious attachment that will download ransomware onto the machine once opened. Organizations can consider validating the origin of inbound email through sender identity technologies to identify suspicious email.
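The “show hidden file extensions” and “email filtering” points above both come down to recognising an executable that is dressed up as a document. The following Python script is an added example, not code from the original article: it parses a raw email, walks its attachments, and reports any attachment (or any member of an unencrypted ZIP attachment) whose final extension is one Windows will execute, calling out double extensions such as Invoice.PDF.EXE that display as a harmless “Invoice.PDF” when extensions are hidden. The sample message, its addresses and attachment names are constructed for the demonstration; the extension lists are illustrative starting points, not a complete policy.

```python
"""Screen inbound email attachments for executable and double-extension names.

Added example, not from the original article. The sample message, addresses
and attachment names below are constructed for illustration only.
"""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# File types Windows will run directly when double-clicked (non-exhaustive;
# a real filter would extend this list to match local policy).
EXECUTABLE_EXTENSIONS = {
    ".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
    ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta",
}
# Decoy extensions that make a name look like a document once Windows hides
# the real (final) extension, e.g. "invoice.pdf.exe" is shown as "invoice.pdf".
DECOY_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}


def classify_filename(name):
    """Return the reasons a filename looks dangerous; an empty list means no finding."""
    reasons = []
    parts = name.lower().strip().split(".")
    if len(parts) < 2:
        return reasons                      # no extension at all
    final_ext = "." + parts[-1]
    if final_ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable attachment ({final_ext})")
        # A decoy extension immediately before the real one is the ".PDF.EXE" trick.
        if len(parts) >= 3 and "." + parts[-2] in DECOY_EXTENSIONS:
            shown = ".".join(parts[:-1])
            reasons.append(f"double extension: shown as '{shown}' when extensions are hidden")
    return reasons


def inspect_zip(data):
    """Look inside a ZIP attachment; encrypted members cannot be inspected."""
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.flag_bits & 0x1:    # general-purpose bit 0 set = member is encrypted
                    findings.append(f"{info.filename}: encrypted member, contents not inspectable")
                    continue
                for reason in classify_filename(info.filename):
                    findings.append(f"{info.filename}: {reason}")
    except zipfile.BadZipFile:
        findings.append("attachment is not a valid ZIP archive")
    return findings


def screen_message(raw_bytes):
    """Parse a raw RFC 5322 message and return {attachment_name: [findings]}."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    report = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        findings = list(classify_filename(name))
        if name.lower().endswith(".zip"):
            findings.extend(inspect_zip(part.get_payload(decode=True)))
        report[name] = findings
    return report


def build_sample_message():
    """Constructed test message with three attachments (not a real phishing sample)."""
    archive = io.BytesIO()
    with zipfile.ZipFile(archive, "w") as zf:
        zf.writestr("statement.xls.scr", b"MZ-not-really")   # constructed, not a real binary
        zf.writestr("readme.txt", b"hello")
    msg = EmailMessage()
    msg["From"] = "accounts@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(b"MZ-not-really", maintype="application",
                       subtype="octet-stream", filename="Invoice.PDF.EXE")
    msg.add_attachment(archive.getvalue(), maintype="application",
                       subtype="zip", filename="docs.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, findings in screen_message(build_sample_message()).items():
        print(name, "->", findings or ["no finding"])
```

Run as a script, it reports nothing for invoice.pdf, two findings for Invoice.PDF.EXE, and two for the .scr member hidden inside docs.zip. Note that the encrypted-ZIP branch only reports that the contents could not be inspected: this is the flip side of the article's suggestion to use password-protected ZIPs for legitimate executables, since a mail filter cannot look inside them and must rely on other controls for those.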