Ransomware Prevention – Cryptolocker Removal Process
It’s extremely important to ensure that all the computers on your network are up to date and that measures are in place to aid ransomware prevention. This month has been a strange one in terms of malware infections, in particular what’s known as ransomware: two different companies contacted us looking for assistance in cleaning a Cryptolocker infection from their computers. The two clients had similar issues – documents and files were encrypted and the attacker was demanding 3 BTC (bitcoin), around €2,000 in value. They had a time limit to purchase this unlock key, after which the unlock key would be destroyed.
Cryptolocker is the name given to a specific piece of malware, known as ransomware. What this particular piece of malicious code does is encrypt the files within the profile folders on your computer, such as documents and desktop files; it also has the potential to encrypt files on any network shares the user has access to, such as files on a server. This malware first appeared sometime in 2013, and was distributed through a botnet.
What is a botnet? It’s a network of connected devices (computers), each running one or more “bots” (pieces of malicious code), where the “net” (network) of devices works together to distribute these programs, seeking out computers with vulnerable software and carrying out coordinated attacks such as denial of service.
Malware and Ransomware Prevention
In order to try to prevent the Cryptolocker infection, we suggest the following steps:
- Ensure you are using reputable antivirus software with web and email scanning, as well as botnet detection. We always recommend ESET Endpoint Protection Advanced for businesses, and Endpoint Internet Security for home/residential users.
- If you are running a business, try to have a good firewall in place, with Intrusion Detection and Prevention capabilities, such as the ZyXEL USG 110 series. This particular model has the ability to scan inside secure websites (HTTPS), which generally cannot be scanned with the entry-level modems provided by Internet Service Providers.
- Always cross-check any emails you receive. Don’t open any attachments without checking the file type. Most infections arrive via an attached .zip file, which contains an executable.
- Do not disable User Account Control (UAC) within Windows; with it enabled, processes trying to execute in the background won’t have a chance to run silently.
- Log in as a general user, not as a local administrator. Try to reserve the administrator account for installations and maintenance only.
- Keep all Microsoft products up to date, both the operating system (Windows) and applications (Office).
- Backup! Backup! Backup! – You can never have too many backups, and make sure you remove the backup media once the backups are complete, to prevent that data from being infected too.
So back to our two service calls, each of which was in a different county, but again, we responded and dispatched one of our technicians to resolve them.
The first client had three infected workstations (Windows 7 desktop computers) as well as the files that were shared on the server. We asked whether the client had a backup, which luckily they did. The files affected were Microsoft Office files – Word and Excel format. They had a firewall, they were running Office 2013 and received POP3 email.
The second client was a hardware company renting out tools, with file shares and an application issuing invoices in Excel format via a Microsoft Access database. The database files were encrypted, as well as desktop and document files. The last functioning backup was over a month old.
Malware / Ransomware Distribution
How was the trojan activated? Through email, of course. It’s unknown if AVG was scanning the email or if the definitions weren’t quite up to date in both cases. In the first case, an email came into a bookkeeper’s mailbox, with the subject purporting to be a statement from one of their suppliers. It was a zip file, statement.pdf.zip, and the Windows default setting of hiding known file extensions was still in place, so this user wouldn’t have seen the .zip extension. It ran a hidden executable in the zip folder, which did the damage. The user couldn’t see the PDF, so they forwarded it to two colleagues, each of whom also opened the file!
Client 2 was using a free email service, and was viewing the emails over the web. Again, it was a bookkeeper, who saw a little email from an unknown source with the title “Wedding Photos”. The email contained a zip file… you can guess the rest…
What we have is a common way of distributing the infection: via email that isn’t being scanned for viruses or spam, as they were using POP mail and a web interface without a scanner such as the ESET Outlook plugin, and a few users who were inquisitive or confused.
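Detection logic of the kind a mail gateway or helpdesk script could apply to the attachment pattern described above (a statement.pdf.zip that wraps an executable), written here in Python as an added example; it is not from the original post or any vendor product, and the extension lists and the sample message are constructed for illustration.

```python
import email
import io
import zipfile
from email.message import EmailMessage

# Constructed lists (not exhaustive): types Windows runs on double-click, and decoy document types.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs", ".pif"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png"}

def suspicious_name(filename):
    """Flag names that read as a document when Explorer hides known extensions."""
    parts = filename.lower().rsplit(".", 2)  # 'statement.pdf.zip' -> [stem, pdf, zip]
    if len(parts) == 3 and "." + parts[1] in DOCUMENT_EXTS:
        return "double extension: Explorer would display it as %s.%s" % (parts[0], parts[1])
    return None

def scan_zip(data):
    """Return archive members that Windows would run as programs."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [n for n in zf.namelist() if "." + n.lower().rsplit(".", 1)[-1] in EXECUTABLE_EXTS]

def scan_message(raw):
    """Walk a raw RFC 822 message and return (attachment, finding) pairs."""
    findings = []
    for part in email.message_from_bytes(raw).walk():
        name = part.get_filename()
        if not name:
            continue  # body text or multipart container, not an attachment
        reason = suspicious_name(name)
        if reason:
            findings.append((name, reason))
        payload = part.get_payload(decode=True)
        if name.lower().endswith(".zip") and payload:
            try:
                for inner in scan_zip(payload):
                    findings.append((name, "archive contains executable: " + inner))
            except zipfile.BadZipFile:
                findings.append((name, "named .zip but is not a valid archive"))
    return findings

def build_sample():
    """Constructed sample: a zip called statement.pdf.zip holding a placeholder .exe."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("statement.pdf.exe", b"placeholder bytes, not a real program")
    msg = EmailMessage()
    msg["Subject"] = "Statement"
    msg.set_content("Please find your statement attached.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="statement.pdf.zip")
    return msg.as_bytes()
```

Run against a mailbox export or a quarantine folder, each finding names the attachment and why it was flagged; a clean message returns an empty list.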
What to do if you are infected with malware / Ransomware Removal
Removal in both cases was fairly straightforward. It was removed by an excellent piece of freeware called Malwarebytes, which I have been using for years. Once I knew the computers were clean, we restored client 1’s server files. The client didn’t deem the files on the desktop to be important, and as these files weren’t backed up, we could proceed.
Client 2 was a little harder, as there were no backups of individual files, only a backup of the Access database and the associated Excel spreadsheets from a month back, but they had paper records of all accounts. They were just about to pay the ransom; however, in attempting to purchase the bitcoin he was asked to provide a photo of both sides of the credit card, and another with the owner of the card posing with the card in hand. All too complicated.
Ethically, I suggested we restore the last backup and spend the money on some staff overtime for data entry, and that the rest be invested in a good firewall and in moving their email platform to Office 365. It’s also important to keep Microsoft Windows and Office applications up to date.
On leaving both clients, I suggested they use ESET Endpoint Protection, as its LiveGrid and HIPS systems block unauthorised remote access to the network with Intrusion Detection and Prevention technology. I also recommended the implementation of a good firewall, as well as using some common sense when it comes to opening emails. In the end, neither of them could recover the encrypted files; we could only work with the last known good backup.