Managed backup – How to prevent ransomware: “Your personal files are encrypted”
Hopefully you have not seen a Ransomware statement or screen like this.
In this mega-post we talk about ransomware origins, some of the typical current forms of it, and actionable steps you can take today to prevent infection and keep your data safe. (Spoiler alert – use a managed backup solution)
Actual screen captures of types of ransomware
Cryptolocker examples and variants
The messages generally consist of language similar to this:
“Any attempt to remove or damage this software will lead to the immediate destruction of the private key by server”
Here is an example of an actual ransomware message:
“Private key will be destroyed on: specified date”
“Your important files were encrypted on this computer: photos, videos, documents, etc. Here is a complete list of encrypted files, and you can personally verify this.”
“Encryption was produced using a unique public key RSA-2048 generated for this computer. To decrypt files you need to obtain the private key.”
“The single copy of the private key, which will allow you to decrypt the files, located on a secret server on the internet; the server will destroy the key after a time specified in this window. After that nobody and never will be able to restore files…”
“To obtain the private key for this computer, which will automatically decrypt files, you need to pay 300 USD / 300 EUR / similar amount in another currency.”
About Ransomware
The Original form
The Cryptolocker (trojan) has been around for roughly three years now, entering the user’s system via an infected email attachment. It quickly scans the computer and the mapped network drives encrypting important business data and files.
The virus then displays a message stating that, to regain access to your data, you must pay the ransom, generally $300–400, usually through an online currency such as Bitcoin.
There are claims that paying the ransom is the only way to get your files back if you did not have an offline or offsite data backup in place. However, there are also claims that paying the ransom did not successfully decrypt all of the victim's business data and files.
The good news is that the international community joined forces, forming a team of law enforcement agencies, tech firms, and cybersecurity experts that caught the perpetrators in 2014 in what is known as Operation Tovar.
Security firms also intercepted a copy of the database used in the attacks. This helped them understand the true magnitude of the campaign and allowed them to recover keys for a service, called Decrypt Cryptolocker, that helped users decrypt their files. Not every Cryptolocked file could be decrypted, however, and files encrypted by other ransomware variants were not covered. The site providing the keys is no longer active because that version of the Cryptolocker ransomware no longer exists, but new, improved versions of ransomware are being discovered on a consistent basis.
The current form of Ransomware as described by the US-CERT and Homeland Security
Ransomware is often spread through phishing emails that contain malicious attachments or through drive-by downloading. Drive-by downloading occurs when a user unknowingly visits an infected website and then malware is downloaded and installed without the user’s knowledge.
Crypto ransomware, a malware variant that encrypts files, is spread through similar methods and has also been spread through social media, such as Web-based instant messaging applications. Additionally, newer methods of ransomware infection have been observed. For example, vulnerable Web servers have been exploited as an entry point to gain access to an organization’s network. [reference]
Other types of messages displayed by Ransomware
- “Your computer has been infected with a virus. Click here to resolve the issue.”
- “Your computer was used to visit websites with illegal content. To unlock your computer, you must pay a $100 fine.”
- “All files on your computer have been encrypted. You must pay this ransom within 72 hours to regain access to your data.”
A trend in ransomware that is cause for concern
Ransomware or ScreenLocker viruses that impersonate Law Enforcement and Government Agencies
Fake: Canadian Security Intelligence Service
Fake: United States Department of Justice
Fake: Federal Bureau of Investigations
Ransomware at home, in the workplace – no one is exempt
It is getting harder to distinguish the real from the fake: viruses now use email spoofing and impersonate email addresses you might actually know, and the attachments look like everyday documents with normal file extensions.
With everything connected, these viruses are designed to discover opportunity and move rapidly through networks and systems, spreading like wildfire, encrypting files and covering their traces. They live comfortably and undiscovered for a while until they have encrypted enough data, then make demands on your wallet, urging you to purchase the key to decrypt your data, generally via an online currency.
A new form of Ransomware Maktub Locker (dubbed beautiful)
They are calling it beautiful because of its GUI design and other features. It arrives as an email with a fake terms of service update, carrying two official-looking Office document icons.
This virus actually shows you an Office document when opened. While the user is reading the fake document, the virus runs in the background encrypting files. Maktub Locker is also unique because it operates both online and offline and does not depend on a connection to a server, unlike other ransomware.
As the files are encrypted they are simultaneously compressed in size and the file extensions are changed.
The website for taking payment is getting some comments in regards to its design.
#ransomware #maktub #maktublocker https://t.co/iIlabXy3YT pic.twitter.com/17GeRSdDBN
— Kevin Breen (@KevTheHermit) March 21, 2016
Interesting graphic design in the Maktub Locker ransomware: https://t.co/vhKWHvRsaM pic.twitter.com/cP9PVHwZ6p
— Mikko Hypponen (@mikko) March 21, 2016
12 Things you can do today to prevent getting infected by ransomware
1.) Stop it at the source, your first point of contact: email
Slow down on your clicking and take a little more time to inspect your emails; read the details, attributes and characteristics carefully. Don’t click or follow web links in emails that you are unsure about.
Common things to look for when inspecting your emails to avoid ransomware infections
- From sender address (ensure the domain matches the alleged company and sender in the email)
- File attachments and the file extensions (look for uncommon extensions, even if the file icon looks like a real document you are used to seeing.)
- Any phishy language demanding immediate action
- Fake email updates from known companies and brands about changes and updates that might require you to click or download something.
- The need to sign-in and authenticate your account to avoid something from happening.
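The checklist above can be turned into an automated first pass. The following Python script is an added example, not part of the original post: it parses a raw email, compares the From domain against the domain the message claims to represent, flags risky and double attachment extensions, and looks for urgency wording. The extension and phrase lists are my own assumptions, and the sample message is constructed.

```python
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Extensions ransomware droppers commonly hide behind (assumed list, not exhaustive).
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".jar", ".bat", ".cmd", ".ps1", ".docm", ".zip"}
# Wording that pressures the reader into clicking or signing in (assumed list).
URGENT_PHRASES = ("immediate action", "within 24 hours", "will be suspended",
                  "remit payment", "verify your account", "sign in to avoid")

def inspect_email(raw: str, claimed_domain: str = "") -> list:
    """Return human-readable warnings for one raw RFC 822 message; [] means nothing fired.
    claimed_domain is the domain of the company the message claims to come from."""
    msg = email.message_from_string(raw, policy=policy.default)
    warnings = []
    sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    # 1. Sender domain vs. the brand the message claims to represent
    if claimed_domain and sender != claimed_domain and not sender.endswith("." + claimed_domain):
        warnings.append(f"From domain '{sender}' does not match claimed '{claimed_domain}'")
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    if reply_to and reply_to != sender:
        warnings.append(f"Reply-To domain '{reply_to}' differs from From domain")
    # 2. Attachment names: risky extensions and double extensions (invoice.pdf.exe)
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        exts = ["." + e for e in name.split(".")[1:]]
        if any(e in RISKY_EXTENSIONS for e in exts):
            warnings.append(f"risky attachment extension in '{name}'")
        if len(exts) > 1:
            warnings.append(f"double extension in '{name}'")
    # 3. Language demanding immediate action or a sign-in
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content().lower() if body else ""
    warnings += [f"urgency phrase '{p}'" for p in URGENT_PHRASES if p in text]
    return warnings

def sample_message() -> str:
    """Constructed phishing-style message for the demo; not from any real campaign."""
    m = EmailMessage()
    m["From"] = "Accounts Payable <billing@example-invoices.test>"
    m["Reply-To"] = "collect@unrelated-domain.test"
    m["Subject"] = "ATTN: Invoice overdue"
    m.set_content("Please see the attached invoice and remit payment. Immediate action required.")
    m.add_attachment(b"not a real executable", maintype="application",
                     subtype="octet-stream", filename="invoice.pdf.exe")
    return m.as_string()

if __name__ == "__main__":
    for w in inspect_email(sample_message(), claimed_domain="example.com"):
        print("WARNING:", w)
```

A mail gateway or a scheduled mailbox sweep can run the same checks; any warning is a reason to hold the message for a human rather than to trust the icon on the attachment.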
2.) Use tools that can help detect and prevent ransomware infections
- Client-side email virus detection, e.g. Windows has the free built-in Microsoft Security Essentials, similar to Kaspersky, AVG, and McAfee.
- Local malware removal tools, e.g. Malwarebytes, Spybot, or Hitman Pro
- Online virus scanner tools, e.g. VirusTotal
- Browser-based email virus detection extensions, e.g. Bitdefender QuickScan
- Security Policies or Group Policies that prevent opening links in email, or specified file types.
3.) Adjust the configuration of your spam and firewall settings
The options and features will vary depending on your particular email service and firewall. It will not hurt to review the current configuration; more than likely there are tweaks you can make that increase protection beyond the defaults.
4.) Keeping everything updated reduces your exposure to vulnerabilities
- Web browsers
- Operating Systems
- Plugins, Extensions, and Apps
- Other Software (Office, Adobe, Etc)
5.) Have a Local backup plan from your
This generally consists of a specific group of folders that are backed up locally to a vault on your hard drive or, better yet, an external hard drive. The local backup works best if it encrypts and writes the data using compressed blocks through a file differential backup method, so that only changed data is backed up.
In addition, create local copies of the current system using a Windows system disk imaging tool; this allows you to recover the entire system from that image.
6.) Have an offsite managed backup plan
This method sends a securely encrypted copy of the local backup data to a cloud storage vault, ensuring that you have a safe, restorable copy of your data; this can protect you from any type of data loss scenario.
7.) Stay informed about what is going on with this problem
It’s easy to subscribe to the various channels and have information sent to you directly:
- Google alerts allow you to subscribe to words or phrases like “ransomware” and will send you updates based on settings you specify.
- Social media channels such as Twitter are great for real-time updates and allow you to search for topics using hashtags like “#ransomware”.
- The United States Computer Emergency Readiness Team (US-CERT) lets you sign up for email alerts
8.) Avoid pirated software
Pirated software is a very common place for viruses to originate; you can’t trust it, and you wouldn’t want to use it anyway. Most software has free trials available; use those and, if you enjoy the product, consider paying for it. It will be much cheaper than paying a ransom or losing your system and business data. [UPDATED April 29, 2016] Here is a prime example of users getting infected with crypto-ransomware from the torrent website Pirate Bay.
9.) Avoid common Social Engineering traps
- You might see an email from a friend whose account has been hacked; the criminals will send emails to all of their contacts or leave messages on their social pages.
- The messages may contain links or downloads that you are encouraged to look at or view.
- The messages may urgently ask for assistance, claiming the sender has been robbed or suffered some other tragedy.
- The messages may be asking for donations or fundraising for a particular cause.
10.) Don’t trust borrowed USB drives
If you are getting data from one of your colleagues or contacts on a portable USB drive, give it a quick virus scan before moving the files to your system. Some virus detection software has a feature you can enable that automatically scans a new drive for problems as soon as it is plugged in.
11.) Only allow approved software to run
With this method, you specify only the software you deem safe and necessary to run on your system, which can automatically stop problems from creeping in. There are different ways to accomplish this, either via third-party software or using the native built-in functionality of your operating system. The general idea is that you enable Parental Controls, then create a new account that operates under the parameters you set for it (specifying which software is allowed to run under that account). If a new program tries to run, it will be flagged or blocked and will require a permission override.
12.) Avoid enabling macros on email attachments
Ransomware now uses macros in Microsoft Word documents; an example is the “Locky” ransomware variant, which disguised itself as an invoice.
The email subject line read: ATTN: Invoice J-98223146 with a message that says, “Please see the attached invoice (Microsoft Word Document) and remit payment according to the terms listed at the bottom of the invoice.”
Microsoft disables macros in Office files by default because of the security risk.
Advanced preparation is the best plan
As we’ve stated previously on this topic, the best form of protection is to plan on being infected.
The advantage to this plan is that you are fully prepared, and you will have a fully functioning data recovery plan in place, before the problem exists.
In many cases, the ideal managed backup plan consists of your backup data living in two storage vaults that are synchronized.
The first vault will be a copy of all your critical files that will exist and live on your local system or on an external hard drive or networked drive.
The second vault will be in a secure off-site location, such as cloud storage or another remote server that hosts backups.
Settings and features to consider in a managed backup software solution
Ensure the solution has retention settings you can configure. For instance, you might set a retention period of 45 days, which would allow you to go back in time 45 days with your backup data; we use this feature in our re-brandable managed backup software client and server platform.
As a built-in protection for people using WholesaleBackup software, we have enabled a feature which always retains two versions of a file (or the deleted version of a file) for the full retention period, to ensure there is always a good copy of the file that can be restored.
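As an added illustration of the two backup properties described above (the differential local backup from step 5 and a retention window that always keeps the newest two versions of each file), here is a minimal Python versioned vault. It is example code, not WholesaleBackup's product; the vault layout, index format and function names are assumptions, and the whole-file hash stands in for the block-level approach the text describes.

```python
import hashlib
import json
import shutil
import time
from pathlib import Path

def _load(vault: Path) -> dict:
    index_file = vault / "index.json"
    return json.loads(index_file.read_text()) if index_file.exists() else {}

def backup(source: Path, vault: Path, now: float = None) -> dict:
    """Differential run: copy only files whose content hash changed since the last run.
    The index maps relative path -> list of [timestamp, hash]; returns the updated index."""
    now = time.time() if now is None else now
    (vault / "versions").mkdir(parents=True, exist_ok=True)
    index = _load(vault)
    for path in (p for p in source.rglob("*") if p.is_file()):
        rel = str(path.relative_to(source))
        digest = hashlib.sha256(path.read_bytes()).hexdigest()  # whole-file hash for brevity
        history = index.setdefault(rel, [])
        if history and history[-1][1] == digest:
            continue  # unchanged since the last run: nothing to copy
        dest = vault / "versions" / digest
        if not dest.exists():  # content-addressed store, so identical data is kept once
            shutil.copy2(path, dest)
        history.append([now, digest])
    (vault / "index.json").write_text(json.dumps(index))
    return index

def restore(vault: Path, rel: str, dest: Path, version: int = -1) -> None:
    """Copy a stored version back (version=-1 is the newest, -2 the one before it)."""
    shutil.copy2(vault / "versions" / _load(vault)[rel][version][1], dest)

def prune(vault: Path, retention_days: int, now: float = None, keep_versions: int = 2) -> int:
    """Expire versions older than the retention window, but never the newest
    `keep_versions` of any file, so a good copy always outlives an encrypted overwrite."""
    now = time.time() if now is None else now
    cutoff = now - retention_days * 86400
    index = _load(vault)
    for rel, history in index.items():
        index[rel] = [v for v in history if v[0] >= cutoff or v in history[-keep_versions:]]
    live = {digest for history in index.values() for _, digest in history}
    stale = [f for f in (vault / "versions").iterdir() if f.name not in live]
    for f in stale:
        f.unlink()
    (vault / "index.json").write_text(json.dumps(index))
    return len(stale)
```

When ransomware overwrites a document, the next backup run stores the encrypted copy as a new version rather than replacing the old one, so `restore(..., version=-2)` brings back the last good copy even after the retention window has otherwise passed.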
WholesaleBackup is a provider of cloud & hosted white label backup software, which allows you to offer fully managed remote backup services securely.
You can build your very own Windows backup server using our server backup platform then provision end-user online backup clients branded with your company name. Your customers will have a local and online backup system where they can store their backup data in a local vault on their own machine in addition to having another backup storage vault on your Windows backup server.
We also provide a hybrid cloud backup platform that allows you to store customer data on very cheap cloud storage from Amazon S3 and Google Cloud Storage. This option does not require you to have your own server. All you have to do is provision the cloud backup clients with your company brand and logo; once they are installed and the files and folders to back up are selected, the data goes through a de-duplication process to avoid duplicate files, is split into file blocks, and is encrypted for transmission to your cloud storage vault.
Whether you choose to build your own managed backup server or create your own cloud backup clients, you can run and monitor your backup business from a web browser with the Backup Management Web Console, which centralizes all of your customers’ status, backups, settings, and billing information. Our Partners, MSPs, VARs, and resellers call this the mission control center for their managed backup operations.