Contents hide
Managed backup – How to prevent ransomware: “Your personal files are encrypted”

Managed backup – How to prevent ransomware: “Your personal files are encrypted”

Hopefully you have not seen a Ransomware statement or screen like this.

In this mega-post we talk about ransomware origins, some of the typical current forms of it, and actionable steps you can take today to prevent infection and keep your data safe. (Spoiler alert – use a managed backup solution)

Navigate to the section you want to know more about:

Actual screen captures of types of ransomware

Cryptolocker examples and variants

The messages generally consist of language similar to this:

“Any attempt to remove or damage this software will lead to the immediate destruction of the private key by server”

Here is an example of an actual ransomware message:

“Private key will be destroyed on: specified date”

“Your important files were encrypted on this computer: photos, videos, documents, etc. Here is a complete list of encrypted files, and you can personally verify this.”

“Encryption was produced using a unique public key RSA-2048 generated for this computer. To decrypt files you need to obtain the private key. ”

“The single copy of the private key , which will allow you to decrypt the files, located on a secret server on the internet; the server will destroy the key after a time specified in this window. After that nobody and never will be able to restore files…”

“To obtain the private key for this computer, which will automatically decrypt files, you need to pay 300 USD / 300 EUR / similar amount in another currency.”

About Ransomware

The Original form

The Cryptolocker (trojan) has been around for roughly three years now, entering the user’s system via an infected email attachment. It quickly scans the computer and the mapped network drives encrypting important business data and files.

The virus then displays a message that in order to gain access back to all your data you will need to pay the ransom amount, generally $300 – 400 dollars. Usually through an online currency such as bitcoin.

There are claims that paying the ransom is the only way to get your files back if you did not have an offline or offsite data backup in place. However, there are also other claims that paying the ransom did not successfully un-encrypt all of their business data and files.

The good news is that the international community joined forces to create a team of law enforcement agencies, tech firms, and cybersecurity experts and caught the bad guys in 2014 in what is know as Operation Tovar.

Luckily security firms also intercepted a copy of the database used in the attacks, which helped them gain a better understanding of the true magnitude of the attacks and also allowed them to create keys to help users decrypt their files which are called Decrypt Cryptolocker. However, it was possible that not all Cryptolocked files were able to be decrypted, including files encrypted by other ransomware variations. The site providing the keys is no longer active because that version of Cryptolocker Ransomware does not exist anymore. But new improved versions of ransomware are being discovered on a consistent basis.

The current form of Ransomware as described by the US-CERT and Homeland Security

Ransomware is often spread through phishing emails that contain malicious attachments or through drive-by downloading. Drive-by downloading occurs when a user unknowingly visits an infected website and then malware is downloaded and installed without the user’s knowledge.

Crypto ransomware, a malware variant that encrypts files, is spread through similar methods and has also been spread through social media, such as Web-based instant messaging applications. Additionally, newer methods of ransomware infection have been observed. For example, vulnerable Web servers have been exploited as an entry point to gain access to an organization’s network. [reference]

Other types of messages displayed by Ransomware

  • “Your computer has been infected with a virus. Click here to resolve the issue.”
  • “Your computer was used to visit websites with illegal content. To unlock your computer, you must pay a $100 fine.”
  • “All files on your computer have been encrypted. You must pay this ransom within 72 hours to regain access to your data.”

Trend in ransomware cause for concern

Ransomware or ScreenLocker viruses that impersonate Law Enforcement and Government Agencies

Fake: Canadian Security Intelligence Service

fake-canadian-security-intelligence-service-ransomware

Fake: United States Department of Justice 

fake-department-of-justice-ransomware-variant

Fake: Federal Bureau of Investigations 

fake-police-ransomware-responsible-for-killing-17-yr-old

Ransomware at home, in the workplace – no one is exempt

It is getting harder to distinguish the real from the fake, viruses are now using email spoofing and impersonating email addresses you might actually know. The attachments look like everyday documents with normal file extensions.

Lockyransomware-from-spoofed-email-as-office-document

With all things connected these viruses are designed to discover opportunity and move rapidly through networks and systems and spread like wildfire encrypting files and covering its traces, living very comfortable and undiscovered for while until it thinks it has enough data encrypted to start making demands on your wallet urging you to purchase the key to decrypt your data, generally via an online currency.

A new form of Ransomware Maktub Locker (dubbed beautiful)

maktub-locker-example-screen

The reason they are calling it beautiful is from the GUI design and other features. It comes as an email with fake terms of service update brandishing two official-looking Office document icons.

This virus actually shows you an Office document when opened. While the user is reading the fake document the virus runs in the background encrypting files. The Maktub Locker is also unique because it operates online and offline and is not dependent on being connected to a server, like other ransomware.

As the files are encrypted they are simultaneously compressed in size and the file extensions are changed.

The website for taking payment is getting some comments in regards to its design.

12 Things you can do today to prevent getting infected by ransomware

1.) Stop it at the source your first point of contact – Email

Slow down on your clicking and take a little more time to inspect your emails, read the details, attributes and characteristics carefully. Don’t click or follow web links in emails that you are unsure about.

Common things to look for when inspecting your emails to avoid ransomware infections

  • From sender address (ensure the domain matches the alleged company and  sender in the email)
  • File attachments and the file extensions (look for uncommon extensions, even if the file icon looks like a real document you are used to seeing.)
  • Any phishy language demanding immediate action
  • Fake email updates from known companies and brands about changes and updates that might require you to click or download something.
  • The need to sign-in and authenticate your account to avoid something from happening.

2.) Use tools that can help detect and prevent ransomware infections

  • Client-side email virus detection ie: Windows has free built-in Microsoft Security Essentials similar to Kaspersky, AVG, and McAfee.
  • Local Malware removal tool example ie: Malwarebytes, Spybot, or Hitman Pro
  • Online virus scanner tool ie: VirusTotal
  • Browser-based email virus detection extensions ie: Bitdefender QuickScan
  • Security Policies or Group Policies that prevent opening links in email, or specified file types.

3.) Adjust the configuration of your spam and firewall settings

The options and features will vary depending on your particular email service and firewall. It will not hurt to review the current configuration, more than likely there are tweaks you can make that will help, increase the protection that is better than the defaults.

4.) Keeping everything updated helps in reducing vulnerability

  • Web browsers
  • Operating Systems
  • Plugins, Extensions, and Apps
  • Other Software (Office, Adobe, Etc)

5.) Have a Local backup plan from your

This generally consists of a specific group of folders that are backup up locally to a vault on your hard drive or better yet an external hard drive. The local backup works best if it encrypts and writes the data using compressed blocks through a file differential backup method, this way only changed data is backed up.

In addition, creating local copies of the current system using a Window System Disk Imaging tool, this would allow you to recover the entire system from that image.

6.) Have an offsite managed backup plan

This method sends a securely encrypted copy of the local backup data to a cloud storage vault, ensuring that you have a safe restorable copy of your data, this can protect you from any type of data loss scenario.

7.) Stay informed and about what is going on with this problem

It’s easy to subscribe to the various channel and have information sent to you directly:

8.) Avoid pirated software

Pirated software is a very commonplace where viruses originate from, you can’t trust it and you wouldn’t want to do it anyway. Most software has free trials available, use that and if you enjoy it considering paying for it. It will be much cheaper than paying a ransom or losing your system and business data. [UPDATED April 29, 2016] Here is a prime example of users getting infected with crypto-ransomware from the torrent website Pirate Bay.

9.) Avoid common Social Engineering traps

  • You might see an email from a friend whose account has been hacked, the criminals will send emails to all of their contacts or leave messages on their social pages.
  • The messages may contain links or downloads that you are encouraged to look at or view.
  • The messages may be urgently asking for assistance or help claiming they have been robbed or some other tragic related activity.
  • The messages may be asking for donations or fundraising for a particular cause.

10.) Don’t trust borrowed USB drives

If you are getting data from one of your colleagues or contacts via the form of a portable USB drive, ensure you give it a quick virus scan before moving the files to your system. Some virus detection software has a feature that you can enable that will automatically scan a new drive for any problems as soon as it is plugged in.

11.) Use application whitelisting to prevent unauthorized software from performing tasks and running

With this method, you are specifying only the intended software you deem as safe and necessary to run on your system, which can automatically stop problems from creeping up. There are different ways you can accomplish this either via third-party software or using the native built-in functionality of your operating system. The general idea is that you turn on or enable Parental Controls then create a new account that operates under the parameters you invoked for that new account (specifying allowed software to run related to that account).  If a new program tries to run it will be flagged or blocked, and require permission override.

12.) Avoid enabling macros on email attachments

Ransomware is now using macros from Word Office documents, an example is the “Locky” ransomware variant that disguised itself as an invoice.

The email subject line read: ATTN: Invoice J-98223146 with a message that says, Please see the attached invoice (Microsoft Word Document) and remit payment according to the terms listed at the bottom of the invoice.

Microsoft has disabled macros in office files by default due to the security risk.

Advanced preparation is the best plan

As we’ve stated previously on this topic, the best form of protection is planning to be infected.

The advantage to this plan is that you are fully prepared, and you will have a fully functioning data recovery plan in place, before the problem exists.

In many cases, the ideal managed backup plan consists of your backup data living in two storage vaults that are synchronized.

The first vault will be a copy of all your critical files that will exist and live on your local system or on an external hard drive or networked drive.

The second vault will be in a secure off-site site location, such as cloud storage or another remote server that hosts backups.

Settings and features to consider in a managed backup software solution

Ensure the solution has Retention settings you can configure, for instance, you might want to set a retention period of 45 days, this would allow you essentially go back in time 45 days with your backup data, we use this feature in our re-brandable managed backup software client and server platform.

As a built in protection for people using WholesaleBackup software we have enabled a feature which will always retain two versions of a file (or the deleted version of a file) for the full retention period to ensure that there’s always a good copy of the file that can be restored.

WholesaleBackup is a provider of cloud & hosted white label backup software, which allows you to offer fully managed remote backup services securely.

white box of bundled software

WholesaleBackup provides a full suite of white label backup software

You can build your very own Windows backup server using our server backup platform then provision end-user online backup clients branded with your company name. Your customers will have a local and online backup system where they can store their backup data in a local vault on their own machine in addition to having another backup storage vault on your Windows backup server.

We also provide a hybrid cloud backup platform that allows you to store customer data on very cheap cloud storage from Amazon S3 and Google cloud storage. This option does not require you to have your own server. All you have to do is provision the cloud backup clients with your company brand and logo, once they are installed and the selections are made for the files and folders to backup, the data will go through a de-duplication process to avoid duplicate files, then create file blocks which are encrypted for transmission which will be sent to your cloud storage vault.

Whether you choose to build your own managed backup server or create your own cloud backup clients, you can run and monitor your backup business from a web browser with the Backup Management Web Console, which centralizes all of your customer’s status, backups, settings, and billings information. Our Partners, MSPs, VARs, and resellers, call this the mission control center for their managed backup operations.

How Can We Help?

The team at WholesaleBackup is happy to listen and share their backup & recovery expertise spanning over 15 years of business-class backup software solutions for resellers, MSPs, and IT Pros. If you are ready to begin building a more profitable and reliable backup service you’re in the right place.

  • Learn how to get started with labeling & deploying your own backup service
  • See how to schedule, run backups, and restore data
  • Understand how to remotely manage and monitor end-user’s backups
  • Get any questions you have addressed

Take a minute to fill out the form and we’ll follow up with you about your request. For a quicker response start a conversation in the chat.