Managed Backup – How to prevent ransomware: “Your Personal Files are Encrypted”

Hopefully you have not seen a Ransomware statement or screen like this.

In this mega-post we talk about ransomware origins, some of the typical current forms of it, and actionable steps you can take today to prevent infection and keep your data safe. (Spoiler alert – use a managed backup solution)

Navigate to the section you want to know more about:

Actual screen captures of types of ransomware

Cryptolocker examples and variants

The messages generally consist of language similar to this:

“Any attempt to remove or damage this software will lead to the immediate destruction of the private key by server”

Here is an example of an actual ransomware message:

“Private key will be destroyed on: specified date”

“Your important files were encrypted on this computer: photos, videos, documents, etc. Here is a complete list of encrypted files, and you can personally verify this.”

“Encryption was produced using a unique public key RSA-2048 generated for this computer. To decrypt files you need to obtain the private key.”

“The single copy of the private key, which will allow you to decrypt the files, located on a secret server on the internet; the server will destroy the key after a time specified in this window. After that nobody and never will be able to restore files…”

“To obtain the private key for this computer, which will automatically decrypt files, you need to pay 300 USD / 300 EUR / similar amount in another currency.”

About Ransomware

The Original form

The Cryptolocker (trojan) has been around for roughly three years now, entering the user’s system via an infected email attachment. It quickly scans the computer and the mapped network drives encrypting important business data and files.

The virus then displays a message stating that, to regain access to your data, you must pay a ransom, generally $300 to $400, usually in an online currency such as Bitcoin.
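The behaviour just described, a process walking the local disks and mapped network drives and overwriting documents with ciphertext, has a defender-side signature: files that should be readable text or office formats suddenly contain near-random bytes, and planted canary files stop matching their recorded hashes. The following Python script is an added illustration of that detection heuristic; it is not code from the original post or from any backup vendor. The directory layout, file names, the 7.5 bits/byte threshold and the list of "naturally dense" extensions are all assumptions constructed for the demo.

```python
"""Heuristic detector for mass file encryption on a shared folder.

Two independent signals are combined:
  1. Shannon entropy of file contents: ciphertext looks like random bytes
     (close to 8 bits/byte), while plain text and most office documents
     sit far lower. Already-compressed formats are skipped to cut noise.
  2. Canary files: planted files whose SHA-256 is recorded in advance;
     any change to them is a strong indicator that something is rewriting
     files it should not touch.
"""
import hashlib
import math
import os
import shutil
import tempfile
from collections import Counter

# Formats that are high-entropy by design; high entropy alone is expected here.
NATURALLY_DENSE = {".zip", ".gz", ".7z", ".jpg", ".jpeg", ".png", ".mp4", ".pdf"}
ENTROPY_THRESHOLD = 7.5  # bits per byte (assumed threshold for the demo)
MIN_SAMPLE = 256         # tiny files give unreliable entropy estimates


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty/uniform data, max 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def sha256_file(path: str) -> str:
    """Streaming SHA-256 of a file, so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root: str, canary_hashes: dict) -> dict:
    """Walk `root` and return sorted lists of suspicious relative paths."""
    findings = {"high_entropy": [], "canary_changed": []}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if rel in canary_hashes:
                # Canary: compare against the hash recorded when it was planted.
                if sha256_file(path) != canary_hashes[rel]:
                    findings["canary_changed"].append(rel)
                continue
            if os.path.splitext(name)[1].lower() in NATURALLY_DENSE:
                continue
            with open(path, "rb") as f:
                sample = f.read(1 << 20)  # first 1 MiB is enough for the heuristic
            if len(sample) >= MIN_SAMPLE and shannon_entropy(sample) > ENTROPY_THRESHOLD:
                findings["high_entropy"].append(rel)
    for key in findings:
        findings[key].sort()
    return findings


def build_demo_share() -> tuple:
    """Constructed sample 'mapped drive' for the demo; returns (root, canary_hashes)."""
    root = tempfile.mkdtemp(prefix="share_")
    os.makedirs(os.path.join(root, "Finance"))
    # Ordinary business document: low entropy, must not be flagged.
    with open(os.path.join(root, "Finance", "budget.txt"), "w") as f:
        f.write("Q1 budget summary\n" * 200)
    # A photo: high entropy, but expected for .jpg, so not flagged.
    with open(os.path.join(root, "team.jpg"), "wb") as f:
        f.write(os.urandom(4096))
    # A document whose contents have been replaced by ciphertext-like bytes.
    with open(os.path.join(root, "Finance", "invoices.docx"), "wb") as f:
        f.write(os.urandom(4096))
    # Canary: record its hash when planted, then simulate it being overwritten.
    canary = os.path.join(root, "_do_not_touch.txt")
    with open(canary, "w") as f:
        f.write("canary\n")
    hashes = {"_do_not_touch.txt": sha256_file(canary)}
    with open(canary, "wb") as f:
        f.write(os.urandom(64))
    return root, hashes


def run_demo() -> dict:
    """Build the constructed share, scan it, clean up, return the findings."""
    root, hashes = build_demo_share()
    try:
        return scan_tree(root, hashes)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(run_demo())
```

In practice this check runs on a schedule against the file server or a read-only mount of the backup set, and a non-empty `canary_changed` or a sudden jump in `high_entropy` counts is what triggers the restore-from-backup decision; entropy alone produces false positives on archives and media, which is why the two signals are combined.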

There are claims that paying the ransom is the only way to get your files back if you did not have an offline or offsite data backup in place. However, there are also claims from victims who paid that the ransom did not successfully decrypt all of their business data and files.

The good news is that the international community joined forces to create a team of law enforcement agencies, tech firms, and cybersecurity experts and caught the bad guys in 2014 in what is known as Operation Tovar.

Luckily, security firms also intercepted a copy of the database used in the attacks, which helped them gain a better understanding of the true magnitude of the attacks and also allowed them to recover the keys users needed to decrypt their files, offered through a site called Decrypt Cryptolocker. However, not all Cryptolocker-encrypted files could necessarily be decrypted, particularly files encrypted by other ransomware variants. The site providing the keys is no longer active because that version of Cryptolocker no longer exists, but new, improved versions of ransomware are being discovered on a consistent basis.

The current form of Ransomware as described by the US-CERT and Homeland Security

Ransomware is often spread through phishing emails that contain malicious attachments or through drive-by downloading. Drive-by downloading occurs when a user unknowingly visits an infected website and then malware is downloaded and installed without the user’s knowledge.

Crypto ransomware, a malware variant that encrypts files, is spread through similar methods and has also been spread through social media, such as Web-based instant messaging applications. Additionally, newer methods of ransomware infection have been observed. For example, vulnerable Web servers have been exploited as an entry point to gain access to an organization’s network. [reference]

Other types of messages displayed by Ransomware

  • “Your computer has been infected with a virus. Click here to resolve the issue.”
  • “Your computer was used to visit websites with illegal content. To unlock your computer, you must pay a $100 fine.”
  • “All files on your computer have been encrypted. You must pay this ransom within 72 hours to regain access to your data.”

Trend in ransomware: cause for concern

Ransomware or ScreenLocker viruses that impersonate Law Enforcement and Government Agencies

Fake: Canadian Security Intelligence Service


Fake: United States Department of Justice 


Fake: Federal Bureau of Investigation