Ransomware Viruses – Retaining control of your Data

Over the past year, ransomware viruses have been front and center. They have infected computers in all sectors (Residential, Public Services, Emergency Services, Technology Managed Services, Commercial, Not-For-Profit, etc). 55 per cent of cyber-attacks last year in Canada (and Abbotsford and Vancouver especially) were ransomware attacks. There just doesn’t seem to be a way to stop it, or is there?

Most viruses can be removed without a lot of damage occurring (if you catch them fast enough). Take for instance a Trojan Virus.

A Trojan virus usually resides inside another program that the user installs (either on purpose or without their knowledge). It emerges when the host program is installed. These viruses often act as “backdoors”, allowing other malicious content into the system. They are also characterized by not infecting other files (like a computer virus), and not propagating (like worms). There job is to simply open backdoors to your system, and steal data. Once they are removed from your system, they are usually gone for good, and your data stays within your control.

Ransomware viruses are completely different, as they typically don’t infect your files, don’t propagate, and do not open backdoors. They simply hold your system at Ransom. The first of it’s kind was Cryptolocker (identified in the last part of 2013). It encrypted users files using asymmetric encryption and then demanded $300 in order for the users files to be dycrypted. This demand was also subject to a time limit as well. If the user didn’t pay the ransom within the defined time limit, the offer was be rescinded and the user lost access to their files forever. This virus had a longer lifespan than most, as the Department of Justice final took down the threat in early June 2014.

However, this type of virus attack was just beginning. On June 19, Cryptowall emerged as a more deviant version of Cryptolocker. The developers hence fixed the vulnerabilities that allowed Cryptolocker to be taken down.

July 2014 brought yet another player to the Ransomware arena, CTB-Locker. This nasty little virus I had the pleasure of meeting. IT comes in via email from a reputable source (CAB or ZIP attachment), claiming to be a Fax or Invoice. The user clicks on the attachment to open it up, and Voila you’re infected. CTB-Locker is particularly nasty because it has taken stealth to an entirely different level. CTB stands for Crypto-Tor-Bitcoin, meaning that it encrypts your files, and demands to be paid in Bitcoins (like it’s predecessors), but also uses the Tor anonymity network for its communication to the Encryption key servers. The only way I was able to save our client’s data was to reinstate the previous night’s backup (after I removed the virus, and all supporting files).

In Summary, Ransomware looks like it is going to be here for a while. Here are a few tips to ensure that if the inevitable happens, you are not caught unprotected.

1. Ensure that you have an Anti Virus program protecting your computer, and that it’s virus definition files are ALWAYS up to date.
2. Set your Anti Virus’ mail filter to remove the following attachments from your incoming mail.
   • SCR
   • CAB
   • EXE
3. Make sure that you have nightly backups of your data. If you find that you are often to busy to remember to back up each night, have the process automated.
4. Test your backups periodically to ensure that your backup data is intact.

TSG Computer Services is an Abbotsford and Vancouver-based IT Support company who specializes in Solutions for Increased Productivity. Call us now for your free, no-obligation, comprehensive 35-point network audit.