
Why you need to know about ransomware.

Updated on April 9, 2016

Imagine for a moment that you leave your computer and come back to find a menacing screen telling you that your files are encrypted and you must pay money to get them back. It might seem like a prank, but it is no laughing matter. According to antivirus vendors, well over 4 million computers were held hostage last year, that number is only increasing, and the threat itself is becoming more serious.

Almost everyone knows you are supposed to have some type of antivirus on your system to protect it from viruses. What many are not aware of is that classic self-replicating viruses are now only a small part of the threat. It is malicious software in general, aka “malware,” that you need to look out for! Most importantly, the rise of ransomware is something EVERYONE should know about, regardless of operating system. Both Windows PCs and Apple’s Macs are at risk, with samples for each seen causing damage “in the wild.”

We have created an informational, two-sided flier that is easy to share with friends and co-workers. Continue reading below for detailed information on what to look for, how to avoid ransomware, and how to ensure your data remains protected.

Download the complimentary ransomware information sheet and share it at your work.

Most antivirus, and even dedicated antimalware, programs won’t defend against the latest ransomware infections: a new variant usually circulates for hours or days before the signatures that recognize it catch up.

What is ransomware?

To put it simply, it is malicious software that holds your personal files for ransom, hence the name. It does this by encrypting them: scrambling their contents so that they can only be unscrambled with a secret key, and that key is held by the attacker, who offers it in exchange for the ransom (usually from $400 to $1,700). Except in rare cases, such as when a particular family’s encryption was implemented badly and researchers have published a free decryption tool for it, you cannot recover your files without the key.

Ransomware example.

How can I protect myself?

There are two main ways to avoid being a victim: knowledge/education and backups. First, knowing what to look for and educating others is critical: the less money the cyber criminals make from the scheme, the fewer of them will run it. So what do you look out for? Most ransomware infections arrive by email, using the old trick of a malicious attachment.

What do I look out for?

“Phishing emails” have been widespread since the early 2000s and have stayed true for attackers ever since. The term “phishing” comes from a fisherman tossing a hook into the water, hoping to catch a passing fish. Criminals send phishing emails hoping to catch a passing victim. A good attack is almost indistinguishable from an email you would normally receive, whether at work or at home. Some ransomware campaigns use what is known as “spear phishing,” meaning the attacker tailored the message in some way to the recipient, be it a person or an organization; most simply cast a very wide net. That brings us to the social engineering paradox of phishing emails: you don’t know what you don’t know. Criminals rely on easy deception in mass numbers and are bound to catch a few fish if they drag their line through a few million inboxes a day, which is exactly what the current ransomware campaigns do.

Email example of ransomware.

It could appear to be a PDF or Word document, frequently disguised as an invoice from some company, a resume from someone looking for a job, or FedEx/UPS tracking information. Frequently the “payload” (the computer code that does the nasty stuff) is enclosed in an attached ZIP file, and the icon of the file inside the ZIP will be changed to look like something it is not, such as a PDF or DOC. In all of these cases it is an executable of some kind, meaning that once you open it, you are granting it permission to do whatever it is programmed to do on your computer. In most cases it will download the rest of the nasty stuff in the background, and the ransomware headache follows. Look VERY closely at the file name for a “double extension” like .pdf.exe or .doc.js, and never open anything like that, as it is almost always bad news. Be aware that Windows hides known file extensions by default, so “Invoice.pdf.exe” shows up as “Invoice.pdf”; turning off “Hide extensions for known file types” in Folder Options lets you see the real name. A genuine Word or Excel document that asks you to “Enable Content” or “Enable Macros” is a variation on the same trick: that button runs code too. In fact, as we have said for over 20 years: never open any executable attachment from an email, EVER.
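As an added example (this is not code from the original article or the flier), here is a small Python script that applies the checks above to a mail message: it opens ZIP attachments, flags executable and double extensions, and compares the claimed extension with the file's magic bytes so that a renamed .exe is caught even when its name looks clean. The message and the archive it scans are constructed inside the script for demonstration, and the extension lists are our own assumptions rather than any vendor's.

```python
"""Scan an e-mail's attachments for the disguised executables described above.

Flags executable extensions, double extensions such as Invoice.pdf.exe, and
files whose content does not match their claimed type (a ".pdf" that starts
with the Windows PE "MZ" header). The sample message is constructed inline;
no real mail or network is involved.
"""
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Extensions Windows will run directly (an assumed, non-exhaustive list).
EXECUTABLE_EXTS = {
    "exe", "scr", "com", "pif", "bat", "cmd", "ps1", "vbs", "vbe",
    "js", "jse", "wsf", "wsh", "hta", "jar", "lnk", "msi",
}
# Document-looking extensions that droppers put in front of the real one.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}


def classify_name(name):
    """Findings based on the file name alone."""
    findings = []
    exts = name.lower().rsplit("/", 1)[-1].split(".")[1:]
    if exts and exts[-1] in EXECUTABLE_EXTS:
        findings.append(f"executable extension .{exts[-1]}")
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS and exts[-1] in EXECUTABLE_EXTS:
        findings.append("double extension disguising an executable as a document")
    return findings


def scan_bytes(name, data):
    """Name checks plus a content check: a PE header under a non-executable name."""
    findings = classify_name(name)
    claimed = name.lower().rsplit(".", 1)[-1] if "." in name else ""
    if data.startswith(b"MZ") and claimed not in EXECUTABLE_EXTS:
        findings.append("content is a Windows executable (MZ header) despite its name")
    return findings


def scan_attachment(name, data):
    """Scan one attachment; descend into ZIP archives and report per member."""
    report = {}
    if data.startswith(b"PK\x03\x04"):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                # Fine for a demo; real mail scanning needs a size cap per member.
                findings = scan_bytes(info.filename, zf.read(info))
                if findings:
                    report[f"{name}!{info.filename}"] = findings
    else:
        findings = scan_bytes(name, data)
        if findings:
            report[name] = findings
    return report


def scan_message(raw_bytes):
    """Parse a raw RFC 822 message and scan every attachment in it."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    report = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        report.update(scan_attachment(name, part.get_payload(decode=True)))
    return report


def build_sample_message():
    """Construct the kind of phishing mail described above (sample data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # A two-byte "MZ" stands in for a real dropper; the header is what we check.
        zf.writestr("Invoice_40213.pdf.exe", b"MZ" + b"\x00" * 62)
        zf.writestr("Invoice_40213.doc.js", b"var s = new ActiveXObject('WScript.Shell');")
        zf.writestr("Statement.pdf", b"MZ" + b"\x00" * 62)   # renamed executable
        zf.writestr("readme.txt", b"Please see the attached invoice.")
    msg = EmailMessage()
    msg["From"] = "billing@example.com"
    msg["To"] = "you@example.com"
    msg["Subject"] = "Invoice #40213 past due"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Invoice_40213.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for path, findings in scan_message(build_sample_message()).items():
        print(path)
        for finding in findings:
            print("  -", finding)
```

The content check matters most: an attacker who renames payload.exe to Statement.pdf defeats the name checks entirely, but the file still begins with the PE "MZ" header and Windows will still run it once the icon fools the user into double-clicking.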

Example of ransomware in a ZIP file.

Other times, the email will appear to be from someone you know but look “funny” or off. It may contain a link asking you to “check out this video” or visit a website. The links are malicious and may lead you to what is known as a “drive-by exploit,” which takes control of your system without any further interaction from you. (This usually works because of out-of-date software loaded by your web browser, such as Adobe’s Flash Player or Oracle’s Java. The bad guys compare each new patch with the old version to see exactly what was fixed, then look for systems that have not installed the fix.) Keeping your system up to date by installing Windows and software updates promptly will mitigate much of that risk, and uninstalling browser plugins you do not actually use removes the target altogether. (But be careful with that too: there are a lot of malicious ads posing as fake updates out there. Get updates from the program’s own update function or the vendor’s site, never from a pop-up. That’s another write-up entirely.)

Example of encrypted ransomware system.

I’m careful so I’m safe, right?

Even though you know what to look out for and you’re super careful… it can still happen to you. Maybe someone else uses your system and causes an issue. Or maybe you’re working late and in your sleepy stupor you click the wrong thing. Never fear, because you’re prepared with the other important defense: backups! Ransomware aside, you should really have proper backups already. Hardware can fail and data can get corrupted in hundreds of non-malicious ways. Backups help you recover from all of that, but they are critically important when dealing with ransomware. Once hit, you have three options: restore from backup, pay the ransom and hope for the best, or go cry in the corner because all your personal data is gone. I don’t want to see anyone crying in the corner, and paying the ransom is a crap-shoot at best (it doesn’t always get your data back, you’re out a lot of money, PLUS you’re funding organized crime), SO we’re left with making sure you have a backup.

Unfortunately this isn’t as easy as it should be, because the ransomware authors are actually pretty smart people. They know you may have a backup and will try to make sure you lose access to that too: anything the malware can write to while it runs, whether a USB drive left plugged in, a mapped network drive, or a cloud-sync folder, is fair game. On top of that, some of them will crawl the network and encrypt files that aren’t even on your computer, but rather on a network share, like a server or another computer near you.

How do I know my data is safe?

The most common way is to get an external (USB) hard drive and set your system up to back up to it. There are many ways to do this (file level, system image, incremental, differential… that’s also another write-up entirely), but just make sure you do it. First, almost never use the software that comes bundled with an external drive. It likely won’t work the way it should, will be overly resource intensive, or simply won’t back up everything it should.

We used to recommend the integrated Windows backup, as it worked well and was easy to use. Unfortunately ransomware got smart, and the last infection we worked on encrypted the Windows backup as well as the personal files. (Luckily we were able to perform data recovery, so there may still be hope.) Because of this, we’ve started using another free backup solution called Veeam Endpoint Backup (VEB). There are some hoops to jump through to get it, but it really is free and works extremely well. As of this writing we are not aware of ransomware that specifically targets the backups it makes. That could easily change, which leads me to another reason we’ve come to love VEB: it can be set to back up whenever the external hard drive is plugged in. That means you do not have to leave the external drive connected to your system, and a drive that is not connected is one the ransomware cannot reach.

This protects the data on it with what is known as an “air gap.” Ultra-secure systems are kept isolated from everything else, meaning only air surrounds them, hence the term. The same protection is yours if you leave your backup drive unplugged while using your system normally, then plug it in and let the backup do its thing. (It can even shut it down for you when finished. Very fancy!) There are other backup programs out there that work very well. Whatever you use, the test that matters is a restore: every so often, pull a few files back out of the backup, open them, and confirm they are what you expected. As long as you’re doing a backup, disconnecting it when finished, and verifying it worked, you’re ahead of many others we see on a daily basis.
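As an added example (not from the article, and not how Veeam Endpoint Backup or Windows backup work internally), here is a Python script showing what “verifying it worked” can mean in practice. At backup time it writes a manifest of SHA-256 hashes, sizes and a per-file entropy figure next to the backup on the external drive; later it compares either copy against that manifest and reports files that are missing, changed, newly appeared, or changed into the high-entropy content that encryption produces. The demo builds a small Documents folder in a temporary directory, backs it up, then simulates an infection on the live copy only (one file overwritten with random bytes, one deleted, a ransom note added). The folder layout, file names and the 7.0 bits-per-byte entropy threshold are assumptions made for the demo.

```python
"""Verify a backup against a hash manifest, and spot ransomware-style damage.

The manifest is written at backup time and kept with the (then unplugged)
backup drive, so a later comparison shows exactly which files changed, went
missing, or were replaced by high-entropy (encrypted) content. Sample data is
constructed in a temporary folder; nothing outside it is touched.
"""
import hashlib
import json
import math
import os
import shutil
import tempfile
from collections import Counter
from pathlib import Path

ENTROPY_ENCRYPTED = 7.0   # bits per byte (assumed); plain text sits around 4-5


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 is the maximum (uniformly random bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def file_record(path: Path) -> dict:
    data = path.read_bytes()
    return {"sha256": hashlib.sha256(data).hexdigest(),
            "entropy": round(shannon_entropy(data), 3),
            "size": len(data)}


def build_manifest(root: Path) -> dict:
    """Relative POSIX path -> record, for every regular file under root."""
    return {p.relative_to(root).as_posix(): file_record(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def write_manifest(root: Path, dest: Path) -> None:
    dest.write_text(json.dumps(build_manifest(root), indent=1, sort_keys=True))


def verify(manifest: dict, root: Path) -> dict:
    """Compare a tree against a manifest. 'suspect' = changed and now high-entropy."""
    current = build_manifest(root)
    result = {"ok": [], "missing": [], "changed": [], "suspect": [], "new": []}
    for rel, rec in manifest.items():
        cur = current.get(rel)
        if cur is None:
            result["missing"].append(rel)
        elif cur["sha256"] == rec["sha256"]:
            result["ok"].append(rel)
        else:
            result["changed"].append(rel)
            # A document that used to look like text and now looks like noise
            # is the signature of in-place encryption, not a normal edit.
            if cur["entropy"] >= ENTROPY_ENCRYPTED > rec["entropy"]:
                result["suspect"].append(rel)
    result["new"] = sorted(set(current) - set(manifest))
    return result


def demo() -> dict:
    """Constructed scenario: back up, unplug, get hit, then check both copies."""
    work = Path(tempfile.mkdtemp())
    src, bak = work / "Documents", work / "USB_backup"
    src.mkdir()
    (src / "thesis.txt").write_text("Chapter 1. " * 400)
    (src / "photos").mkdir()
    (src / "photos" / "family.jpg").write_bytes(b"\xff\xd8" + b"JFIF sample " * 300)
    (src / "budget.csv").write_text("month,amount\n" + "jan,100\n" * 100)

    shutil.copytree(src, bak / "Documents")
    write_manifest(src, bak / "manifest.json")   # manifest lives with the backup

    # Simulated attack on the live copy only; the backup drive is "unplugged".
    (src / "thesis.txt").write_bytes(os.urandom(4096))      # encrypted in place
    (src / "budget.csv").unlink()                           # deleted
    (src / "HOW_TO_DECRYPT.txt").write_text("pay 1 BTC")    # ransom note

    manifest = json.loads((bak / "manifest.json").read_text())
    report = {"live": verify(manifest, src),
              "backup": verify(manifest, bak / "Documents")}
    shutil.rmtree(work)
    return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The live copy shows thesis.txt as changed and suspect, budget.csv as missing and the ransom note as new, while the backup copy checks out file for file. Keeping the manifest on the backup drive rather than on the computer is deliberate: it is the one record the ransomware cannot have rewritten.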

If you would prefer a paid solution, we recommend a few software programs that we feel are performing the best at this time. We do not base our recommendations on our profit margins, but on the level of protection they provide to our clients. We also offer managed services to our business clients, and a personal protection package that starts at $19 a month. We are currently adding more features to that offering, and the cost will not go up. Please inquire for more information.

Ransomware has been the fastest-rising malware on the planet, and it is likely one of the worst imaginable. It’s like a hard drive crash with no warning, but also with no way to recover your files. All your family pictures are just gone, all your school documents vanish, all your office work disappears. Please educate yourself on how to protect against it, make sure you have a good backup method in place, and spread the knowledge. (More information can be found in Microsoft’s “Malware Protection Center” article on ransomware: https://www.microsoft.com/security/portal/mmpc/shared/ransomware.aspx)

We are happy to answer questions, assist with setting up and verifying backups, or if worst comes to worst, help with data recovery. We have forensic tools, and owner Adrian Santangelo has 20 years of experience and knowledge with data security no one else in the region can match.

For a consultation please call (360) 419-5555. Thank you and stay safe out there.


How can I protect my business?

The same advice of smart computing will carry over from personal safety to business.

Share the following link with your team (www.InterpretingTech.com/ransomware) as we are actively adding to that page with examples and updates.

With respect to your own backup verification and network security, that advice is more complicated and individualized than can be shared in this format.

Please call (360) 419-5555 or email team@intptt.com for help securing your important data.

About the author:

Adrian Santangelo has nearly 20 years of computer forensic experience, which started with deep roots in information and network security. He has been a self-employed computer security and forensic consultant all his adult life. After starting ISC Unlimited as a computer security consulting firm in 1996, he quickly branched out into digital forensics and cyber sleuthing. He has been an active participant in many online forums and mailing list discussions, with plenty of information about him readily available through a simple Google search. Due to the sensitive nature of computer forensics and security, most of Adrian’s online security history is performed under an alias.

He currently owns and operates Interpreting Technology, an information technology consulting firm. In February 2012, he was sworn in as a Skagit County Sheriff’s Deputy, commissioned for computer crime and forensics. He is currently a computer crime and forensic consultant to both law enforcement and attorneys.

His current career goal is to branch out as either a law enforcement team leader for digital forensics, focusing on northwest Washington state, or continue to be a professional forensics consultant to the public and private sector. He is well known locally for his network security and computer repair talents. Currently held (or close to acquiring) certifications include: MCP, MNE, A+, Security+, Network+, MCSE, CEH, CISSP, CCII, CFCE, CCE, and CHFI.
