Tag: CryptoLocker

  • The 4 Most Effective Tips to Protect Your Computer from Ransomware


    Ransomware, a class of malware that restricts access to a computer or its data until a ransom is paid, has been around for many years. One of the first known examples, the “AIDS” trojan, dates from 1989. For most of the time since then ransomware stayed in the background and drew little attention. In 2013 the ransomware called CryptoLocker began making news as it infected computers and encrypted the victims’ personal data files. Once the files were encrypted, a ransom message was displayed telling the user to pay a specified amount of money to get them back.

    Encrypting files isn’t new, of course, but malware authors are now using encryption to extort money from unsuspecting computer users. The problem is that the encryption used is strong enough that it cannot be broken by brute force, so either the data is lost or the ransom has to be paid (and paying only buys a promise). More ransomware families are making the rounds, and more robust and efficient ones, with no weaknesses left in their encryption, can be expected in the future.

    While this may sound disturbing, there are many ways that you can protect your computer from ransomware.

    1. Backup Your Files

    This first method is probably the most important one: back up your files. With a backup you can simply restore your files if they do get encrypted by ransomware. Of course, you must restore onto a clean system, or the still-running ransomware will encrypt the restored files again.

    Back up to “cold storage” to prevent ransomware from encrypting (or deleting) your backup files as well. Cold storage means that the backed-up files are not reachable from your computer all the time. For example, if you back up to an external hard drive, connect the drive only while the backup runs and then disconnect it. An online backup service can also count as cold storage, provided the service keeps older versions of your files: if ransomware encrypts a file in a folder that is continuously synchronized, the encrypted copy is uploaded too, and without version history the good copy is gone.

    For me, all my backed up files are stored away on cold storage. The first is an external hard drive that sits beside my computer, but is always off until I want to get access to the files or backup new files. A second backup is stored on a portable external hard drive that is connected less often – only when I have many gigabytes of data since the last backup. A third backup is stored online with Backblaze.

    2. Use a Sandbox or Virtual Machine

    A great way to protect your data from ransomware is to limit what the ransomware can get access to. Two of the best ways to do this are to browse the Web and check e-mail in either a sandbox or a virtual machine.

    A sandbox is the easier of the two to set up, as it runs directly in your computer’s operating system. Basically, a sandbox is a separate, tightly controlled area on your computer in which you run applications. An application running in the sandbox has limited access to other resources on your computer, including your files: it may be able to read a file on your hard drive, but its writes go to a copy inside the sandbox, not to the original. You can also control which applications are allowed to run within the sandbox, access the Internet, and do other tasks on your computer.

    Sandboxie is a well-known Windows sandbox application that works this way and has been shown to contain ransomware: ransomware launched inside Sandboxie encrypts the sandboxed copies of your files rather than the originals, and emptying the sandbox discards the damage. Keep in mind that a sandboxed process can still read whatever files the sandbox lets it see.

    If you are technical, you may want to set up a virtual machine. A virtual machine is basically another computer that runs within your current computer; your main computer becomes the host. Everything that happens in the virtual machine stays within the virtual machine, as long as you do not bridge the two by sharing host folders or drives with the guest.

    In the virtual machine you can install a Linux distribution such as Ubuntu for good security, and then access the Web and your e-mail from there. If you do download ransomware, a Windows executable will not even run in the Linux guest, and if something does execute, it cannot see the data files on your host computer unless you have shared them with the guest.

    You can create virtual machines for free with VirtualBox.

    3. Don’t Use an Administrator Account

    Limited (standard) user accounts have existed in Windows since the NT line, but for years most home users ran as administrator because many applications would not work otherwise. An administrator account has unlimited access to the computer. Starting with Windows Vista, and more smoothly with Windows 7, Microsoft added User Account Control (UAC) and fixed enough of the compatibility problems that day-to-day use of a limited account became practical.

    If you are using Windows Vista or later, you should not be logged in with an administrator account for everyday work; use a limited user account. The reason is simple: any application you run runs with the rights of your user account. If you start a ransomware program while logged in as an administrator, the ransomware has unrestricted access to your computer.

    Using a limited user account will not protect your own data files if you accidentally run ransomware: CryptoLocker needs no administrator rights to encrypt the documents your account can write. It does limit what else the malware can touch. A limited account cannot read other users’ profile folders, change system settings, install drivers or disable security software, which limits both the damage and the malware’s ability to dig in.

    To stress the point: an analysis of the vulnerabilities Microsoft reported in 2013 found that over 90% of those rated Critical could have been mitigated by running as a limited user rather than an administrator.

    I have used a limited user account for 4 years with Windows 7, and haven’t had any issues with running applications. So if you are using Windows 7 or later, don’t log in with an administrator account.

    4. Don’t Open Suspicious E-mails

    While this tip is repeated for stopping malware of every kind, it is still surprising how many people don’t follow it. CryptoLocker spread through e-mail attachments and infected hundreds of thousands of computers. It could have been stopped, or at least severely limited, if people simply did not open e-mail, or run attachments, from unknown senders.

    Many e-mail attachments are designed to trick users into opening them. Such attachments often carry two extensions, such as .pdf.exe or .doc.exe. With Windows’ default setting of hiding extensions for known file types, all the user sees is the first extension, together with an icon the malware author has embedded in the program to match it. For example, a file called example.pdf.exe shows up as example.pdf with an Adobe Reader-style icon. The .exe at the end means the file is not a PDF document but an application that runs when opened; Windows decides what to do with a file by its last extension, not by its icon.

    One of the first things I do after I install Windows is to display hidden extensions of known file types, so I can exactly see all the extensions for all the files on my computer. This helps to determine if a file has a double or a single extension.

    There are many ways you can protect your computer from various forms of malware. What are some of the tips that you use to protect your computer from ransomware?

  • CryptoLocker – Holding Your Computer for Ransom


    In September 2013 a new piece of malware was discovered making the rounds on computers running Microsoft Windows. It is a trojan rather than a self-spreading virus: it typically requires the user to open a malicious e-mail attachment. What makes it particularly dangerous is what it does once it is running: it holds your files for ransom.

    This may sound odd at first, but this type of malware, called ransomware, is very serious. The malware discovered in September is called CryptoLocker, and it has been causing pain for users around the world.

    Money for Your Data

    In case you haven’t heard of ransomware, it is malware that infects your computer and then restricts access to the computer or to its data. Once the restrictions are in place, the malware demands a ransom to remove them. If the ransom is paid, the attackers promise to remove the restrictions; nothing forces them to keep that promise.

    With CryptoLocker, the restriction is on access to your data files. When CryptoLocker infects your computer it silently begins encrypting your local data files, without any sign that this is happening. Even with an anti-virus product installed, it may not detect CryptoLocker at all, or it may detect it only after files have already been encrypted.

    CryptoLocker encrypts files using public-key cryptography. When it first runs it connects to a command-and-control server, which generates an RSA key pair for that infection and hands back only the public key. Files are encrypted under that key (in practice each file gets its own AES key, and that AES key is encrypted with the RSA public key and stored alongside the file). Decryption requires the matching private key, which stays on the command-and-control server and is never stored locally, so you cannot decrypt the data yourself; without the private key it is impossible.

    Once your data is encrypted you are presented with a message demanding a specified amount of money to remove the encryption, typically about $100 or $300 USD, payable through MoneyPak, Ukash, cashU or Bitcoin. If the deadline shown in the message passes without payment, the private key needed to decrypt your data is destroyed and the data cannot be recovered.

    What files does CryptoLocker encrypt? It looks for files with these extensions and name patterns: 3fr, accdb, ai, arw, bay, cdr, cer, cr2, crt, crw, dbf, dcr, der, dng, doc, docm, docx, dwg, dxf, dxg, eps, erf, indd, ????????.jpg, ????????.jpe, img_*.jpg, kdc, mdb, mdf, mef, mrw, nef, nrw, odb, odc, odm, odp, ods, odt, orf, p12, p7b, p7c, pdd, pdf, pef, pem, pfx, ppt, pptm, pptx, psd, pst, ptx, r3d, raf, raw, rtf, rw2, rwl, sr2, srf, srw, tif, wb2, wpd, wps, x3f, xlk, xls, xlsb, xlsm, and xlsx (the ????????.jpg, ????????.jpe and img_*.jpg patterns match the names digital cameras give photos). This long list covers most of the common data files everyone uses, and note that it also includes certificates and private keys (cer, crt, der, p12, pem, pfx).

    Not only can data files on your local internal hard drive be encrypted; it has also been reported that files on attached external hard drives and on mapped network drives are encrypted too, so a backup drive left plugged in is just another target.
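    The extension list above also gives a cheap sanity check to run before a backup rotates in, which is the point made in the backup tip in the first post: if the files you are about to copy are already CryptoLocker output, you overwrite the good backup with ciphertext. CryptoLocker leaves file names and extensions alone, so an encrypted report.pdf is still called report.pdf; what changes is the content. The following is an added example, not code from this post or from any backup product. It assumes a small subset of the targeted extensions, the header bytes ("magic") genuine files of those types begin with, an entropy threshold of 7.5 bits per byte for formats that have no fixed header, and constructed sample files (pseudo-random bytes stand in for ciphertext).

```python
import math
import random
import tempfile
import zipfile
from collections import Counter
from pathlib import Path

# Subset of the extensions CryptoLocker targets (from the list in the post), mapped to the
# fixed header a genuine file of that type starts with. None means the format has no
# reliable header, so byte entropy is the only signal we have.
TARGETS = {
    ".pdf": b"%PDF",
    ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04", ".pptx": b"PK\x03\x04",  # Office 2007+ files are ZIPs
    ".doc": b"\xd0\xcf\x11\xe0", ".xls": b"\xd0\xcf\x11\xe0", ".ppt": b"\xd0\xcf\x11\xe0",  # OLE compound files
    ".rtf": b"{\\rtf",
    ".jpg": b"\xff\xd8\xff", ".jpe": b"\xff\xd8\xff",
    ".psd": b"8BPS",
    ".dbf": None, ".raw": None, ".wpd": None,
}
HEAD_BYTES = 4096
ENTROPY_THRESHOLD = 7.5  # assumed cut-off: ciphertext sits near 8.0, text and most documents well below


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty or constant input, 8.0 for uniform random bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def check_file(path: Path):
    """Return a reason string if `path` looks like an encrypted copy of a targeted file, else None."""
    ext = path.suffix.lower()
    if ext not in TARGETS:
        return None  # not a file type on the target list; out of scope for this check
    head = path.read_bytes()[:HEAD_BYTES]
    magic = TARGETS[ext]
    if magic is not None:
        if not head.startswith(magic):
            return f"{ext} file does not start with {magic!r}"
        return None  # header intact: the body may be compressed (high entropy) but it is not ciphertext
    entropy = shannon_entropy(head)
    if entropy > ENTROPY_THRESHOLD:
        return f"{ext} file has entropy {entropy:.2f} bits/byte (threshold {ENTROPY_THRESHOLD})"
    return None


def scan_tree(root: Path) -> dict:
    """Map every suspicious file under `root` (as a relative path) to the reason it was flagged."""
    findings = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            reason = check_file(p)
            if reason:
                findings[str(p.relative_to(root))] = reason
    return findings


def build_sample_tree(root: Path) -> None:
    """Constructed sample data: two healthy documents and two that look like CryptoLocker output."""
    rng = random.Random(20131015)
    ciphertext = bytes(rng.getrandbits(8) for _ in range(HEAD_BYTES))  # stand-in for encrypted content
    (root / "healthy.pdf").write_bytes(b"%PDF-1.4\n" + b"1 0 obj << /Type /Catalog >> endobj\n" * 40)
    with zipfile.ZipFile(root / "healthy.docx", "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("word/document.xml", "<w:document><w:body><w:p>quarterly numbers</w:p></w:body></w:document>")
    (root / "encrypted.pdf").write_bytes(ciphertext)  # same name and extension as before, header gone
    (root / "encrypted.dbf").write_bytes(ciphertext)  # no header to check; entropy gives it away


def demo() -> dict:
    """Build the sample tree in a temporary directory and return what the scan flags."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    for name, reason in demo().items():
        print(f"SUSPICIOUS {name}: {reason}")
```

Run it against the source folder before connecting the backup drive; any finding means the machine is not clean and the backup should not be refreshed. The check is deliberately one-sided: a file with its header intact is not proof that nothing is wrong, only that it is not ciphertext, and an Office file that really is a ZIP passes even though its compressed body has high entropy.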

    Protecting Yourself From CryptoLocker

    The best defense, as with most malware, is not to open strange e-mail messages. CryptoLocker is sent through well-crafted e-mails.

    The e-mail may describe a customer-support issue or claim to come from a courier company such as FedEx or UPS. It includes a ZIP attachment containing the CryptoLocker program. The program is disguised as a PDF file, complete with a PDF icon, but has a name like FORM_101513.pdf.exe, and the final .exe is what Windows acts on.

    As mentioned above, if you don’t recognize the sender, or the message doesn’t make sense to you, just delete it without opening the attachment.
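    The double-extension trick described here, and in the e-mail tip of the first post, comes down to one rule: Windows runs a file according to its last extension, while Explorer’s default “hide extensions for known file types” setting shows the name without it. The following added example (not code from either post) mimics that display behaviour, flags names that would run as a program while looking like a document, and applies the check to the members of a ZIP attachment. The sets of executable and document extensions, and the sample ZIP built in memory (whose “executable” is a placeholder byte string, not a real program), are assumptions for the example.

```python
import io
import zipfile

# Extensions Windows executes on double-click. The last extension decides, whatever the icon shows.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".jse", ".wsf"}
# Document types an attacker imitates with the inner extension (example set, not exhaustive).
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".rtf", ".txt", ".jpg"}


def extensions(name: str) -> list:
    """All extensions of a file name, lower-cased: 'FORM_101513.pdf.exe' -> ['.pdf', '.exe']."""
    _stem, *exts = name.split(".")
    return ["." + e.lower() for e in exts]


def explorer_display_name(name: str, hide_known_extensions: bool = True) -> str:
    """What Explorer lists with 'Hide extensions for known file types' on: the final extension is
    dropped, so example.pdf.exe is shown as example.pdf (assumes the final extension is a registered type)."""
    if not hide_known_extensions or "." not in name:
        return name
    return name.rsplit(".", 1)[0]


def is_disguised_executable(name: str) -> bool:
    """True when the file will run as a program but its displayed name suggests a document."""
    exts = extensions(name)
    return len(exts) >= 2 and exts[-1] in EXECUTABLE_EXTS and exts[-2] in DOCUMENT_EXTS


def inspect_zip_attachment(data: bytes) -> dict:
    """For each member of a ZIP attachment: the name Explorer would show, the extension Windows
    would act on, and whether the two disagree in the way the post describes."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for member in z.namelist():
            exts = extensions(member)
            report[member] = {
                "shown_as": explorer_display_name(member),
                "runs_as": exts[-1] if exts else "",
                "disguised": is_disguised_executable(member),
            }
    return report


def build_sample_attachment() -> bytes:
    """Constructed stand-in for the courier-themed ZIP: one disguised executable, one real-looking PDF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("FORM_101513.pdf.exe", b"MZ placeholder, not a real executable")
        z.writestr("tracking_details.pdf", b"%PDF-1.4 placeholder document")
    return buf.getvalue()


if __name__ == "__main__":
    for member, info in inspect_zip_attachment(build_sample_attachment()).items():
        flag = "DISGUISED EXECUTABLE" if info["disguised"] else "ok"
        print(f"{member}: shown as {info['shown_as']!r}, runs as {info['runs_as']!r} -> {flag}")
```

The inspection is name-based only, which is exactly the gap the attacker exploits in the other direction: it catches the .pdf.exe pattern but says nothing about a real PDF or Office document that carries an exploit, so it complements, rather than replaces, the advice to leave unexpected attachments unopened.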

    Also, you should ensure that you always back up your data. I recommend you use Backblaze (I use them) to back up your files. If CryptoLocker, or other malware, destroys your files, then you can always restore them with Backblaze.