Malware and Virus Info

Protect your business from WannaCry Ransomware

I’m sure you’re aware of the ransomware attack that occurred recently, affecting organisations all over the country, including the NHS, and thousands of businesses across Europe.

These kinds of attacks can be very worrying for any small business.

How does the WannaCry ransomware virus spread?

The virus normally spreads hidden within Word documents, PDFs and other files sent by email, or as a secondary infection on computers already compromised by viruses or malware that leave a back door open for further attacks.

Emails are getting really sophisticated and it can be difficult to tell which are genuine and which aren’t.

What happens when you get infected?

The virus encrypts your files and folders so you can’t access them. Instead, you get a prompt which includes a ransom demand, a countdown timer and a Bitcoin wallet address to pay the ransom into.

To get access to your files and folders back, you need to pay a ransom of around $300 (the amount varies, which makes payments harder to track). If you don’t pay before the timer expires, you lose your data. Some people have reported that even after paying the ransom they still didn’t get their data back.

Could the NHS have done anything about this?

Microsoft had released a patch recently which would have helped; however, it seems that the NHS didn’t implement it in a timely manner.

What can my small business do?

There are four main things you can do to help protect your business against ransomware.

1. Don’t open any emails or attachments which don’t look genuine. This can be difficult due to the sophistication of recent emails.

2. Install all software patches as soon as possible. Software vendors like Microsoft regularly release patches to protect your computer. Lots of people see these updates as an annoyance and, worryingly, some businesses don’t install them at all. It’s essential that these updates are installed in a timely manner.

3. Use good anti-virus software. Free anti-virus software isn’t any use. You need a good, paid version of anti-virus software which can help protect your computer and business network.

4. Ensure your backup is robust, working and fully tested. If the worst happens and your business gets infected with ransomware, you need to be able to restore your data from backups. It’s essential that the backup is kept separate from the computer that ransomware could infect, ideally cloud-based. Ideally you should also take backups several times a day, so that if you do need to restore, the data isn’t too out of date.
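“Fully tested” in point 4 means somebody actually checks that every file has a copy, that the copy matches the original, and that the last run is recent. The script below is an added example, not part of the original post or any Goldfield product: it walks a source folder and its backup, compares SHA-256 digests, and classifies each file as intact, missing, stale (edited after it was last copied) or corrupt (the copy is newer than the original yet differs). The 8-hour freshness limit and the sample files created by `build_demo_trees()` are constructed for illustration.

```python
"""Verify that a backup copy is complete, intact and recent (added example)."""
import hashlib
import os
import tempfile
from pathlib import Path

MAX_AGE_SECONDS = 8 * 3600   # constructed: "several times a day" turned into a hard limit


def sha256_of(path):
    """Stream a file through SHA-256 so large files need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_backup(source, backup, now, max_age=MAX_AGE_SECONDS):
    """Compare every file under `source` with its copy under `backup`.

    Returns a report with sorted relative paths per class, the age in seconds
    of the newest backed-up file, and an `overdue` flag against `max_age`.
    """
    source, backup = Path(source), Path(backup)
    report = {"missing": [], "stale": [], "corrupt": [], "intact": []}
    newest_copy = None
    for src in source.rglob("*"):
        if not src.is_file():
            continue
        rel = src.relative_to(source).as_posix()
        dst = backup / rel
        if not dst.is_file():
            report["missing"].append(rel)
            continue
        copy_mtime = dst.stat().st_mtime
        newest_copy = copy_mtime if newest_copy is None else max(newest_copy, copy_mtime)
        if sha256_of(src) == sha256_of(dst):
            report["intact"].append(rel)
        elif copy_mtime < src.stat().st_mtime:
            report["stale"].append(rel)      # original edited after the last copy
        else:
            report["corrupt"].append(rel)    # copy is newer yet differs: investigate
    for key in ("missing", "stale", "corrupt", "intact"):
        report[key].sort()
    report["last_backup_age"] = None if newest_copy is None else now - newest_copy
    report["overdue"] = newest_copy is None or report["last_backup_age"] > max_age
    return report


def build_demo_trees(root, t0):
    """Constructed sample data: one intact copy, one stale copy, one file never copied."""
    src, bak = root / "source", root / "backup"
    (src / "accounts").mkdir(parents=True)
    (bak / "accounts").mkdir(parents=True)

    def write(path, data, mtime):
        path.write_bytes(data)
        os.utime(path, (mtime, mtime))

    write(src / "accounts" / "ledger.csv", b"2013-10,sales,1200\n", t0 - 600)
    write(bak / "accounts" / "ledger.csv", b"2013-10,sales,1200\n", t0 - 300)   # intact
    write(src / "invoices.docx", b"revised invoice text", t0 - 60)
    write(bak / "invoices.docx", b"original invoice text", t0 - 300)            # stale
    write(src / "contracts.pdf", b"never backed up", t0 - 120)                   # missing
    return src, bak


def demo(now=1_500_000_000):
    """Run the check on the constructed trees; `now` is a fixed reference time."""
    with tempfile.TemporaryDirectory() as tmp:
        src, bak = build_demo_trees(Path(tmp), now)
        return verify_backup(src, bak, now=now)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it from a scheduled task after each backup window and alert on anything other than an empty `missing`, `stale` and `corrupt` list or an `overdue` flag; a backup nobody reads the report of is not a tested backup.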

Contact Goldfield today if you need any help with virus removal for your business. We also offer business antivirus software with built-in anti-malware.

Here at Goldfield Computing we also offer an off-site backup service which is monitored, so we know your data has been safely backed up with us.

CryptoLocker – What is CryptoLocker malware and how to avoid being infected by malware!

CryptoLocker is part of the family of ransomware whose business model (yes, malware is big business to some hi-tech criminals!) is based on extorting money from users. This continues the trend started by another infamous piece of malware which also extorts its victims, the so-called ‘Police Virus’, which asks users to pay a ‘fine’ to unlock their computers. However, unlike the Police Virus, CryptoLocker hijacks users’ documents and asks them to pay a ransom (with a time limit to send the payment), normally in some form of cryptocurrency, as this makes tracking where the payment goes practically impossible.

Malware installation

CryptoLocker uses a number of social engineering techniques to trick the user into running it. Typically the victim receives an email with a password-protected ZIP, Excel document or PDF attached, purporting to be from a logistics company. More recently the criminals have been using hijacked email accounts to send their infected payloads; these get through many spam filters because they come from legitimate email addresses with genuine-looking attachments, and the malicious script sits behind a link within the attached document.

The Trojan gets run when the user opens the attached ZIP file (or other attachment, such as an Excel document or PDF) by entering the password included in the message and attempts to open the PDF it contains. CryptoLocker takes advantage of Windows’ default behaviour of hiding file extensions to disguise the real .EXE extension of the malicious file.
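The hidden-extension trick works because Explorer’s “Hide extensions for known file types” setting only hides the last extension, so a file called `Invoice.pdf.exe` is shown as `Invoice.pdf` next to whatever icon the executable carries. The following is an added example, not code from the original post: it shows what a user would see with extensions hidden and flags attachment names whose real extension is executable while the displayed name ends in a document extension, including the variant padded with spaces to push the real extension out of view. The extension sets and sample attachment names are constructed.

```python
"""Spot attachment names that rely on Windows hiding the last extension (added example)."""

EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js"}
DOCUMENT_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "zip", "txt", "jpg"}


def split_extension(name):
    """Return (stem, extension-without-dot), or (name, '') when there is no real extension."""
    stem, dot, ext = name.rpartition(".")
    if not dot or not stem:          # 'README' or '.hidden' have no extension to hide
        return name, ""
    return stem, ext


def as_displayed_with_hidden_extensions(name):
    """What the user sees when Explorer hides the final extension."""
    stem, ext = split_extension(name)
    return stem if ext else name


def is_disguised_executable(name):
    """True when the real extension is executable but the displayed name ends in a
    document extension, e.g. 'Report.pdf.exe' or 'Report.pdf      .scr'."""
    stem, ext = split_extension(name.lower())
    if ext not in EXECUTABLE_EXTENSIONS:
        return False
    _, inner = split_extension(stem)
    return inner.strip() in DOCUMENT_EXTENSIONS     # strip() defeats whitespace padding


def triage_attachments(names):
    """Return [(real name, displayed name, disguised?)] for a list of attachment names."""
    return [(n, as_displayed_with_hidden_extensions(n), is_disguised_executable(n)) for n in names]


# Constructed attachment names, not taken from any real campaign.
SAMPLE_ATTACHMENTS = [
    "Delivery note.pdf",
    "Invoice_2013-10.pdf.exe",
    "Report.pdf      .scr",
    "payroll.xlsx.js",
    "setup.exe",
    "archive.zip",
]


def disguised_names(names=SAMPLE_ATTACHMENTS):
    """Just the names that would mislead a user with extensions hidden."""
    return [n for n, _, disguised in triage_attachments(names) if disguised]


if __name__ == "__main__":
    for name, shown, disguised in triage_attachments(SAMPLE_ATTACHMENTS):
        tag = "DISGUISED" if disguised else "ok       "
        print(f"{tag}  shown as {shown!r:28} real name {name!r}")
```

Note that `setup.exe` is not flagged: it is an executable, but it is not pretending to be a document. A mail gateway would normally block bare executables as a separate rule; this check is specifically about the disguise the paragraph describes.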

As soon as the victim runs it, the Trojan goes memory resident on the computer and takes the following actions:

  • Saves itself to a folder in the user’s profile (AppData, LocalAppData).
  • Adds a key to the registry to make sure it runs every time the computer starts up.
  • Spawns two processes of itself: one is the main process, while the other protects the main process against termination.

File encryption

The Trojan generates a random symmetric key for each file it encrypts, and encrypts the file’s content with the AES algorithm using that key. Then it encrypts the random key with an asymmetric public-private key algorithm (RSA), using keys of over 1024 bits (we’ve seen samples that used 2048-bit keys), and adds it to the encrypted file. This way, the Trojan makes sure that only the owner of the private RSA key can obtain the random key used to encrypt the file. Also, because the original files are overwritten, it is impossible to retrieve them using forensic methods.
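The scheme just described is ordinary hybrid (envelope) encryption, and seeing it in a few lines makes clear why “we don’t have the key” is the honest answer from anyone asked to recover the files. The block below is an added toy model, not CryptoLocker’s code: a fresh random key per file, symmetric encryption of the content with that key, then the key wrapped with an RSA public key and stored in front of the ciphertext. Two deliberate stand-ins are labelled: an HMAC-SHA256 counter-mode keystream replaces AES, and textbook RSA with a 512-bit modulus and no padding replaces the 1024-bit-or-larger RSA the post describes. It demonstrates the structure only and is not a secure implementation for real data.

```python
"""Toy model of per-file hybrid encryption: AES-like key per file, RSA-wrapped (added example)."""
import hashlib
import hmac
import secrets

KEY_BYTES = 16        # per-file symmetric key (constructed size)
NONCE_BYTES = 16
MODULUS_BITS = 512    # toy size; the post mentions 1024- and 2048-bit keys
WRAP_BYTES = MODULUS_BITS // 8


def is_probable_prime(n, rounds=20):
    """Miller-Rabin probabilistic primality test."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    """Random odd prime with the top bit set, so p*q fills the modulus."""
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate


def generate_rsa_keypair(bits=MODULUS_BITS):
    """Return ((n, e), (n, d)). The criminal keeps d on the C&C side, never on the victim."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:                          # e is prime, so this is gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))  # modular inverse: Python 3.8+


def keystream(key, nonce, length):
    """PRF in counter mode: block i = HMAC-SHA256(key, nonce || i). Stand-in for AES."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(data, pad):
    return bytes(a ^ b for a, b in zip(data, pad))


def encrypt_file_bytes(plaintext, public_key):
    """Envelope-encrypt one file: output = nonce || RSA(file_key) || ciphertext."""
    n, e = public_key
    file_key = secrets.token_bytes(KEY_BYTES)                 # fresh key for every file
    nonce = secrets.token_bytes(NONCE_BYTES)
    wrapped = pow(int.from_bytes(file_key, "big"), e, n).to_bytes(WRAP_BYTES, "big")
    return nonce + wrapped + xor_bytes(plaintext, keystream(file_key, nonce, len(plaintext)))


def decrypt_file_bytes(blob, private_key):
    """Only (n, d) unwraps the file key; a wrong d gives garbage or an OverflowError."""
    n, d = private_key
    nonce = blob[:NONCE_BYTES]
    wrapped = int.from_bytes(blob[NONCE_BYTES:NONCE_BYTES + WRAP_BYTES], "big")
    body = blob[NONCE_BYTES + WRAP_BYTES:]
    file_key = pow(wrapped, d, n).to_bytes(KEY_BYTES, "big")
    return xor_bytes(body, keystream(file_key, nonce, len(body)))


def recovery_attempt(blob, private_key):
    """Decrypt, returning None instead of raising when the unwrapped value does not fit a key."""
    try:
        return decrypt_file_bytes(blob, private_key)
    except OverflowError:
        return None


if __name__ == "__main__":
    public, private = generate_rsa_keypair()
    document = b"Constructed sample document: Q3 accounts, draft 2"
    blob = encrypt_file_bytes(document, public)
    print("recovered with the right private key:", decrypt_file_bytes(blob, private) == document)
    _, wrong_private = generate_rsa_keypair()
    print("recovered with some other private key:", recovery_attempt(blob, wrong_private) == document)
```

Everything needed to decrypt is on the victim’s disk except `d`, which never arrives there; the public key in the registry and the wrapped keys in the files are useless without it. That is the whole point of the design, and it is why the recovery options in practice are backups or nothing.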

Once run, the first thing the Trojan does is obtain the public key (PK) from its C&C server. To find an active C&C server, the Trojan incorporates a domain generation algorithm (DGA) based on the ‘Mersenne twister’ pseudo-random generator to produce random domain names. This algorithm uses the current date as its seed and can generate up to 1,000 different fixed-size domains every day.
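Because the C&C domains change daily, blocklisting them is a losing game; what a defender can watch for is the pattern itself: a single machine looking up a burst of long, random-looking, fixed-size names. The block below is an added example, not part of the original post and not CryptoLocker’s generator. It scores the registrable label of each queried name on length, character entropy and vowel ratio, then reports clients that trip the rule several times. The log lines, thresholds and the tiny public-suffix list are constructed; tune them against real traffic before acting on the output.

```python
"""Heuristic flagging of DGA-style lookups in DNS query logs (added example)."""
import math
from collections import Counter

TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.nz"}   # constructed, not a full list
MIN_LENGTH = 12
MIN_ENTROPY = 3.5          # bits per character; 4.0 means 16 distinct, equally used characters
MAX_VOWEL_RATIO = 0.2      # real words carry vowels, random letter strings mostly do not
MIN_HITS_PER_CLIENT = 3


def registrable_label(name):
    """The label just below the public suffix: 'www.example.co.uk' -> 'example'."""
    parts = name.lower().rstrip(".").split(".")
    if len(parts) >= 3 and ".".join(parts[-2:]) in TWO_LABEL_SUFFIXES:
        return parts[-3]
    return parts[-2] if len(parts) >= 2 else parts[0]


def shannon_entropy(text):
    if not text:
        return 0.0
    counts = Counter(text)
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())


def vowel_ratio(text):
    return sum(ch in "aeiou" for ch in text) / len(text) if text else 0.0


def looks_generated(label):
    """Long, high-entropy and nearly vowel-free: the shape of a random fixed-size label."""
    return (len(label) >= MIN_LENGTH
            and shannon_entropy(label) >= MIN_ENTROPY
            and vowel_ratio(label) <= MAX_VOWEL_RATIO)


# Constructed log lines in the shape '<timestamp> <client> query <type> <name>'.
SAMPLE_LOG = """
2013-10-15T09:14:02Z 192.168.1.23 query A www.goldfieldcomputing.co.uk
2013-10-15T09:14:03Z 192.168.1.23 query A update.microsoft.com
2013-10-15T09:14:05Z 192.168.1.23 query A kqzvxwtrbpnmsdlf.org
2013-10-15T09:14:05Z 192.168.1.23 query A rtwqjpxzmvkbfgnd.net
2013-10-15T09:14:06Z 192.168.1.23 query A hlnqvkxjztwprmbs.biz
2013-10-15T09:14:09Z 192.168.1.40 query A mail.google.com
""".strip().splitlines()


def flag_queries(lines):
    """Return (client, name) for each query whose registrable label looks generated."""
    flagged = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5 or fields[2] != "query":
            continue
        client, name = fields[1], fields[4]
        if looks_generated(registrable_label(name)):
            flagged.append((client, name))
    return flagged


def suspicious_clients(lines, min_hits=MIN_HITS_PER_CLIENT):
    """Clients with at least `min_hits` flagged lookups: one odd name is noise, a burst is the signal."""
    hits = Counter(client for client, _ in flag_queries(lines))
    return sorted(client for client, count in hits.items() if count >= min_hits)


if __name__ == "__main__":
    for client, name in flag_queries(SAMPLE_LOG):
        print(f"{client} -> {name}  label={registrable_label(name)!r}")
    print("clients to investigate:", suspicious_clients(SAMPLE_LOG))
```

Entropy alone is not enough: `goldfieldcomputing` scores above the entropy threshold simply because it is long, and only the vowel ratio keeps it off the list. Expect false positives from CDN and tracking hostnames as well, which is why the per-client count, rather than any single lookup, is what should raise a ticket.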

After the Trojan has downloaded the PK, it saves it in the following Windows registry key: HKCU\Software\CryptoLocker\Public Key. Then it starts encrypting files on the computer’s hard disk and on every network drive the infected user has access to.

CryptoLocker doesn’t encrypt every file it finds, but only non-executable files whose extensions appear in a list hard-coded in the malware.

Additionally, CryptoLocker records each file it encrypts under a registry key.

When the Trojan finishes encrypting every file that meets the conditions, it displays a message asking the user to make a ransom payment, with a time limit to send the payment before the private key kept by the malware writer is destroyed.

Oddly enough, the malware doesn’t ask every user for the same amount of money; it incorporates its own currency conversion table.

How to avoid CryptoLocker and other malware infections

This malware spreads via email by using social engineering techniques. Therefore, our recommendations are:

  • Be particularly wary of emails from senders you don’t know, especially those with attached files.
  • Disable hidden file extensions in Windows; this will also help you recognise this type of attack.
  • Remember the importance of having a backup system in place for your critical files. This will help mitigate the damage caused not only by malware infections, but by hardware problems or any other incidents as well.
  • If you become infected and don’t have a backup copy of your files, our recommendation is not to pay the ransom. That’s NEVER a good idea, as it turns the malware into a highly profitable business model and contributes to the flourishing of this type of attack.

If you find yourself infected with the CryptoLocker family of malware, contact Goldfield to see how we can help get your systems back up and running. We also offer an off-site backup service which backs up your data to a secure off-site location.