About eighteen months ago a ransomware trojan called CryptoLocker started infecting corporate computer systems worldwide. CryptoLocker is malware that encrypts files on mapped network drives and then demands money in exchange for the decryption keys. This malicious cyber-attack is spread via infected email attachments. A single infected PC on a corporate network can encrypt thousands of critical company files (Word, Excel, PDF) in only a matter of hours and worst of all, the only way to recover files is to pay the ransom. And then hope you receive the keys, or restore from a backup, if available. All of which is not ideal, and often critical data can still be lost and the monetary impact of being offline for even a few hours can be huge.
Around six months after the first outbreak, the private keys for CryptoLocker were obtained and made freely available to the public. This was great news and meant that new victims could request keys and decrypt files without having to restore.
However, since then similar crypto malware attackers have popped up, using different keys. One variant that started doing the rounds last year spread via a fake Australia Post parcel email. many people clicked the email expecting to see legitimate parcel tracking information.
The threat from crypto ransomware is still very real and new infections are popping up daily.
Many people think that having an up to date antivirus on PCs and servers will protect them against crypto ransomware. In my experience, this is not the case. Many well-known AV packages will not protect against crypto ransomware without specific configuration settings. Default settings in most cases provide little protection. I have seen infected PCs with up to date AV protection, the AV software none the wiser.
So, how can you protect yourself and your data?
- Make sure your antivirus software is up to date and configured to protect against Crypto variants. In many cases these settings are not enabled by default. Often these settings look at program behaviour and don’t rely on pattern matching to detect a virus.
- If the user that executes the virus doesn’t have permission to a folder in a shared directory they won’t be able to encrypt it. Only give employees the permissions they require to do their job.
- Make sure you are scanning your email for viruses and malware and, if possible, block file types such as EXEs from coming in through email. Similarly, deploy web protection that scans websites and blocks malicious sites and content.
- It is a good idea to install a second level of malware protection on PCs. No AV vendor is perfect and I’ve found products that are designed to run alongside the primary antivirus program, provide an excellent second level of protection.
- Most malware and crypto variants copy themselves to a set of folders called the user profile. It’s possible to place policies on these folders to ensure only good known programs run. This is very effective and stops many malicious programs from running.
You can read more about Professional Advantage and hosting and managed services here.