A Nightmare Has Arrived – Locky Ransomware
Most of our customers have probably heard about attacks by viruses that hold people to ransom after encrypting some or all of their hard drives. The first known ransomware was the 1989 “AIDS” Trojan (also known as “PC Cyborg”). Since that time the level of sophistication has increased more than is conceivable. The newest version is called Locky ransomware. There is only one word that properly describes this new virus, and that is NASTY. Not only will it encrypt the drive of the person initially infected; it migrates across a network doing the same to every drive it encounters, including things like Network Attached Storage or a USB-connected external hard drive used for backup. We know firsthand that the infection behaves as described because one of our customers – a large church – experienced exactly this situation. After spending a pile of money and using the most current backup available, we were able to get their systems back to approximately the state that existed before the infection.
While there are a couple of things you can do to prevent infection, the most important task is to perform a complete backup of critical data periodically – maybe weekly – and then disconnect the media used for the backup from the network. If you leave it connected, the infection will spread to the backup media and encrypt it along with everything else.
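As an added illustration of the "copy, verify, then disconnect" routine described above (example script, not from the original post), the following POSIX shell functions copy a source tree onto backup media, write a SHA-256 manifest so a later check can tell whether the copies were altered, and unmount the media straight afterwards. The paths and the mount point are assumptions for the example; it expects GNU `sha256sum` and, for a real mount, `mountpoint`/`umount`.

```shell
#!/bin/sh
# Added example, not the page's own code. Assumed layout: source tree in $1,
# backup media mounted at $2. Uses only POSIX tools plus sha256sum.
set -u

# Copy SRC into a dated folder on the media and record a checksum manifest.
# Prints the backup folder path on success.
backup_to_media() {
    src="$1"; mnt="$2"; stamp="${3:-$(date +%Y%m%d)}"
    dest="$mnt/backup-$stamp"
    mkdir -p "$dest" || return 1
    cp -R "$src/." "$dest/" || return 1
    # The manifest file exists (empty) while find runs, so exclude it.
    ( cd "$dest" && find . -type f ! -name MANIFEST.sha256 -exec sha256sum {} + ) \
        > "$dest/MANIFEST.sha256" || return 1
    echo "$dest"
}

# Re-check a backup folder against its manifest. Returns 0 only if every file
# still matches; a file overwritten by ransomware would fail this check.
verify_backup() {
    dest="$1"
    ( cd "$dest" && sha256sum -c --quiet MANIFEST.sha256 ) >/dev/null 2>&1
}

# Disconnect the media right after the backup: flush writes, then unmount if the
# path is a mount point. A plain directory (as in a dry run) is only reported.
detach_media() {
    mnt="$1"
    sync
    if mountpoint -q "$mnt" 2>/dev/null; then
        umount "$mnt"
    else
        echo "not a mount point, nothing to unmount: $mnt"
    fi
}
```

Run `verify_backup` again before restoring from the media; a failed check means the copy is no longer the one you wrote.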
How do users become infected? Remember that you must give the software permission to run. In many cases the infection is spread in an email attachment; when you open it, the infecting programs are off and running.
Ransomware is typically disguised as an email attachment. Once opened, the virus spreads, locks the computer and holds it hostage. In many cases the ransom comes with a deadline: the amount a user must pay increases if the ransom isn’t paid within the hacker’s time period.
Does paying the ransom work? Sometimes yes, other times no. The situation is a “crapshoot”.
Although not opening attachments from unknown senders is a basic security measure, some variants are very effective in that such emails and attachments seem legitimate. For instance, cybercriminals hit businesses that use online sites for recruitment. Cybercriminals search for job postings, then send resumes carrying the virus. Thinking the sender is a job applicant, businesses open the attached resume, triggering the ransomware.
So, you paid good money for an antivirus; why won’t it protect you against this stuff? Spreading the infection and collecting from victims is a very lucrative “occupation”, so very clever people are involved, making protection by antivirus next to impossible.
These operations create a malicious website, run a spear-phishing campaign to get the malicious software distributed (including inserting themselves into known good sites) and then disappear after six hours. It takes any antivirus company a few hours to find out about the new variant and update its malware definitions, and your PC may only get these updates a few hours later, depending on your settings.
Even when an antivirus updates its definitions so that the malicious code can be detected, the virus “mutates” or changes itself very often. Getting ahead of the bad code is next to impossible.
Second only to backing up data is education of your workforce. Make sure they clearly understand that they should never, ever open an email from an unknown source, or open an attachment to an email from an unknown source.
If you suspect Locky ransomware or other malware, it is important to immediately shut down your computer to prevent the virus from spreading throughout your network, and to notify us or just bring it to the Friendly Computers shop. We can connect an infected drive to our tech stations and attempt to recover data that has not yet been encrypted by the ransomware, without risk of infecting our network or causing further infection or data loss on your hard drive.