Ransomware is malware that locks users out of their computers, or encrypts their data, and then demands payment to restore access. Australian businesses are being targeted by it, and it is now also being reported spreading over Skype.
This isn't exactly new. The first version appeared in 1989, and later strains added features such as remote control of infected machines. The current wave isn't as sophisticated as that, and it spreads through botnets, but it's still pretty grim.
The current "extortion-based" type of ransomware started in Europe/Russia some time ago, but it's spreading, with 20,000 attacks being reported daily. All it takes to get infected is clicking a link.
ABC Australia describes the Australian experience:
The data ransom first hit four Queensland medical centres a few weeks ago.
The centres do not want to be identified, but police say their data was locked up and encrypted by criminals possibly operating out of eastern Europe.
A ransom of $3,000 was then demanded, increasing by $1,000 a day until paid.
Other Queensland businesses were also hit, and some paid up.
"We don't advocate paying this money, but if it comes to the payment of money or a business going under, they were in a position they had to pay the money," Brian Hay from Queensland Police said.
Matter of opinion here: a locked database is something you can work around if you have backups. Restore to a clean machine and reroute around the locked one. Depending on the extent of the lockout, you may be dealing with a compromised system or a single compromised computer. Either way, the backup has to be one the malware couldn't reach (offline, or on storage the infected machine had no write access to), or it gets locked up along with everything else.
That said, it's understandable that a lot of people don't know what their options are. Even a simple external hard drive backup could get you up and running while you deal with the locked computer(s) or data.
Actually getting rid of ransomware isn't all that difficult, but it's a picky process. One caveat: removing the malware gets you back into the machine, but if files really were encrypted with a key you don't have, removing the locker does not decrypt them. That is what the backup is for.
F-Secure.com, a security company, has a simple fix for getting rid of some of the files that do the damage, which also illustrates how this malware works. On "police-themed" ransomware, which turns out to be a Trojan:
We detect police-themed ransomware with multiple detections, including Trojan:W32/Reveton, Trojan:W32/Ransom and generics.
In most cases, F-Secure's Easy Clean removal tool is able to remove the ransomware, restoring normal access to the system.
Caution: Manual disinfection is a risky process; it is recommended only for advanced users. Otherwise, please seek professional technical assistance.
Trojan:W32/Reveton variants may also be manually removed from the machine, using the following instructions:
1. Boot the system into Safe Mode. To do so:
   1. First, restart the system (click Start, then Shut Down, select Restart in the drop-down dialog box that appears, then click OK).
   2. As the computer restarts but before Windows launches, press F8.
   3. Use the arrow keys to highlight 'Safe Mode' and then press Enter.
The rest of the process involves removing a file:
In Safe Mode, find the file ctfmon.lnk in the Startup folder (C:\Users\Username\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ctfmon.lnk) and delete it.
There are further steps listed if that doesn't work, but you get the idea. It's a 2k file. See the F-Secure page link for detailed information.
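The manual removal above comes down to one check: what is sitting in the Startup folders and where does it point. The PowerShell script below is an added example, not F-Secure's tool or anything from the article, that does that check for the current user's and the all-users Startup folders. It resolves each .lnk, flags any shortcut that points into (or passes an argument under) a user-writable location such as AppData or Temp, and flags the ctfmon.lnk indicator quoted above by name. The "suspicious roots" list and the rule that a Startup shortcut has no business in those folders are this example's assumptions, not F-Secure's detection logic; the script name Audit-Startup.ps1 is hypothetical.

```powershell
# Audit-Startup.ps1 (added example; not from the article or F-Secure)
# Lists shortcuts in the per-user and all-users Startup folders, resolves
# their targets and flags the ones a locker like Reveton would drop.
# Run from Safe Mode. -Remove deletes flagged shortcuts; supports -WhatIf.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remove
)

$startupFolders = @(
    [Environment]::GetFolderPath('Startup'),        # current user
    [Environment]::GetFolderPath('CommonStartup')   # all users
) | Where-Object { $_ -and (Test-Path -LiteralPath $_) }

# Locations a legitimate Startup shortcut normally never points into.
# Assumption of this example: anything under these is worth a look.
$suspiciousRoots = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:ProgramData) |
    Where-Object { $_ }

$shell = New-Object -ComObject WScript.Shell

foreach ($folder in $startupFolders) {
    foreach ($lnk in (Get-ChildItem -LiteralPath $folder -Filter '*.lnk' -File -ErrorAction SilentlyContinue)) {
        $sc        = $shell.CreateShortcut($lnk.FullName)
        $target    = $sc.TargetPath
        $arguments = $sc.Arguments
        $reasons   = @()

        if (-not $target) {
            $reasons += 'no target'
        } elseif (-not (Test-Path -LiteralPath $target)) {
            $reasons += 'target does not exist'
        }

        # The shortcut may point at a genuine Windows program (e.g. rundll32.exe)
        # and carry the malicious path only in its arguments, so check both.
        foreach ($root in $suspiciousRoots) {
            $inTarget = $target -and $target.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)
            $inArgs   = $arguments -and $arguments.IndexOf($root, [StringComparison]::OrdinalIgnoreCase) -ge 0
            if ($inTarget -or $inArgs) { $reasons += "points under $root" }
        }

        # The indicator quoted from F-Secure: a ctfmon.lnk in a Startup folder.
        if ($lnk.Name -ieq 'ctfmon.lnk') {
            $reasons += 'matches the Reveton indicator (ctfmon.lnk in Startup)'
        }

        [PSCustomObject]@{
            Shortcut  = $lnk.FullName
            Target    = $target
            Arguments = $arguments
            Flags     = ($reasons -join '; ')
        }

        if ($reasons -and $Remove -and $PSCmdlet.ShouldProcess($lnk.FullName, 'Delete startup shortcut')) {
            Remove-Item -LiteralPath $lnk.FullName -Force
        }
    }
}
```

Run it once with no switches to see every Startup shortcut and its flags, then `.\Audit-Startup.ps1 -Remove -WhatIf` to preview, and `-Remove` to delete the flagged ones. Shortcuts with an empty Flags column are left alone. As the F-Secure caution says, do this only if you are comfortable with manual disinfection; deleting the shortcut stops the locker from starting but does not remove the file it pointed to, which still needs to be cleaned up.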
The Skype problem
A much nastier version of ransomware, although comparatively rare, spreads over Skype. If you've seen those dreary little canned messages, "Hi, I was just looking at your profile and I thought you looked cool/interesting/adorable/hygienic", or something equally brilliant, get suspicious. That is a worm, not a person.
For example, if anyone has ever tweeted or messaged you with some variation on “lol is this your new profile pic?” followed by a link, that could have been the Dorkbot worm in action. On security firm Trend Micro’s blog post today, researcher Rik Ferguson refers to the Skype worm as “spreading fast.” He says users have seen messages in both English and German, and links point to a download on Hotfile.com labeled as “Skype_todaysupdate.zip,” containing the payload.
….Historically, however, there have been many variants of the Dorkbot attack on other social networks, and it can also spread on USB sticks and via IM.
Read the TechCrunch article; it explains a lot about the current thinking on managing ransomware. Skype says keeping Skype up to date is the best way around it. I'd add that making yourself invisible on Skype to everyone but your contacts is also a good idea.
Internet security blows it again
Wow, did the eagle-eyed internet security gurus do a great job of keeping everyone informed about ransomware. Trojans? A 2k file? Encryption? Talk about high tech. It's about as advanced as a password, and it uses standard software operations. Ransomware is only now a news item among the infinitely superior thinkers of only-we-understand-these-things sagacity. It hasn't exactly been shouted from the rooftops, to my knowledge, until now. Meanwhile 20,000 users a day are getting hit? Great job, guys.
Put it this way, esteemed idiots: if any type of malware includes a way of making money out of it, it's a dead certainty that it will become a major threat, by definition. This should have been flagged a long time ago, before it became a plague, and fixes should have already been in place before it got to this stage.
So- Gettums diddums blogsy-wogsies wound up, put on Spandex bicycle pants and makeums visibly-wisibly to consumers, OK?
While you're at it, get organised and at least start looking like you're trying to shut down malware events, not just making money out of avoidable situations. Every decent anti-virus product has a reporting capability. Attacks can be monitored automatically in real time, if someone will condescend to write the two lines of code required to generate those reports. That would give a much clearer picture of what's actually going on, instead of these endless post mortems and sage advice months or years later.
There's no way of knowing how widespread this problem really is (thanks again, guys), but here is a bit of advice, such as it is, that might help stop things before they start. These attacks apparently rely on .exe files. If you turn your security settings up to maximum ("block everything"), no .exe can run without a prompt, and otherwise it should be blocked automatically. So if you see "a webpage wants to…" or a "Run" dialog box you weren't expecting, say No / Don't allow. Firewalls set to maximum security tend to block everything by default too, which at least gets in the way of anything that did run contacting whoever controls it.
Good basic anti-virus software should pick up the Trojans. There's quite possibly a spam-based version of ransomware too, so treat anything unusual as spam and check where an email actually comes from before opening anything in it. Bear in mind that the sender address is easily forged, so an unexpected attachment or link from a known contact is still suspect.
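The Skype worm's payload arrived as an archive (Skype_todaysupdate.zip) with an executable inside, and the advice above is to stop .exe files before they run. The PowerShell script below is an added example, not from the article or any vendor it quotes, that triages the current user's Downloads folder the way a practitioner would before clicking anything: it lists loose executables, archives that contain executables, "photo.jpg.exe" style double extensions, and the Zone.Identifier stream Windows attaches to files that came from the Internet (ZoneId 3). The Downloads location, the extension list and the double-extension pattern are this example's assumptions.

```powershell
# Triage-Downloads.ps1 (added example; not from the article or any vendor it quotes)
# Flags downloaded files that are, or contain, executables. Requires PowerShell 3+
# on .NET 4.5+ (for ZipFile) and an NTFS volume (for the Zone.Identifier stream).
Add-Type -AssemblyName System.IO.Compression.FileSystem

$downloads = Join-Path $env:USERPROFILE 'Downloads'   # assumption: default Downloads location
$execExt   = '.exe', '.scr', '.com', '.pif', '.bat', '.cmd', '.vbs', '.js', '.jar', '.dll'

function Get-ZoneId {
    # Returns the ZoneId from the file's Zone.Identifier stream, or $null if absent.
    # 3 = Internet zone, i.e. the file was downloaded by a browser, Skype, etc.
    param([string]$Path)
    try {
        $ads = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction Stop
        foreach ($line in $ads) {
            if ($line -match '^ZoneId=(\d)') { return [int]$Matches[1] }
        }
    } catch { }
    return $null
}

foreach ($file in Get-ChildItem -LiteralPath $downloads -File) {
    $reasons = @()
    $ext     = $file.Extension.ToLowerInvariant()

    if ($execExt -contains $ext) {
        $reasons += 'executable'
        # Explorer hides known extensions by default, so "photo.jpg.exe" shows as "photo.jpg".
        if ($file.BaseName -match '\.(jpe?g|png|gif|pdf|docx?|xlsx?|txt)$') {
            $reasons += 'double extension'
        }
    }

    if ($ext -eq '.zip') {
        try {
            $zip   = [System.IO.Compression.ZipFile]::OpenRead($file.FullName)
            $inner = $zip.Entries | Where-Object {
                $execExt -contains [System.IO.Path]::GetExtension($_.FullName).ToLowerInvariant()
            }
            if ($inner) {
                $reasons += 'archive contains: ' + (($inner | ForEach-Object { $_.FullName }) -join ', ')
            }
            $zip.Dispose()
        } catch {
            $reasons += 'archive unreadable'
        }
    }

    if ($reasons) {
        [PSCustomObject]@{
            File  = $file.Name
            Zone  = Get-ZoneId $file.FullName
            Flags = ($reasons -join '; ')
        }
    }
}
```

Anything that shows up here with Zone 3 and an executable inside is exactly the "Skype_todaysupdate.zip" pattern: a program that arrived over the network dressed up as an update or a photo. The script only reports; deleting is a decision for the person reading the list. Extracting or running one of these files would get the same "Run" prompt the article tells you to say No to, so the point of checking first is never to reach that prompt.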
This opinion article was written by an independent writer. The opinions and views expressed herein are those of the author and are not necessarily intended to reflect those of DigitalJournal.com