"Alright. Nobody move or the spreadsheets get hurt. Just do as I ask and I won’t hurt any files. Give me all the money in the drawer and I’ll leave quietly."
Unfortunately, this is not the plot of the next Mission: Impossible movie. It is the most recent big spyware attack, called ransomware. Although it has been around for years, it is currently gaining in popularity.
Ransomware is a pretty descriptive name for what it does. It takes over your computer, denies you access to your data, then requires a payment of some sort to return that access. The first ransomware attacks occurred as early as 1989, and they have grown extremely sophisticated over the years. The current versions encrypt your data so that a key is required to unlock it, and then they can demand whatever they want in exchange for that key. To make sure you can’t get your data back without it, they also delete any backup files they can get their hands on, preventing a rollback to before the infection.
So this brings up two questions: how do I avoid getting infected, and how do I protect myself in case I do get infected?
In order to prevent an infection, you need to know a little more about how the current ransomware is spreading. There are three main ways it does so. The first two are the ways most spyware spreads: through email attachments and through web pages you browse. The third way is through direct attacks using remote access against known usernames on a network. Email attacks are preventable by having a virus scanner check the email before it gets to users; a virus that never reaches the desktop can’t infect anything. For web browsing attacks, the common defensive techniques apply: keep your computer’s antivirus/antispyware software up to date, keep your web pop-up blockers active, and be very careful about visiting less common websites. Always double-check that a link is taking you to the place it says it is taking you! And finally, unless there is no other option, NEVER surf the Internet from the server. If the server never goes to an infectious website, it can’t get infected that way.
The third option is the rarest form of attack, but it has been more commonly used recently. Fortunately, there is a quick adjustment to your network that can effectively block these attacks. The most common account attacked with this method is "Administrator". Every Windows workstation and server ships with this account active and having full access to every part of the computer. Also, because it is the core account, it can never be locked out due to too many failed password attempts. This makes it ripe for the picking. However, this account can be renamed, and should be. By renaming it, attacks aimed at the well-known name no longer reach the real account. Additionally, you can then create a new, disabled account called "Administrator" to further discourage attacks on your system.
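Here is what that adjustment looks like on a single Windows machine. This is an added example script, not something from the original post, and it uses the standard local-account cmdlets that ship with Windows 10 and Server 2016 or later. The replacement name `svc-localadmin` is just an assumption; choose your own. It finds the real built-in account by its well-known RID (the SID ending in -500) rather than by name, so it works even if someone renamed it earlier, and it leaves the decoy "Administrator" disabled, unprivileged, and carrying a long random password. Domain accounts are not covered here; those are managed through Active Directory tools, and the same rename-plus-decoy idea applies there.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): rename the built-in local
# Administrator account and create a disabled decoy with the old name.
# Uses Microsoft.PowerShell.LocalAccounts (Windows 10 / Server 2016+).
# The new name 'svc-localadmin' is an assumption; pick your own.
param(
    [string]$NewAdminName = 'svc-localadmin'
)

# The built-in Administrator is identified by its well-known RID (-500),
# not by its name, so this works even if it was renamed before.
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
if (-not $builtin) { throw 'Built-in Administrator account (RID 500) not found.' }

if ($builtin.Name -ne $NewAdminName) {
    Write-Host "Renaming '$($builtin.Name)' to '$NewAdminName'"
    Rename-LocalUser -Name $builtin.Name -NewName $NewAdminName
}

# Decoy: an ordinary, disabled account that carries the well-known name.
# It gets a long random password and belongs to no privileged group, so
# even if it were enabled by mistake it would grant nothing useful.
if (-not (Get-LocalUser -Name 'Administrator' -ErrorAction SilentlyContinue)) {
    $randomChars   = -join ((33..126) | Get-Random -Count 32 | ForEach-Object { [char]$_ })
    $decoyPassword = ConvertTo-SecureString $randomChars -AsPlainText -Force
    New-LocalUser -Name 'Administrator' `
                  -Password $decoyPassword `
                  -Description 'Decoy account - disabled, unprivileged' `
                  -PasswordNeverExpires | Out-Null
}
Disable-LocalUser -Name 'Administrator'

# Verify: the RID-500 account now has the new name, and the decoy is
# disabled and a member of no local group.
Get-LocalUser -Name $NewAdminName, 'Administrator' |
    Select-Object Name, Enabled, @{ n = 'RID'; e = { $_.SID.Value.Split('-')[-1] } }

foreach ($g in Get-LocalGroup) {
    $members = Get-LocalGroupMember -Group $g -ErrorAction SilentlyContinue
    if ($members | Where-Object { $_.Name -like '*\Administrator' }) {
        Write-Warning "Decoy 'Administrator' is a member of group '$($g.Name)'"
    }
}
```

Run it once per machine from an elevated PowerShell prompt, and record the new name somewhere your staff can find it. The final check matters: the decoy must stay out of the local Administrators group, and the real account must keep the -500 RID, which is what the verification table at the end shows.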
One last preventative measure is to protect yourself in case all of these methods fail and you find yourself infected. Review your backup plan. Is it up to date? The key to recovering from this attack is to pay close attention to the “keep backups offsite in a secure location” step. If you have a backup offsite, then even if you do get infected, the ransomware cannot find and delete those offsite backups.
So, although this is a dangerous attack that can cause critical damage, the methods it uses are not all that different from those of any other spyware out there. The common defenses still apply. However, the damage it can inflict warrants a review of those common preventative methods and safety concerns.
If you would like more information about any of the items mentioned above, let us know at InfoStream.