What is ransomware, you ask, and would they really bother targeting me?

In a nutshell, ransomware is malware that infects your computer, encrypts your files and then demands that you pay a ransom to get them decrypted.

Are you at risk?

Unfortunately, YES. Ransomware is growing so fast that it is going to affect everyone sooner or later. Why is it growing? Money. Ransoms are paid in cryptocurrency, which is hard to trace and easy to cash out, and that keeps this type of malware profitable and very hard to stop. It’s just like the old saying: “Why do crooks rob banks?” “Because that’s where the money is.”

What can you do to protect yourself?

Your best protection is the software between your ears.

  • Make sure that your operating system and applications are fully up to date and, if the application offers it, turn on automatic updating. Your operating system will install critical updates automatically with no interaction from you, as long as you have not switched that off.
  • Use a modern, up-to-date (are you spotting a theme here?) anti-virus and anti-malware product that monitors activity in the background.
  • Have backups that run on a schedule, and keep at least one copy offline or disconnected. Ransomware will happily encrypt a backup drive that is left plugged in, or a network share it can reach, along with everything else.
    • If you are setting up a new system, or have recently performed a clean install to freshen up your computer, you should also create a drive image once you have your system at the point where everything you need is installed, updated and working correctly.
  • Practice safe computing, i.e. don’t go to questionable websites, don’t click links in emails or social media posts (or just about anywhere), and don’t open attachments in emails or instant messages.
    • A practice that I follow, because I need to check links in suspicious emails and messages for your benefit, is to re-type the link address in a web browser myself and not click the link, because sometimes what the link displays is not where the link goes. For example, a link in an email might be written as http://www.bigbonus.com/win5Mdollars, but hidden behind that text it might actually go to http://www.onlinecrimefamily.co/
    • To see the real destination, most email programs display the actual address in the bottom status bar when you hover over the link with the pointer. On a phone or tablet, a long press pops up a menu that lets you copy the link, and you can paste it into a note or somewhere else safe that won’t immediately try to open the address.

Sadly, even if you do all of this you are still at risk. The bad guys are very sneaky; they want your money and will do anything to get it, and that is why anti-virus and anti-malware applications have such a hard time detecting everything. New strains of ransomware are being discovered at an alarming rate.

OK, now some good news. A new tool to add to your arsenal has recently been released. It’s called RansomFree, from Cybereason: https://ransomfree.cybereason.com/

OK, it looks good, but can you trust these guys and, more importantly, how does it work? The secret to RansomFree’s success is not signature files, as with antivirus applications, but the way it detects ransomware-like behaviour (i.e. the local encryption of user data). This makes the application good at its job, since all ransomware seen so far has displayed the same characteristic regardless of its payload. Whether the attack arrives as a Trojan, a vulnerability exploit, or other malicious code, RansomFree is designed to deal with the interaction of the file(s) with the system and bring it to an immediate halt once the
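
To make “detecting ransomware-like behaviour rather than signatures” concrete, here is an added example written for this page. It is not Cybereason’s implementation (the post does not describe RansomFree’s internals) but a simple behavioural heuristic of the same family: each completed file write is scored, a document that is rewritten with near-random content and renamed with an extra extension counts as suspicious, and a burst of such writes inside a short window raises an alert. A single high-entropy write on its own, such as a user zipping some files, does not trip it. The write events are constructed for the example; a real tool would feed them from a filesystem watcher.

```python
import math
import os
from collections import deque

# Extensions of the user-data files the post says ransomware goes after.
DOC_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".txt"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: text documents sit around 4 to 5,
    ciphertext and compressed data close to 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_like_encrypted_rename(path: str) -> bool:
    """True for names like letter.docx.xxx: a document extension with another
    extension appended, the renaming pattern typical of ransomware."""
    base, outer = os.path.splitext(path)
    _, inner = os.path.splitext(base)
    return outer != "" and inner.lower() in DOC_EXTS


class EncryptionBurstDetector:
    """Alert once min_files suspicious writes land within window_seconds.
    Heuristic only: real products add decoy files, process lineage and more."""

    def __init__(self, window_seconds=10.0, min_files=5, min_entropy=7.5):
        self.window_seconds = window_seconds
        self.min_files = min_files
        self.min_entropy = min_entropy
        self._hits = deque()   # timestamps of recent suspicious writes

    def observe(self, ts: float, path: str, content: bytes) -> bool:
        """Feed one completed write; True if it tips the burst over the threshold."""
        suspicious = (looks_like_encrypted_rename(path)
                      and shannon_entropy(content) >= self.min_entropy)
        if not suspicious:
            return False
        self._hits.append(ts)
        while self._hits and ts - self._hits[0] > self.window_seconds:
            self._hits.popleft()       # forget hits outside the window
        return len(self._hits) >= self.min_files


def run_constructed_scenario():
    """Replay constructed write events (not captured from a real infection)
    and return the paths on which the detector alerted."""
    det = EncryptionBurstDetector(window_seconds=10.0, min_files=5)
    text = b"Quarterly report: revenue up 3 percent, costs flat. " * 80
    # Uniformly distributed bytes: entropy exactly 8.0, like real ciphertext.
    ciphertext = bytes(range(256)) * 16
    events = [
        (0.0, "C:/Users/me/Documents/report.docx", text),        # ordinary save: low entropy
        (1.0, "C:/Users/me/Documents/holiday.zip", ciphertext),  # user zipping files: high entropy, no document rename
    ]
    # The copy/encrypt/delete loop: six documents rewritten and renamed in under a second.
    events += [(5.0 + i * 0.1, f"C:/Users/me/Documents/letter{i}.docx.xxx", ciphertext)
               for i in range(6)]
    return [path for ts, path, content in events if det.observe(ts, path, content)]


if __name__ == "__main__":
    for path in run_constructed_scenario():
        print("ALERT: ransomware-like encryption burst, latest file", path)
```

In the replay the ordinary save and the zip archive pass quietly, and the alert fires on the fifth renamed, high-entropy document, which is the point at which a real tool would suspend the writing process and ask the user whether the activity was intended.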

I checked out the company’s web site and read up on the team behind RansomFree, and they are big in the corporate system-protection field. OK, anyone can say they are experts, etc., etc. The proof would be in the pudding.

Does RansomFree do what it says?

First of all, a disclaimer: DO NOT TRY THIS AT HOME. You have been warned. I created a virtual, sandboxed installation of Windows 7 with just a fully updated Windows and Office 365 installation, because ransomware targets doc, xls, ppt, pdf and other common data file types. I created some useless dummy files with these extensions containing nothing but sample text. My next step was to save a copy of the updated virtual Windows in its clean state; why will become obvious shortly.

I had a Word document that contained a malicious macro, so I opened it in Word in the sandboxed Windows. Now, Word does offer a little protection because it disables macros by default. I say a little protection because you can override that setting by clicking the Enable Editing button in the big yellow bar at the top of the document. I clicked that button, and this started the infection process by communicating with remote servers to download payloads and/or additional commands to compromise my system and its data. No warnings or prompts were shown while the script ran in the background, hidden from view, and because I only had a few files the encryption process took less than a minute. Of course, on a live system with hundreds or even thousands of files this would take longer, but one important thing to note is that the copy/encrypt/delete-originals process employed by ransomware can process up to 200 files a minute.

So, my files were now encrypted. To verify this I changed the extension back to the file’s original extension: ransomware renames the encrypted file, e.g. yourimportantletter.docx becomes yourimportantletter.docx.xxx, where xxx depends on the type of ransomware that was deployed.

I tried to open the Word document and immediately Word threw an error message at me stating that the file could not be opened because there was a problem with its contents. So, I was well and truly stuffed. No, just kidding: I had made a copy of the clean system, remember?

I deleted the sandboxed encrypted drive, reinstated the copy, and was back where I started. That right there is why we do backups. This time, before I opened the infected Word document, I installed RansomFree. It took maybe two minutes, and it sits itself down in the notification area near the clock and just watches for suspicious activity. I opened the infected document again and enabled macros; this time, however, things went down a different path. The malicious macro did manage to “phone home” to the bad guys’ server and download the payload, but that isn’t what RansomFree detects. As soon as the payload started to execute and tried to copy/encrypt/delete the original files, RansomFree stopped it and displayed a message on the screen that malicious encryption activity had been detected. It also goes on to say that if you intended this type of behaviour (you might be zipping up some files to email, for example) then you have two choices. RansomFree asks you a simple question: “Will I stop and clean the threat?” NO or YES. I clicked YES, of course; the process (and its dependencies) was stopped permanently and removed from memory, effectively preventing any files from becoming encrypted.

The application showed a confirmation message that the threat had been prevented and eliminated from the computer. This all took less than one minute from the time I opened the infected Word file to RansomFree stopping it and displaying the message. RansomFree saved the day! Well, the data was spared and the system kept going without missing a beat or needing a reboot. True to its word, RansomFree worked as advertised. It’s also small and runs largely in the background, checking processes for malicious activity. And did I mention that it’s free? Not for a trial period or pending an ongoing subscription, but free for personal and commercial use on both client and server versions of Windows. There’s really no excuse not to give it a shot and let it work to stop a possible ransomware infection from occurring, as it did for me. If you’re not targeted you’d never know it was there, but isn’t it great peace of mind to have it on your side in the event of a breach? I think so.

About Craig Griffin

Digital Marketing Consultant. I look after this website, a Facebook page and Instagram accounts for Fay Boyd.
This entry was posted in malware, ransomware, security.