Sunday, December 17, 2017

Ransomware hits close to home

Ransomware hits close to home

The county government got infected with ransomware. It can happen in the best of families; it’s just a matter of time before someone gets bit. If you haven’t paid attention because you didn’t know anyone who got it, here’s a quick primer:

What is ransomware?
It’s malware that holds your data hostage unless you pay the perpetrators for the instructions to retrieve it.

I’ve got the best antivirus money can buy. How did I get it?
Usually it is delivered as an attachment or link in a phishing email or web ad. If you click on it, it may request a helper or update to an app like Flash or JAVA. Click again and instead of the helper, it installs the worst class of malware a user will typically encounter.

You were suckered into installing it and you gave it permission to bypass the antivirus.

Then what happens?
It contacts Central Control which gives it a unique identity for you. Then it starts to encrypt all the content accessible to you. That’s all your media, pictures, documents, spreadsheets, emails, financial records, and more. When you look at a file listing; all the files are still there with the correct name, extension, and date. But when you try to open them, they show as “corrupted.” But if you create a new document, all your programs still work.

If you’re on a network at home or at work it will encrypt files shared from other computers too. Not only do you lose everything you’ve done, but your family or coworkers do too. Some versions may also install themselves on other computers or infect attached portable media to share the pain.
Not to worry, though. Every folder contains a text document telling you that your data are safe, it’s just been encrypted. Just send a certain amount of Bitcoin and they’ll give you complete instructions and the key to unlock all your data. Oh, and send the money by this fast-approaching deadline.

Surely I can find a fix online.
Sorry. Killing your data is one thing the programmers did right. It’s as lost as the $100 bill that blew out the window at 60 MPH.

So what do I do?
First of all … If you are aware that you made a mistake hitting the link and something is happening to your files; turn off your computer! Don’t wait for a shut-down, pull the plug! Also, shut down any other computers on your network in case they also got infected.

Now check your other computers. First, turn off your router so they are not connected to each other or the internet. Turn one computer on and check any folder you had network access to for evidence that its files are corrupted. Then do that for each of the other computers on your network. If they all appear clean, you can probably restart your network and the other computers. Do not restart your computer. Disconnect it from the network by pulling the network cable or changing the master password on your WiFi before you do anything else.

What about my computer?
Your concern is your data. Once infected with destructive or particularly malicious malware, the computer can never be trusted again until the disc is wiped and Windows is reinstalled from scratch.
Many computers have a feature accessed from the manufacturer’s boot options screen or a special button at start-up to return to the factory-original operating system installation. If you’re running Windows 10, you can download the Windows Media Creation Tool to portable media for a clean install.

You’ll have to reinstall your applications from their original install media and with their original activation keys.

Then just restore your data from your recent good backup. If your backup is a continuous update, it may include some corrupted files and the original source of the malware. For those files, you will have to restore from a previous backup.
Read more about backups at https://fromthehelpdesk.blogspot.nl/2017/12/about-backups.html.

Err…; I made a Windows backup when I bought the computer.
At this point you may want to call in professional help. Remember, there is a clock ticking before it’s too late to give in and pay up to the “kidnappers.”

If you shut down your computer before the encryption process got too far along, you may be able to live with the partial loss. But you want to determine if you lost any critical files. And to do that, you need to check the files without starting Windows.

Start your computer from a Linux Live DVD (or flash drive) which should be able to read the files off the Windows drive. If you’re only concerned with standard Office files (such as Word or Excel docx or xlsx), pdfs, pictures and media; the live DVD may be able to display a preview of the standard format. Otherwise, you will have to copy the data to a portable drive to another computer to test whether or not it is corrupted.

If you don’t have the software to check out your files handy on another computer, there may be cloud services that can read your files well enough to ensure they are intact. This might be the case if you use programs like Photoshop, Quicken, or even Microsoft Word. Start with the publisher’s website or OneDrive.com for Microsoft Office. Failing that, Google has apps for many file types and viewers for even more.

When everything else fails.
You don’t have a backup. You copied the critical files and they’re gibberish. And, they’re critical enough that you’re willing to pull out your checkbook.

Except you can’t write the hackers a check. Most likely they will demand payment in bitcoin. Bitcoin is an invented “currency” that allows the recipient to be totally anonymous and untraceable. It also has no fixed value. During 2017 (so far) the price to acquire one bitcoin has gone from less than $900 to more than $16,000. That’s over an 18,000% increase. Don’t worry; the cost to get your data back has typically been under $1,000 unless you are a high-profile individual, big company, or government.

There’s still a chance you’ll pay up and get a “dead baby” back. Most hackers absolutely want everything to work properly or they would lose credibility and no one would bother paying them. Unfortunately, the effort to distribute the malware such that it works as intended often exceeds the skill of the criminal who sees it as a get-rich-quick scheme and you still won't get your data back after paying.

Pages