As you’re probably already aware, ransomware has been making a resurgence recently (the .mp3 and .locky variants). The main questions surrounding ransomware are largely the same questions that surround infections of any type.

What is ransomware?

Ransomware is nothing new, although it is behaving in new ways. Older ransomware would just lock your computer, accuse you of some kind of crime, and demand payment in lieu of jail time (the FBI and ICE viruses are a few examples), but it was usually easily removed with a pre-boot scanner. Unfortunately, ransomware has evolved into a completely different animal these days.

What does ransomware do?

Modern ransomware is a virus that, after infecting your computer, goes drive by drive and folder by folder in alphabetical order, encrypting all your files. Once the encryption is complete, you will typically be made aware of the infection by a new desktop background giving you instructions on how to transfer a large, untraceable sum of money to the author in exchange for the key to decrypt your files.

Where does ransomware come from?

Locky comes cleverly disguised as a very official-looking email from Microsoft with a .docx attachment. Once opened, .docx files are able to run XML scripts on your computer. These scripts are typically benign and make it easier for Word to open documents quickly, but in this case the script installs and runs the Locky virus in the background without you even noticing.

TeslaCrypt is even more difficult to avoid. Unlike Locky, which can typically be spotted ahead of time by a watchful eye, TeslaCrypt (and the new .mp3 variant) infects your computer through a website you visit. HTML, XML, and other markup languages are the language of the internet, and TeslaCrypt makes use of that by infecting websites with a script that loads along with the site.

What do I do if I think (or know) I’m infected with ransomware?

Immediately disconnect from the internet. If you have an Ethernet connection, pull it. If you have a wireless connection, disable it. However you are connected, terminate the connection and hold the power button until your computer’s fans stop spinning and its lights shut off.

Once the computer is off, call us ASAP so we can verify the damage didn’t spread to the server and, if it did, rectify it. Once we have, we will give you instructions on how to get your computer to us, and we will do our best to minimize your downtime.
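One way to do that server check, as an added example that is not from the original post or from BKS Systems: walk a read-only mount of the file share and count, per folder, the files that carry the extensions mentioned above. It assumes (not stated on the page, but consistent with samples of both families) that Locky renames files to *.locky and the TeslaCrypt variant appends .mp3 to the original name, so "budget.xlsx.mp3" is suspicious while a real "song.mp3" is not.

```python
import os
import tempfile

# Extensions this post names as the markers of the current families.
# Assumption (not on the page): Locky writes *.locky; TeslaCrypt appends
# .mp3 to the original file name, e.g. "budget.xlsx.mp3".
LOCKED_SUFFIXES = (".locky",)
DOUBLE_SUFFIX = ".mp3"
DOCUMENT_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".txt",
                 ".jpg", ".ppt", ".pptx"}


def looks_encrypted(filename):
    """True if the file name matches the renaming pattern of either family."""
    name = filename.lower()
    if name.endswith(LOCKED_SUFFIXES):
        return True
    if name.endswith(DOUBLE_SUFFIX):
        # A music file is "song.mp3"; an encrypted document is "report.docx.mp3".
        stem = name[: -len(DOUBLE_SUFFIX)]
        return os.path.splitext(stem)[1] in DOCUMENT_EXTS
    return False


def scan_share(root):
    """Count suspicious files per folder under root.

    Returns {folder: (suspicious, total)} for folders with at least one hit,
    which shows how far the alphabetical folder-by-folder sweep got.
    """
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        suspicious = sum(1 for f in files if looks_encrypted(f))
        if suspicious:
            hits[os.path.relpath(dirpath, root)] = (suspicious, len(files))
    return hits


def build_sample_share():
    """Constructed sample tree so the script runs stand-alone (not real data)."""
    root = tempfile.mkdtemp(prefix="share_")
    layout = {
        "Accounting": ["q1.xlsx.mp3", "q2.xlsx.mp3", "notes.txt.mp3"],
        "HR": ["a1b2c3d4e5f60718.locky", "handbook.pdf"],
        "Music": ["song.mp3", "album.mp3"],  # legitimate audio, must not be flagged
    }
    for folder, names in layout.items():
        os.makedirs(os.path.join(root, folder))
        for n in names:
            open(os.path.join(root, folder, n), "w").close()
    return root


if __name__ == "__main__":
    for folder, (bad, total) in sorted(scan_share(build_sample_share()).items()):
        print(f"{folder}: {bad}/{total} files look encrypted")
```

Point `scan_share` at the real share's mount point instead of the constructed tree; a folder where nearly every file is flagged means the sweep reached it.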

Can anti-virus software prevent ransomware?

In short: yes. Unfortunately, there is no such thing as a perfect anti-virus program. They depend on virus signatures (the telltale things your AV program knows to look for so it can tell that an infection is imminent) that don’t get written until AFTER the virus pops up on the company’s radar AND they’ve had a chance to break it down and examine it.

Both Locky and TeslaCrypt 3.0 are very new viruses and present unique challenges to AV software. Screening for Locky is made difficult both by a lack of consistent identifiers in the email’s text and by the fact that the infection is written in a script that isn’t visible until the file is opened. Whereas many anti-spam providers will filter out zipped files for this reason, .docx is a heavily used file type that most businesses can’t do without. TeslaCrypt makes use of exploit kits that redirect site visitors (either randomly or consistently) en route to their intended destination.

How can I prevent ransomware?

Fortunately there are some simple measures that can be taken to avoid initial infection by both of these viruses.

1) Don’t open or download attachments from unrequested sources. If you didn’t ask for it, then you probably don’t want it. If you’re unsure whether it’s safe to open, use Outlook’s built-in preview pane to look at the file instead of double-clicking or downloading it.

2) Limit your browsing to work related sites and lock down your browser. Most browsers have a setting that prevents the storing of cookies. This won’t work for all of our clients, however, as cookies may be required to run some web-based programs.

3) Keep current on your updates. We’re all guilty of it at some point or another: you see the annoying little window pop up above the clock and think “not right now, Adobe, Java, or Windows”. That’s exactly the thing an exploit kit user thrives on. By not patching the holes in your security you leave yourself open, and the longer you go without these updates the more vulnerable you become.

Following these simple steps will help prevent the majority of malware, but (as with anti-virus software) there is no perfect procedure that will prevent infection 100 percent of the time.

If you are the victim of ransomware or wish to install software to help prevent it, contact BKS Systems. We are Chicago's top IT consultant service and can help you today!