Because the encryption virus is ramping up again with an increased ransom for file release ($5000.00 US), I have been looking at ways to prevent total loss of data for users.
First, an explanation of how the virus works and why the data on the computer is not recoverable, so that the only options are to pay the ransom or to have backups whose (encrypted) username / password are kept separate from any usernames / passwords that could be stored on the computer.
One of the comments from the Web:
1. Cryptolocker works so well because it makes perfect use of a technology we already have: encryption with perfect forward secrecy. Here's how Cryptolocker works in a single sentence. Unlike previous ransomware, Cryptolocker generates a unique crypto-key (password), uses the date and time to connect to a constantly changing set of Web sites to store that unique key, encrypts your files with the crypto-key, tells the Web site when it is done with its encryption, and deletes your computer's local copy of the crypto-key.
3. No anti-virus software will ever prevent you from installing software. They may warn you, but will never completely stop you.
The real way to beat this attack is an incrementally cycling backup which not only backs up files, but also makes version-specific backups of those files on a regular basis.
ALSO
Since Cryptolocker uses the date and time of infection to store the crypto-key, businesses who use OpenDNS' Umbrella service are virtually immune to Cryptolocker because it won't begin encrypting your files until it has successfully stored the crypto-key on a randomly generated Web site. They're out to make money, not destroy data. Since DNS is the way a computer resolves a Web site, when a new crypto-key site is created, OpenDNS is the service used to resolve that domain name. For example, google.com gets looked up by DNS to tell your browser Google's IP address. The same is true for Cryptolocker.
So what's the difference you ask? With OpenDNS's Umbrella service for businesses, all the Web sites looked up by your business are looked up through OpenDNS, which logs them and can very quickly prevent connections to bad Cryptolocker sites.
They also mention that Cryptolocker affects mostly English-speaking countries, with all of the currently seen distribution e-mails (with Cryptolocker attached) being written in English.
In addition, 79 percent of the infections were located in the U.S. alone. Again, the latest news from the U.K. might change that number but it does support the English-speaking targets statistic.
Finally, they make note of the distribution of Cryptolocker by other malware as well, such as ZBot, a widely used and spammed banker trojan. Their data is very interesting and well worth the read.
As a countermeasure, they of course reference backups but also recommend using Windows System Restore and even Skydrive for Windows 8.1.
So, if you are wondering when you are going to STOP hearing about Cryptolocker, the answer is probably not for a very long time. As I mention in the soon-to-be-published Malwarebytes 2013 Threat Report, Cryptolocker is only the beginning of this style of ransomware.
As we have seen a great reduction in the “FBI” style ransomware, this new method, which made a huge blow to the security community, will most likely become the new standard for 2014.
So, while you might not be hearing about new Cryptolocker infections six months from now, you will most certainly be hearing about malware that was developed with Cryptolocker in mind.
At the end of the day, users are going to have to be more proactive and take the security of their own documents and images much more seriously.
Backups, updates and protection for your operating system are a requirement and will continue to be so as we move into the next year.
================================
The Managed Online Backup offered by RLE Computers stores each revision of the files for 28 days. This means that for each backup that takes place, we store a copy of each file for 28 days, allowing you to pick and choose the date from which the files are restored. The reason this works so effectively is that the backup cannot be deleted from the user's computer; it can only be deleted by us. Therefore, removing the backup from the user's computer only stops the virus's encrypted files from being stored offsite.
An example scenario: if you had been backing up since the 13th of May, the machine became infected on the 23rd of May, and you discovered this on the 24th after a backup had taken place, you can then choose any date from the 13th to the 23rd to restore the backup from, selecting a time before the device became infected so that you restore a copy of the files that are not encrypted.
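As an added illustration of this retention scheme (example code written for this page, not RLE Computers' software; the 2014 dates, file names and the "ENCRYPTED:" marker are constructed), the Python model below keeps a full copy of every file per backup date on the server side, enforces the 28-day retention there rather than on the client, and picks the newest revision before the infection date in which no file looks encrypted:

```python
# Model of the versioned, client-immutable backup described above. Added example,
# not RLE Computers' own software; the 2014 dates and file contents are constructed.
from datetime import date, timedelta

RETENTION_DAYS = 28

class RevisionStore:
    """Server-side store of a full copy of every file per backup date. The client
    can only call backup() and restore(); deletion runs here, beyond the malware's reach."""

    def __init__(self):
        self._revisions = {}  # date -> {path: content}

    def backup(self, when, files):
        self._revisions[when] = dict(files)  # store a copy, not a reference

    def purge_expired(self, today):
        cutoff = today - timedelta(days=RETENTION_DAYS)  # enforced here, not by the client
        for d in [d for d in self._revisions if d < cutoff]:
            del self._revisions[d]
        return [d.isoformat() for d in sorted(self._revisions)]  # dates still restorable

    def restore(self, when):
        return dict(self._revisions[when])

    def latest_clean_before(self, infection_day, is_encrypted):
        # Newest revision strictly before the infection date in which no file looks
        # encrypted; None means the history does not reach back far enough.
        for d in sorted(self._revisions, reverse=True):
            if d < infection_day and not any(map(is_encrypted, self._revisions[d].values())):
                return d
        return None

def looks_encrypted(content):
    return content.startswith(b"ENCRYPTED:")  # constructed marker used by this model

def scenario():
    """Backups since 13 May, infection on 23 May, discovered on 24 May after that day's backup."""
    store = RevisionStore()
    files = {"docs/report.docx": b"quarterly figures", "photos/cat.jpg": b"\xff\xd8jpeg"}
    infection = date(2014, 5, 23)
    for day in range(13, 25):
        today = date(2014, 5, day)
        if today == infection:  # local copies are now ciphertext; later backups carry them
            files = {p: b"ENCRYPTED:" + c for p, c in files.items()}
        store.backup(today, files)
    clean_day = store.latest_clean_before(infection, looks_encrypted)
    restored = store.restore(clean_day)
    remaining = store.purge_expired(date(2014, 6, 11))  # 28 days on, the 13 May revision expires
    return clean_day.isoformat(), restored, remaining
```

The 23 and 24 May backups hold the encrypted copies, exactly as the text describes, yet the 22 May revision still restores the clean files because nothing on the client can remove it.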