IT consulting and tech support blog

Ransomware attacks appear to be getting worse

Published January 22, 2013

For those of you not familiar with exactly what Ransomware is/does, here’s the current Wikipedia definition:

“Ransomware comprises a class of malware which restricts access to the computer system that it infects, and demands a ransom paid to the creator of the malware in order for the restriction to be removed. Some forms of Ransomware encrypt files on the system’s hard drive, while some may simply lock the system and display messages intended to coax the user into paying.”

Over the past 6 months, New River Computing has been getting more and more phone calls from businesses that have been attacked by some form of Ransomware virus. While desperately trying to find a solution, most of these businesses (many in other states: North Carolina, Atlanta, Georgia, and even one business from Kalamazoo, Michigan, that called in yesterday) searched the web for answers and stumbled across an old blog post that we released on the subject back in April 2012: http://newrivercomputing.com/blog/computer-virus-outbreak-alerts/latest-ransomware-anti-child-porn-spam-protection/.

How would you react if you were attacked by Ransomware? Do you have a backup plan? Do you have a backup machine or server in place? What would you do if someone gained access to your computer or server, encrypted all your photos, business files, financial documents and other hard (if not impossible) to replace files, and then demanded a ransom for their return?

In a perfect world, all you would have to do is restore your machine from a recent backup. But this isn’t a perfect world, and a lot of people don’t keep recent backups; some people don’t back up at all. If you fall into the “not in a perfect world” category, don’t panic just yet if you’ve been a victim of Ransomware. If you have recent backups, you can stop reading here and just go restore your machine using your most recent image. If not, well then, roll up your sleeves, keep reading and get ready for some work! This might not be easy…

Here’s a detailed list of steps and tools that I’ve put together based on the most up-to-date research from industry leading security companies on the subject of remediating Ransomware:

***Be warned: there’s no guarantee that any/all these methods will work. Every Ransomware attack situation is different and there are many different variants. These steps are meant to be used as a last resort before giving up and reformatting a machine.***


Remove Ransomware with HitmanPro Kickstart

You can use HitmanPro Kickstart to bypass the Ransomware infection and access your computer to scan it for malware.

  1. Create a HitmanPro Kickstart USB flash drive: while you are using a “clean” (non-infected) computer, download HitmanPro.
  2. Insert your USB flash drive into that computer and follow the instructions from the video below.
  3. After you create the HitmanPro Kickstart USB flash drive, insert it into the infected machine and start the computer.
  4. Once the computer starts, repeatedly tap the F11 key (on some machines it’s F10 or F2), which should bring up the Boot Menu; from there you can select to boot from your USB drive. If your machine doesn’t support booting from USB, you can download the HMP ISO files here and burn a CD that you can boot from.
  5. Next, perform a system scan with HitmanPro as seen in the video below.
  • After HitmanPro Kickstart has completed its task, you should be able to boot into Windows normal mode. From there, perform additional system scans with Malwarebytes Anti-Malware, SUPERAntiSpyware Online Scanner and VIPRE Rescue Scanner to make sure no additional malware files remain on your machine.

Kaspersky WindowsUnlocker to fight ransom malware

The Kaspersky WindowsUnlocker utility is designed to disinfect the registries of all operating systems on your computer.

Start the computer from the Kaspersky Rescue Disk with Kaspersky WindowsUnlocker

1. First, download the Kaspersky Rescue Disk with WindowsUnlocker ISO image from the Kaspersky Lab server to your computer and burn it to CD/DVD.

2. After successfully creating the Kaspersky Rescue Disk 10, insert the disk into the CD/DVD-ROM drive and boot your machine from it.

3. A message appears asking you to press any key to enter the menu. Press any key; the start-up wizard loads with a graphical user interface. Select English or another language.

4. Select graphic mode and press Enter. The End User License Agreement appears on screen; agree to it by pressing the C key on your keyboard.

Linux now starts and detects the devices and operating systems installed on your system.

Launching Kaspersky WindowsUnlocker

Once you’ve booted the Rescue Disk in graphic mode, click on the Start button located at the bottom left corner and select the Kaspersky WindowsUnlocker item.

More steps and information can be found here if needed.

Use the Dr.WEB search tool for unlock codes found here.

Using the Sophos Ransomware Decrypter Tool

Before You Begin:

• You will need at least one original file and an encrypted counterpart. They must be identical in file size and known to have originally been the exact same file.
• The tool should be run as a user with Administrative rights.
• The requested unencrypted file must be larger than 4KB.

When the tool has checked the provided encrypted and unencrypted file, the scan that follows should then be able to restore the discovered encrypted files in the specified scan location and below.

What To Do:

1. Download the Sophos Ransomware Decrypter Tool:
  http://downloads.sophos.com/misc/RansomDecrypter.zip
2. Extract the contents of the Zip file into a folder of your choice.
  A file called RansomDecrypter.exe will be extracted.
3. Launch the application RansomDecrypter.exe, then read and accept the End-User License Agreement.
4. Click Start Scan. This will prompt you to locate a copy of an unencrypted file that is larger than 4KB. Once the file has been located and selected, click Open.
  Note: The file you choose must also have an encrypted counterpart for the scan to be able to run.
5. The next prompt will ask for a copy of the same file selected previously, but in an encrypted state. This file will normally follow the format locked-<original filename>.<random 4 character extension>. Once located, click Open once again.
6. If successful, another prompt will appear; click OK.
7. Select a location where you would like the tool to scan for encrypted files. If you are unsure where the files are, you should start with the C: drive under My Computer.
  Note: The tool will intentionally skip locations where the malware does not encrypt files.
8. On completion, a summary will appear stating how many files were scanned and how many were unlocked. A log file with the results is also created in the same location as the tool, named RansomDecrypter-1.0.0.3-YYYY-MM-DD_HH_MM.txt.
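Steps 4 and 5 depend on finding a file pair that meets the three prerequisites listed under “Before You Begin” (an original larger than 4KB, its locked-* counterpart, and identical sizes). The script below is an added example, written for this post and not part of the Sophos tool, that walks a scanned folder for files matching the locked-<original filename>.<random 4 character extension> naming format quoted above, looks for the same-named original at the same relative path in a clean backup copy, and reports which pairs the tool could accept. It assumes the backup folder mirrors the scanned folder’s layout and that the four random extension characters are alphanumeric; neither assumption comes from the post. The sample files it builds are constructed dummy data so it can be run offline.

```python
import os
import re
import tempfile
from pathlib import Path

# Naming format quoted in the post for encrypted files:
#   locked-<original filename>.<random 4 character extension>
# Assumption: the 4 random characters are alphanumeric (the post does not say).
LOCKED_RE = re.compile(r"^locked-(?P<orig>.+)\.(?P<ext>[A-Za-z0-9]{4})$")

# The post states the unencrypted file must be larger than 4KB.
MIN_ORIGINAL_SIZE = 4 * 1024


def parse_locked_name(name):
    """Return the original filename embedded in a locked-* name, or None.
    A legitimate file with a 4-character extension (e.g. .json) can look like
    a hit; matching against the clean backup tree weeds those out."""
    m = LOCKED_RE.match(name)
    return m.group("orig") if m else None


def find_locked_files(scan_root):
    """Walk scan_root and collect every file whose name matches the pattern."""
    hits = []
    for dirpath, _dirs, files in os.walk(scan_root):
        for f in files:
            if parse_locked_name(f) is not None:
                hits.append(Path(dirpath) / f)
    return sorted(hits)


def check_pair(original, locked):
    """Apply the tool's stated prerequisites to one original/encrypted pair."""
    if not original.is_file():
        return False, "no clean copy of the original found"
    o_size = original.stat().st_size
    l_size = locked.stat().st_size
    if o_size <= MIN_ORIGINAL_SIZE:
        return False, f"original is {o_size} bytes; it must exceed {MIN_ORIGINAL_SIZE}"
    if o_size != l_size:
        return False, f"size mismatch: original {o_size} bytes, encrypted {l_size} bytes"
    return True, "usable pair"


def find_candidate_pairs(scan_root, backup_root):
    """Pair each locked-* file under scan_root with the same-named file at the
    same relative path under backup_root (assumes the backup mirrors the tree)."""
    scan_root, backup_root = Path(scan_root), Path(backup_root)
    results = []
    for locked in find_locked_files(scan_root):
        orig_name = parse_locked_name(locked.name)
        original = backup_root / locked.parent.relative_to(scan_root) / orig_name
        ok, reason = check_pair(original, locked)
        results.append({"locked": str(locked), "original": str(original),
                        "ok": ok, "reason": reason})
    return results


def build_demo():
    """Construct throw-away scan and backup trees filled with dummy bytes
    (constructed sample data, not real victim files)."""
    scan = Path(tempfile.mkdtemp(prefix="scan_"))
    backup = Path(tempfile.mkdtemp(prefix="backup_"))
    (scan / "docs").mkdir()
    (backup / "docs").mkdir()

    def put(path, size):
        path.write_bytes(b"A" * size)

    put(backup / "docs" / "report.docx", 8192)
    put(scan / "docs" / "locked-report.docx.abcd", 8192)   # usable pair
    put(backup / "docs" / "notes.txt", 1000)
    put(scan / "docs" / "locked-notes.txt.x1y2", 1000)     # original too small
    put(backup / "docs" / "budget.xlsx", 8192)
    put(scan / "docs" / "locked-budget.xlsx.qq99", 8200)   # sizes differ
    put(scan / "docs" / "locked-photo.jpg.zz11", 5000)     # no backup copy
    put(scan / "docs" / "readme.txt", 100)                 # untouched, ignored
    return scan, backup


def demo():
    """Build the sample trees and return the pairing report for them."""
    scan, backup = build_demo()
    return find_candidate_pairs(scan, backup)


if __name__ == "__main__":
    for r in demo():
        print(("OK  " if r["ok"] else "SKIP"), r["locked"], "-", r["reason"])
```

Point find_candidate_pairs at the folder you intend to scan and at the backup copy of the same folder; the first entry reported as a usable pair is the original/encrypted pair to hand to the tool in steps 4 and 5. Entries marked as size mismatches or too small are exactly the cases the tool would refuse, so checking them up front saves a failed run on the infected machine.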

How did I get this Ransomware?

The Ransomware virus gets into systems through the various security holes and vulnerabilities exposed when users visit infected websites or download infected files and emails. If you ignore Windows updates and third-party software updates for software such as Adobe, Flash and Java, you will be much more vulnerable to attack.

Ransomware appears to be a strong moneymaker for online criminals, so don’t expect it to go away any time soon. Be careful, keep your software patched and your Anti-Virus definitions up to date.

Have fun, be safe, and stay informed. Happy surfing!


Internet Explorer 8 Zero-Day Vulnerability

Published January 07, 2013

**ATTENTION**: If you are a current New River Computing client covered under our RMM Service Plan, you need not worry about this vulnerability. We have automatically deployed the fix to your computers.

Recently, an Internet Explorer (zero-day) remote code execution vulnerability was found being exploited in the wild; it affects IE 8, as well as IE 6 & 7. Current exploitation is limited, but it’s almost certain that a reliable exploit will soon find its way into at least one (if not all) of the many popular exploit kits being used by online criminals.

Microsoft Security Advisory (2794220)

IE 9 & 10 are not vulnerable, so Windows 7 and 8 users are safe. However, users of the old (and almost obsolete) operating system Windows XP need to take action, since IE 9 & 10 are not supported there. If you’re still using XP, it would be wise to install an additional browser such as Mozilla Firefox or Google Chrome. But if that isn’t an option, Microsoft has a Fix it tool available.

For more details, head on over to Microsoft’s Security Research & Defense blog: Microsoft “Fix it” available for Internet Explorer 6, 7, and 8. Hopefully this vulnerability will be patched tomorrow (January 8th) during Microsoft’s regularly scheduled update cycle.


Can you tell the difference between real vs. rogue security software?

Published January 07, 2013

Rogue security software, also known as fake antivirus software or “scareware”, has been one of the most popular methods used by online criminals in recent years to fool computer users into installing malware and/or divulging confidential information. Rogue AV software typically mimics the general look and feel of legitimate security software programs. Once installed on a person’s machine, it will claim to detect a large number of nonexistent threats while advising users to pay for the “full version” of the software to remove the threats.

FAKE AV EXAMPLES

Some versions unlawfully use the looks, colors, trademarks and icons of well-known AV software companies (Symantec, AVG, Microsoft Security Essentials, Kaspersky and McAfee are just a few examples) to help sucker users into downloading, installing, and ultimately “purchasing” the bogus software. Part of the reason that rogue security programs continue to be successful is that they are very convincing. Microsoft reports that over 4,173,491 United States users were infected with some variant of Rogue AV during the 1st and 2nd quarter of 2012.

Do you think you could tell the difference between a real security program and a rogue security program if it popped up on your computer screen? If you are up for it, take the Microsoft Malware Protection Center’s “Real Vs. Rogue” challenge by clicking here.

Microsoft's Real vs. Rogue Challenge
It’s an interactive quiz that uses images of actual rogue security software to test whether you can tell the difference between authentic antivirus software and rogue security software.
Go ahead! It’s fun!

Microsoft also has a fantastic series of Security, privacy, and online safety how-to videos that are perfect for educating computer users on common threats found on the Internet today.

Thanks to Tim Rains for originally sharing this information on the Microsoft TechNet blog.


Nationwide Insurance breach puts over 1 million customers at risk

Published December 18, 2012

Over 1 million customers are at risk of identity theft after online criminals broke into servers belonging to the Nationwide and Allied insurance companies. Victims include current policyholders and those who sought insurance quotes.

The breach took place Oct. 3 and was discovered the same day. Nationwide immediately contacted authorities, but waited to inform their customers directly. “Although we are not aware of any misuse of consumers’ information at this time, we have sent letters to notify those individuals whose personal information we believe was compromised, as well as certain additional individuals whose information was or may have been involved, but whom we do not believe had information compromised in the attack,” the company said in a recent statement.

“Personally identifiable information” includes names and Social Security numbers, driver’s license numbers and/or dates of birth. It also may include marital status, gender, occupation and the name and address of an employer. So far, Nationwide maintains the position that no other sensitive data, such as medical information or credit card numbers, has been compromised.

An outside security expert was brought in to analyze the data breach and determine who needed to be notified that their personal information had been compromised. The Washington Post and other news outlets say the number of notifications is at 1.1 million.

The company is offering a year’s worth of free credit monitoring and up to $1 million in ID theft protection for victims.

Current/former customers and anyone else who has recently requested an insurance quote from either of the two insurers should carefully check bank and credit card statements for any unusual activity. As a former Nationwide customer (until recently), I know I will be keeping a lookout.


How cyber-criminals steal money from bank accounts

Published December 17, 2012

Here’s a great infographic from the security researchers at F-Secure that explains how cyber-criminals steal money from bank accounts.

Infographic of how cyber-criminals rob a bank.

The original post can be found here.

