New ransomware hitting businesses hardPosted: Updated:
I've heard rumors that there are viruses that can take over your computer and demand a ransom to allow you back in. Can this really happen? -- Kris
This form of exploitation does exist and has actually been around since the early days of personal computing. The first known instance of what is called "ransomware" actually goes back to the late 80s and variations of the scam have been evolving ever since.
If you or anyone you know is ever hit with any type of ransomware, under no circumstances should you pay the ransom.
Today, one of the most common instances appears as a warning from the FBI accusing you of illegally downloading copyrighted material or child pornography and demanding that you pay a fine to avoid prosecution.
The malicious program pops up a message that says that you have been blocked from using the computer until you pay the fine via a MoneyPak card or other obscure payment systems in hopes that they can scare you into paying quickly.
The FBI/Police version of the exploit started hitting computers worldwide last year and has been playing a cat- and-mouse game with the security world ever since.
There are a lot of places on the Internet that have manual removal instructions for tech-savvy users that the ransomware authors are also seeing. As removal instructions are posted, the malware authors modify the virus code to render the instructions useless and the game goes on.
For instance, most of the previous versions would allow you to boot to "Safe Mode" so you could remove the malicious code, but now it blocks access to Safe Mode altogether.
Anyone that gets hit by this scam needs to have a full security check done on their computer, because this is a clear indication that they haven't been keeping up.
Simply removing the code and not plugging the holes that allowed it to happen will likely mean being right back in the same place in the near future.
Most users are being hit because they haven't kept their operating systems and antivirus software up to date, which allows them to get hit just by visiting a rigged website (aka drive-by download).
A much more serious version of this exploit is hitting businesses via a common remote access tool built into Windows-based servers known as RDP (Remote Desktop Protocol).
Ransomware hackers are scanning the Internet (kind of like in the movie "War Games") looking for RDP connections that are using default port settings with easy-to-break passwords.
Once they break the password, they can access the entire corporate network (even attached backup drives) and run a script that will seek out common business files and encrypt them, which locks the owners out.
They then display a demand page with a timer stating that you have one week to pay the $3,000 ransom or it goes up by $1,000. Each week that you wait, the ransom goes up by $1,000.
Data recovery from this attack is nearly impossible, so you can only recover data if you have an off-site backup that wasn't attacked.
Here's what we are doing for our business customers:
- Set accounts to lock for 3 minutes after 3 failed attempts
- Make sure all remote users have very secure passwords (15 characters or more)
- Change the default port for RDP access
- Make sure you have a daily off-site backup procedure
- Make sure you have the latest RDP patches from Microsoft
To avoid this current exploit altogether, businesses can turn off RDP and use an alternate remote access solution such as LogMeIn (http://logmein.com) or GoToMyPC (http://www.gotomypc.com).
Ken Colburn, President
Data Doctors Computer Services - www.datadoctors.com
Data Doctors Data Recovery Labs - www.datadoctors.com/recovery
Data Doctors Franchise Systems, Inc.- www.datadoctorsfranchising.com
Host of the award-winning Data Doctors Radio Program (www.datadoctors.com/radio)
Follow me on Twitter at www.twitter.com/TheDataDoc
Real-time updates & threat warnings via our Facebook Fan Page: www.facebook.com/DataDoctors