I recently received a call from someone who had found my name on the Find a ProAdvisor website and wanted to know whether I had a way to recover their working QuickBooks Company file, since it had been 'encrypted' by ransomware. I referred them to their anti-virus software company's support hotline, but the call got me thinking about the need for all of our readers to be aware of the threats of ransomware and scareware.
A Major Threat - Ransomware
Ransomware is the term for any malicious software that demands a ransom be paid by the computer's user. It works on the premise that you are willing to 'pay a ransom' to undo the damage the ransomware has done (or threatens to do) to your computer and/or your data. For instance, it might encrypt your documents or other files and demand that you pay to unlock access to them. This type of ransomware is known as a filecoder. The most notorious filecoder is Cryptolocker (shown in figure 1). Unfortunately, more and more file-encrypting malware is making its way across the internet all the time, with a steady rise over the last year reported by every major anti-virus vendor and lab.
The typical infection occurs when you open an unsolicited email attachment or click a link in a message claiming to come from your bank, a credit-card company, a major corporation or even a freight/delivery company. Cryptolocker variants have also been distributed over peer-to-peer file-sharing networks, posing as activation keys for popular software such as Adobe products or Microsoft Office.
If your computer becomes infected, Cryptolocker hunts for a variety of file types to encrypt, including your QuickBooks Company files, on the local disk and on any mapped network or removable drives it can reach. Once it has locked you out of those files it displays a message (like the one referenced above) demanding that you electronically transfer funds to have them decrypted.
Scareware - Another Major Threat
Scareware is software that tries to scare you into taking a particular action. In many cases scareware (like that shown in figure 2) pretends to be an anti-virus product and displays a warning about security problems on your computer, in an attempt to trick you into paying the scammers or downloading other dangerous code. In some cases the fake anti-virus software even uses the name of a genuine anti-virus firm's product, to increase the number of people fooled into making the wrong decision.
Like ransomware, scareware can affect any operating system. Some fake anti-virus scareware has had a more polished user interface than the legitimate product it imitates. Recently some scareware has also doubled as ransomware: if it fails to talk you into an unwise purchase, it falls back on ransomware tactics, revealing a more obvious threat and demanding money to remove it.
File-encrypting ransomware is usually harder to recover from than other forms of ransomware. However, if you have a backup that the attack could not reach (for example an offline copy, or one on media that was not connected to the infected machine when it was hit), getting up and running again should not be difficult.
The Results of Getting Infected
Many ransomware attacks come with a deadline for payment; if you don't pay in the time allowed you could permanently lose access to your files. File encryption isn't the only malicious act ransomware may perform; there is also lockscreen ransomware, which locks your computer and prevents you from doing anything until the ransom has been paid.
If you don't have a verified backup from which you can restore your sensitive data or company files, you might well think it worth spending a few hundred dollars to regain access to your data. In most reported cases paying the ransom does restore access, because it makes good business sense for the criminals to do so: if word got around that the attackers didn't keep their side of the bargain, nobody would ever pay. However, paying the ransom doesn't mean you're safe. The criminals now know you are the kind of person who is prepared to pay to regain access to your computer or data, so they may leave the underlying malware in place in order to target you again in the future.
In most cases good security software should be able to remove the ransomware itself from your computer, but that isn't the end of your problems. If the ransomware was a filecoder, your files are probably still encrypted. Some security tools can decrypt data scrambled by a simple filecoder (one that uses a weak or hard-coded key), but files hit by Cryptolocker are effectively impossible to decrypt without the attackers' private key, which is held on their servers and never reaches your machine.
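The "verified backup" the two paragraphs above rely on is only as good as the check you actually run on it. As an added example (not from the original article, QuickBooks, or any of the cited vendors), the Python script below records a SHA-256 manifest of a backup set when it is taken, re-verifies that manifest later, and flags changed files whose contents now look like ciphertext (near-maximal byte entropy), which is what a filecoder such as Cryptolocker leaves behind in place of your documents. Everything in it is constructed for the demo: the folder layout, the sample .qbw and .docx contents, and the random bytes standing in for encrypted data. It uses only the standard library and runs offline.

```python
"""Backup manifest + filecoder check (added example, stdlib only).

Nothing here is QuickBooks or vendor code; file names, folder layout and
sample contents are constructed for the demo.
"""
import hashlib
import json
import math
import os
import tempfile
from collections import Counter

MANIFEST_NAME = "backup-manifest.json"
# File types worth tracking; .qbw/.qbb are QuickBooks company/backup files.
WATCHED = {".qbw", ".qbb", ".docx", ".xlsx", ".pdf", ".jpg"}
# Shannon entropy (bits per byte) above which a *changed* file is treated as
# probable ciphertext. Plain text and office documents sit well below this;
# encrypted or compressed data sits near the maximum of 8.0.
ENTROPY_THRESHOLD = 7.5


def sha256_file(path, chunk=1 << 16):
    """Stream the file through SHA-256 so large company files are not read at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def shannon_entropy(data):
    """Entropy of a byte string in bits per byte, 0.0 to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def write_manifest(root):
    """Record size and SHA-256 of every watched file under root; return the entries."""
    entries = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if name == MANIFEST_NAME or os.path.splitext(name)[1].lower() not in WATCHED:
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            entries[rel] = {"size": os.path.getsize(full), "sha256": sha256_file(full)}
    with open(os.path.join(root, MANIFEST_NAME), "w") as f:
        json.dump(entries, f, indent=1, sort_keys=True)
    return entries


def verify_backup(root, threshold=ENTROPY_THRESHOLD):
    """Compare the backup set against its manifest.

    Returns a report with four lists: 'ok' (hash matches), 'missing',
    'changed' (hash differs), and 'suspect_encrypted' (changed AND the
    first 64 KiB now has ciphertext-like entropy).
    """
    with open(os.path.join(root, MANIFEST_NAME)) as f:
        manifest = json.load(f)
    report = {"ok": [], "missing": [], "changed": [], "suspect_encrypted": []}
    for rel, expected in manifest.items():
        full = os.path.join(root, rel)
        if not os.path.exists(full):
            report["missing"].append(rel)
            continue
        if sha256_file(full) == expected["sha256"]:
            report["ok"].append(rel)
            continue
        report["changed"].append(rel)
        with open(full, "rb") as f:
            head = f.read(64 * 1024)
        if shannon_entropy(head) >= threshold:
            report["suspect_encrypted"].append(rel)
    return report


def demo():
    """Constructed scenario: take a backup, then simulate a filecoder hitting one file."""
    root = tempfile.mkdtemp(prefix="qb-backup-")
    os.makedirs(os.path.join(root, "Company"))
    with open(os.path.join(root, "Company", "Books.qbw"), "wb") as f:
        f.write(b"QuickBooks sample ledger text, constructed for the demo. " * 400)
    with open(os.path.join(root, "Notes.docx"), "wb") as f:
        f.write(b"Meeting notes, constructed for the demo. " * 300)
    write_manifest(root)
    before = verify_backup(root)  # everything should be 'ok'
    # Stand-in for Cryptolocker overwriting the company file with ciphertext:
    # random bytes have the same near-8.0 entropy that real ciphertext has.
    with open(os.path.join(root, "Company", "Books.qbw"), "wb") as f:
        f.write(os.urandom(20000))
    after = verify_backup(root)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("clean backup :", before)
    print("after attack :", after)
```

Run the manifest step when the backup is written, preferably from a machine other than the one being backed up, and keep the manifest with an offline copy of the set so the attacker cannot rewrite both. The entropy test is applied only to files whose hash no longer matches, so legitimately compressed formats (.jpg, .pdf, .docx) that are untouched are not reported; a changed file that is merely an edited document stays in 'changed' without being marked 'suspect_encrypted'.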
Clearly prevention is the best medicine against infections of this type. If your anti-virus and internet security software isn't current, update it immediately. You should NEVER go a minute without anti-virus/anti-malware protection in place. Turn it off only when absolutely essential, and only after you have disconnected your computer from the internet and your network; even then, avoid opening files that were not already scanned before the protection was turned off. Do not plug in a USB flash drive or other media while your anti-virus/anti-malware protection is off, and always turn the protection back on before rebooting your computer.
There are countless other safety precautions you should follow, and I suggest that you visit the website (support, technical information or community/blog pages) of your chosen anti-virus provider for additional details and suggestions regarding malware protection. Best of luck, and 'safe computing.'
Sources:
ESET White Paper – Why Last Year’s Security Strategy Can’t Protect You from Today’s Threats
McAfee Threat Center – Cryptolocker Threat Analysis
Norton Security Response Threats – Trojan.Cryptolocker
Trend Micro White Paper – Ransomware Raises the Stakes with CryptoLocker