What is Ransomware?
Ransomware is a type of malware that prevents or limits users from accessing their system or data. This type of malware forces its victims to pay the ransom through certain online payment methods to grant access to their systems, or to get their data back. This can affect a single computer or spread network wide.
How does it infect its targets?
It can be downloaded through malicious or compromised websites, through a payload delivered by other malware or through an email attachment. There are two common ways this can happen; hyperlinks or attachments in bogus emails from supposedly reputable companies that install malware on your computer or direct you to a malicious or compromised website.
How can it be protected against?
The most vulnerable route into a network is through the users, so please educate them regarding safe Internet and email usage. These viruses are usually spread through emails. Users should report any suspicious emails and refrain from opening attachments, or clicking links in emails, unless they are certain they are authentic and are from someone they trust, while keeping in mind that the computer of even a trusted person may have been infected by a virus and be sending mail pretending to be them. So, if they are not expecting an attachment or link from someone, it’s safer to contact them for assurance before opening.
The latest variants (teslacrypt in particular) may not be picked up by anti-malware and anti-virus software, but please ensure that your virus definitions are up to date as all vendors will be urgently working on a resolution.
Keeping your web browser plugins such as Adobe Flash Player up to date is important; the most recent attacks have been using vulnerabilities that exist in older versions of Adobe Flash Player but are fixed in the current version. Keep privileged users/users with local administrator rights to a minimum - up to 90% of malware can be prevented if the user does not have local administrator rights. In addition, in Microsoft networks unauthorised executables are blocked from running by software restrictions policies, however local administrators and privileged users are exempt from this policy making them vulnerable. Ensure backups are up to date and verified; upon infection, backup restoration is the only guaranteed way to get your data back.
Determining the root cause
These issues are relatively straight forward to deal with - provided that you have backups. Ransomware works by working through the drives the user has mapped/local to encrypt the files. It then alerts the user (normally via a text file next to the encrypted documents such as “decryptme.txt” or similar) how to pay for the decryption instructions and keys.
The servers themselves are not usually infected - unless someone logged on to the server (console or RDP) and introduced the virus whilst logged on. It is highly likely that the Ransomware is resident on one or more computers on your network.
Detect and contain
First, check for the owner of the decryptme.txt (or similar) file via its properties - that’s your infected user. You can also search home folders for the file to ensure that only one user is infected.
Next, disable the user account to prevent further encryption. The encryption process takes time - if you have large data shares the user has access to, it may take several hours.
Finally, track down the infected machine. The created date of the decryptme.txt file gives the date and time of infection, so ask the user which machine they were on if you don’t have any method to track this. Disable the machine account if you cannot immediately get to it (via AD Users & Computers).
Resolve the issue
Start off by cleaning the computer via a rebuild - one option is to use your AV solution if it is up-to-date, but a rebuild is far better and our recommended approach. Then, reset the user profile - check home folders/redirected folders for any temporary Internet files, etc. and delete these.
Next, speak with the user to try and identify the file or email that started the infection. Has this file been stored anywhere it can be relaunched, or has the email been forwarded on? Depending on the variant it may have been a file on a USB stick, an attachment, or a website visited. Try to determine the initial cause and delete where appropriate. You can scan suspicious files and URLs using www.virustotal.com.
Finally, do your data restore - anything the user had access to will need to be checked (don’t forget local MIS server shares - if it’s a teacher then the MIS server will need to be checked as it likely has some report and document stores). Some variants change the files - renaming to be MP3 files for example. In this case, you can delete all the MP3 files modified from the infection date and then do your restore, ignoring any files that exist already (far quicker than restoring entire large volumes). You should also educate the user about how to avoid this in future.
Monitor the shares over the next couple of weeks to ensure that nothing else gets encrypted.
How can we help?
RM can help to protect your networks from infection, or help you to understand where some of these vulnerabilities lie and how to mitigate them.
RM Education’s advice following 12 May ransomware outbreak