Avoiding Malware
- Details
- Last Updated: Wednesday, 26 February 2025 14:43
Crypto Infections (AKA Ransomware)
There are many of these going around and more are appearing every day using different methods and approach of attack. Some 90% of SPAM emails contain them as attachments or phishing links, and even images on websites or platforms such as Facebook have sometimes unknowingly provided links to malware. If you become a victim to ransomware that does encryption correctly it is unlikely that the process can be reversed, leaving little other choice than to pay up. Although you might get lucky as some infections were poorly written allowing their decryption keys to be discovered and published freely on-line. Many of these are now available at No More Ransom.org along with similar advice as here. There are several simple steps you can take to prevent infection, and if the worst should happen, to be able to recover afterwards.
Mostly these types of malware deny access to files stored on your computer or device in some way, until you pay a ransom to the creators, usually within a limited period of time. One was cheeky enough to offer free decryption if you dob in two or more friends by supposedly forwarding infected links to them and that they pay up. Paying up is unfortunately not that easy, nor will it guarantee recovery of the files and you should only consider this as an absolute last resort. Paying only encourages the creators. As this is illegal extortion they do not want their identity to be discovered at any cost, so payments need to be anonymous by using an untraceable electronic currency such as bitcoin. Recovery usually costs $500 - $1000, depending on currency exchange rates, although large organizations are known to have paid many thousands. It is estimated that over 1 Billion dollars in ransom was paid in 2016 and in 2017 its going to be much greater.
Generally your files are encrypted by mixing them with a long random number which is unique to you and if you do open them they look like garbage. This number is encrypted using the public part of a public private key pair, where only the private part can decrypt and reveal the random number. This is what the creators retain and what they require you to pay for. This is somewhat like locking the keys to your house in your car along with your child and him/her requiring an ice-cream or reward before letting you back in and handing them over. In some cases a different public/private key pair are generated for each infection. Many victims ask if this system can be cracked and the answer is both a Yes and No. Yes, if a common key pair was used and the private part has been publicly revealed. Possibly by cracking, given enough time, but not really in that the key pairs are a combination of two very large prime numbers, and to determine one without knowing the other is likely to take many lifetimes using the fastest computers now available to factor one of the two primes out of millions.
The enormity of the problem goes something like this:-
The size of the primes is so large that just guessing them would be like wining a lotto game, where everyone in the world since the birth of Christ had a board in a game being drawn every minute. No one would have yet won first division and are not likely to for another 1000 years.
Obviously the best way to avoid becoming a victim is to prevent the infection in the first place. Unfortunately your antivirus may not help very much, as the received files are not actually a virus, or even recognised as dangerous, because the infecting programs themselves are only decoded or received when the file is opened by the user. The incoming file, may in itself, just be a harmless downloading agent, or even part of a picture, but you just don't know and nor does your antivirus (A.V) program. Each initially received file is different - somewhat like determining a thief from a repairman when your door bell rings, but without opening the door and checking credentials. However, once the malware is running on your PC, an A.V can detect many of them from they way they act. Some can lock unauthorised access to specific folders like "My documents" to protect their content, but much damage may have already been done by then. We have personally been able to examine server logs after an infection and noted that some 500 odd files were encrypted before the A.V stopped the process after about 30 seconds. The user then rebooted the machine as instructed by the A.V to remove the infection. On restart another 500 files were encrypted before the process was finally stopped. Often the A.V only recognises the infection by heuristics that determine the program's behavior is bad, or by noticing many files are being renamed with an extension used by ransomware.
How then does one protect oneself?
- Don't open the file in the first place.
As far as we know most infections come as a file or link in a phishing email that you must choose to open.
An infection might also be downloaded from a website by clicking on a bad link, or via security flaws in the computer operating system, or even a legitimately installed application. These methods, so far, are not commonly used by ransomware, although they could if a major weakness was discovered. Keeping software updated is the best prevention for this.
Social engineering in email is always used to make the recipient of the email think it is legitimate and sometimes look very credible. The email itself is not the problem and can be usually be safely viewed, although showing images and HTML formatting are more risky. Images in email are mostly links for download and showing them informs the server and originator that the email address is active along with other details. Frankly, its best to turn off auto display of images and HTML in your mail client and initially just view only plain text. Possible harmful attachments are usually removed by your ISP, such as .exe files, but the contents of many files cannot be checked, such as a picture, pdf, document, or zip. Remember that any included potential ransomware file never looks quite the same.
Never open any attachment until you are sure its genuine. Even if it's from someone you know and trust, their own email account may have been hacked. Contact them if unsure, particularly if the file was not expected. A genuine attachment should always be clearly disclosed and well documented in the body. Latest reports advise that the few emails are crafted to look genuine, such as a job application or inquiry, in order to establish some level of trust, so a later infected document will be opened without thought. - How to identify infected phishing emails.
Firstly, always turn off the Windows option "Hide extensions of known file types". This is one of the worst features that Microsoft has continued to promote as a default. You do this in "folder options->view" by unticking the checkbox of that name. This is one of the favorite methods malware uses to trick you. For example, with extension hiding on, a file called "program.exe" will display as "program". A file called "picture.jpg.exe" will display as "picture.jpg", but it is in fact a program that windows can run and you won't see this with hiding enabled. One click and you have started it. With ransomware, often nothing obvious happens other than lots of disk activity until all your files are encrypted. The same applies to the contents of zip files which are a favourite infection method. In all the infections we have seen, the zip file contained a Javascript or Windows script file (WSF). Windows will automatically run this script when the zip is opened and you are history. The Javascript decodes itself into the actual program, or downloads the program from a rogue website and runs it. Document and spreadsheet files with embedded macros should never be allowed to run. A new trick is to include such a file inside a safe looking pdf which then opens in Word or Excel which prompts you to enable macro support. Don't ever!
Read your emails very carefully and ask yourself the following:-
Is the email generally non specific or personally greet me by name?
(Genuine emails usually have a personal greeting and a correct promotional signature.)
Do I know the sender, person or company that sent it?
Is the language used grammatically correct and typically what one would expect from that sender?
Was I expecting this file?
Is any attachment and content clearly described?
An invoice or other number proves nothing, but "Invoice for P Blackburn's mower repair" might.
Have I dealt with them previously by other means, and do I trust them?
Still not sure then just delete it. - A more technical but worthwhile approach is to check the email headers. Various email clients have a hot-key or option somewhere to do this. Thunderbird uses the Control key + U. (Just Google the name of your email client and "view headers" to find out how.) Email headers show the entire path the email took to delivery, and the time of each entry starting from the originator at the bottom to the reply address at the top, like tracking a courier parcel. Learn how to read these and you will never regret it. Compare the header to that of another much older email from the same sender. Often this will reveal much; it originated from somewhere completely foreign, the names don't match the sender, or other oddity and therefore it's unlikely be genuine. The quoted sender might not be aware its been sent because his PC has become part of a bot-net, or they are also infected by malware and their address book has been harvested. Bot-nets use that persons email and details to craft valid looking phishing emails to their known contacts - you.
Google is your friend - Copy and paste the subject line or other details into Google search. The subject often looks genuine - "Please find your invoice XX12345". Handy tip:You can also do that with phone numbers - particularly useful for checking scams received from any source.
The following website link shows examples of subjects that included malware:-
http://www.thatsnonsense.com/10-emails-that-tried-to-trick-us-into-installing-ransomware/ - If you really must open a file that might be suspect, save it somewhere safe first and use an non-automatic program, such as a hex editor to view the contents. Anything with a .js, scr, dll or .exe extension is likely code, but many innocent looking document files can also contain deliberate errors to take advantage of unreported flaws in the applications that open them. Adobe flash and acrobat reader are particularly targeted. You might even use an old, but still working and non-networked computer specially for this purpose. It needs no hard drive and should boot from a read only device such as a CD/DVD and therefore has nothing on it to encrypt and always reboots up clean. Transfer the suspect file via USB to its memory and remove the USB before opening the suspect file.
- Before clicking on any link, check the real destination by holding the mouse pointer over it. This can show in the client's status bar or elsewhere in the window. This feature may need turning on in your browser or mail client - do it! The actual destination might be only an imitation of the real site, read it carefully checking for translations of characters, zeroes and 'O' etc. Paste or type it into Google search if unsure.
- Still not sure about the email - get a second opinion - it will still be there until deleted and removed from trash. Point it out to a colleague, consult a knowledgeable acquaintance, or check with your IT support. Often they will have seen it before and recognise it immediately.
- Most important of all - keep several backups of your data. Follow the 3,2,1 rule - 3 copies, 2 on separate local devices, and one off-site.
Yes I know it can be a pain, but time and time again, when a PC is infected or a hard drive has failed we hear "I don't have a backup, or I do but not updated for a year, month etc". There is no excuse for this. Often all that is needed is a simple copy of newer files by date, which if done regularly takes only a few seconds. Set a reminder in your calendar to do it each week or even daily. USB drives are excellent for this, but only insert a backup device in the machine to make the backup, and don't go anywhere near with an infected computer - its files could become immediately encrypted as well. If possible, switch the backup device to read only or get someone else to make a copy on another PC first.
Just copying your files to Google drive, Microsoft One drive or to Dropbox can be a life saver. Unfortunately, these are often able to be accessed and encrypted while connected to an infected machine as they were not designed for ransomware protection. However, many other automated cloud backup services exist, such as Carbonite. These do versioning, run in the background, and are basically set and forget. Paid versions of these are not too expensive - the cost of paying just one ransom could cover such a service for 10 years. Versioning retains older copies of changed files so the older unencrypted versions are still available. To simplify and speed the backup process, consider separating your files into aged groups to reduce the number of files needing frequent backup. Pictures are rarely edited and having copies archived on a storage device in dated folders means they don't need repeated backing up. The important thing is to keep frequent backups of files that change often using the 3,2,1 rule. - Do a security check - we recommend visits to Surveillance Self Defense and Gibson Research both very trustworthy sites with a mine of information and have security checking services. (Did you check the above links by mouse over?)
Many devices on your network can be vulnerable when not regularly, or ever, updated and could easily become part of a bot-net that distributes malware or participates in DDOS attacks. Can you really trust those WiFi connected fancy light bulbs, baby webcam monitor or door-bell?
In late 2016 almost half the sites in the USA were disabled for several hours by a combined attack from such infected IOT devices. Is it one you own?