Ransomware Update: TeslaCrypt, Locky and an Ounce Of Prevention
The rapid rise in infections worldwide this year is giving customer executives pause.
June 29, 2016
By Farokh Karani
As if customers didn’t have enough to worry about when it comes to securing their devices and data, new and seemingly more bulletproof threats are emerging to give even the most confident among us reason to take notice. So what’s all the fuss about?
The DOJ said in a letter to Congress that, since 2005, the Internet Crime Complaint Center has received close to 7,700 complaints regarding ransomware. The cost? About $57.6 million, including ransoms, costs of dealing with the attacks, and lost time and data. And that’s just what was reported. Plenty of organizations and individuals just pay the attackers.
New variants of the TeslaCrypt Trojan, known as v8 or v2.2.0, represent one of the most alarming findings in the most recent Quick Heal Technologies Threat Report. These variants, just like the original TeslaCrypt ransomware, make their way into the computer systems of unsuspecting users to hijack images, spreadsheets, PowerPoint presentations and other files. It begins encrypting these files, converting them into an unreadable form that can be viewed only with the aid of a private key. And the only way to get this key is for the victim to pay a ransom.
What’s the best prevention? Educate customer end users to never download attachments or click on suspicious links in emails received from unwanted or unexpected sources — even if the sources look familiar. Also, they shouldn’t respond to pop-up ads or alerts while visiting unfamiliar websites, and partners should be diligent about applying all necessary security updates and keeping automatic updates on.
Because TeslaCrypt targets data, the most crucial step is to perform regular backups, and not have the backup device continually directly connected to the end user’s PC or customer network. If you can access a backup device from a PC, so can the ransomware. Backup devices and/or tapes should ideally be kept offline when not being used. This can help partners restore data and eliminate the need to pay a ransom.
Because change is constant when it comes to security, suppliers are doing what they can about TeslaCrypt, while also looking intently at what may be just around the corner. Quick Heal’s research team has pinpointed Locky as one of the latest forms of ransomware to cause concern across global markets.
Like TeslaCrypt, Locky is a file-encrypting ransomware malware. After encrypting the files it finds in the PCs it infects, it then changes the extension of the encrypted files to .locky. The encrypted files can be decrypted only with a key available from the cyber thief, for a price.
Known to target Windows users, Locky uses spam email campaigns to spread and infect its victims. In one campaign, the email, which appeared to come from a popular organization, asks the user to download an invoice attachment (a Microsoft Word doc). The document contains text that looks incomprehensible or unreadable. And to make the text readable, the user needs to enable macros. If the user falls for this trick and enables the macros, a series of automatic processes is triggered, ultimately resulting in Locky being installed on the machine. Once inside the system, the ransomware begins encrypting whatever files it can find.
After Locky is done encrypting the files, it displays a message to the user on the desktop. The message announces what has happened, and reveals that decrypting the files is only possible through purchase of a private key, which could cost up to $400.
Deterrent Value
The rise of threats such as TeslaCrypt and Locky make it clear that nimble prevention is the only defense against a constantly changing offense. Here’s what you can do to help your clients thwart the onslaught of attacks:
As mentioned, back up important files regularly, and have the backup encrypted. This will make sure that the data is not misused by anyone.
Educate employees to not trust any email that asks them to download an attachment, a software, survey forms or anything that they were not expecting — no matter how professional, urgent or interesting the email may look or sound. If they think the email is genuine, have them verify it with the sender by phone.
Avoid equipping computers with an administrator account unless necessary. Being attacked by malware while logged in as an administrator can cause irreparable damage to a customer’s systems. Always set up employees to log in as standard users.
Keep Windows OSes and anti-virus/anti-malware programs/applications up-to-date with the latest security updates/patches. With most ransomware infections, the malware takes advantage of a lack of current updates and/or security vulnerabilities present in the user’s system.
The importance of educating customers about the many ways attacks can infiltrate a device or a network cannot be underestimated. One slip-up can bring an organization’s entire operation to a screeching halt. The bottom line is that business owners and IT professionals need to remain ever-vigilant and increasingly proactive with their security and employee education policies and the safeguards they use to protect the endpoints, the network and everything in between.
Farokh Karani is director, North American Sales & Channels, for Quick Heal Technologies, a leading global provider of IT security solutions. Quick Heal’s SEQRITE data security product line is specifically targeted at small to midsize enterprises and is sold in North America exclusively through channel partners.
Read more about:
AgentsAbout the Author
You May Also Like