How do you prevent infection with ransomware, the malware that deletes your data and demands payment to decrypt it

Directly targeting users' data in order to extort large sums of money, ransomware is one of the most dangerous forms of malware and poses major challenges for antivirus vendors, who are forced to resort to aggressive methods to keep users from being affected. Unfortunately, no matter how good the antivirus program in use, recovering all the files compromised by a ransomware infection is by no means guaranteed, so prevention remains the only truly effective protection.

A type of malware that deletes the photos and documents stored on a device, leaving behind encrypted versions that can only be opened with an access key, ransomware is the digital equivalent of a robbery with hostages.

While the first forms of ransomware used relatively rudimentary methods, encrypting users' files with encryption keys that antivirus vendors could recover fairly easily (which let them ship disinfection utilities capable of fully restoring the blocked files), the same cannot be said of the more sophisticated variants (e.g. Cryptowall), which generate a unique encryption key for each infected device and send it on to a collection server controlled by the attackers. In most cases, files encrypted this way can no longer be recovered, and the damage to the affected users and companies is considerable.

Depending on the variant, this form of malware can spread by exploiting web browser vulnerabilities, triggered when visiting a compromised website, or through an extension or plugin that a website proposes to the visitor. Another less known way of automatically executing the malware on victims' computers and encrypting their contents is attaching infected files to convincing email messages, sometimes even personalized for the chosen target. This is the preferred method of Cryptowall, an advanced version of Cryptolocker, which encrypts the documents on infected computers and then demands money from the user in exchange for the decryption key. The infected file attached to the email message uses the .chm extension, associated with the Compiled HTML format, an apparently harmless file type normally used to deliver user manuals for software applications. In fact, these files are interactive and run a number of technologies, including JavaScript, and can redirect the user to an external address. Simply opening the .chm file is enough for it to perform various actions on its own, the final objective being infection.

Relatively new, Trojan.DownLoad3.35539 (a CTB-Locker variant) is spread through email messages as an attachment in a ZIP archive containing a file with the .scr extension. If the file is opened, the infected program extracts an RTF document to the hard disk and displays it on screen. Meanwhile, in the background, the encryption program is downloaded from a server under the attackers' control. Once unpacked and activated, it scans the storage devices for the user's personal documents, which it seizes, replacing the originals with encrypted versions. After the mission is complete, the user is informed by a message that they must pay to ransom their personal data.
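Both delivery methods described above (a .chm file attached directly, and a .scr file hidden inside a ZIP attachment) can be caught at the mail gateway or in a mailbox export before anyone opens them. The following Python script is an added example, not code from the original article or from Bitdefender: it parses a message, walks its attachments, looks inside ZIP attachments, and reports every file whose extension is in a risky set. The extension set, the sender and recipient addresses, and the sample message are all constructed for the example.

```python
import email
import email.policy
import io
import zipfile
from email.message import EmailMessage

# Extensions the article names as carriers (.chm, .scr) plus a few other
# directly executable types. This set is an assumption of the example,
# not a complete catalogue of dangerous attachment types.
RISKY_EXTENSIONS = {".chm", ".scr", ".exe", ".js", ".vbs", ".bat", ".cmd", ".pif", ".com"}
ARCHIVE_EXTENSIONS = {".zip"}


def _extension(name: str) -> str:
    """Lower-cased final extension of a file name ('' if it has none)."""
    name = name.lower().strip()
    dot = name.rfind(".")
    return name[dot:] if dot != -1 else ""


def risky_names(filename: str, payload: bytes) -> list:
    """Return the names (the attachment itself, or members inside a ZIP
    attachment, written as 'archive!member') that carry a risky extension."""
    ext = _extension(filename)
    findings = []
    if ext in RISKY_EXTENSIONS:
        findings.append(filename)
    if ext in ARCHIVE_EXTENSIONS:
        try:
            # Only the member names are inspected; nothing is extracted to disk.
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                for member in zf.namelist():
                    if _extension(member) in RISKY_EXTENSIONS:
                        findings.append(f"{filename}!{member}")
        except zipfile.BadZipFile:
            # A ZIP that does not parse is suspicious in its own right.
            findings.append(f"{filename} (unreadable ZIP)")
    return findings


def triage_message(raw: bytes) -> list:
    """Parse a raw RFC 5322 message and list its risky attachments."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    findings = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        findings.extend(risky_names(filename, payload))
    return findings


def build_sample_message() -> bytes:
    """Constructed sample: an 'invoice' mail with a ZIP holding a .scr file
    (double extension, as in the CTB-Locker delivery), a .chm 'manual'
    (as in the Cryptowall delivery) and one harmless PDF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_2015.pdf.scr", b"MZ placeholder bytes")
    msg = EmailMessage()
    msg["From"] = "accounts@example.test"
    msg["To"] = "user@example.test"
    msg["Subject"] = "Your invoice"
    msg.set_content("Please find the documents attached.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Invoice.zip")
    msg.add_attachment(b"ITSF placeholder bytes", maintype="application",
                       subtype="octet-stream", filename="Manual.chm")
    msg.add_attachment(b"%PDF-1.4 placeholder", maintype="application",
                       subtype="pdf", filename="Terms.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in triage_message(build_sample_message()):
        print("RISKY ATTACHMENT:", finding)
```

Run as a script, it reports the .scr inside the ZIP and the .chm attachment and stays silent on the PDF. In a real deployment the same `triage_message` function would be fed messages from the gateway or from a mailbox export, and a hit would quarantine the message rather than just print it.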

How do you prevent infection with Cryptowall and other similar ransomware?

Following the guidance of Bitdefender experts, ordinary users and system administrators can greatly reduce the risk of infection, as well as the damage it causes, by observing some basic rules:

  • Use a constantly updated security solution capable of active scanning.
  • Schedule backups of your files to one or more external hard drives that are not permanently connected to the PC or to the local network, or use a cloud storage service.
  • Avoid visiting unknown sites, do not open links or files attached to emails of uncertain origin, and do not give out personal information on public chats or forums. Sometimes messages with infected attachments arrive from known addresses, if the PC at the other end has been compromised or the email address has been abusively inserted into the sender field.
  • Implement/activate an ad-blocking solution as well as an antispam filter.
  • Use a web browser with virtualization support, or completely disable the Flash content player.
  • Employers should train their employees to identify social engineering and phishing attempts delivered by email.
At the same time, system administrators should strengthen group policies to block execution of the malware from specific locations. This can be done on Windows Professional or Windows Server editions. The Software Restriction Policies option is found in the Local Security Policy editor. After choosing New Software Restriction Policies and then Additional Rules, add the following Path Rules with the security level "Disallowed":

%username%\Appdata\Roaming\*.exe
%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\*.exe
C:\<random>\<random>*.exe
%temp%\*.exe
%userprofile%\Start Menu\Programs\Startup\*.exe
%userprofile%\*.exe
%username%\Appdata\*.exe
%username%\Appdata\Local\*.exe
%username%\Application Data\*.exe
%username%\Application Data\Microsoft\*.exe
%username%\Local Settings\Application Data\*.exe
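To see what the path rules above actually cover before deploying them, the following Python script (an added example, not from the article or from Bitdefender) translates each rule into a pattern and checks a few constructed process image paths against it, the way a process-creation event would be judged. It assumes a profile for a user named `ana`, resolves `%username%` to the profile directory (as listed, those rules would otherwise expand to a bare account name), and approximates the Software Restriction Policies matcher by letting `*` match within a single path component and the article's `<random>` placeholder match one directory name; both are assumptions of the example, not documented SRP semantics.

```python
import re

# The path rules exactly as the article lists them. `<random>` is the
# article's placeholder for an arbitrary directory name.
DISALLOWED_RULES = [
    r"%username%\Appdata\Roaming\*.exe",
    r"%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\*.exe",
    r"C:\<random>\<random>*.exe",
    r"%temp%\*.exe",
    r"%userprofile%\Start Menu\Programs\Startup\*.exe",
    r"%userprofile%\*.exe",
    r"%username%\Appdata\*.exe",
    r"%username%\Appdata\Local\*.exe",
    r"%username%\Application Data\*.exe",
    r"%username%\Application Data\Microsoft\*.exe",
    r"%username%\Local Settings\Application Data\*.exe",
]

# Constructed environment for a user "ana" on a Vista-or-later profile layout.
# Assumption: the article's %username% rules are meant relative to the profile
# folder, so %username% is resolved to the same directory as %userprofile%.
SAMPLE_ENV = {
    "username": r"C:\Users\ana",
    "userprofile": r"C:\Users\ana",
    "appdata": r"C:\Users\ana\AppData\Roaming",
    "temp": r"C:\Users\ana\AppData\Local\Temp",
}

# Constructed process image paths, as they would appear in process-creation
# events, chosen to show both what the rules catch and what they miss.
SAMPLE_EVENTS = [
    r"C:\Users\ana\AppData\Roaming\adobe_update.exe",
    r"C:\Users\ana\AppData\Local\Temp\invoice.exe",
    r"C:\Users\ana\Downloads\setup.exe",
    r"C:\Windows\explorer.exe",
    r"C:\Program Files\Vendor\app.exe",
]


def rule_to_regex(rule, env=SAMPLE_ENV):
    """Translate one path rule into a case-insensitive, anchored regex.

    Approximation of the SRP matcher (an assumption of this example):
    %VAR% is expanded from `env`, `*` matches within one path component,
    and the article's <random> placeholder matches one directory name.
    """
    expanded = re.sub(r"%([^%]+)%", lambda m: env[m.group(1).lower()], rule)
    pattern = ""
    # The capturing group makes re.split keep the wildcard tokens.
    for token in re.split(r"(\*|<random>)", expanded):
        if token == "*":
            pattern += r"[^\\]*"
        elif token == "<random>":
            pattern += r"[^\\]+"
        else:
            pattern += re.escape(token)
    return re.compile("^" + pattern + "$", re.IGNORECASE)


def match_rules(image_path, rules=DISALLOWED_RULES, env=SAMPLE_ENV):
    """Return the rules that would block the executable at `image_path`."""
    return [r for r in rules if rule_to_regex(r, env).match(image_path)]


def evaluate(events=SAMPLE_EVENTS):
    """Map each image path to the list of rules covering it ([] = not covered)."""
    return {path: match_rules(path) for path in events}


if __name__ == "__main__":
    for path, hits in evaluate().items():
        verdict = "BLOCKED by " + ", ".join(hits) if hits else "not covered"
        print(f"{path}: {verdict}")
```

Two results are worth noticing. An executable launched from the user's Downloads folder matches none of the listed rules, so the list is not a substitute for the behavioural protection described elsewhere in the article. And the `C:\<random>\<random>*.exe` rule, if rendered literally with wildcards, also matches `C:\Windows\explorer.exe`, so it must be narrowed before it is deployed or it will block legitimate system binaries.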

Using these mechanisms should limit or block Cryptowall, but for added protection Bitdefender offers Cryptowall Immunizer. Acting as an additional protective layer that works alongside a permanently active antivirus solution, the utility allows users to immunize their computers and block any file encryption attempt before it takes place.
