Dark Reading editor Tim Wilson recently raised a provocative question in a comment on Sara Peters's post “CryptoWall More Pervasive, Less Profitable than CryptoLocker”. He asked security experts to share their advice on what users should do when they are hit by ransomware of the CryptoLocker and CryptoWall type. Should users consider paying the ransom? Does contacting law enforcement have any implications for their data? Can an enterprise set a policy for handling this malware, or is everything decided case by case?
Ransomware infections are attacks by cyber criminals, so PC users should understand the technological limits of what can be done before an infection reaches them. In an enterprise, security staff should first educate themselves about the current state of ransomware and then present that information to users professionally. They should also plan concrete steps to prevent infections and to remediate them when they occur. Still, users should know that once a ransomware infection hits, they are largely on their own.
Calling law enforcement will most likely not recover the files. Experts say that if the encrypted files cannot be recovered from an earlier backup and are essential to the business or to the individual's livelihood, paying the ransom is the best remaining option the user has.
The criminals are using file encryption, and nothing obliges them to decrypt the files once the ransom is paid. Professionals also point out that some ransomware does not even have an infrastructure capable of storing the decryption key and handing it back to the victim after payment.
ZeroLocker is one of the infections that raise this question. When ZeroLocker encrypts a victim's files, it sends information about the machine together with the encryption key in a GET request to a predetermined server. That request has been observed to return an HTTP 404, which may mean the server is not storing the key at all. In other words, even if the ransom is paid there is no guarantee that the files will be restored; they might or might not be, and the outcome is uncertain.
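A key that leaves the machine in a GET request over plain HTTP also passes through whatever web proxy or egress logging the network has, so the proxy log may hold the only copy of it on the victim's side of the wire. The script below is an added example, not code from the article or from any ransomware sample: it scans constructed proxy-log lines for GET requests whose query string carries a long opaque token and reports the HTTP status the server answered with. The log format, hosts, paths and parameter names are all made up for the illustration, and the length and character-set heuristics are assumptions that will need tuning against a real log.

```powershell
# Added example (not code from the article or from any ransomware sample):
# scan constructed proxy-log lines for GET requests whose query string carries
# a long opaque value, the pattern described above where a key travels in the
# URL, and report the HTTP status the server answered with.
# Log format, hosts, paths and parameter names below are made up.

$ProxyLog = @'
2014-09-02T10:14:01Z 10.0.0.21 GET http://www.example.com/index.html 200
2014-09-02T10:14:07Z 10.0.0.21 GET http://cdn.example.com/style.css 200
2014-09-02T10:15:12Z 10.0.0.21 GET http://198.51.100.7/up.php?id=WIN-7PC&key=3f9a1c77b2e04d5f8a6b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f 404
2014-09-02T10:15:13Z 10.0.0.21 GET http://198.51.100.7/up.php?id=WIN-7PC&key=3f9a1c77b2e04d5f8a6b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f 404
2014-09-02T10:16:40Z 10.0.0.33 GET http://www.example.com/search?q=ransomware 200
'@ -split "`r?`n"

function Get-ShannonEntropy {
    param([string]$Text)
    # Bits per character: random hex tops out at 4.0, random base64 at 6.0.
    $counts = @{}
    foreach ($c in $Text.ToCharArray()) { $counts[$c] = 1 + [int]$counts[$c] }
    $h = 0.0
    foreach ($n in $counts.Values) {
        $p = $n / $Text.Length
        $h -= $p * [math]::Log($p, 2)
    }
    return [math]::Round($h, 2)
}

function Find-KeyExfilCandidates {
    param([string[]]$Lines, [int]$MinLength = 32)   # 32 chars = 128 bits of hex; assumed threshold
    foreach ($line in $Lines) {
        $f = $line.Trim() -split '\s+'
        if ($f.Count -lt 5 -or $f[2] -ne 'GET') { continue }
        $url = $f[3]; $status = $f[4]
        if ($url -notmatch '\?(.+)$') { continue }          # no query string
        foreach ($pair in ($Matches[1] -split '&')) {
            $name, $value = $pair -split '=', 2
            if ($null -eq $value) { continue }
            # A single opaque token (hex, base64 or url-safe base64) of key-like length.
            if ($value.Length -ge $MinLength -and $value -match '^[A-Za-z0-9+/=_-]+$') {
                [pscustomobject]@{
                    Time    = $f[0]
                    Client  = $f[1]
                    Host    = ([uri]$url).Host
                    Param   = $name
                    Status  = $status                       # 404 here: server likely discarded it
                    Entropy = Get-ShannonEntropy $value
                    Value   = $value                        # the log is now the only copy you hold
                }
            }
        }
    }
}

Find-KeyExfilCandidates -Lines $ProxyLog | Format-Table -AutoSize
```

In the constructed data both hits go to an IP-literal host and come back 404, which is exactly the situation the paragraph describes: the server probably never stored the value, but the proxy log did. Preserve that log before anything rotates it; whether the captured value is actually enough to decrypt anything depends on the family's scheme, which is outside what this check can tell you. The check only sees plain HTTP; a sample that posts its key over HTTPS leaves nothing but the destination in the log.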
CryptoLocker and CryptoWall
The current strain of CryptoLocker can be handled with the FireEye/Fox-IT DecryptCryptoLocker tool, which recovers encrypted files without paying the ransom. That tool, however, may not work against future CryptoLocker strains, and it does not decrypt files hit by ZeroLocker, CryptoWall or CryptorBit.
If the files cannot be recovered from a backup and the user runs a recent Windows desktop release (Windows Vista or later), the Volume Shadow Copy feature may still hold pre-encryption versions of the files. Experts suggest trying Shadow Explorer or the built-in Windows “Previous Versions” feature, both of which read those snapshots. A good guide is the Bleeping Computer CryptoLocker guide, available on the Bleeping Computer website.
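What Shadow Explorer and Previous Versions do under the hood can also be done by hand, which is useful on a machine where installing extra tools is not an option. The script below is an added example, not code from the article, from Shadow Explorer or from the Bleeping Computer guide: it lists the shadow copies of one volume, exposes the newest snapshot taken before the infection as a directory junction, and copies a file out of it. It assumes an elevated PowerShell 3.0 or later session; the mount point, file path and infection time are placeholders. Run it only after the malware has been removed, otherwise the recovered files are simply encrypted again.

```powershell
# Added example, not from the article, Shadow Explorer or Bleeping Computer.
# Lists the Volume Shadow Copies of one volume, mounts the newest snapshot
# taken before the infection as a directory junction, and copies one file out.
# Run in an elevated PowerShell 3.0+ session AFTER the malware has been removed,
# or the recovered files will be encrypted again. Paths and the infection time
# below are placeholders.

$Volume        = 'C:\'
$MountPoint    = 'C:\ShadowRecovery'                     # assumed; must not exist yet
$FileToRecover = 'Users\alice\Documents\budget.xlsx'      # assumed, relative to $Volume
$InfectedAt    = Get-Date '2014-09-02 10:15'              # assumed: mtime of the first encrypted file

# Map the drive letter to its volume GUID path, which is how Win32_ShadowCopy names volumes.
$volumeId = (Get-CimInstance -ClassName Win32_Volume | Where-Object { $_.Name -eq $Volume }).DeviceID

# Newest first. Many ransomware families run "vssadmin delete shadows /all" before
# encrypting, in which case this list is empty and only offline backups remain.
$shadows = Get-CimInstance -ClassName Win32_ShadowCopy |
           Where-Object { $_.VolumeName -eq $volumeId } |
           Sort-Object InstallDate -Descending
if (-not $shadows) { Write-Warning "No shadow copies of $Volume survive."; return }
$shadows | Select-Object ID, InstallDate, DeviceObject | Format-Table -AutoSize

# Only a snapshot from before the encryption started holds clean copies.
$snapshot = $shadows | Where-Object { $_.InstallDate -lt $InfectedAt } | Select-Object -First 1
if (-not $snapshot) { Write-Warning 'Every remaining snapshot post-dates the infection.'; return }

# Expose the snapshot as a directory junction; the trailing backslash on the device path is required.
cmd /c mklink /d $MountPoint "$($snapshot.DeviceObject)\"

# Copy the pre-encryption version out, then remove only the junction, not the snapshot.
Copy-Item -Path (Join-Path $MountPoint $FileToRecover) -Destination "$env:USERPROFILE\Desktop\recovered_budget.xlsx"
cmd /c rmdir $MountPoint
```

Open the recovered file before trusting it: a snapshot taken while encryption was already in progress can contain a mix of clean and encrypted files, which is why the script filters on the snapshot time rather than just taking the newest one. If the shadow copy list comes back empty, the snapshots are gone and this route is closed.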
Stay Prepared, Be Ready
PC users can take steps to prepare for ransomware attacks. Organizations should enforce policies on backup frequency and on regular testing of data restoration, and should invest in user education; all of that helps users withstand future attacks. The policy should apply to every device, including servers, workstations, laptops and IoT systems, as well as employee-owned devices.
Home users should be careful too, since a large share of ransomware arrives as an email attachment or is downloaded after an initial email attachment is executed. If an unexpected email carries a DOC, PDF or PPT file and the user has any doubt about it, the file should not be opened. The safest policy is to delete the email; if it was important and genuinely contained no malware, the sender can always resend it.
Ransomware is delivered in different ways, including native email attachments, automated bots and downloaders that pull in additional malware. Because the delivery mechanisms change constantly, organizations need a predictive rather than purely reactive approach to protect themselves, which means applying the concept of predictive intelligence.