What Are Crypto Locking Viruses And How Do You Avoid Their Wrath?

We have seen several businesses around us that have been hacked in the past few months, with the worst being crypto locking virus attacks that make entire computers unusable and held to ransom. 

Crypto Locking Viruses

What are Crypto Locking Viruses? 

Crypto Locking Viruses, aka ransomware, are a type of malicious software that, once triggered, goes through a computer's or server's file system and encrypts every document it can find. The virus leaves behind a readable file with instructions on how the files can be decrypted; this is generally a transfer of bitcoins to the encrypter's account. By encrypting files that are integral to your business's day-to-day operations, these crypto viruses may immediately stop your business from functioning. Your business is then either forced to pay the ransom to unlock the files on the infected computers (which may not even work after payment is made), or, hopefully, can restore its files from backups (presuming the backups aren't infected and are up to date). Either way you may pay a heavy cost in time, money, or both.

Here’s some significant information about Crypto Locking Viruses:

• On average, most ERP companies will have at least one customer hit a month, and are sometimes hit themselves.

• Most recent versions of crypto virus are triggered from an email attachment, but they don't go off immediately. The more complex ones spend time infecting other machines as they connect to the network and then trigger at a set time and date, usually based on the number of seconds since the time and date the server was infected.

NOTE: A lot of IT networking companies will tell their customer: "Don't pay the ransom, we will restore backups". Most restores won't work: they either restore the original time bomb, or they miss something and end up costing a fortune.

• Most crypto viruses connect to an originating host server (or a server with an external address) to get the encryption key; this is what allows the perpetrator to unlock the encryption.

NOTE: There may still be a few older viruses floating about that set their own encryption key when the encryption is triggered and then upload the key to the relevant machine. The potential problem is that the decrypting host was identified a long time ago and access to it was blocked, so decryption is not possible under any circumstances.

• There has always been a myth that these viruses are developed for specific operating systems or databases. This is no longer the case: all operating systems are now vulnerable and can be affected by crypto locking viruses.

For all of the above reasons, it is essential to identify which type of crypto locking virus you are dealing with before you start trying to undo the damage that it has caused. 

How to avoid and recover from Crypto Locking Virus Attacks?

There are a few important things you can do for your company's security: 

• AVOID clicking links/attachments in emails from unknown sources. Look at the From and Sender email addresses before clicking on any links/attachments; if in doubt, delete the email. Phishing attacks work by getting you to navigate to a website that pretends to be a legitimate company and then to download files/viruses or hand over sensitive information.

• AVOID downloading and installing files from unknown, unreliable sources on the internet.

• AVOID leaving your computer logged into services you are not actively using, such as web email, Facebook, Gmail, Outlook, Dropbox, OneDrive etc. If you are not using it, simply log out. If your computer becomes compromised, any open session with such software becomes a target, and all your data in those systems is at risk.

• CLOSE RDP sessions, TeamViewer and VPNs when you are not using them. If your computer becomes compromised, hackers could use these connections to infect/control other machines.

• AVOID running your operating system as a user with administrator or elevated privileges. Most of the time you don't need to be running as an admin user; switch to an elevated user only when you need to install programs or perform special tasks.

• AVOID saving your customers'/clients' credentials on your computer in plain text. These should all be kept in a system that is encrypted and secured. If your computer becomes infected, any plaintext passwords can be used by hackers to infect other computers.

• If you think your computer has become INFECTED, disconnect it from the network immediately (pull the network cable out, or disable Wi-Fi if you are on the office Wi-Fi) and turn off the machine.

• If you think multiple computers in your office network have become compromised, inform your IT department immediately so that those computers can be isolated from the rest of the network and its databases.

• Keep your operating system UP TO DATE, keep your software up to date, and only use software you can keep up to date. All software has vulnerabilities; newer versions generally close the holes once they are found, so leaving old software running with elevated privileges can be the easiest way for hackers to infiltrate.

• UPDATE your passwords regularly. Avoid using simple passwords and avoid using the same password across many services. Avoid passwords in an obvious sequence, e.g. password 1, password 2. Use two or more random words in a password to make it easy to remember but difficult to crack.

• AVOID passing passwords in email or over insecure mediums. Use services running over HTTPS instead.

• USE Linux, if possible. Due to fewer vulnerabilities and being mostly open source, many people in the community are able to find, fix and alert the user base to any vulnerabilities. It doesn't get viruses the way Windows or other operating systems do.
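The From/Sender comparison recommended in the first tip above can be automated for a mail you have already received. This is an added example, not code from the original article; the message headers are constructed for illustration, and a mismatch is only a cue to look closer before clicking, not proof of phishing.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (not a real email): the visible From address
# claims one company while Sender and Reply-To point at other domains.
SAMPLE = """\
From: "Accounts Payable" <accounts@example-supplier.com>
Sender: mailer@bulk-sender.example.net
Reply-To: invoices@example-supplier-billing.com
Subject: Invoice attached
Content-Type: text/plain

Please open the attached invoice.
"""

def domain(header_value):
    """Return the lower-cased domain of an address header, or '' if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()

def header_warnings(raw):
    """Flag headers whose domain differs from the From domain.

    Sender says who actually submitted the mail, Reply-To and Return-Path say
    where replies and bounces go; when these disagree with From, the visible
    sender name should not be trusted on its own.
    """
    msg = message_from_string(raw)
    from_dom = domain(msg["From"])
    warnings = []
    for name in ("Sender", "Reply-To", "Return-Path"):
        dom = domain(msg[name])
        if dom and dom != from_dom:
            warnings.append(f"{name} domain {dom!r} differs from From domain {from_dom!r}")
    return warnings
```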

Importance of Backups

One side note to these attacks is that many companies suddenly find their backups have not been working, or have been incomplete, for quite some time.

Backups should be verified daily, and random test restores should be carried out on at least a monthly basis. 

A test restore does not need to overwrite all of the current data. Restore your main applications (e.g. your accounting system and data) to a different area and then run a check on the number of files and the file sizes backed up. If you run the test using the latest backup, the backup and live data sets should be nearly identical.
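The file-count and file-size check described above, as an added example (not from the original article): it compares a test-restore directory against the live data directory and reports missing files, files whose size differs, and the total-size drift. The demo builds a constructed sample tree in a temp directory, with one file missing and one truncated in the restore, which is the kind of silent backup failure a monthly test restore exists to catch.

```python
import tempfile
from pathlib import Path

def snapshot(root):
    """Map each file under root (relative POSIX path) to its size in bytes."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): p.stat().st_size
            for p in root.rglob("*") if p.is_file()}

def compare_restore(live_dir, restore_dir, tolerance=0.01):
    """Compare a test restore against the live data set.

    If the restore came from the latest backup the two sets should be nearly
    identical: no missing or size-mismatched files and total bytes within
    `tolerance`. Returns the counts, the offending files and an ok verdict.
    """
    live, restored = snapshot(live_dir), snapshot(restore_dir)
    missing = sorted(set(live) - set(restored))
    extra = sorted(set(restored) - set(live))
    size_mismatch = sorted(f for f in live.keys() & restored.keys()
                           if live[f] != restored[f])
    live_bytes, restored_bytes = sum(live.values()), sum(restored.values())
    drift = abs(live_bytes - restored_bytes) / live_bytes if live_bytes else 0.0
    return {
        "live_files": len(live), "restored_files": len(restored),
        "live_bytes": live_bytes, "restored_bytes": restored_bytes,
        "missing": missing, "extra": extra, "size_mismatch": size_mismatch,
        "drift": drift,
        "ok": not missing and not size_mismatch and drift <= tolerance,
    }

def demo(broken=True):
    """Build a constructed live tree and a restore of it in a temp dir.

    With broken=True the restore misses one file and truncates another, so
    the check fails; with broken=False the two trees match and it passes.
    """
    base = Path(tempfile.mkdtemp())
    live, rest = base / "live", base / "restore"
    sizes = {"accounts/ledger.db": 4096, "accounts/2024/q1.csv": 512,
             "docs/notes.txt": 64}
    for rel, size in sizes.items():
        for root in (live, rest):
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(b"x" * size)
    if broken:
        (rest / "docs/notes.txt").unlink()                       # never backed up
        (rest / "accounts/2024/q1.csv").write_bytes(b"x" * 100)  # truncated copy
    return compare_restore(live, rest)
```

Point `compare_restore` at the real restore area and live data directory to run it against a genuine test restore.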

It only takes one vulnerability to destroy a business. Attacks are happening everywhere, so be careful, mindful and smart about it. If you have any questions regarding Crypto Locking Viruses, please feel free to post them on the TOTECS Forum.