10 April 2016

RansomWare 2,
Vampires and Zombies

by Leigh Lundin


Last week, we discussed a particularly vicious type of malware, one that poses a severe risk to your computer’s contents. It’s called ransomware and it’s coming to a computer or cell phone near you. This week, we offer specific steps to protect yourself.

Zombies vs Vampires
One of the givens of vampire lore is that the creature must be invited into one’s home. Dracula and his ilk may mesmerize or seduce, but only when a victim throws open the window can the creature waft in.

Malware, and in particular the variety called Trojan horses, works the same way. A colleague hands the victim a flash drive, or she (or he) clicks a disguised download button or an email attachment. Voilà, she has unknowingly invited the devil into her life.

Sometimes the effects are relatively minor: the malware may quietly turn the target into a ‘zombie’, a computer that sends out spam, illicit files, and even more malware without the owner’s knowledge. The truly bad infections suck the lifeblood out of the system. Ransomware falls into this latter category.

Recently, Dale Andrews received an email apparently from Velma with an attachment. Strange… she rarely emails, and I knew our secretary hadn’t emailed anything since the beginning of the year. Fortunately Dale didn’t open the attached payload. It may have been nothing more than a Nigerian scam letter… or it could have been considerably worse.

Pleadings

My colleague Thrush keeps enough computers to power Bulgaria, nearby Serbia and Romania. He thinks like a pro; he takes security very seriously.

His friend Mark phoned: he’d been hit with ransomware. Arriving home in the evening, Mark had sat down at his computer, tired and less than alert. One of his emails raised the spectre of a lawsuit; it included attached ‘court documents’.

He downloaded them and innocently unleashed the wolves. Whatever had been attached, they weren’t pleadings. A screen popped up: his files had been encrypted by ransomware, which demanded a few hundred dollars to return them.

Mark immediately disconnected his computer from his local network (LAN), which included his backup device and his wife’s computer, where their most critical files happened to live. His desktop was done for, but quick action saved the most important files; many ransomware families also encrypt any network share or mapped drive they can reach once they have finished with the first machine.

Defense

The best protection against malware (malicious software) and ransomware in particular is to prepare your fortress now.

I. Backups

Back up, and back up often. I previously mentioned that it’s critical to back up to drives or discs that can be detached. The reason: if your backup drive is connected when malware strikes, the malware can encrypt the backup along with everything else, and you lose both.

A simple strategy from the early days of computing is the grandfather-father-son rotation: you cycle through your discs (or tapes or other media), reusing the oldest backup each time. The scheme has one weakness: you may back up corrupted or already-encrypted files without realizing it, and after a full cycle every copy in the rotation is bad. For that reason, archive a backup every month or so. Tuck it in a drawer or bank vault and exclude it from the recycling.
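The weakness just described, backing up files that are already damaged, can be caught before the oldest copy is recycled by comparing a manifest of file hashes with the previous backup’s manifest. The following is an added example written for this page, not a tool the post mentions; the 20% change threshold, the file names and the simulated attack are assumptions constructed for the demonstration.

```python
"""Added example (not from the original post): compare a fresh backup
against the previous one before recycling the oldest media, so that a
mass-change event (ransomware rewriting files) is caught before every
copy in the rotation has been overwritten with damaged data.
"""
import hashlib
import os
import tempfile
from typing import Dict, Tuple

# Hypothetical threshold: the post gives none. Tune it to how much of your
# data legitimately changes between two backups.
MAX_CHANGED_RATIO = 0.20


def sha256_file(path: str) -> str:
    """Hash a file in chunks so large files need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: str) -> Dict[str, str]:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    manifest: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def diff_manifests(old: Dict[str, str], new: Dict[str, str]) -> Dict[str, int]:
    """Count files that were added, removed, or whose contents changed."""
    added = [p for p in new if p not in old]
    removed = [p for p in old if p not in new]
    changed = [p for p in old if p in new and old[p] != new[p]]
    return {"added": len(added), "removed": len(removed), "changed": len(changed)}


def safe_to_rotate(old: Dict[str, str], new: Dict[str, str],
                   max_ratio: float = MAX_CHANGED_RATIO) -> bool:
    """Refuse to overwrite the oldest backup if too much has changed.

    Ransomware rewrites (or renames and rewrites) most of the documents it
    can reach, so a high share of changed-plus-removed files relative to the
    previous manifest is the signal. A renamed file (report.docx ->
    report.docx.locked) shows up as one removed and one added.
    """
    if not old:
        return True  # first backup: nothing to compare against
    stats = diff_manifests(old, new)
    ratio = (stats["changed"] + stats["removed"]) / len(old)
    return ratio <= max_ratio


def demo() -> Tuple[bool, bool]:
    """Constructed scenario: one normal edit, then a simulated encryption."""
    with tempfile.TemporaryDirectory() as root:
        for i in range(10):
            with open(os.path.join(root, f"doc{i}.txt"), "w") as fh:
                fh.write(f"document number {i}\n")
        baseline = build_manifest(root)

        # Day 2: the user edits one document. Recycling the oldest copy is fine.
        with open(os.path.join(root, "doc3.txt"), "a") as fh:
            fh.write("one more paragraph\n")
        normal_ok = safe_to_rotate(baseline, build_manifest(root))

        # Day 3: simulated ransomware rewrites 8 of 10 files under new names.
        for i in range(8):
            src = os.path.join(root, f"doc{i}.txt")
            with open(src + ".locked", "wb") as fh:
                fh.write(os.urandom(64))  # stands in for ciphertext
            os.remove(src)
        attacked_ok = safe_to_rotate(baseline, build_manifest(root))
    return normal_ok, attacked_ok


if __name__ == "__main__":
    normal, attacked = demo()
    print("rotate after a normal day:", normal)            # True
    print("rotate after mass rename/rewrite:", attacked)   # False
```

Run it against the previous manifest before each rotation; when it says no, keep the old media and investigate instead of overwriting the last good copy.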

Consider using write-once Blu-ray discs. Those discs are not only less expensive than rewritable ones, they’re safer: once written they cannot be altered, so ransomware cannot encrypt them, and their life span may run to decades.

The Macintosh includes a backup program called Time Machine. It can operate in manual mode, which is useful for detachable drives. It also offers a continuous mode in which changed files are backed up every hour to an attached drive or to a network drive such as a NAS (network-attached storage) unit. Continuous backing up is great unless ransomware reaches the backup files as well.

A safer way to run continuous backups on a desktop computer is to give the backup job its own user account:
  1. Ensure the files you want backed up are either in your Public folder or outside your home folder altogether; in other words, make sure the items to be backed up are visible beyond the confines of your own user folder.
  2. Establish a second user account called Backup, without administrator rights. If set up properly, it should be able to see the files and folders you want backed up. Keep things pure: do not use this account to surf, read email, or shop on-line.
  3. Attach a back-up drive, cloud storage, or NAS that is protected by a password. Only the Backup account should have that password, and only the Backup account should mount the drive; don’t access it from your main user account(s). (Western Digital external drives not only provide good back-up programs, they also allow the drive itself to be password protected.)
  4. Start the back-up program from the Backup account, giving it the passwords it needs. Then switch back to your main account with fast user switching rather than logging Backup off, so its back-up program keeps running.

While you’re working, the Backup account quietly saves your data. If you are attacked, malware running under your main account has neither the password nor the permissions to reach the back-up drive. The protection holds only as long as the malware stays confined to your account: if it gains administrator rights it can reach the drive too, so use non-administrator accounts for daily work and give Backup a strong password of its own. You need only consider this for continuous automatic back-up programs like Time Machine.

II. Modems, Routers, and Firewalls

The Backup account acts as a sort of firewall, sealing off the back-up drive from the rest of the machine. Chances are your router as well as your computer contain software firewalls. Because of the variety of manufacturers, I won’t attempt to address specifics other than to suggest learning how to use them, or seeking help with them.

On the router, forward as few ports as you can and turn off administration from the internet side. Use long passwords for the admin pages of both your modem and your router, and a long WPA2 passphrase for the Wi-Fi itself. Be careful whom you let onto your network. Many wireless routers offer a separate ‘guest’ network with limited access to your own machines; put visitors there. Routers also offer WPS (Wi-Fi Protected Setup), a button that lets a guest connect without the passphrase. The PIN form of WPS has well-known weaknesses that let an attacker recover the passphrase, so unless you use only the push-button mode and can switch WPS off afterwards, leave it disabled and give guests the guest-network passphrase instead.

III. Computer Settings


Besides judicious sharing and firewall settings, a seemingly minor option offers major potential. By default, both Windows and the Mac hide common extensions (.doc, .rtf, .gif, .mp3, .exe, .app, etc.). A hidden extension might look a little prettier, but that extra piece of information might save your computer.

Say you get a breezy email purportedly from a friend containing an attachment called FamilyFotos.jpg. You start to open it but, if you’ve turned on the display of extensions, you’ll see the full name is FamilyFotos.jpg.app … uh oh!

Or, say you visit SexyBuns.com, download HunkyGuys.mp4 (yes, I’m talking about you, Jan Barrow Grape of 103 Rodekyl Lane, Armadillo, Tx 78657) and spot that the complete file name is hunkyguys.mp4.exe

These are big clues that those files are not friendly.

Show extensions via Control Panel › Folder Options › View, unchecking “Hide extensions for known file types” (Windows), or Finder › Preferences › Advanced, checking “Show all filename extensions” (Mac). Now you can at least be confident that LegalPapers.pdf really is a PDF. That tells you the file’s type, not that it is safe: a PDF or Word file can itself be malicious, so the extension is the first check, not the only one.
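The same ‘look at the real extension’ check can be applied by a script to a list of attachment names. This is an added example, not code from the original post; the extension lists and sample names are my own assumptions, and it also covers one disguise the post does not mention, the Unicode right-to-left override character that makes a name display backwards.

```python
"""Added example (not part of the original post): apply the real-extension
advice automatically to attachment names. It flags the double-extension
disguises the post describes, Office formats that can carry macros, and
the right-to-left-override trick. The sample names are constructed."""
import unicodedata
from typing import Dict, Iterable, Optional

# Extensions Windows or macOS will run, or that carry code, on double-click.
# Not exhaustive; extend for your own environment.
EXECUTABLE_EXTS = {
    "exe", "com", "scr", "pif", "bat", "cmd", "ps1", "vbs", "vbe", "js", "jse",
    "wsf", "wsh", "hta", "msi", "jar", "lnk", "app", "command", "sh",
}
# Extensions readers take for harmless data.
DATA_EXTS = {"jpg", "jpeg", "png", "gif", "mp4", "mp3", "pdf", "doc", "docx",
             "xls", "xlsx", "txt", "rtf", "zip"}
# Office formats whose macros run once the user clicks 'Enable Content'.
MACRO_EXTS = {"doc", "docm", "dotm", "xls", "xlsm", "xlam", "ppt", "pptm"}


def explain_attachment(filename: str) -> Optional[str]:
    """Return a one-line reason the name is suspicious, or None."""
    # U+202E (RLO) makes "photo\u202egpj.exe" display as "photoexe.jpg".
    if any(unicodedata.bidirectional(ch) in ("RLO", "LRO") for ch in filename):
        return "bidirectional override character hides the true extension"
    parts = filename.lower().split(".")
    if len(parts) < 2:
        return None
    ext = parts[-1]
    if ext in EXECUTABLE_EXTS:
        if len(parts) >= 3 and parts[-2] in DATA_EXTS:
            return f"double extension: looks like .{parts[-2]} but is really .{ext}"
        return f"executable attachment (.{ext})"
    if ext in MACRO_EXTS:
        return f"Office format that can carry macros (.{ext}); open only in a macro-blocking viewer"
    return None


def triage(filenames: Iterable[str]) -> Dict[str, Optional[str]]:
    """Map each attachment name to its verdict (None means nothing unusual)."""
    return {name: explain_attachment(name) for name in filenames}


if __name__ == "__main__":
    SAMPLE_ATTACHMENTS = [  # constructed, mirroring the post's examples
        "FamilyFotos.jpg.app", "hunkyguys.mp4.exe", "LegalPapers.pdf",
        "Invoice.docm", "photo\u202egpj.exe", "minutes.txt",
    ]
    for name, verdict in triage(SAMPLE_ATTACHMENTS).items():
        print(f"{name!r}: {verdict or 'looks ordinary'}")
```

If you prefer to flip the system setting from a terminal rather than a dialog box, macOS accepts the command “defaults write NSGlobalDomain AppleShowAllExtensions -bool true” followed by “killall Finder”, and on Windows the same option is the HideFileExt value (0 means show) under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced.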

[Screenshot: macOS Finder preferences, “Show all filename extensions”]
Use extra caution with Word files. Legacy .doc and macro-enabled .docm files can carry VBA macros (Word will not run macros from a file saved as .docx); a malicious document typically shows a blank or blurred page and urges you to click ‘Enable Content’ so the macro can run. The macro itself is usually only a downloader: it fetches the real payload, ransomware included, so the infection is not confined to Word.

If you only need to peek at an unknown Word file, open it in WordPad (Windows), TextEdit (Macintosh), or another viewer that ignores embedded macros; in Word itself, leave attachments in Protected View and do not click ‘Enable Editing’ or ‘Enable Content’. Whenever possible, exchange .rtf instead of .doc: RTF cannot carry macros, though RTF parsers have had bugs of their own, so it is safer rather than safe.
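Whether a Word file actually contains a macro project can be checked without opening it in Word at all: the .docx and .docm formats are ZIP archives, and any macros sit in a part named word/vbaProject.bin. The following added example is not from the original post; the sample documents it inspects are constructed in memory, and legacy binary .doc files (OLE containers) are only recognised, not parsed, since that needs a dedicated library such as olefile.

```python
"""Added example (not part of the original post): look inside a Word file
for a VBA macro project before opening it. Office Open XML files are ZIP
archives; macros live in word/vbaProject.bin and the package's content-types
manifest declares the macro-enabled main part. Samples are constructed."""
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # header of legacy .doc/.xls/.ppt
MACRO_CONTENT_TYPE = b"application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_CONTENT_TYPE = (b"application/vnd.openxmlformats-officedocument."
                      b"wordprocessingml.document.main+xml")


def inspect_word_file(data: bytes) -> str:
    """Classify raw bytes as 'no-macros', 'has-macros', 'legacy-ole' or 'not-office'."""
    if data.startswith(OLE_MAGIC):
        # Binary .doc may hold macros; an OLE parser is needed to tell.
        return "legacy-ole"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            if any(n.lower().endswith("vbaproject.bin") for n in names):
                return "has-macros"
            # Second signal: the manifest declares a macro-enabled document part.
            if "[Content_Types].xml" in names and \
                    MACRO_CONTENT_TYPE in zf.read("[Content_Types].xml"):
                return "has-macros"
            if "word/document.xml" in names:
                return "no-macros"
            return "not-office"  # a ZIP, but not a Word package
    except zipfile.BadZipFile:
        return "not-office"


def make_sample(with_macros: bool) -> bytes:
    """Constructed minimal OOXML package; real files contain many more parts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        main_ct = MACRO_CONTENT_TYPE if with_macros else PLAIN_CONTENT_TYPE
        zf.writestr("[Content_Types].xml",
                    b'<Types><Override PartName="/word/document.xml" '
                    b'ContentType="' + main_ct + b'"/></Types>')
        zf.writestr("word/document.xml", b"<w:document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)  # placeholder VBA project
    return buf.getvalue()


if __name__ == "__main__":
    print("clean .docx :", inspect_word_file(make_sample(False)))   # no-macros
    print("macro .docm :", inspect_word_file(make_sample(True)))    # has-macros
    print("legacy .doc :", inspect_word_file(OLE_MAGIC + b"\x00" * 32))  # legacy-ole
    print("a PDF       :", inspect_word_file(b"%PDF-1.4\n"))        # not-office
```

A result of has-macros or legacy-ole from an unexpected sender is reason enough to leave the file unopened; the check reads the ZIP directory only and never executes anything from the document.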

[Screenshot: Windows Folder Options, “Hide extensions for known file types”]
Email filtering not only keeps annoying mail out of your inbox, it can also provide a line of defense against malware. Even if you use blacklists and whitelists, keep in mind that the bad guys may have hijacked a friend’s contact list, or simply forged the From address, and are relying on your trust in that name.

IV. Too Helpful

Be wary of too-helpful emails and pop-up windows that offer updates to Flash, Silverlight, or Java, and especially of shortcut links to your banking web site. If you receive an email supposedly from PayPal, your financial institution, HealthVault, the IRS, Social Security, or any other site holding personal and financial information, don’t click any embedded links. Instead, type the address yourself, or use a bookmark you made earlier, so you are not led to a ‘spoof’ site built to harvest your credentials.
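The advice to type the address yourself exists because the text of a link and its real destination need not agree. This added example, not part of the original post, applies that same comparison to the links in a sample HTML message constructed here; the hostnames in it are assumptions chosen from reserved example names and documentation IP ranges.

```python
"""Added example (not part of the original post): audit the links in an
HTML email the way the post tells a reader to, by comparing where a link
says it goes with where its href really goes. Sample email is constructed."""
import ipaddress
import re
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Constructed sample: three suspicious links and two ordinary ones.
SAMPLE_EMAIL = """
<p>Your account is limited. Please verify at
<a href="http://paypa1-secure.example/login">www.paypal.com</a>.</p>
<p><a href="https://www.paypal.com@198.51.100.7/">Log in now</a></p>
<p><a href="http://xn--pypal-4ve.example/">Help Center</a></p>
<p><a href="https://www.paypal.com/signin">Sign in</a></p>
<p><a href="mailto:help@example.org">Email us</a></p>
"""

DOMAIN_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the document."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host: str) -> str:
    """Crude 'owner' of a hostname: its last two labels. Adequate for the
    demo; production code should consult the Public Suffix List (co.uk etc.)."""
    return ".".join(host.split(".")[-2:])


def assess_link(href: str, text: str) -> Optional[str]:
    """Return why the link is suspicious, or None if it looks consistent."""
    parsed = urlparse(href)
    host = (parsed.hostname or "").lower()
    if not host:
        return None  # mailto: and relative links: nothing to compare
    if "@" in parsed.netloc:
        # Everything before '@' is userinfo, not the destination: a classic decoy.
        return f"decoy before '@': the browser actually goes to {host}"
    try:
        ipaddress.ip_address(host)
        return f"link goes to a bare IP address ({host}) rather than a named site"
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        return f"internationalized (punycode) host {host}: may imitate a familiar name"
    shown = DOMAIN_RE.search(text.lower())
    if shown and registrable(shown.group(0)) != registrable(host):
        return f"text shows {shown.group(0)} but the link goes to {host}"
    return None


def audit_email(html: str) -> List[Tuple[str, str, str]]:
    """Return (href, text, reason) for every link that fails the checks."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        reason = assess_link(href, text)
        if reason:
            findings.append((href, text, reason))
    return findings


if __name__ == "__main__":
    for href, text, reason in audit_email(SAMPLE_EMAIL):
        print(f"{text!r} -> {href}\n    {reason}")
```

A link that passes these checks can still be hostile; the script only mechanises the ‘does it say where it goes?’ question, which is why the post’s advice to type the address or use your own bookmark remains the real defence.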

[Image: a fake infection warning; caption: Consider the irony]
Notices urging upgrades, usually delivered as pop-ups, can serve as fronts for malware. Don’t fall for the false convenience. Be equally cautious of notices that your computer has been infected with a virus. If your browser screen locks up, get help; don’t call the toll-free number on the screen.

Such notices may try to trick you into installing nasty stuff. If you think you might need a newer Flash player or Java component, hie directly to the vendor’s own web site and check there for the current version.

V. AntiVirus Protection

Obtain a good anti-malware suite, either free (like AVG) or from Kaspersky Lab, Symantec/Norton, Bitdefender, Malwarebytes, or WinPatrol. They each take different approaches; Bitdefender’s anti-ransomware tool works as a sort of vaccine. The free Panda Ransomware Decrypt Tool tries to restore deliberately damaged files, but note that decryptors exist only for ransomware families whose encryption was flawed or whose keys have been recovered; against a well-implemented strain, your backup is the only way back.

If at all possible, remove the wounded drive from its computer, or create and boot from an external drive to work on the damaged device, since the infection may have altered the boot sectors of your hard drive. Before you wipe anything, copy the encrypted files to a spare drive: decryptors for a given family sometimes appear months later. If you’re able to decrypt your damaged files, move them to a safe place and totally reformat the damaged drive.

The Myth of Customer Service

One of the internet ‘memes’ floating around the web speaks of ransomware ‘customer service’. This irresponsible wording is tantamount to insisting a rapist gives good customer service if he doesn’t kill the victim. Even professional developers who should know better use this expression, an indication of naïveté rather than expert opinion. A paid criminal who restores files only 50-60% of the time does not exhibit good customer service.

More on that next week. In the meantime, avoid zombies, vampires, and malware.

15 comments:

Louis A. Willis said...

Leigh,
Thanks for the information. I'll keep the article in my reference folder in case I need it. A friend of mine mistakenly clicked on a button she thought would open an account at an online store. Instead, she got a message supposedly from Microsoft that her computer was infected. She has a Mac. She didn't click the "ok" button. She called the number shown on the screen. She became suspicious when the guy on the phone told her he'd fix the problem for a fee. She called me and I told her don't click on anything. Her son who studied computer science fixed the problem. She is now wary of clicking any button when she is online.

John Floyd said...

Great information, Leigh. Even those of us who have been around computers a long time need reminders about this kind of thing.

Many thanks.

Leigh Lundin said...

Hi Louis! Good to see you again. I’m glad the lady grew suspicious and got help. Having one of those nasty exploits take over your browser is scary, but if I can get JavaScript turned off, then I can close the page and return things to normal. However, there’s a really nasty browser exploit that pops up a long thin window with an 800 number. The only way I’ve found to kill it is to use ‘Force Quit’ (Apple menu) once or twice to shut down Safari and then, using finger dexterity, reload it and close the page(s) as fast as they come up. A bit tricky, but it works. Thanks for saying hello, Louis!

Thanks, John. That’s true. It’s easy to become complacent and after Mark’s ordeal, I realized I needed to take more precautions. We Mac users aren’t immune; we’re just a slightly smaller target.

Vicki Kennedy said...

Thanks, for the info, Leigh. You've tried to help me several times in the past and I appreciate it. I'm afraid I'm kind of a slow learner on some of this stuff.

Vicki Kennedy said...

Leigh, Would you please send me the direct link to your column today and I'll post it on FB? My main email won't let me email anyone again. I'd use my back up, but you don't always get them. Thanks!

Magnus said...

Nice piece. Good balance between understandability and detail. This is a serious and growing threat. Glad you're helping out.

Leigh Lundin said...

You're welcome, Vicki, and thank you for posting the link. I've emailed it to you.

Thanks, Magnus. I debated adding more about routers and firewalls, but that topic is non-trivial for experts. My goal there was awareness. BTW, interesting link.

Jan Grape said...

I appreciate your article. However, most of it is Greek to me. Although I've used computers since 1985 and first was a K-Pro, I don't understand much more than how to turn a computer on and off. I've mainly just used word processing, emails and such. I'm pretty good about not opening emails. And don't download except from known sites like Amazon. I only have a laptop and a tablet and a cell phone. I bought an external drive years ago to back up things but don't think I ever got it to work right. I do have AVG and hope it protects me.

A Broad Abroad said...

[Trumpet fanfare] I am proud to announce that my laptop data was backed up to an external hard drive this very evening! Thank you for scaring me spitless.

When visiting sites purporting to be those of anti-virus companies [like the ones you listed], my concern is that I have an actual site and not a baddie site disguised to look similar to the real thing.

Leigh Lundin said...

Jan, you were the intended market when Steve Jobs spoke of creating an ‘appliance’, a useful device people could simply plug in and use. Then bad guys had to rush in and spoil things. “Always something,” as Gilda Radner used to say. AVG should help. As for the external drive, attach it, drag your folder(s) onto it, shut your computer down and detach it. You’ve got your first backup. And thanks for letting me use your name in the article, Jan.

ABA! I’m so glad you’ve got a backup. I know you have books and materials you don’t dare lose.

You pose a good question, especially since ‘phishing’ scams depend upon fooling users with seemingly good web sites. If I get time, I’ll add in links, but another way might be to visit Wikipedia. The quality of its articles might sometimes be questionable, but the links at the bottom of pages on Kaspersky, Symantec, etc., should be valid… unless someone deliberately twisted them to their own nefarious purpose.

Paul D. Marks said...

Thanks for all the great advice, Leigh!

Leigh Lundin said...

You're welcome, Paul!

Jeff Baker said...

I get one of those e-mails from a "friend" with an attachment every now and then. The most recent I deleted because it was suspiciously unlike the guy to send anything without at least three paragraphs of reminiscing before he got down to business!

Leigh Lundin said...

Good instincts, Jeff! Sad we have to be so suspicious.

M. Johnston said...

Thanks, Leigh, for a super important post. I got to it from my Guppy gmail (wanted to read fellow Guppy Agatha-nominated excerpts). I would like to post a referral to the blog on my blog site as well (www.lyricalpens.com) and wonder if you'd send me the direct link.

Thanks again for sharing the info. Marilyn Johnston (writing as cj petterson)