BLOG

As FraudWatch International CEO Trent Youl mentioned in a previous blog article, “What to expect in 2015”, ransomware is becoming a more popular tool of the trade for cyber-criminals.

Ransomware is a type of malware which restricts access to the computer system that it infects, and demands a ransom paid to the creator(s) of the malware in order for the restriction to be removed.

Here at FraudWatch International, we are not impervious to attacks from cyber criminals. In fact, just a week ago, one of our employees was targeted by a malicious email.

What form did the email take?

The employee was sent an email stating that a voice mail message had been received. They were provided with a link, which would allow them to download and extract the voice mail message, so that they could listen to it.

Luckily, the employee was suspicious about why she would have received this email. The domain of the sender’s email address was legitimate; however, the username was not. She decided to forward it to our Malware team for further investigation.

What did the Malware team find?

FraudWatch International’s Malware team analysed the email and found it to contain Crypto-Ransomware known as CryptoWall.

Tech Tip: Crypto-Ransomware is a type of ransomware that encrypts all personal files (i.e. not system files) on a PC, and potentially any external drives or mapped drives connected to the PC, using 2048-bit RSA keys; without the criminals’ private key, recovering the files by brute force would take millions of years. CryptoWall is part of the Crowti family of ransomware.

Once the email link was clicked, a file (the malware) was downloaded, disguised as a voice mail message. Double-clicking on the “voice mail message” (supposedly to listen to the recording) launched an executable file, which then installed the malware and encrypted all personal files on the PC.
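The two warning signs in this incident, a sender whose domain is legitimate but whose mailbox is not, and a “voice mail” that is really a downloadable archive or executable, can both be checked mechanically before a message reaches an inbox. The following Python script is an added example written for this article, not code from FraudWatch International; the company domain, the directory of known mailboxes, the hostnames and the two sample messages are all constructed, and the thresholds are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from typing import Optional
from urllib.parse import urlparse

# Constructed sample message: a "new voice mail" lure sent from the company's own
# domain but from a mailbox that does not exist. Names and hosts are hypothetical.
SAMPLE_EMAIL = """\
From: "Voice Mail System" <vm-notify-88213@example-corp.test>
To: staff.member@example-corp.test
Subject: New voice mail message (0:47)
Content-Type: text/plain

You have received a new voice mail message.
Download and extract the message to listen to it:
http://voicemail-download.example-lure.test/msg/VoiceMail_3421.zip
"""

# Constructed benign message for comparison.
BENIGN_EMAIL = """\
From: "IT Helpdesk" <it-helpdesk@example-corp.test>
To: staff.member@example-corp.test
Subject: Patch window tonight
Content-Type: text/plain

Reminder: workstations will be patched tonight at 20:00. No action is needed.
"""

COMPANY_DOMAIN = "example-corp.test"          # hypothetical
# Hypothetical directory of mailboxes that really exist on that domain.
KNOWN_LOCAL_PARTS = {"staff.member", "it-helpdesk", "voicemail"}

AUDIO_EXTS = {".wav", ".mp3", ".wma"}
RISKY_EXTS = {".zip", ".rar", ".exe", ".scr", ".js", ".vbs"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def classify_download(url: str) -> Optional[str]:
    """Describe why the file a link points at is not what a voice mail should be."""
    name = urlparse(url).path.rsplit("/", 1)[-1].lower()
    exts = ["." + part for part in name.split(".")[1:]]
    if not exts or exts[-1] not in RISKY_EXTS:
        return None
    if any(ext in AUDIO_EXTS for ext in exts[:-1]):
        return "double extension: audio-looking name ends in an executable/archive"
    return "download is an archive or executable, not an audio file"


def triage(raw: str) -> dict:
    """Return the heuristic findings for one raw RFC 822 message."""
    msg = message_from_string(raw)
    findings = []

    # Sender check: our own domain, but a local-part nobody in the directory owns.
    _, addr = parseaddr(msg.get("From", ""))
    local, _, domain = addr.rpartition("@")
    if domain.lower() == COMPANY_DOMAIN and local.lower() not in KNOWN_LOCAL_PARTS:
        findings.append(f"sender domain is ours but mailbox '{local}' is unknown")

    body = msg.get_payload(decode=True).decode("utf-8", errors="replace")
    text = (msg.get("Subject", "") + "\n" + body).lower()
    urls = URL_RE.findall(body)

    # Lure theme: a voice-mail notice that wants the reader to download something.
    if "voice mail" in text and urls and "download" in text:
        findings.append("voice-mail lure: asks the recipient to download a message")

    # Link checks: where does it go, and what kind of file is at the end of it?
    for url in urls:
        host = (urlparse(url).hostname or "").lower()
        if host != COMPANY_DOMAIN and not host.endswith("." + COMPANY_DOMAIN):
            findings.append(f"link host '{host}' is outside our domain")
        reason = classify_download(url)
        if reason:
            findings.append(reason)

    # Two independent findings are enough to route the message to the Malware team.
    return {"suspicious": len(findings) >= 2, "findings": findings}


if __name__ == "__main__":
    for label, raw in (("lure", SAMPLE_EMAIL), ("benign", BENIGN_EMAIL)):
        print(label, triage(raw))
```

The sender check only works if the known-mailbox list is kept current, so in practice it would be fed from the mail server or directory rather than a hard-coded set; the point is that a legitimate-looking domain is not enough on its own, and the employee’s instinct to look at the username is exactly what the script encodes.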

The following ransom notification files were also saved to every folder that contained a file that had been encrypted:

  • HTML
  • PNG
  • TXT
  • URL

These files were automatically displayed every time a user logged in. They advised that the files had been encrypted, and provided information on how to pay for and download decrypter software.
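The pattern described above, the same note dropped as HTML, PNG, TXT and URL into every folder that held an encrypted file, is itself a usable indicator for responders: an ordinary user profile does not contain one base name repeated with several of those extensions across many folders. The script below is an added example for this article, not FraudWatch International’s tooling; it builds a constructed directory tree in a temporary folder with a made-up note name (the real note name is not given here, so the detector learns the name from the tree rather than assuming it), and the “at least three extensions in at least three folders” threshold is an assumption.

```python
import os
import tempfile
from collections import defaultdict
from pathlib import Path

# The four note formats the post lists. The note's base name is not given on the
# page, so the detector infers it from the tree instead of hard-coding it.
NOTE_EXTS = {".html", ".png", ".txt", ".url"}


def find_note_sets(root):
    """Map each file stem to the directories where it occurs with at least
    three of the four note extensions side by side."""
    hits = defaultdict(set)
    for dirpath, _, filenames in os.walk(root):
        by_stem = defaultdict(set)
        for name in filenames:
            p = Path(name)
            if p.suffix.lower() in NOTE_EXTS:
                by_stem[p.stem.upper()].add(p.suffix.lower())
        for stem, exts in by_stem.items():
            if len(exts) >= 3:
                hits[stem].add(dirpath)
    return hits


def suspected_ransom_notes(root, min_dirs=3):
    """Stems that recur as a note set across at least min_dirs folders."""
    return {stem: len(dirs) for stem, dirs in find_note_sets(root).items()
            if len(dirs) >= min_dirs}


def build_sample_tree():
    """Constructed user profile: four folders carrying a planted note set, plus
    a project folder whose README.txt/README.html must not trigger."""
    root = tempfile.mkdtemp(prefix="ransom-demo-")
    for folder in ("Documents", "Documents/Invoices", "Pictures", "Pictures/2014"):
        d = Path(root, folder)
        d.mkdir(parents=True, exist_ok=True)
        for ext in NOTE_EXTS:
            # Hypothetical note name; constructed for this example only.
            (d / f"RECOVER_FILES_INFO{ext}").write_text("constructed note")
    proj = Path(root, "Projects")
    proj.mkdir()
    (proj / "README.txt").write_text("ordinary")
    (proj / "README.html").write_text("ordinary")
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    print(suspected_ransom_notes(demo_root))   # expect {'RECOVER_FILES_INFO': 4}
```

Run against a real profile, the stem and the directory count tell a responder two things at once: what the note is called (so the same name can be searched for on other machines) and how far the encryption spread, since each flagged folder held at least one encrypted file.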

[Screenshots in the original post: the phishing email (1_email) and the HTML, PNG, TXT and URL ransom notification files (2_html, 3_png, 4_txt, 5_url_1, 6_url_2).]

It is important to note that there is no guarantee that paying a ransom will give you access to your files or restore your PC to its pre-infection state. We do not recommend paying the ransom.

How do you protect your PC?

Recovery of infected systems is virtually impossible without clean backups. Prevention is better than a cure with any malware, particularly crypto-ransomware.

The Federal Government’s Stay Smart Online website suggests the following preventative steps to take to avoid ransomware and other malware attacks:

  • Use spam filters and be cautious when opening emails, especially if there are attachments.
  • Make sure you are using a reputable, up-to-date security product.
  • Make sure your operating system and applications are up to date and fully patched.
  • Run a regular scan of your computer.
  • Set and use strong and unique passwords.
  • Set passwords on all your hardware devices (modems and routers).
  • Back up your data.
  • Keep a backup copy of your data in a safe place, disconnected from your computer and the internet.
  • Only visit reputable websites and online services.

Tech Tip: Cyber criminals are taking advantage of unpatched vulnerabilities in software to carry out their attacks. Most of the exploits used by Crowti target vulnerabilities found in browser plug-in applications such as Java and Flash. Regularly updating software can help reduce the risk of infection.

A recent report on CryptoWall estimates that more than 625,000 systems have been infected worldwide. Australia was reported as being in the top six most targeted countries.