RM Logo
Technical Rating: 
Support Home PageSupport
Print This PagePrint This Page
Add to 'My Library' Add to 'My Library'

Ransomware vulnerability
Published Date : 10 Mar 2016   Last Updated : 21 Sep 2020   Content Ref: NWS5073225  




What is Ransomware?
Ransomware is a type of malware that prevents or limits users from accessing their system. This type of malware forces its victims to pay the ransom through certain online payment methods in order to grant access to their systems, or to get their data back. This could affect a single computer or spread network wide.

How does it infect its targets?

It can be downloaded through malicious or compromised websites, through a payload delivered by other malware or through an attachment to an email.

More information can be found in this BBC News article: http://www.bbc.co.uk/news/technology-38519649


How can it be protected against?

The latest variants (teslacrypt in particular) may not be picked up by anti-malware and anti-virus software, however please ensure that your virus definitions are up to date as all vendors will be urgently working on a resolution.

Keeping your plugins such as Adobe Flash Player up to date is also important; the most recent attacks have been using vulnerabilities that exist in older versions of Adobe Flash Player but are fixed in the current version.

Keep privileged users/users with local administrator rights to a minimum - up to 90% of malware can be prevented if the user does not have local administrator rights. In addition, in CC4 unauthorised executables are blocked from running by software restrictions policies, however local administrators and privileged users are exempt from this policy making them vulnerable.

Ensure that your backups are up to date and verified; upon infection restoration of a backup is the only guaranteed method of getting your data back.

The most vulnerable route into a network is through the users so please educate them regarding safe Internet and email usage. These viruses are usually spread through emails. Users should report any suspicious emails and refrain from opening attachments, or clicking links in emails, unless they are certain they are authentic and are from someone they trust, while keeping in mind that the computer of even a trusted person may have been infected by a virus and be sending mail pretending to be them. So, if they are not expecting an attachment or link from someone, it is safer to contact them for assurance before opening or clicking.


Detecting the root cause of Ransomware

These issues are relatively straight forward to deal with - provided that you have backups.

Ransomware works by working through the drives the user has mapped/local to encrypt the files. It then alerts the user (normally via a text file next to the encrypted documents such as "decryptme.txt" or similar) how to pay for the decryption instructions and keys.

The servers themselves are not usually infected - unless someone logged on to the server (console or RDP) and introduced the virus whilst logged on. It is highly likely that the Ransomware is resident on one or more computers on your network.


Detect and contain
  1. Check for the owner of the decryptme.txt (or similar) file via its properties - that's your infected user. You can also search home folders for the decryptme.txt (or similar file) to ensure that only one of your users is infected.
  2. Disable the user account to prevent further encryption. The encryption process takes time - if you have large data shares the user has access to, it may be several hours for it to work through all the files.
  3. Now track the infected machine down. The created date of the decryptme.txt file gives the date and time of infection, so ask the user which machine they were on if you don't have any method to track this. Disable the machine account if you cannot immediately get to it (via AD Users & Computers). (This will prevent other users logging on to the machine and possibly (variant dependent) kicking off more encryption.)

Resolve the issue
  1. Clean the computer - via a rebuild (one option is to use your AV solution if it is up to date, but a rebuild is far better and our recommended approach).
  2. Reset the user profile - check home folders/redirected folders for any temporary Internet files, etc. and delete these.
  3. Speak with the user to try and identify the file or email that started the infection. Has this file been stored anywhere where it can be relaunched - or has the email been forwarded on to anyone? Depending on the variant it may have been a file on a USB stick, or an attachment, or even a website visited. Try to determine the initial cause and delete where appropriate. You can scan suspicious files and URLs using https://www.virustotal.com.
  4. Do your restore - anything the user had access to will need to be checked (don't forget local MIS server shares - if it's a teacher then the MIS server will need to be checked as it likely has some report and document stores).

Some variants change the files - renaming to be MP3 files for example. In this case you can delete all the MP3 files modified from the infection date and then do your restore, ignoring any files that exist already (far quicker than restoring entire large volumes).


Monitor
Monitor the shares over the next couple of weeks to ensure nothing else gets encrypted.

How can we help?
If you have questions about your anti-virus package, your backup strategy, or you fear you may have been infected with Ransomware, please contact your support provider.


FEEDBACK
Did the information in this article help answer your question?
 Yes
 No
Please add any comments about this article in the box below. If you answered No then it is important you tell us why so that we can change the article if required. We can only respond if you log in to the RM Support website or provide your contact details. Note: If you need help with a technical query, please log a call online or telephone our support team.
Thank you for your feedback, which is sent directly to the RM Knowledge team. We address every message received with the intention of improving our Knowledge Library articles. If you have an unresolved technical issue, please contact RM Support.


If this article has not helped provide a solution then it is also possible to log a call...



Document Keywords: virus, email virus, spam, e-mail,


Please read - important disclaimer information.
http://www.rm.com/_RMVirtual/Includes/csredirect.asp?cref=&title=Standard Content Disclaimer


Top Of PageTop of page