Ransomware Virus, how to remove?

Ransomware

At Sound Networks we have seen a recent rise in Ransomware attacks. Not only have we noticed this, but other providers have told us they are seeing the same too.

Ransomware is a type of virus that encrypts your files, rendering them unopenable and consequently useless to you. The first most people know of it is when they cannot open a file and a box pops up politely asking for payment details or bitcoins in return for the key to unlock the file. Of course, we do not pay ransoms (you also cannot be sure the sum asked for will in fact be what is charged), so rather than “Is there really a way to remove ransomware viruses?”, the right question is “What’s the best way to prevent ransomware file loss?”

Backup, backup, backup… The old mantra still holds true. If you have a backup, you can simply delete the encrypted files and replace them with those from the backup. Otherwise, your options are to take your chances and pay the ransom – or lose your files. Some encrypted files have the extension .zepto, which appears to be a new strain of what previously named files with the .locky extension. The filename itself can also be scrambled.

The virus is commonly delivered as an email attachment which currently manages to fool most anti-virus software into treating it as benign. Notable attachment file types are .zip and .docm. Once the attachment is opened it silently encrypts files and spreads like wildfire across corporate networks by seeking out mapped drives and encrypting those too. Once its work is done it removes itself, making tracing the offending machine on the network virtually impossible.
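As an added illustration, not part of the original post, the indicators named so far (the .zepto and .locky extensions and scrambled filenames from the previous paragraph, and the .zip and .docm attachment types here) can be turned into a simple check to run over a listing of a mapped drive or over the attachment names on inbound mail. The scrambled-name heuristic (a stem of 16 or more hex digits and dashes) and the sample listing are my own assumptions, not something the post states.

```python
import os
import re

# Indicators taken from the post: output extensions the authors observed
# on encrypted files, and the attachment types they name as the usual
# delivery vehicle.
RANSOM_EXTENSIONS = {".zepto", ".locky"}
RISKY_ATTACHMENTS = {".zip", ".docm"}

# Heuristic (an assumption, not from the post): a "scrambled" name is a
# stem of 16+ hex digits and dashes with no ordinary words left in it.
SCRAMBLED_STEM = re.compile(r"[0-9A-Fa-f-]{16,}")


def classify_file(path):
    """Return the list of indicators a single path matches (maybe none)."""
    stem, ext = os.path.splitext(os.path.basename(path))
    hits = []
    if ext.lower() in RANSOM_EXTENSIONS:
        hits.append("ransom_extension")
        if SCRAMBLED_STEM.fullmatch(stem):
            hits.append("scrambled_name")
    return hits


def scan_listing(paths):
    """Group a file listing (e.g. from a mapped drive) by indicator."""
    summary = {"ransom_extension": [], "scrambled_name": []}
    for path in paths:
        for hit in classify_file(path):
            summary[hit].append(path)
    return summary


def is_risky_attachment(filename):
    """True for the attachment types the post says slip past AV scanners."""
    return os.path.splitext(filename.lower())[1] in RISKY_ATTACHMENTS


# Constructed sample listing of a mapped share after an infection.
SAMPLE_LISTING = [
    "//fileserver/share/Finance/Q3_budget.xlsx",
    "//fileserver/share/Finance/A1B2C3D4E5F60718293A4B5C6D7E8F90.zepto",
    "//fileserver/share/HR/contract.docx.locky",
    "//fileserver/share/HR/notes.txt",
]

if __name__ == "__main__":
    result = scan_listing(SAMPLE_LISTING)
    print(f"{len(result['ransom_extension'])} encrypted-looking files, "
          f"{len(result['scrambled_name'])} with scrambled names")
    print("invoice.docm risky?", is_risky_attachment("invoice.docm"))
```

A burst of hits on a share is a cue to pull the network cable on the mapped-drive clients and restore from backup rather than to start deleting files.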

In summary – go careful out there. Keep an eye on your backups and, if you have your own on-site mail server, look into tightening up your anti-spam and malware filtering settings; it could save you a lot of bother.


Paul Cox

IT Director – Sound Networks


Prison Locker / Power Locker Ransomware, an upcoming malware threat in 2014

cryptolocker


A new strain of ransomware has hit the market after the developer posted an advertising thread on an online forum indicating a price point for the software. That this is his first major programming project for Windows is a worrying theme within the thread. Is developing this form of software so easy that people can jump on board and produce ransomware to make money? I find that worrying.


The project, called Prison Locker and later renamed Power Locker, has been written in C/C++ and is set to be a more advanced version of the CryptoLocker ransomware that terrorised people during 2013. This new strain has customisable features and a user interface for its customers, promising a better experience and higher rewards.

The ransomware uses Blowfish encryption to encrypt all available files on the target hard disk and shared drives, except the files required to keep the machine running, i.e. .exe, .dll, .sys and other system files. During encryption it generates a unique Blowfish key for each file, then encrypts those keys further with RSA-2048, and sends the victim’s system information back to the command centre administration console.


Having your files decrypted will cost you a figure set by the purchaser of the malware; with such strong encryption, it looks like paying up is the only way to recover your data.


So the only real way to protect yourself is to educate your staff members and yourself, and to ensure you have a decent backup system. When taking backups, ensure they are taken off site or to a medium such as a tape drive that is disconnected from the network once the backup is complete.


Power Locker does scan for external and remote drives, so be warned.


Daniel Brown

Software Developer