Recently, we have seen a phishing campaign becoming more and more widespread. The messages try to trick people into opening a malicious e-mail attachment by quoting personal or otherwise relevant information (real phone numbers, user IDs for various services, actual postal addresses, etc.), which makes them look legitimate.
If the recipient, or the software the recipient uses to read e-mail, opens the attachment, the attached malicious code runs and encrypts all documents, spreadsheets, drawings, presentation files and so on; the user is then told to pay a ransom to obtain the decryption key.
Unfortunately, without the key there is no way to recover the files: the criminals use strong, correctly applied encryption, and guessing the key is not feasible. The only reliable way back is a backup made before the infection (see the suggestions below). Please also note that paying the ransom only encourages the criminals, and it does not guarantee that a working key is delivered.
The most important protective action against malicious programs delivered as mail attachments is simple: do not open an attachment unless you are certain that it cannot execute code.
File types that MS Windows executes, or that run code or change system settings when opened, include EXE, COM, JS, JSE, JAR, MSI, PIF, WS, WSF, SCR, SCF, REG, HTA, CPL, MSC, BAT, CMD, VB and VBS. (Please note that this list is not exhaustive. Note also that Office documents can carry macros, in particular the DOCM, XLSM and PPTM formats, so a document is not automatically harmless either.)
Before opening an attachment, make sure that its real name does not end in one of the above extensions. Please also note that MS Windows usually hides the extensions of known file types, so a file whose real name is “openme.doc.exe” is displayed as “openme.doc” and looks like a harmless document.
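The check described above, as an added example in Python that is not part of this notice: it looks at the real last extension of an attachment name (so “openme.doc.exe” is caught even though Explorer would show “openme.doc”), shows what the name looks like with extensions hidden, and, going one step beyond the notice's list, also flags macro-capable Office formats. The extension sets, function names and sample attachment names below are constructed here for illustration.

```python
"""Decide from its real name whether an e-mail attachment is safe to open.

Added example, not code from the original notice. It applies the notice's
rule (never open an attachment whose real extension is executable), reads
every suffix so "openme.doc.exe" is judged by "exe", and also flags Office
formats that may carry macros, which the notice's list does not cover.
"""
from typing import List

# File types Windows executes or that run code when opened; copied from the
# notice's list, which the notice itself says is not exhaustive.
EXECUTABLE_EXTENSIONS = {
    "exe", "com", "js", "jse", "jar", "msi", "pif", "ws", "wsf", "scr",
    "scf", "reg", "hta", "cpl", "msc", "bat", "cmd", "vb", "vbs",
}

# Office formats that can contain macros (assumption: added here as a
# caveat, not part of the notice's list).
MACRO_CAPABLE_EXTENSIONS = {"docm", "dotm", "xlsm", "xltm", "pptm", "potm"}


def extensions_of(filename: str) -> List[str]:
    """Every dot-separated suffix of the base name, lower-cased.

    'Invoice.DOC.exe' -> ['doc', 'exe'].  Windows ignores trailing spaces
    and dots in a file name, so they are stripped before splitting.
    """
    base = filename.replace("\\", "/").rsplit("/", 1)[-1].rstrip(" .")
    parts = base.split(".")
    return [p.lower() for p in parts[1:] if p]


def displayed_name(filename: str) -> str:
    """Approximation of what Explorer shows with 'hide extensions' on:
    the last extension is dropped, so 'openme.doc.exe' appears as
    'openme.doc'."""
    base = filename.rstrip(" .")
    return base.rsplit(".", 1)[0] if extensions_of(base) else base


def classify(filename: str) -> str:
    """'executable', 'macro-capable', 'no-extension' or 'data'."""
    exts = extensions_of(filename)
    if not exts:
        return "no-extension"      # cannot tell what it is; treat with care
    last = exts[-1]                # only the real last extension decides
    if last in EXECUTABLE_EXTENSIONS:
        return "executable"
    if last in MACRO_CAPABLE_EXTENSIONS:
        return "macro-capable"
    return "data"


def safe_to_open(filename: str) -> bool:
    """The notice's rule: open only when certain the file is not executable."""
    return classify(filename) == "data"


def triage(attachments: List[str]) -> List[dict]:
    """Per attachment: real name, what Explorer would show, verdict."""
    return [
        {"name": a, "shown_as": displayed_name(a), "verdict": classify(a),
         "open": safe_to_open(a)}
        for a in attachments
    ]


if __name__ == "__main__":
    # Constructed sample attachment names, not taken from a real message.
    for row in triage(["invoice.pdf", "openme.doc.exe", "Report.XLSM", "notes"]):
        print(row)
```

The verdict comes from the real last extension only; whatever precedes it (“.doc”, “.pdf”) is part of the bait, not a file type. Saving the attachment to a directory first (precaution 3 below) lets you see that real name.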
A few precautions:
1. Never open unexpected attachments. If you are not sure, contact the apparent sender through another channel (for example by telephone, not by replying to the e-mail) to ask whether the message is legitimate.
2. Windows users: turn off the “Hide extensions for known file types” option in Windows Explorer (Folder Options, View tab). Please refer to the Microsoft support site for the exact steps for your version of Windows (search for “microsoft.com: Windows Explorer hide extensions for known file types”).
3. Never open an attachment by double-clicking it. Always save it to a directory first, check its full name including the extension, and examine the contents before opening it.
4. Use Mozilla Firefox or Chrome to browse the web and make sure that one of these is your default browser.
5. Use Mozilla Thunderbird as your e-mail client software.
This ransomware has once again shown the importance of backing up data files frequently.
A few suggestions:
1. Use USB memory sticks, external USB disks or similar external storage devices to copy your important files. Use at least two such devices alternately, so that one backup survives if the other is damaged.
2. Never overwrite existing backup files/directories while making backup copies onto an external device.
3. Every time you want to make a backup, create a new directory that is named with the date of backup (e.g., 2015-03-23) and copy the files into that directory. If space is needed on the external device, remove the oldest directory and then start the new backup.
4. Never leave the external storage device connected to your computer: ransomware encrypts every drive it can reach, including a connected backup disk. When the backup process is complete, unmount the device (safe removal) and disconnect it from the USB interface.
5. If you are an MS-Windows user, make sure that the actual files, rather than their shortcuts (.lnk files, which only point to the original), are copied onto the external device. The most reliable way to confirm this is to check the size of the copied files or to open a few of the backed-up files on a different computer.
6. You can use cloud storage services (Dropbox, Google Drive, etc.) to store your backup files. If you do, never use the client applications that make your cloud storage appear as a drive on your computer; use the service only through its web interface. With the client software installed, the ransomware encrypts the local copies and the client then syncs the encrypted versions to the cloud, overwriting the originals there. If you are a cloud storage user and have the service's client software installed, we strongly recommend that you uninstall it now.
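Suggestions 1 to 5 above as one added example in Python (not part of this notice): each run creates a new directory named with the date, refuses to overwrite an existing one, removes the oldest dated directory when the device lacks space or already holds a configured number of backups, skips shortcuts so that actual file contents are copied, and verifies each copy by size and SHA-256 digest. The source and device paths, the `max_backups` limit and the sample files in `demo()` are assumptions made here; the script never writes outside the dated directory it creates on the device.

```python
"""Dated, non-overwriting backup to an external device, with rotation and
verification of the copies. Added example, not code from the original notice.
"""
import hashlib
import shutil
import tempfile
from datetime import date
from pathlib import Path
from typing import Dict, Iterator, List, Optional

DATE_FORMAT = "%Y-%m-%d"     # directory name per suggestion 3, e.g. 2015-03-23


def sha256_of(path: Path) -> str:
    """Digest of a file's contents, read in 1 MiB chunks."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def files_under(root: Path) -> Iterator[Path]:
    """Regular files below root. Symlinks and Windows shortcuts (.lnk) are
    skipped so the backup holds real contents, not pointers (suggestion 5)."""
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink() and path.suffix.lower() != ".lnk":
            yield path


def dated_backups(device: Path) -> List[Path]:
    """Directories on the device whose names are dates, oldest first."""
    found = []
    for entry in device.iterdir():
        if not entry.is_dir():
            continue
        try:
            date.fromisoformat(entry.name)
        except ValueError:
            continue                      # not one of ours, leave it alone
        found.append(entry)
    return sorted(found, key=lambda p: p.name)


def remove_oldest(device: Path) -> Optional[Path]:
    """Delete the oldest dated backup (suggestion 3); None if there is none."""
    backups = dated_backups(device)
    if not backups:
        return None
    shutil.rmtree(backups[0])
    return backups[0]


def backup(source: Path, device: Path, today: Optional[date] = None,
           max_backups: Optional[int] = None) -> Dict:
    """Copy everything under source into device/<date>/ and verify it.

    Never overwrites: a second run on the same day raises (suggestion 2).
    Rotates the oldest backup out when the device lacks space for the new
    copy or already holds max_backups dated backups.
    """
    target = device / (today or date.today()).strftime(DATE_FORMAT)
    if target.exists():
        raise FileExistsError(f"{target} exists; a backup is never overwritten")

    sources = list(files_under(source))
    needed = sum(p.stat().st_size for p in sources)
    while (shutil.disk_usage(device).free < needed
           or (max_backups is not None and len(dated_backups(device)) >= max_backups)):
        if remove_oldest(device) is None:
            raise OSError("backup device is full and there is nothing left to rotate")

    target.mkdir()
    copied, failed = 0, []
    for src in sources:
        dst = target / src.relative_to(source)
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dst)
        # Verify the copy is the real content (suggestion 5): same size, same digest.
        if dst.stat().st_size != src.stat().st_size or sha256_of(dst) != sha256_of(src):
            failed.append(str(dst))
        else:
            copied += 1
    return {"target": str(target), "copied": copied, "failed": failed}


def demo() -> Dict:
    """Three daily backups of constructed sample files into a temporary
    'device' with max_backups=2; reports what the device holds afterwards."""
    with tempfile.TemporaryDirectory() as tmp:
        source, device = Path(tmp) / "Documents", Path(tmp) / "usb_stick"
        (source / "work").mkdir(parents=True)
        device.mkdir()
        # Constructed sample data, not real documents; the .lnk stands in for
        # a Windows shortcut and must not be backed up.
        (source / "thesis.docx").write_bytes(b"constructed sample document\n" * 100)
        (source / "work" / "budget.xlsx").write_bytes(b"constructed sample sheet\n" * 50)
        (source / "thesis.lnk").write_bytes(b"fake shortcut")
        reports = [backup(source, device, today=date(2015, 3, day), max_backups=2)
                   for day in (21, 22, 23)]
        return {
            "dates_kept": [p.name for p in dated_backups(device)],
            "copied": [r["copied"] for r in reports],
            "failed": [r["failed"] for r in reports],
        }


if __name__ == "__main__":
    print(demo())
```

Run it once per backup device and date; a second run on the same day is refused rather than overwriting, which is suggestion 2 in code. Disconnecting the device afterwards (suggestion 4) is the one step no script can do for you.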