Important Internet Security Information From BCC

02 February 2016

We have seen an Internet fraud/threat referred to as “ransomware” become more and more widespread recently. The fraud/threat tries to make people open malicious e-mail attachments by deceiving the recipients with a replica of an invoice or bank statement, and by including correct personal information such as a phone number and/or an account number in the e-mail.

The e-mail usually mentions a higher than normal phone bill or bank transaction. If the recipient panics upon seeing this figure and opens the attachment to see the details, the ransomware encrypts files on the disks attached to the computer and asks for a ransom to provide the decryption key that can be used to restore the files.

Usually all documents, spreadsheets, drawings, presentation files, etc. are encrypted, and there is usually no way to restore the files without the decryption key.

Having anti-virus software installed on your computer is not guaranteed protection against this threat.

If the victim is using cloud storage, such as Dropbox or Google Drive, and the remote storage area is mounted as a disk drive (e.g., drive E:) for easy access, files on that drive (i.e., stored in the cloud) will also be encrypted. In this case, having backups on a cloud storage service will not help.

The most important protective action against mail-attached malicious programs is not opening attachments unless you are certain that the attachment is not an executable program.

MS Windows executable files have extensions that include: EXE, COM, JS, JSE, JAR, MSI, PIF, WS, WSF, SCR, SCF, REG, HTA, CPL, MSC, BAT, CMD, VB, VBS. (This is not an exhaustive list.)

Before opening an attachment, make sure that the file does not have one of the above extensions. Please also note that MS Windows operating systems usually hide file extensions and display a file’s name as “invoice.doc” rather than its real name, “invoice.doc.exe”.
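The check described above can be automated for a folder of saved attachments. The following Python sketch is an added example, not part of the original notice: it uses the extension list given above, while the list of document-looking extensions and the sample file names are assumptions made for illustration.

```python
from pathlib import PureWindowsPath

# Extensions copied from the list above (the notice says it is not exhaustive).
EXECUTABLE_EXTS = {
    "exe", "com", "js", "jse", "jar", "msi", "pif", "ws", "wsf", "scr",
    "scf", "reg", "hta", "cpl", "msc", "bat", "cmd", "vb", "vbs",
}
# Extensions a recipient expects on an invoice or statement (assumed list).
DOCUMENT_EXTS = {"doc", "docx", "xls", "xlsx", "pdf", "txt", "jpg", "png", "zip"}


def classify_attachment(filename: str) -> str:
    """Return 'disguised-executable', 'executable' or 'not-listed'."""
    # Windows ignores trailing dots and spaces, so "a.exe. " still runs as a.exe.
    name = PureWindowsPath(filename.rstrip(". ")).name
    parts = [p.strip().lower() for p in name.split(".")]
    if len(parts) < 2 or parts[-1] not in EXECUTABLE_EXTS:
        return "not-listed"
    # With "hide extensions" on, Explorer shows everything before the last dot,
    # so a document-looking extension in front of it is the disguise described.
    if len(parts) >= 3 and parts[-2] in DOCUMENT_EXTS:
        return "disguised-executable"
    return "executable"


def scan(filenames):
    """Classify every name and keep only those with a listed extension."""
    results = {n: classify_attachment(n) for n in filenames}
    return {n: c for n, c in results.items() if c != "not-listed"}


if __name__ == "__main__":
    # Constructed sample names, not taken from a real incident.
    samples = ["invoice.doc.exe", "statement.pdf", "Bill_2016.PDF.js",
               "setup.EXE", "report.final.docx", "scan.jpg.scr. "]
    for name, verdict in scan(samples).items():
        print(f"{verdict:22} {name!r}")
```

A result of "not-listed" only means the extension is absent from the list above; it does not mean the file is harmless.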

To list a few precautions:

1. Never open unexpected attachments; if unsure, please contact the apparent sender to ask whether the e-mail and attachment are real.

2. Windows users: Uncheck the “hide extensions” option for your Explorer. Please refer to the Microsoft support site for the procedure pertinent to your OS version. Google keywords are “microsoft.com: windows explorer disable hide extensions”.

3. Never open an attachment by double clicking it. Always save attachments to a directory and try to examine the contents.

4. Use Mozilla Firefox or Chrome to browse the web, and make sure that one of these is your default browser.

5. Use Mozilla Thunderbird as your e-mail client software.

6. If you are using a cloud storage service, do not install the software that enables you to access this remote storage as if it were a local disk drive. Use the service’s web interface to send and retrieve files to and from the cloud.

The increased incidence of ransomware has once again proved the importance of backing up data files. We want to remind our users to make frequent backups of their important files.

A few suggestions:

1. Use USB memory sticks or external USB disks (or similar devices) to copy your important files.

2. Never overwrite existing backup files/directories while making backup copies on an external device.

3. Every time you want to make a backup, create a new directory, named with the date of backup (e.g., 2015-03-23) and copy the files into that directory. If space is needed on the external device, remove the oldest directory and then start the new backup. An easier technique is to use two devices for making backups, labeling them “Odd days” and “Even days,” and using the one corresponding to the calendar day.

4. NEVER LEAVE THE EXTERNAL STORAGE DEVICE (USB MEMORY, EXTERNAL DISK, ETC.) CONNECTED TO YOUR COMPUTER. When the backup process is complete, unmount the device (via the “safe removal” procedure) and disconnect it from the USB interface.

5. If you are an MS Windows user, make sure that the actual files, rather than their shortcuts, are copied onto the external device. The most reliable way to confirm this is by checking the size of the copied files and trying to open a few of the backed-up files on a different computer.

6. You can use cloud storage services (Dropbox, Google Drive, etc.) to store your backup files. If you do so, NEVER USE THE CLIENT APPLICATIONS THAT MAKE YOUR CLOUD STORAGE APPEAR AS A DRIVE ON YOUR COMPUTER. USE THE CLOUD STORAGE SERVICE ONLY, and use it ONLY THROUGH THEIR WEB INTERFACE. If you have installed the client software that makes your cloud storage appear as a disk drive on your computer, the ransomware will encrypt those of your files stored in the cloud as well. If you are a cloud storage user and have the service’s client software installed, we strongly recommend that you uninstall it NOW.
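Suggestions 2, 3 and 5 can be combined into one small backup routine. The Python sketch below is an added example, not part of the original notice; the function name `dated_backup` and the `keep` retention count (used here in place of "if space is needed") are assumptions.

```python
import shutil
from datetime import date
from pathlib import Path


def _is_date(name):
    try:
        date.fromisoformat(name)
        return True
    except ValueError:
        return False


def dated_backup(sources, device_root, today=None, keep=3):
    """Copy files into a new <device_root>/<YYYY-MM-DD> directory.

    Returns (backup_dir, skipped_shortcuts). `keep` is an assumed stand-in
    for "space is needed": at most `keep` dated directories are retained.
    """
    root = Path(device_root)
    target = root / (today or date.today()).isoformat()
    if target.exists():
        # Suggestion 2: never overwrite an existing backup.
        raise FileExistsError(f"{target} already exists")

    # Suggestion 3: remove the oldest dated directories first, then back up.
    dated = sorted(d for d in root.iterdir() if d.is_dir() and _is_date(d.name))
    for old in dated[:max(len(dated) - keep + 1, 0)]:
        shutil.rmtree(old)
    target.mkdir()

    skipped = []
    for src in map(Path, sources):
        if src.suffix.lower() == ".lnk":
            # Suggestion 5: a shortcut is not the file it points to.
            skipped.append(src)
            continue
        dst = target / src.name
        if dst.exists():
            raise FileExistsError(f"duplicate file name: {src.name}")
        shutil.copy2(src, dst)
        # Suggestion 5: confirm the copy by comparing sizes.
        if dst.stat().st_size != src.stat().st_size:
            raise OSError(f"size mismatch after copying {src}")
    return target, skipped
```

Any shortcuts returned in the second value still need their real target files located and backed up, and the device should be disconnected once the function returns, as suggestion 4 requires.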

If you do not have backups of valuable files stored on your computer, back them up today, immediately—tomorrow could be too late!

(Please note that backing up to a second hard disk or to a backup directory will NOT secure your files.)