July 2015 IT Business Consulting Newsletter

Critical Malware Alert

By Tom K

If you get an email with a Resume attached... DON'T OPEN THE ATTACHMENT!!!

My last newsletter warned you all about your staff inviting malware into your environments. Ironically, a vicious piece of malware just hit the streets, and it slid past one of my client's excellent Anti-Virus (AV) software via an invite (opening an attachment), causing lots of aggravation and some downtime. This malware could do the same to your environment.

In this month's quick but important newsletter I'll discuss this most ugly malware, show you what to look for, and throw in a few quick reminders about safe computing.


Ransom Malware

Ransomware has been around for a couple of years. Once your device is attacked, the malware encrypts all your files. You can't open them without a key. The scum that attacked you offers to sell you the key. Like any ransom, payment may or may not result in a satisfying conclusion.

This form of malware is often referred to as CryptoLocker or CryptoWall. The older versions were not very well designed, and the AV companies were able to develop keys to save the day. Not so with the current version. If you get attacked, it can be a nightmare to recover.

This malware is quick. It attacked the PC that opened the attachment (invited it in) and then hopped onto the main file server and started encrypting files in the corporate directories.

The malware causes a message to pop up when you try to open any file that was encrypted (locked), indicating that the file is corrupt or of a type not recognized by the application (Word, Excel) that is trying to open it. The file cannot be opened... Period!


What to Look For

This malware is being distributed via emails sent from random sources (probably using one or more bot-nets). The emails have an attachment called my_resume.zip, which contains an HTML file named my_resume.svg. More recent sightings have noted that the file names are being altered, using numbers, e.g. resume2584.html or 7462resume.html.


How to Protect Yourself and your Company

The most important factor is to always be aware. Email is a carrier. Choose which emails to open and which to just throw away. Don't open ANY attachment (or click on ANY link) without considering it. Does the email look legit? Do you know the sender? Check the attachment's extension. While the list of dangerous extensions is long, the most notable are probably .exe .com .pif .bat .scr .vbs .reg .zip and now .svg.
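As an added illustration (not part of the original newsletter), here is a small Python check, written from the defender's side, that applies the indicators above to an incoming attachment: it flags the extensions listed here, opens a zip attachment in memory to inspect its members, and matches resume-style lure names such as my_resume.svg or resume2584.html. The sample zip is constructed inline; the function names are my own.

```python
import io
import re
import zipfile
from pathlib import PurePosixPath

# Extensions called out in the newsletter as the most notable risk; .svg and .html
# are included because the resume lure arrived as my_resume.zip -> my_resume.svg.
DANGEROUS_EXTENSIONS = {
    ".exe", ".com", ".pif", ".bat", ".scr", ".vbs", ".reg", ".zip", ".svg", ".html",
}

# Matches "my_resume", "resume2584", "7462resume" and similar lure names.
RESUME_LURE = re.compile(r"resume", re.IGNORECASE)


def inspect_attachment(filename, data):
    """Return a list of reasons an email attachment should be quarantined.

    Looks at the attachment's own extension and, for a zip, at every member,
    so a lure hidden inside an archive is still caught.
    """
    reasons = []
    names = [filename]
    if PurePosixPath(filename).suffix.lower() == ".zip":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names.extend(zf.namelist())
        except zipfile.BadZipFile:
            reasons.append("%s: not a valid zip archive" % filename)
    for name in names:
        path = PurePosixPath(name)
        ext = path.suffix.lower()
        if ext in DANGEROUS_EXTENSIONS:
            reasons.append("%s: dangerous extension %s" % (name, ext))
        if RESUME_LURE.search(path.stem):
            reasons.append("%s: resume-style lure file name" % name)
    return reasons


def build_sample_zip(member_name, content=b"<svg/>"):
    """Constructed sample: an in-memory zip with one member (not a real capture)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, content)
    return buf.getvalue()


if __name__ == "__main__":
    for reason in inspect_attachment("my_resume.zip", build_sample_zip("my_resume.svg")):
        print("QUARANTINE:", reason)
```

A mail gateway rule built on this would quarantine the message rather than delete it, so a genuinely expected resume can still be released after a human looks at it.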

If you get an attachment in an email that you were not specifically expecting (especially having any of these file extensions), immediately delete the email.

Be aware of what you are doing when visiting a web site. Any link you select could try to load malware onto your PC.

Don't download any software from the Internet unless you are purchasing commercial software from a reputable dealer. "Free" stuff like coupon trackers, games, screen savers, and helpful utilities are notorious as Malware delivery agents.

Have a Computer Use and Abuse policy in place that prohibits your employees from partaking in dangerous PC activities.

Have regular training sessions to help make your staff aware of the dangers that are waiting to pounce on the unaware.

Deploy centrally managed AV, Spam protection, and managed Windows Updates across your environment.

Have a solid Backup process that includes archival backups in place and test it regularly.

I actually covered most of this in my last newsletter, "Protect Your Company From Your Staff". If you haven't read it, I strongly suggest you do so.


What IF You Or Your Company Gets Attacked by a CryptoLocker

You can pay the Ransom and hope you get the key. The ransoms I've seen in my research run from $500 to $5000 to start, and the price goes up as the clock ticks. My research indicates that the potential of getting a valid key is hit or miss. I don't recommend this option unless you have no other.

The first real step is to eradicate the malware from your environment. I had very good results using various tools from Microsoft, Malwarebytes, and Vipre to scan every server and PC/laptop in the company. This will get rid of the malware, but it won't unlock the files. Without the key, there is no way to decrypt your files.

Hopefully, you have a good Backup solution in place. If you do, it's a simple (but very time consuming) process of locating and replacing all the encrypted files in your environment. The malware affects directories, so you will actually be finding and replacing directories.

I mentioned archival Backups earlier. This was important to us, as the nightly backup (BU) had kicked off before we began correcting the file system, and the BU was backing up the encrypted files over the previously backed-up good files. We stopped the current BU and, where necessary, recovered good files from the previous night's BU.

If you do get attacked by ransomware and you don't have a good backup solution in place, your only option is to pay the ransom and hope they send you the key.

If you are not 100% sure your company has all the processes in place to protect your Company, as well as those to recover from an infection or attack, PLEASE call me to discuss having them properly deployed. Missing any one of these could wreak havoc on your company. I've seen it happen, and it costs much, much more to remediate the damage than it does to build out proper protections.


If you have any questions or comments concerning this article, or would like assistance developing solutions and processes to protect your Company, I’d be happy to discuss this with you at your convenience. Feel free to contact me at TomK@TomKConsulting.com, or via my cell 443.310.5110.


Next month in "Business Relations Risk Assessments", I'll discuss evaluating the operational and financial health of your important Business Partners, and the impact a breakdown in their services or their overall demise could have on your operations.