Ransomware is back. It probably never went away, but a new wave is out there, seducing people with socially engineered emails.
The latest attack pretends to be from the Office of State Revenue with a reminder about an unpaid parking or speeding fine. There’s sure to be someone in the building who feels that pain and could be tempted to drink from the poisoned chalice.
One of Rabid’s customers had a staff member in just such a predicament, waiting for his appeal against a speeding fine. Lo and behold, there was the message he was waiting for, safely parked in the spam folder (there’s a clue that it was probably a fake). Nevertheless he dug the email out to see if his appeal had succeeded.
Windows Defender sprang to attention and suggested this was not a good thing to be doing.
But no – he wanted to know if he had to pay the fine. By this stage Defender was literally screaming about imminent death and destruction from a serious threat.
Shut up. SHOW ME MY EMAIL! Kaboom.
(Does this staff member also play Russian roulette with all six chambers loaded?)
Up came the message requesting a modest ransom to be sent to whichever criminal elite needed to pay for the next round of Martinis at their Bahamas poolside resort. Needless to say, by the time he finally realised what was happening, all his files had been encrypted, along with lots of files his PC had access to on the network. The only reason the entire network wasn’t encrypted was that an IT-savvy co-worker noticed what was going on and yanked the PC’s power cord out.
It seems it takes real time to encrypt a file, so the program was stopped before completing its task. Fortunately his PC wasn’t a stellar encryption processing platform, reducing the ensuing damage to what it could achieve in a small window of opportunity. That meant it hadn’t dug its claws into the backup files, also located on the network. Recovery was possible for most files without paying the ransom. Offline backup is suddenly sounding very appealing.
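The co-worker who yanked the power cord was doing, by eye, what a share monitor can do automatically: because encryption takes real time, a host that rewrites many files with ciphertext-like content in a short window can be spotted and cut off before it reaches the backups. The script below is an added example, not code from the original post or from Rabid; the host names, file paths and the write events are constructed sample data, and the thresholds are assumptions a practitioner would tune for their own share.

```python
import math
import random
from collections import Counter, defaultdict
from dataclasses import dataclass

@dataclass
class WriteEvent:
    t: float      # seconds since monitoring started
    host: str     # workstation that wrote to the network share
    path: str     # file on the share that was overwritten
    data: bytes   # leading bytes of the new content

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: plain documents sit well below 6, ciphertext near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def first_alerts(events, window=60.0, min_files=20, min_entropy=7.5):
    """Map host -> time at which it had overwritten `min_files` distinct files
    with high-entropy content inside one `window`-second span (sliding window)."""
    by_host = defaultdict(list)
    for e in events:
        if shannon_entropy(e.data) >= min_entropy:
            by_host[e.host].append(e)
    alerts = {}
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e.t)
        in_window, start = Counter(), 0
        for e in evs:
            in_window[e.path] += 1
            while e.t - evs[start].t > window:   # drop events that aged out
                p = evs[start].path
                in_window[p] -= 1
                if not in_window[p]:
                    del in_window[p]
                start += 1
            if len(in_window) >= min_files:
                alerts[host] = e.t                # fire once per host
                break
    return alerts

def constructed_events():
    """Constructed sample: one normal user plus one machine rewriting files."""
    random.seed(7)
    evs = [WriteEvent(i * 120.0, "pc-accounts", f"docs/report{i}.txt",
                      b"Quarterly figures, draft " * 80) for i in range(5)]
    evs += [WriteEvent(300.0 + i * 0.75, "pc-fines", f"shared/file{i}.docx",
                       bytes(random.getrandbits(8) for _ in range(2048)))
            for i in range(40)]
    return evs

if __name__ == "__main__":
    for host, t in first_alerts(constructed_events()).items():
        print(f"{host}: isolate from the share at t={t:.2f}s")
```

In the sample, the alert fires at the 20th rewritten file, with half the batch still untouched; the normal user's plain-text saves never score high enough to count.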
The original gang of cryptographers was certainly evil, but there was some honour among that bunch of thieves. If you paid the ransom, you got your files back. The latest tribe isn’t quite so ‘honest’. They take your money and may – or may not – send you the key to unlock your files. A bit like a kidnapping gang that collects the ransom and still shoots the hostages.
There’s no cure for this attack, but you can stop the program from running when it gets into your network. This involves a serious amount of fiddling with the Group Policy and Registry editors. However, the folks at US-based Foolish IT have bundled all the editing into a script, called Cryptoprevent, which is available on their website foolishit.com. Unlike many of Rabid’s recommendations, this one is deadly serious, despite the odd-sounding name of the company and its website. You probably want to get over there right now.
Gotta go! Martinis to pay for!