Ransomware attacks Mac and PCs

Use cWatch Website Protection available in the shop nowRansomware is one of the most profitable illegal software on the internet. It affects many thousands of people every year and has done so for around 5 years now, since the first ransomware attacks which were well crafted pieces of software that had been really well written so that there is no hope at all of getting your files back without the key, unless you have a secure backup. No one is safe, even Mac users are under attack.

Firstly, what is ransomware and what does it do, how do you get rid of it and get your data back.

Then we will look at how to prevent and recover from an attack.

What is ransomware and what does it do?

Well it is software that you get in any of the normal virus/malware routes via email, download or visiting a website with malicious intent or malicious adverts, even good websites can fall foul to giving you viruses though delivering adverts from third parties that are infected. When you get ransomware on your computer (PC or Mac) it will quietly sit in the back ground and after making contact back “home” it will start to encrypt any important documents it can find. What it calls important documents is up to the maker of the ransomware but generally includes all your Word, Excel, and PowerPoint, database, email, pictures and music files. Some are clever enough to start with the files you use least and then work up to the ones you use more often in order to get more files encrypted before being discovered, others just work on a first come first served basis. Many these days will then also see what other computers are on your network and try to infect them also. This creates further problems down the line as you will see later. Depending on the actual ransomware you have, you may not notice anything is wrong until you try to open a file and it says you can’t because it is corrupt. The ransomware will finish encrypting everything and then pop up a message to politely inform you that “You’ve been got” and give you instructions on how to get your files back with a countdown timer. Others will do this on completion but also if you look in the folder with your file you will see a text files with every encrypted file that tells you basically the same thing and how you can pay to stop and reverse the process. Because the files are encrypted with the best encryption known to man they are impossible to crack without the key. Banning such encryption would not solve the problem because at the end of the day encryption is just maths and you can’t undo what has been learned in maths. All that would happen is the bad guys would continue to use it and it would make it easier for the bad guys to get you stuff if you don’t use encryption yourself.

Now they have the keys to your files and you need to pay for the key to get your files back. Many companies and individuals have paid making this a very profitable scheme and it has made way for thousands of copycat ransomware, some not written as well as the original but just as effective if you don’t know what you’re doing and can’t afford thousands of Pounds to get an expert in to resolve it for you. Although I have not seen any yet, it is possible that you may get charged with supporting terrorism or organised crime if you pay the fees as that is what you are actually doing, these viruses are not done by kids trying to prove themselves they are done by organised crime syndicates and terrorist groups, so as far as I am concerned paying the “fee” is not an option.

How do get rid of it and get your data back?

To get rid of the virus itself is usually not too difficult. At the end of the day, if you aren’t going to pay then they aren’t bothered if you remove it, so many will go without too much of a fight. However if you remove it, you also remove the chance to get your data back as there is generally no way to get it back after you remove the virus itself. If you decide to pay the ransom, then there is a 20% chance it will not be able to give your data back anyway and you will also have to pay the ransom for each device infected, why? Because as we said earlier the virus will look over the network and try to infect any devices it can and starts to do the same thing from each new device infected. It will also infect all your data stored on any shared folder or drive and by default on older PCs you will be sharing your entire drive over the network, even if it is hidden. Severs typically will be encrypted by the virus as they are generally open to all users. That means that each instance of the virus will encrypt the files. To recover them you must unencrypt each file in the reverse order to which it was encrypted; so if you have 5 pcs infected and they encrypt a file in the order of PC1, then PC2, then PC3, then PC4 and then PC5, you must unencrypt them in the order of PC5, then PC4, then PC3, then PC2 and then PC1. Needless to say that you do not know (and neither do they) which PC encrypted which files first, yet alone in other order and they may not be sequential, so if a file was in use at the time PC2 was looking at it then it will move on to the next file and be the first one to encrypt that file and then go back later to infect the other file and be the last one to encrypt that particular file, there is no way for anyone to know. There is of course the fact that some are not written as well and the recovery process, which is after you have paid, is not the focus of their attention; and as there is no refunds if you’re not happy, they don’t care if it works or not.

The best way to guarantee getting your files back is good disaster recovery planning, and this is a disaster. Most victims (around 80%) lose at least 2 days to this type of attack with 20% losing around 5 days or more. Getting the right backup plan is place is the key. Online backup only solutions are great but do typically suffer from time issues. To download from Carbonite or Mozy or any other online backup can take as long as 12 hours per 50GB of data to recover. File sharing programs, such as box or drop box, one drive, iCloud, etc. are even worse as in most cases these will also be encrypted with no way to get them back, although some do offer recovery for a price and it is a telephone call away and a day or twos work.

The only solution that we are aware of that actually does work is our ShareSync app, which comes as a standalone product or as part of other cloud services such as cloud email. This will give you the best of both worlds with easy access and sharing of files with anyone you choose and a backup copy made each time a file is changed. This means that you can just revert a file or files or everything back to a previous state, i.e. before the ransomware attack, and carry on. Backup, sharing and disaster recovery taken care of.

It can take the place of your Drop Box or similar program and your tape or online backup so saving you money.

We do recommend though that you still keep at least three copies of any files that are critical. The working version and two backups on different media. There are different reasons for these which we will cover in another story.

In March 2016 CNBC reported on a story about ransomware in Macs (see their story here) and that story also showed that ransomware for macs has been around since at least 2014.

The best advice we can give you, is “Don’t get infected in the first place, but make sure your disaster recovery plans include this type of disaster. Test it to make sure it works”

We can certainly help any size business or individual to plan for this and other types of disaster, so use our new chat, call or submit a support ticket here.

Whatever you do, make sure you are protected against this type of attack. Virus and Malware checkers are good, but they are reactive, not proactive (that would be nice but it is impossible). They can only find a new virus or any sort after it has been discovered, which means that there is at least, usually more, when they can attack and no one will know they are there. Also many virus makers know how to get round the antivirus programs so that is another thing the antivirus makers are constantly trying to combat.

Stay safe,

CritchCorp Computers Ltd

Get protection fro your website

Update to the new Ransomware

For the original post see: https://www.cc-computers.com/ransomware-takes-hold/

In the original post I talked about the new ransomware that it taking hold all over the world. It has even hit a police station in America that had to pay the “fee” to get back their data.

The latest version of this virus now takes advantage of all the help that has been available on line to “improve their product”. Now if you thought that you could get your data back through shadow copies (Also known as previous versions), think again. The virus now encrypts those too.

Here is what it does now, which is the same as before but better.

Currently the infection vector is through email as an attachment; usually a zip file or pdf that is actually an exe file but as most people have the “Hide extension of known file types” ticked on you would not normally see it. You will see filename.pdf when the actual filename is filename.pdf.exe. I expect that this will change or be improved on as well with links in email and other file types, etc.

When you open this file it infects your computer and immediately contacts a server from a list of around 1000 possible domain names generated through an algorithm. When it finds a live server it exchanges details with it and starts the encryption process. At this point it doesn’t let you know that you have been infected and is not picked up by most antivirus software. The first version would finish its work without interruption of antivirus software.

It encrypts all user content that it can find on your PC, mapped network drives and any shares that it can find on the network and file sharing programs data such as box.net and drop box. It also encrypts any shadow copies and backups that it can get to. When it has finished its work it pops up a message to tell you what it has done, it even gives you a list of the files that it has encrypted so that you can verify that they are your files. It then gives you a countdown timer starting around 72 hours. You have this amount of time to pay the fee and get your files back. Now where the old version used to just delete the key if you didn’t pay up in time the new version will give you a discount for paying within the time frame. Currently it is 1/2 bit coin (which is now about £500). If you fail to pay in time then it goes up to 10 bit coin (About £5000). This “service” is available for an extended amount of time.

In short get yourself protected and keep offline backups and redundant copies.

CritchCorp Computers Ltd.


New ransomware takes hold

New ransomware has been taking hold of businesses and households around the world. Be very careful with the email attachments that you open, although this is probably only the first wave; they will find other ways to get to you.

What’s new about this virus then? This virus; actually it is a malware strain named ransomware, named that for a very good reason, is an example of modern encryption done right. They have created a perfect system that can encrypt your data using public key technology that cannot be cracked!!

How does it work? Well, at the moment you get an email about something that is relevant to you (that’s how they trick you in to opening the attachment, or clicking the link). Once the software is running, it quickly establishes a connection to its command and control server, where it generates a random encryption key specifically for your system. This type of encryption is particularly cleaver as the key that encrypts it cannot be used to decrypt it without the other part that is held on the command and control server (it never gets sent to your computer, so there is no record of it for you to find). it then searches your computer and network, any backup drives you have access to, in fact, any resource that contains user created or user data and encrypts them all! Any evidence of the key locally is then destroyed and a page pops up to inform the user that they have been robbed! It can show you a list of the files you once had so that you can verify the threat is real and then gives you the ultimatum of pay $300 or 300 of your local currency or lose your data, you have 72 hours to make your mind up. After 72 hours have passed the only key that could decrypt your data, which is on the command and control server, is deleted, permanently!

If you do not have any backups of your data and you need it, then you have no choice but to pay up, and thousands of people and businesses have done so. They have also been very cleaver with the payment method as they cannot be tracked through the payment either. When law enforcement find the servers and take them offline, the only people hurt are the people who now cannot get their data back. The ad guys have their command and control servers moving around and are not needed for the payment loop; they just create and hold the keys to your data.

The other point on this is that they seems to have written the encryption part exceptionally well, not so good is the decryption side of the program with reports that not all and in some cases none of the data is returned and there is nothing you can do to get it back.

Be careful and watch this space as it will only get worse!!

Mac Virus infects more than half a million Macs

As most of you already know, Macs are not impervious to virus’s. The latest one which is spreading like wild fire is the one know as FlashBack or FlashFake. It is very cleaver, for a virus, employing tactics already tried and tested by other virus manufactures like conficker. This virus has to date infected more that 600,000 Macs (around 1%) and is spreading.

To get this virus, all you have to do is visit a site that has the malicious code (usually they do not yet know about it either) and the virus will try to install it self, asking permission from the user saying that it is a falsh update that is required. Even if the user does not provide the password the virus can still infect the Mac and after looking around for several different programs it will settle down and phone home for instructions.

To find out if you are infected you can use the list provided by Kaspersky Labs. Go to . All you need to do is enter your UUID (a unique identifier of your Mac, they provide instructions on how to find it). If you are infected then contact us or download the tool provided and run it. This will remove it for you. You then need to ensure that you have antivirus software on your system even though this is a problem in Java, which was fixed in all other formats except for the Mac version because Apple likes to look after it themselves rather than let Oracle (the manufacturer of Java) do it. This has now changed from version 10.7 which requires any user that actually needs Java to download it themselves.

Once you are clean, ensure you run the updates for your Mac by clicking the Apple icon in the top left corner and then upate software. Apple have produced a fix for this bug so get it on as soon as possible.

Anyone who is unsure should email us to book an appointment so that we can come out and check your system for you and advise on the best ways to stay protected. support AT cc-computers.com