Ransomware has certainly been in the news lately and Harbour IT has been receiving reports of an increased number of incidents related to infections with the ‘CryptoLocker’ Trojan and variants across Australian companies. This malware is highly destructive and hard to contain with infections typically resulting from user activity.
During 2015, the Australian Cyber Security Centre has reported:
• There has been a significant surge in the number of ransomware incidents, with four times the number of respondents reporting them in 2015 (72%) as compared to 2013 (17%).
• Ransomware is the threat of most concern amongst respondents (72%), followed by theft or breach of confidential information (70%) and Advanced Persistent Threats (66%).
It isn’t enough to have a solid plan to address the infection after the impact is felt. Proactively identifying and neutralizing the threat is key to success.
How is this Malware propagated?
In all incidents reported to Harbour IT thus far, the ‘CryptoLocker’ Trojan has been propagated via an email allegedly from a “trusted” third party (e.g. Australia Post or UPS), or via an email that requires users to visit a web page and enter a CAPTCHA code before the payload is actually downloaded (thereby giving the email greater legitimacy in users’ eyes).
As an example, the user is typically advised by email that an undelivered package is awaiting pickup and the user is asked to click on a link which prints a delivery tag. Upon clicking this link, the user’s profile or computer is infected.
However, we are now receiving reports that the ransomware “distributors” can also embed malicious links in web pages, such as Instagram, Facebook and others.
Won’t my Antivirus program protect me?
While antivirus vendors do not yet appear to have a reliable way of detecting and/or removing trojans such as ‘CryptoLocker’ and its variants, reports are now coming in that anti-virus/anti-malware vendors are catching up.
Harbour IT is working closely with our vendor partners to ensure that their products can detect all the variants of this malware, and will be distributing the signature sets as soon as they are released.
However, given the nature of this type of malware, there are currently still no guarantees.
In the meantime, it is critical that all users act in a secure manner, and follow the basic guidelines for email security.
The best prevention is education.
What can I do to minimize the risk of infection?
If you are a recipient of an unexpected email, similar to the examples outlined above, please follow the guidelines:
• DO NOT open files attached to emails, unless you are specifically expecting to receive the files. This is particularly important for emails coming from the Internet.
• DO NOT click on links in emails unless you can verify that the link goes where it says it does (hover your mouse on the link, and check the actual URL in the bottom corner of the email).
• IF you have received an email you were not expecting relating to parcel delivery, DELETE the email immediately.
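The “hover and check the actual URL” test above can also be applied automatically to incoming mail. The script below is an added example written for this page, not Harbour IT’s own code or tooling. It parses a constructed sample message (not a real phishing email), and flags three things described above: a sender display name that claims a courier brand while the address sits on an unrelated domain, links that point at a bare IP address, and anchors whose visible URL differs from where the href actually goes. The brand-to-domain table and both sample messages are assumptions constructed for the example.

```python
import ipaddress
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not a real message): a parcel-delivery lure whose visible
# link text shows a courier URL while the real href points at a bare IP address.
SAMPLE_EML = b"""From: "Australia Post" <notice@example.net>
To: user@example.com
Subject: Undelivered package awaiting pickup
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your parcel could not be delivered. Click to print your delivery tag:</p>
<a href="http://203.0.113.10/print/tag.php">https://auspost.com.au/track</a>
<p>Or visit <a href="https://auspost.com.au/help">our help page</a>.</p>
</body></html>
"""

# Constructed clean sample: an internal message whose link text matches its href.
CLEAN_EML = b"""From: "Ann Colleague" <ann@example.com>
To: user@example.com
Subject: Notes from today
Content-Type: text/html; charset="utf-8"

<html><body><p>See <a href="https://wiki.example.com/notes">https://wiki.example.com/notes</a></p></body></html>
"""

# Assumed brand-to-domain table; a real deployment would maintain its own list.
KNOWN_BRANDS = {"australia post": "auspost.com.au", "ups": "ups.com"}

# Matches anchor text that looks like a URL or hostname (what the user "sees").
URL_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Return the lowercase hostname of a URL (scheme optional), or None."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return parsed.hostname.lower() if parsed.hostname else None


def is_ip(host):
    """True when the host is a literal IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def same_site(a, b):
    """True when one host equals or is a subdomain of the other."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def analyse(raw):
    """Return a list of human-readable findings for one raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []

    # Check 1: display name claims a known brand, but the address is elsewhere.
    display, addr = parseaddr(msg["From"])
    sender_host = addr.rsplit("@", 1)[-1].lower()
    for brand, domain in KNOWN_BRANDS.items():
        if brand in display.lower() and not same_site(sender_host, domain):
            findings.append(f"sender claims '{display}' but address is {addr}")

    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return findings
    collector = LinkCollector()
    collector.feed(body.get_content())

    for href, text in collector.links:
        href_host = host_of(href)
        if href_host is None:
            continue
        # Check 2: the real destination is a bare IP address.
        if is_ip(href_host):
            findings.append(f"link to bare IP address: {href}")
        # Check 3: the visible URL and the real href disagree on the host.
        if URL_LIKE.match(text):
            text_host = host_of(text)
            if text_host and not same_site(text_host, href_host):
                findings.append(f"link text shows {text_host} but goes to {href_host}")
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_EML):
        print("FLAG:", finding)
```

Run as-is, the lure produces three findings (the spoofed display name, the bare-IP link and the mismatched link text), while the clean message produces none. A mail gateway or SOC script would feed real messages into analyse() the same way; the checks deliberately work on the rendered anchor text, because that is what the recipient sees before hovering.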
It is also best practice to ensure that any data stored locally on your computer is backed up. Data saved on a shared network drive will be backed up as per your company’s backup policy. In addition, make sure your AV definitions are up to date, server and desktop patching is current, and you have the latest web filtering and email filtering in place.
What should I do if I suspect my data/computer has been infected?
Users should be instructed to log off their computer immediately and have their account disabled. If working from a thin client, such as a Wyse terminal, users should be instructed to log out immediately. The incident should then be reported to the Harbour IT Service Desk or your IT Manager immediately.
How can Harbour IT help you?
The evolution of malware into ransomware is a worrying trend, and certainly sends a clear signal to organisations to ensure their security model is current.
Harbour IT can assist your organisation in responding to ransomware threats through proactive application of the “Prevent, Detect & Respond” security model, with education, security reviews and response plans. Our data backup and replication capability provides peace of mind to ensure your business continuity, together with robust, repeatable processes for recovering from ransomware attacks.
Please do not hesitate to contact your Harbour IT Service Delivery Manager and/or Business Development Manager for more information, and to review your current exposures to determine the best solution for you.