The WannaCry ransomware infected over 250,000 computers, Petya is just getting started. Protect yourself now.
A new ransomware attack has started spreading recently (see my previous post for a description of ransomware and tips to protect yourself). This new software, known as Petya or GoldenEye, is similar to the WannaCry ransomware that hit about a month ago, but security researchers say this one appears to be more sophisticated. Most importantly, it does not have the “kill switch” that was used to stop WannaCry.
Petya spreads in multiple ways. It uses the same EternalBlue vulnerability used by WannaCry, but it also appears to spread through Microsoft Word documents with malicious macros embedded.
If you haven’t already patched your systems you need to now. Microsoft has made patches available for Windows XP so even if you have an old system you should be able to get patches.
Lastly, never open any email attachments from suspicious emails: emails from people you don’t know, emails that don’t match what people you know normally send you, or emails you aren’t expecting. For attachments that you believe are legitimate, I suggest saving the attachment to a local file and scanning it with your anti-virus software before opening it.
Here’s how to do that:
- In your email client or web browser select the email message with the attachment
- Right click on the attachment and select Save As from the context menu that opens
- Save the file wherever you like
- Open Windows Explorer and navigate to the file you saved
- Right click on the file and select Scan from the context menu that opens
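As an added check that is not part of the original post: before opening a saved Word attachment you can also look for an embedded macro project. Modern Word files (.docx/.docm) are ZIP containers, and Word stores VBA code in the member `word/vbaProject.bin`, so its presence tells you the document carries macros whatever the extension says. The sample documents below are constructed in memory for the demonstration; legacy binary `.doc` files are OLE containers and would need a separate parser such as `olefile`, which this example only flags.

```python
import io
import zipfile

# Member names Office uses for a VBA project inside an OOXML container.
OOXML_MACRO_MEMBERS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
# Magic bytes of a legacy OLE2 compound file (old-style .doc/.xls).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def has_vba_macros(data: bytes) -> bool:
    """Return True if the OOXML document in `data` contains a VBA project member."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return False  # not a ZIP container at all, so not an OOXML document
    return any(member in names for member in OOXML_MACRO_MEMBERS)


def classify_attachment(data: bytes) -> str:
    """Classify a saved attachment by container type and macro presence."""
    if data.startswith(OLE_MAGIC):
        return "legacy OLE document: inspect with olefile before opening"
    if not data.startswith(b"PK"):
        return "not an Office document container"
    return "OOXML with VBA macros" if has_vba_macros(data) else "OOXML without macros"


def build_sample_ooxml(with_macros: bool) -> bytes:
    """Construct a minimal ZIP that mimics a .docx/.docm (sample data, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"constructed placeholder, not real VBA")
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (False, True):
        print(classify_attachment(build_sample_ooxml(flag)))
```

To check a file you actually saved, pass the result of `open(path, "rb").read()` to `classify_attachment`.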
The aptly named WannaCry malware caused havoc around the world; here are tips to protect yourself from being the next victim.
Ransomware has been in the news recently with the global attack by the WannaCry malware program that started on Friday, May 12th.
You might be asking what is ransomware?
Ransomware is a specific type of malicious software (malware) that prevents you from using your computer or accessing your files until you pay a fee to the person or group that released the malware. Most often this is accomplished by encrypting your files with strong encryption (in other words, not something you can break). You are typically given a limited amount of time to make the payment or the decryption keys will be deleted and lost forever. Most often the payment must be in Bitcoins – a digital currency that is easy to exchange but difficult or impossible to track.
WannaCry was not the first example of ransomware, but it has been one of the largest. Estimates are that over 230,000 computers in 150 countries were infected.
I’ll talk about how to protect yourself from ransomware but first I want to comment on what you should do if you find your system has been infected and someone is demanding payment from you to get your data back.
- The first step is to realize you are dealing with criminals; just like in typical ransom cases these are people who are not bothered by breaking the law, will not be swayed by emotional pleas, and in general don’t know or care about you – they just want money.
- Don’t pay the ransom; you have no way of knowing if the CRIMINAL on the other end will make good on their promise to give you back your data. They may raise the price or they may simply take your money and leave you with nothing. Remember, if you pay them you are trusting in the code of ethics of a CRIMINAL.
- Prevent the spread of the malware to other systems by removing it from the network. If it is using a wired connection, simply remove the wire; if it is wireless, you will need to change your wireless router configuration to block it. If you are not sure how to do this, call a friend. As a last resort you can turn the system off, but that may cause other problems.
- Go to another, uninfected computer and start looking for solutions. Sometimes computer security experts find flaws in the malware that allow you to recover some or all of your data.
- The last step is the hardest, accept the fact that you may lose your data – permanently.
OK, so that last one doesn’t sound like fun so what can you do to protect yourself? Here is my list of recommendations – in order of importance.
- Only run legitimate copies of the software you use. Pirated copies of software – aside from being illegal – often can’t be patched, may contain viruses, or may contain flaws that allow other malware into your system. This is not limited to just the Windows operating system but applies to all the other software you run – games, financial software, photo software, etc.
- Keep your software up to date with patches. At least monthly you should check for patches (or updates) that the software vendor has released to correct flaws. Again, this is not just for your operating system but all software. Most software will do this automatically now.
- Run only current, supported operating systems, browsers, and other software. If you just can’t let your Windows XP system go, at least take it off the network.
- Run a supported version of Anti-Virus software. There are many different A/V products available. I’m not going to recommend one over another; the important thing is that you run one and you keep it up to date.
- Be aware of phishing attempts. Often the malware gets into your system when you click on a link in an email message that takes you to the malware site. NEVER click a link without verifying where the link actually takes you.
- Configure your browser to prevent scripts from running automatically. This will protect you if you fall for a phishing attempt (it happens; don’t feel bad – see my post on phishing for tips to avoid it in the future).
- Stay away from questionable web sites. There are plenty of dangerous sites out there. If you are visiting a computer hacking website it is likely your system will be attacked. If you visit pirated software sites it is likely your system will be attacked. Some adult sites also contain malware. It is best to just avoid all these.
- Run frequent OFFLINE backups. What do I mean by offline? If you are syncing all your files to a cloud provider (Dropbox, OneDrive, etc.) and your files are infected or encrypted that infection or encryption will replicate to your cloud provider. That is not offline and will not help in this case. You need a backup that will not be impacted by changes on your system – for example an external drive that you remove after the backup or a cloud backup that allows you to recover your files as of a given date (also known as versioning or version control).
- Lastly, if your computer suddenly starts acting strangely (windows opening or closing, very slow, error messages), turn it off. This may be the first sign of malware. Only you can determine what is not normal for your system, so you will need to use your own judgement with this one. Depending on how strangely it is acting, you may want to pull the plug rather than do a proper shutdown. Doing this can limit the damage the virus can do. If you do this, contact an IT friend and explain what happened. They can remove the hard drive, connect it to another system and recover any files not already encrypted or otherwise damaged.
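To make the offline backup point above concrete, here is an added example (not from the original post) contrasting a sync mirror with a versioned backup. The files are constructed sample data held in dictionaries (filename to bytes), and the encryption step is a stand-in for the ransomware; a real tool would write the snapshots to an external drive or a versioned cloud store.

```python
import copy


class SyncMirror:
    """Mirrors the source exactly, like a cloud sync folder: any damage replicates."""

    def __init__(self):
        self.files = {}

    def sync(self, source):
        self.files = copy.deepcopy(source)


class VersionedBackup:
    """Keeps every snapshot keyed by the time it was taken, so old versions survive."""

    def __init__(self):
        self.snapshots = {}  # timestamp -> {filename: bytes}

    def snapshot(self, timestamp, source):
        self.snapshots[timestamp] = copy.deepcopy(source)

    def restore_as_of(self, timestamp):
        """Return the newest snapshot taken at or before `timestamp`."""
        eligible = [t for t in self.snapshots if t <= timestamp]
        if not eligible:
            raise LookupError("no snapshot at or before %r" % (timestamp,))
        return copy.deepcopy(self.snapshots[max(eligible)])


def simulate_encryption(source):
    """Stand-in for ransomware: every file is replaced by an unreadable .locked copy."""
    return {name + ".locked": b"<encrypted>" for name in source}


def run_scenario():
    """Infect a folder between two scheduled backups; return what each backup can give back."""
    docs = {"thesis.docx": b"chapter 1", "photos.zip": b"constructed sample bytes"}
    mirror, backup = SyncMirror(), VersionedBackup()
    mirror.sync(docs)
    backup.snapshot(1, docs)
    docs = simulate_encryption(docs)  # infection happens after the first backup
    mirror.sync(docs)                 # the sync faithfully copies the encrypted files
    backup.snapshot(2, docs)          # the versioned backup also records the damage...
    return mirror.files, backup.restore_as_of(1)  # ...but can still restore the earlier state


if __name__ == "__main__":
    mirrored, restored = run_scenario()
    print("sync mirror now holds:", sorted(mirrored))
    print("versioned restore as of time 1:", sorted(restored))
```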