How to Prevent Ransomware from Locking your PC

The Quick Heal Threat Research Lab has been detecting increased numbers of ransomware infections over the last few weeks. We have recently reported on the notorious Dridex ransomware. These incidents depict a clear trend that malware authors are steadily shifting to serious money making ransomware variants.

The rise in these ransomware variant detections can be attributed to the following primary reasons:

• Ransomware has proven itself as a highly effective money extortion mechanism over the last year.
• Ransomware has become much easier to develop due to the availability of source code and the emergence of ‘Ransomware-as-a-service’ products in the black market.
• Ransomware is increasingly being used along with other successful and penetrative malware propagation techniques such as spam campaigns, ‘Malvertising’ and ‘Social Engineering’.
• Ransomware has become efficient due to the presence of Bitcoins, a digital currency that enables cybercriminals to collect money anonymously.

Stats for Ransomware Detection by Quick Heal

This graph shows the number of ransomware detections by Quick Heal for the 7 weeks starting from February 1st, 2016. In this time period, our lab has detected nearly 450,000 ransomware samples, which work out to approximately 9,000 ransomware detections every single day. These figures present a considerable rise in the ransomware detections that we have seen in the past, and they highlight the growing threat of ransomware to businesses and individual users.

How to Avoid Ransomware Infections

There are a few foolproof precautions that need to be undertaken to prevent ransomware variants from infiltrating and locking your machine. These safety guidelines are even more relevant for enterprises and small business owners who are often the most sought after victims of ransomware authors.

1. Backup your data often and in different ways

When it comes to data security, the first step is data classification. It is essential for data owners to segregate their data into crucial, moderate or dispensable categories and then devise ways to secure their most sensitive information. We recommend the 3-2-1 rule – maintain 3 different copies of data, in 2 different formats, with 1 format available offline.

2. Update your OS and other applications & utilities

Malware developers typically exploit vulnerabilities in applications and the OS to breach system security. To prevent incidences it is highly recommended to automatically download OS updates, and apply regular security patches for other applications on the system. Commonly targeted applications are Java, Adobe Acrobat Reader, Adobe Flash Player, MS Office and web browsers such as Google Chrome, Mozilla Firefox, Internet Explorer and more.

3. Be cautious of suspicious emails and attachments

Spam emails have become one of the most effective ways for ransomware to enter vulnerable systems. Through social engineering techniques or by disguising emails to appear as authentic ones, attackers cause victims to click on fraudulent links or download malicious attachments. When it comes to email security, we suggest the following security measures:

• Always check the email senders information
• Always verify the content of the email properly
• Never click on the links embedded within suspicious emails
• Never open or execute attachments received from unknown senders

Some More Ransomware Prevention Techniques

• Personalize spam settings for your email inbox and your installed security solution.
• Use the native Windows functionality of ‘Show File Extensions’. This shows the extensions of unknown files before opening them.
• In case of breaches or infections, immediately disconnect the Internet connection.
• Keep the Windows Firewall switched on at all times and regularly monitor its settings.
• Enable your installed security software to scan compressed and archived files when they enter the system.
• Turn off AutoPlay for USB devices, so that they do not immediately open the files within them.
• Consider installing an add-on which blocks automatic pop-ups on your browser.

Recently, ransomware infections have begun spreading via JavaScript codes on websites as well. So there are multiple avenues through which ransomware can be delivered into vulnerable systems. Quick Heal defends against the latest malware samples with generic and heuristics-based detections that are discovered through our global virus signature database on a daily basis. Moreover, Quick Heal security products also provide multiple lines of defense such as Virus Protection, Email Protection, DNAScan and Advanced Behavior Detection System for complete system security.

Locky Ransomware on the Lose

‘Locky’ is the latest addition to the ransomware family. It has an interesting name and carries the same nastiness. Read more from the post below.

What is the Locky Ransomware?

Locky is a new file-encrypting ransomware malware. It does two things:

• Encrypts the files it finds in the PC it infects.
• Changes the extension of the encrypted files to .locky

And as most of us know, the encrypted files can be decrypted only with a key available with the cyber crook and for a price.

Who all are in the red zone?

Locky ransomware is known to target Windows users.

How does it infect a machine?

The ransomware seems to be using different spam email campaigns to spread and infect its target victims.

In one campaign, it’s been noticed that the email seems to be from a popular organization, and asks the user to download an invoice attachment (MS Word doc).

The document contains text that looks incomprehensible or unreadable. And to make the text readable, the user needs to enable ‘macros’.

If the user falls for this trick and enables the ‘macros’, a series of automatic processes is triggered which finally results in installing the Locky Ransomware on the machine.

Once inside the system, the ransomware begins encrypting whatever files it can find.

What happens next?

Once Locky is done encrypting the files, it displays a message to the user on the desktop. The message informs what has happened, and that decrypting the files is only possible by purchasing a private key from the hacker; the cost could be up to Rs26,558/- ($400).

What do we suggest?

• Back up your important files regularly, and have the backup encrypted. This will make sure that the data does not misused by anyone.
• Do not trust any email that asks you to download an attachment, a software, survey forms or anything that you were not expecting; no matter how professional, urgent, or grand the email may look or sound. If you think the email is genuine, have it verified with the sender over a call or personally.
• Avoid using your computer with an ‘Administrator’ account unless necessary. Logged in as an administrator and being attacked by a malware can cause irreparable damage to your PC. Always log in as a standard User for day-to-day usage. Here is a post that explains more about why you shouldn’t run as admin?
• Keep your Windows OS and all other programs/applications up-to-date with the latest security updates/patches. In most cases of ransomware infections, the malware takes advantage of security vulnerabilities present in the user’s system.

How Quick Heal helps?

We have released an update to Quick Heal desktop products that prevents the attack of Locky Ransomware. Besides this, our multilayered defense mechanism helps prevent all types of malware attacks including new ransomware infections.

Email Security blocks emails carrying malicious links and attachments.

Web Security blocks websites containing hidden malware and viruses, and websites designed for phishing attacks.

Advanced DNAScan stops new and unknown malware that can cause the most damage.

Anti-Ransomware stops ransomware from encrypting any data. The feature works in multiple ways to prevent a potential ransomware attack.

• Scans every downloaded file whose components could become a potential ransomware attack.
• Analyzes how a program behaves in real-time, so that it can be stopped before it does any damage.
• Proactive backup prevents data loss even in cases where certain files might get encrypted by a ransomware.
• Helps user keep a track of files that have gotten encrypted.
• Alerts user immediately to take a corrective action.
• Isolates detected ransomware infections; stops them from spreading and doing any damage.

We are keeping a track of the Locky Ransomware and its developments. We will keep you posted in case we come across anything important. Stay safe!

Sanjay Katkar, MD & CTO, Quick Heal Technologies Limited