Published 05/12/2017

If you are not yet familiar with ransomware and its potential to close your business completely, consider yourself very lucky, then read all the information below so you can continue to be safe from ransomware destruction. Otherwise, you may become infected, and the next several days will be days you will remember for a very long time.

How does it get into my system?
Ransomware is malware that is usually introduced into your network by someone clicking a malicious link in an email without knowing it is malware. It could be an email from your boss, your mother, your wife, or even someone like me! It can also be released by someone opening an email attachment. If the person who clicks the link or opens the attachment has administrative rights on the computer they are using, pray for mercy, even if you don't believe in God, since very little else will help you if you have not taken the time to implement my recommendations outlined below to prevent this type of attack. Ransomware works by running a program that is unknowingly released by someone clicking a malicious link or attachment on their computer. It immediately begins to encrypt all the data files (.pdf, .doc, .docx, .dat, .pcfg, .jpg, .bmp, etc.) on the host computer and all the files on computers that are accessible via the local network. A small text document will be placed in each of the encrypted folders, and it will have a strange name such as "haha you have been hacked" or something similar. That small file will tell you that all your files have been encrypted and that you must pay a ransom, usually within 24 hours, to get them unlocked and usable again. It will give you an email address to use and an account number for a virtual wallet somewhere on the web, to which you should send the bitcoin you will use to pay the ransom.

What does it do to my computer?
It will immediately begin to encrypt all the files on your computer and every file on every computer you are connected to on your network. This includes your server, your kids' computers, your work associates' computers, external drives connected to anyone's computer, etc. You will discover you have been attacked only when you begin to notice that you cannot open files you use every day. If you look in the folders where those files are stored, you will find a text file with some sort of dubious name like "Ha Ha! You have been hacked!" If you open the file, it will contain information about how to restore your files to their original unaltered condition, and it will give you an email address to use and an account number for a virtual wallet somewhere on the web, to which you should send the bitcoin you will use to pay the ransom. Luckily (up to now anyway) the malware changes the name of each file when it is encrypted. This is very much to your advantage if you have a good recent backup from which to recover your data. If you do not have valid backups, plan to be working late for a while!
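As an added illustration that is not part of the original article, the following Python script looks for the two signs just described: a dropped ransom note sitting in a folder, and data files whose names have changed because an extra extension was appended during encryption. The folder names, the note keyword list and the ".locked" suffix in the constructed sample are assumptions made so the script runs on its own; they are not signatures of any particular ransomware family, and a folder is only reported as suspect when both signs appear together.

```python
"""Added example: scan a folder tree for the two ransomware indicators described
in the article, a dropped ransom note and data files renamed with an extra extension."""
import os
import re
import tempfile
from pathlib import Path

# Data-file extensions to watch (the article's examples plus a few office types; constructed list)
DATA_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".dat", ".pcfg", ".jpg", ".bmp"}

# Words that tend to appear in ransom-note filenames (generic heuristic, an assumption,
# not a signature for any specific family)
NOTE_WORDS = re.compile(r"hacked|decrypt|restore|recover|ransom|how.?to", re.IGNORECASE)


def looks_like_note(name: str) -> bool:
    """A .txt/.html/.hta file with a threatening or instructional name."""
    return Path(name).suffix.lower() in {".txt", ".html", ".hta"} and bool(NOTE_WORDS.search(name))


def looks_renamed(name: str) -> bool:
    """'invoice.docx.locked': a data-file extension hidden behind an unknown final suffix."""
    suffixes = [s.lower() for s in Path(name).suffixes]
    return (len(suffixes) >= 2
            and suffixes[-2] in DATA_EXTENSIONS
            and suffixes[-1] not in DATA_EXTENSIONS)


def scan_tree(root) -> dict:
    """Walk root and collect both indicators.

    A folder is listed in 'suspect_dirs' only when it holds a note AND renamed data
    files, which keeps an ordinary README or a stray .bak file from raising an alarm.
    """
    notes, renamed, suspect_dirs = [], [], []
    for dirpath, _dirs, files in os.walk(root):
        dir_notes = [f for f in files if looks_like_note(f)]
        dir_renamed = [f for f in files if looks_renamed(f)]
        notes += [os.path.join(dirpath, f) for f in dir_notes]
        renamed += [os.path.join(dirpath, f) for f in dir_renamed]
        if dir_notes and dir_renamed:
            suspect_dirs.append(dirpath)
    return {"notes": notes, "renamed": renamed, "suspect_dirs": sorted(suspect_dirs)}


def build_sample_tree(base) -> str:
    """Constructed sample data: one untouched folder and one folder that looks hit."""
    clean = Path(base) / "Clean"
    hit = Path(base) / "Accounting"
    clean.mkdir()
    hit.mkdir()
    (clean / "budget.xlsx").write_bytes(b"numbers")
    (clean / "notes.txt").write_text("meeting notes")            # harmless .txt, not a note
    (hit / "invoice.docx.locked").write_bytes(b"\x00\x01")       # renamed by the encryptor
    (hit / "scan.pdf.locked").write_bytes(b"\x00\x01")
    (hit / "HaHa you have been hacked.txt").write_text("pay us")  # the dropped note
    return str(base)


def demo_scan() -> dict:
    """Build the sample tree in a temporary folder and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_tree(build_sample_tree(tmp))


if __name__ == "__main__":
    # Run against a real share instead with: scan_tree(r"\\server\data")
    for key, value in demo_scan().items():
        print(key, value)
```

Pointing scan_tree at the shared folders your users open every day and running it on a schedule gives you an earlier warning than waiting for someone to report that a file will not open.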

How much is the ransom and how do I pay it?
The criminals are smart enough to know that most companies will not pay extremely high ransom amounts, so they usually demand only around $500 or so (or the price of one bitcoin, which changes from day to day). What complicates the ransom payment is that you cannot pay it with a credit/debit card or check. They only take bitcoin, and unless it has changed lately, bitcoin can only be purchased from bitcoin ATMs. As far as I know, there is only one bitcoin ATM in North Texas, and it is located in a bar in the Deep Ellum area of Dallas (click here for details). The owner of the bar where the ATM is located said he has people flying in from all over the western US to buy bitcoin every day! However, many large organizations that have been attacked have faced ransom amounts in the hundreds of thousands of dollars! I have spoken with authorities personally, and they have all told me that the only way to get your data back if you don't have a backup is to pay the ransom.

You should also be aware that purchasing bitcoin is a very difficult, tedious process. By design, bitcoin allows everyone to exchange money anonymously, so there are several layers of protection to go through, and the process is very difficult, to say the least.

Also be aware that there is usually a 24-hour time limit on the ransom payment, after which the amount demanded will double or even triple. Once you have the bitcoin, you will find instructions in the text document placed in every encrypted folder telling you how to send it to the criminals. There will also be instructions to send them an email with one of the encrypted files attached so they can apply their key and send it back to you unencrypted, to prove they can do it.

How do I protect my system from attack? (Click here to print the user-friendly checklist in .pdf format)

  1. Never operate your computer with administrative rights, even if you own that computer and every other computer in the building! If you don't have those rights, you cannot infect your system with this malware! But be careful! If you do click the malicious link or open the infected attachment, a box may appear asking for the administrator's password. I always change the administrator's account to a different name so there is never an account called "administrator" or "admin". I change it to a friendly, common name, something like Mary or George (I actually use the same friendly name on all my systems but will not publish it here for obvious reasons). This creates one more layer of security, since the software can then only guess who has admin rights.

  2. Be absolutely certain you have an offsite backup that is working correctly and sends your files to an offsite data center every day! Nothing is more important than this! But you MUST assign someone to be responsible for checking it daily to be sure it is working correctly.

  3. Be absolutely certain you have an ON SITE backup that is working correctly and sends your files to a LOCAL BACKUP DRIVE! You could restore all your files from your offsite cloud backup, but depending on the quantity and size of the files and the speed of your internet connection, it could take several weeks for the restore to be completed. If you rely only on your on-site backup for this purpose, you MUST assign someone to be responsible for checking it daily to be sure it is working correctly. I use a very inexpensive program called Second Copy. It costs less than $30 and can be purchased by clicking here. You can download a fully functional 30-day trial version without any credit card to get your protection started right away. The backup software should be used to back up all your important data to a portable (USB) drive. It is important that you use at least TWO different drives for this process! If you don't, there is a good chance the portable drive will be encrypted just like all the other attached drives if you are attacked. If this happens and you have two different drives being rotated, you will only lose one day's work by restoring from yesterday's drive. And that one day of work can be restored from your offsite backup that runs every day. Having an employee take the second backup drive home with them every night also protects you from data loss due to theft or damage caused by fire, etc.

  4. Be sure you leave your computers on at night so the necessary critical updates from Microsoft can be installed and your anti-virus software can scan your system regularly. It would also be a good idea to manually check to be sure those updates are current. Click here for information about installing updates for Windows 7. Or click here for Windows 10.

  5. NEVER click on links in emails or open attachments unless you are specifically expecting that email to arrive after having a verbal conversation with the sender. The criminals who spread the malware can easily create an email that would appear to be coming from a close friend, relative, co-worker, your bank, or anyone else!
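As an added example that is not part of the original checklist, here is a Python script that performs the daily check step 3 asks someone to do for the rotated on-site drive: it confirms that the newest file on the backup drive was written within the last 24 hours, and that every file in the live data folder exists on the drive with the same size (a backup that stopped running, or a drive that was itself encrypted and had its files renamed, fails both tests). The folder names and file contents in build_scenarios are constructed sample data; in use you would point verify_backup at your real data folder and the USB drive that is plugged in today.

```python
"""Added example: daily check that the rotated USB backup drive is fresh and complete."""
import os
import shutil
import tempfile
import time
from pathlib import Path


def verify_backup(source, backup, now=None, max_age_hours=24.0) -> dict:
    """Compare a live data folder with its backup copy.

    'ok' is True only when the newest file on the backup is no older than
    max_age_hours and every source file is present with the same size.
    """
    now = time.time() if now is None else now
    source, backup = Path(source), Path(backup)
    missing, size_mismatch = [], []
    for path in source.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(source)
        copy = backup / rel
        if not copy.is_file():          # also catches a copy renamed by an encryptor
            missing.append(rel.as_posix())
        elif copy.stat().st_size != path.stat().st_size:
            size_mismatch.append(rel.as_posix())
    # Freshness: how long ago was the most recent file on the backup drive written?
    mtimes = [p.stat().st_mtime for p in backup.rglob("*") if p.is_file()]
    age_hours = (now - max(mtimes)) / 3600 if mtimes else float("inf")
    fresh = age_hours <= max_age_hours
    return {
        "fresh": fresh,
        "age_hours": round(age_hours, 1),
        "missing": missing,
        "size_mismatch": size_mismatch,
        "ok": fresh and not missing and not size_mismatch,
    }


def build_scenarios(base) -> tuple:
    """Constructed sample data: a live folder, a stale/incomplete backup and a good one."""
    base = Path(base)
    live = base / "live"
    (live / "projects").mkdir(parents=True)
    (live / "projects" / "plan.docx").write_bytes(b"plan" * 100)
    (live / "budget.xlsx").write_bytes(b"numbers" * 50)

    # Stale backup: one file copied two days ago, and the newer file never copied
    stale = base / "usb_stale"
    stale.mkdir()
    shutil.copy2(live / "budget.xlsx", stale / "budget.xlsx")
    two_days_ago = time.time() - 48 * 3600
    os.utime(stale / "budget.xlsx", (two_days_ago, two_days_ago))

    # Good backup: a complete copy made just now (copytree keeps the fresh timestamps)
    good = base / "usb_good"
    shutil.copytree(live, good)
    return live, stale, good


def demo_backup() -> tuple:
    """Return the reports for the stale and the good backup drive."""
    with tempfile.TemporaryDirectory() as tmp:
        live, stale, good = build_scenarios(tmp)
        now = time.time()
        return verify_backup(live, stale, now), verify_backup(live, good, now)


if __name__ == "__main__":
    # Real use, assuming the drive shows up as E: on the backup machine:
    #   print(verify_backup(r"D:\CompanyData", r"E:\Backup"))
    for report in demo_backup():
        print(report)
```

Scheduling this to run each morning and mailing the report to whoever was assigned the check in steps 2 and 3 turns "someone should look at it daily" into something that actually happens.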

If you have questions or need assistance, call Bobby at 214-773-7377 or email me: bobby@kendrickit.com.



2017 K.I.T.