Let’s return to one of the most dangerous and aggressive threats of recent years: ransomware, also known as crypto-viruses, i.e. harmful software that encrypts or steals user data and asks for a ransom.

What is changing? How are these viruses evolving? Is there any reliable way to protect yourself? These questions are not easy to answer, but today a sysadmin, a technician or an IT manager must know this topic very well and study all the possible strategies to protect data, be it on premises or outside the company.

Virus map by Bitdefender

Unfortunately, the situation is getting worse as far as the features and capabilities of this software are concerned. Indeed, the most recent ransomware versions:

  • No longer attack just local disks and mapped network shares, but can encrypt the content of all shares whose credentials are stored or available
  • Allow only a few days to pay the ransom: data is remotely deleted after a week or just 10 days
  • Can keep the system running and grant access to files as long as the encryption job is not complete, so that the user can’t recognize the infection and immediately power off the computer
  • Are multiplatform: they now spread not just on Windows but also on Linux and Mac.

Another dangerous trend that can worsen the situation is the availability of kits, such as Ransom32, for creating ransomware that can be distributed autonomously, which increases the number of people able to exploit this criminal technique.

The other bad news is the decreasing effectiveness of some data retrieval techniques that have been successfully applied up to now. The “bugs” found in some of the initial releases of, for instance, Cryptolocker, which could offer a way to decrypt data, are now fixed, so this remediation method can no longer be used. At the same time, criminals are increasingly careful to delete private keys after attacking the victim, which makes any retrieval effort useless when servers are seized by American and European police.

How to behave if infected

Ransom32: the infection window

Some rules of behaviour are quite elementary, but we’d like to reiterate them, as we often speak with sysadmins or so-called experts who give useless advice.

  1. Immediately power off the computer, or computers, that are infected and disconnect any network cable.
  2. Check every network share (servers, NAS) and verify that it isn’t infected.
    If any share is infected, immediately disconnect it from the network and verify that the infection is limited to just those folders. Move the infected files to an external disk and replace the share content with the last backup before reconnecting.
  3. Verify that no other PC on the network is infected.
  4. Remove the disks from the infected PC and connect them to a computer that holds no personal data and is equipped with an updated antivirus and all the tools needed to retrieve files that haven’t been encrypted yet. Archive the encrypted data separately, at least if you don’t have an up-to-date backup: it could be decrypted later, should any bug be discovered or the police find the keys on the criminals’ servers. If the disks can’t be easily removed (as is the case with certain laptops), use a bootable Linux distro instead.
  5. Don’t pay the ransom.
  6. Format infected PCs and reinstall Windows from scratch or from a complete image of an uninfected backup. Copy every needed document from the latest backup.
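
Steps 2 and 4 both require telling files that are still intact apart from files that have already been encrypted. The following Python sketch is an added example, not part of the original article: it only reads files, compares each header with the well-known signature for its extension, and falls back to a byte-entropy heuristic for unknown types. The function names, the 7.5 bits/byte threshold and the sample files (including the `.locked` extension) are assumptions made for illustration.

```python
import math, os, tempfile
from collections import Counter

# Well-known leading bytes of common document formats.
MAGIC = {".pdf": b"%PDF", ".png": b"\x89PNG", ".jpg": b"\xff\xd8\xff",
         ".zip": b"PK\x03\x04", ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04"}

def entropy(data):
    """Shannon entropy in bits per byte; encrypted data sits close to 8."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def classify(path, sample=65536, min_len=1024, threshold=7.5):
    """Read-only check of one file: 'intact', 'suspect' or 'unknown'."""
    with open(path, "rb") as fh:
        head = fh.read(sample)
    magic = MAGIC.get(os.path.splitext(path)[1].lower())
    if magic is not None:
        # Known type: the header must still match what the extension promises.
        return "intact" if head.startswith(magic) else "suspect"
    if len(head) < min_len:
        return "unknown"  # too short for a meaningful entropy estimate
    # Unknown type: heuristic only, archives and media are high-entropy too.
    return "suspect" if entropy(head) >= threshold else "intact"

def triage(root):
    """Walk a mounted disk or share; return {verdict: sorted relative paths}."""
    result = {"intact": [], "suspect": [], "unknown": []}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(folder, name)
            result[classify(full)].append(os.path.relpath(full, root))
    return {verdict: sorted(paths) for verdict, paths in result.items()}

def demo():
    """Triage a constructed sample tree (random bytes stand in for ciphertext)."""
    noise = os.urandom(8192)
    samples = {"report.pdf": b"%PDF-1.4\n" + b"text " * 500, "invoice.pdf": noise,
               "notes.txt": b"meeting notes\n" * 200, "tiny.dat": noise[:16],
               "photo.jpg.locked": noise}  # '.locked' is a made-up extension
    with tempfile.TemporaryDirectory() as root:
        for name, body in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
        return triage(root)

if __name__ == "__main__":
    print(demo())
```

On the analysis machine, mount the removed disk read-only and call `triage()` on the mount point; every "suspect" and "unknown" entry still needs a manual look before it is archived or restored.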

Continues: how to make efficient backups and tools to block ransomware

About the Author

Filippo Moriggia

After more than 10 years of experience in technical journalism with PC Professionale (the Italian version of PC Magazine) and other newspapers of the Mondadori group, Filippo Moriggia founded GURU advisor, the reference website for IT professionals, system integrators, cloud providers and MSPs. He has a Master of Science in Telecommunications Engineering and works as an independent consultant and contractor for different firms. His main focuses are software, virtualization, servers, cloud, networking and security. He is a certified VMware VCA for Data Center Virtualization.
