A while back we received a Windows server that lost its data due to a particular type of malware designed to extort money by holding the data ransom, and we thought this would be a good time to update you on this virus to further protect you from it.

Ransom malware is manually installed by the attacker on Windows systems running Remote Desktop or Terminal Services, which is common for remotely maintained Windows servers. It falsely presents itself as something from the “Anti Cyber Crime Department of Federal Internet Security Agency” or “ACCDFISA.” No such agency exists, and the FBI has warned against similar viruses. It then demands a payment to regain access to the data that is no longer accessible.

There is a thorough look at how this malware works here, but in short, it relies on common user accounts, such as “admin,” “support,” “Administrator,” “server,” and several others, on down to “john” and “robert.” Then it guesses a staggering number of passwords, using words found in the dictionary, and variants of them, in what’s known as a brute force attack.
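The username-list guessing described above leaves a recognisable trace in the Windows Security log: many failed RDP logons (event 4625, logon type 10) from one source, spread across a list of account names. The following is an added example, not code from the original post, that flags that pattern; the sample event lines are constructed, and the field names and thresholds are assumptions to tune for your own server.

```python
"""Spot an RDP password-guessing burst in Windows logon-failure events.
Added example (not from the original post): the event lines are constructed
to resemble a flattened Security log export; field names and thresholds are
assumptions to tune for your own server."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample. EventID 4625 = failed logon, LogonType 10 = RDP session.
SAMPLE_EVENTS = """\
2015-03-02T01:10:05 EventID=4625 LogonType=10 TargetUserName=admin SourceIP=203.0.113.7
2015-03-02T01:10:07 EventID=4625 LogonType=10 TargetUserName=support SourceIP=203.0.113.7
2015-03-02T01:10:08 EventID=4625 LogonType=10 TargetUserName=Administrator SourceIP=203.0.113.7
2015-03-02T01:10:09 EventID=4625 LogonType=10 TargetUserName=server SourceIP=203.0.113.7
2015-03-02T01:10:10 EventID=4625 LogonType=10 TargetUserName=john SourceIP=203.0.113.7
2015-03-02T01:10:11 EventID=4625 LogonType=10 TargetUserName=robert SourceIP=203.0.113.7
2015-03-02T02:00:00 EventID=4625 LogonType=10 TargetUserName=hamiltonflower SourceIP=198.51.100.4
"""

def parse_event(line):
    """Turn one flattened event line into a dict; 'ts' becomes a datetime."""
    ts, *fields = line.split()
    ev = dict(f.split("=", 1) for f in fields)
    ev["ts"] = datetime.fromisoformat(ts)
    return ev

def find_guessing_sources(text, window=timedelta(minutes=5), max_failures=5, min_users=3):
    """Return {source_ip: usernames} for every source that produced more than
    max_failures RDP logon failures inside one `window`, spread over at least
    min_users distinct account names (the username-list pattern in the post)."""
    failures = defaultdict(list)          # ip -> [(ts, user), ...]
    for line in text.splitlines():
        ev = parse_event(line)
        if ev["EventID"] == "4625" and ev["LogonType"] == "10":
            failures[ev["SourceIP"]].append((ev["ts"], ev["TargetUserName"]))
    flagged = {}
    for ip, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):   # sliding time window over the failures
            while events[end][0] - events[start][0] > window:
                start += 1
            users = {u for _, u in events[start:end + 1]}
            if end - start + 1 > max_failures and len(users) >= min_users:
                flagged[ip] = users
    return flagged

if __name__ == "__main__":
    for ip, users in find_guessing_sources(SAMPLE_EVENTS).items():
        print(f"{ip}: {len(users)} account names tried: {sorted(users)}")
```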

Once the attacker has discovered valid user credentials, they can disable any anti-virus or anti-malware that may be in the way and then download and execute the malware, which has several forms and seems to keep evolving. Some of the more prevalent ransomware viruses are Cryptolocker, Cryptowall and Reveton. Each ransomware virus can infect your computer differently, but according to this look at the ACCDFISA they all have three basic components and objectives in common:

  1. A screen locker that shows the ransom notice and locks out the user.
  2. A crypto malware that backs up and encrypts the files found on the system.
  3. A decryption tool that the user is supposed to use to decrypt the data on the system after the ransom is paid.

In other words, it creates encrypted backups of your files and then leverages a legitimate third-party tool to delete the original copies in a manner that makes them unrecoverable. The encryption is very strong, and the password is a lengthy string of characters generated at random. In the case we saw in our data recovery lab, we found the file definitions for the deleted files, but the file contents were completely destroyed.

Most of these ransomware viruses show up in compromised attachments, websites, advertisements and spammed emails. To protect yourself from ransomware, you must use your best judgement when opening websites and emails. Don’t open suspicious emails or click on unusual advertisements. It is also important to check your spam filtering and set stronger filters.

Photo Credit: Dennis Skyley https://flic.kr/p/pcuZNx

With all that being said, the best protection against this type of malware is to have good password protocols and to avoid common user names altogether.

Be careful as you develop “strict password protocols.” Password security can be counterintuitive: the common requirement of having a number and a special character is an improvement over a simple word or a sequence of numbers or letters, but it still leads to fairly vulnerable passwords compared to other techniques that are usually easier for the user to remember.

For example, passwords such as Grapefru!t1, [email protected], Sundae#1, P!zza:-) have fewer elements for a brute force attack to work through and eventually crack than a password such as bankloanerfridayholidaytrip. And a combination of five or more words is generally easier for users to remember without writing it down or recording it somewhere it could be stolen. A last name and a common word will make a unique user ID that is probably easy enough for its owner to remember, such as hamiltonflower.
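To make the comparison above concrete, here is an added example (not code from the original post) that estimates the number of guesses a dictionary-and-variants attack must make to reach each kind of password. The small word list is a constructed stand-in for a real dictionary, and the 100,000-word dictionary size and the size of the attacker's variant rule set are assumptions.

```python
"""Estimate how many guesses a dictionary-and-variants attack needs per password.
Added example, not code from the original post. WORDS is a constructed stand-in
for a real dictionary; DICT_SIZE and VARIANTS_PER_WORD are assumptions about the
attacker's word list and mangling rules."""
import math
import re

WORDS = {"grapefruit", "sundae", "pizza", "bank", "loaner", "friday", "holiday", "trip"}
DICT_SIZE = 100_000                       # assumed size of the attacker's word list
LEET = str.maketrans("!@$03", "iasoe")    # assumed substitutions the attacker's rules try
# Assumed rule set: 2 capitalisations x 8 substitution patterns x a suffix of up to
# two characters drawn from 42 digits/symbols (1 + 42 + 42**2 choices).
VARIANTS_PER_WORD = 2 * 8 * (1 + 42 + 42 ** 2)

def split_into_words(s):
    """Split s into dictionary words by dynamic programming; None if impossible."""
    best = {0: []}
    for end in range(1, len(s) + 1):
        for start in range(end):
            if start in best and s[start:end] in WORDS:
                best[end] = best[start] + [s[start:end]]
                break
    return best.get(len(s))

def guess_bits(password):
    """Return (strategy, log2 of the guesses needed to reach the password)."""
    core = re.sub(r"[^A-Za-z]+$", "", password)       # drop trailing digits/symbols
    plain = core.lower().translate(LEET)               # undo Grapefru!t -> grapefruit
    if plain in WORDS:
        return "word+variants", math.log2(DICT_SIZE * VARIANTS_PER_WORD)
    words = split_into_words(password.lower())
    if words:
        return f"{len(words)} words", len(words) * math.log2(DICT_SIZE)
    return "random", len(password) * math.log2(95)    # printable-ASCII fallback

if __name__ == "__main__":
    for pw in ("Grapefru!t1", "Sundae#1", "P!zza:-)", "bankloanerfridayholidaytrip"):
        strategy, bits = guess_bits(pw)
        print(f"{pw:30} {strategy:14} ~2^{bits:.0f} guesses")
```

Under these assumptions the word-plus-variants passwords sit around 2^31 guesses while the five-word passphrase sits around 2^83, which is the gap the paragraph above describes.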

So, if you have an “admin” or a “Robert” username on your Windows server, go change it. Get rid of every common user ID, including “guest.” And make sure your credential protocols are requiring passwords that can’t be guessed by generating dictionary word variants.

A hardware solution is also a good idea: use a firewall, which is available as an inexpensive piece of hardware that sits between your server and its internet connection, configured to allow remote access only from certain IP addresses.

If you were to get a ransomware virus, immediately disconnect your computer from your network and shut it down to prevent it from spreading to the rest of the network.

To prevent data loss, you should consider four things. First, you should have automated, strong backups in case all else fails and you need to restore your lost data. Second, always make sure that your backup keeps a revision history, so you have a version to go back to if everything gets encrypted. Third, anti-malware is critical in a situation like this, because it can detect these infections early. Lastly, IT admins should constantly be looking at ways of monitoring large numbers of changed files within a certain time frame, as well as limiting the administrative privileges of users to prevent downloads of infected material.
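The create-encrypted-copy-then-delete-original behaviour described earlier, together with the file-change monitoring suggested above, lends itself to a simple check on file audit records. The following is an added example, not code from the original post: the audit records are constructed, and the derived-file suffix, the time gap and the alert threshold are assumptions.

```python
"""Flag the create-encrypted-copy-then-delete-original pattern from the post.
Added example (not from the original post): the change records are constructed,
the '.aes' suffix and the thresholds are assumptions; real malware names vary."""
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Constructed audit records: (timestamp, action, path).
def _rec(sec, action, name):
    return ("2015-03-02T03:10:%02d" % sec, action, r"C:\Shares\Docs\%s" % name)

SAMPLE_CHANGES = [_rec(0, "MODIFY", "notes.txt")]         # benign edit, no delete
for i in range(12):                                      # 12 originals copied, then removed
    SAMPLE_CHANGES += [_rec(2 * i + 1, "CREATE", "report%d.docx.aes" % i),
                       _rec(2 * i + 2, "DELETE", "report%d.docx" % i)]

def replaced_originals(changes, max_gap=timedelta(seconds=30)):
    """Return the originals for which a new file carrying the original's full name
    as its stem appeared in the same directory, and the original was deleted
    within max_gap afterwards."""
    created = {}   # (directory, original name) -> time the derived file appeared
    hits = []
    for ts, action, path in sorted(changes):           # timestamps sort as strings
        t = datetime.fromisoformat(ts)
        p = PureWindowsPath(path)
        if action == "CREATE" and p.suffix:            # report0.docx.aes -> stem report0.docx
            created[(str(p.parent), p.stem)] = t
        elif action == "DELETE":
            key = (str(p.parent), p.name)
            if key in created and t - created[key] <= max_gap:
                hits.append(path)
    return hits

def alert(changes, threshold=10):
    """True when enough originals were replaced to look like mass encryption."""
    return len(replaced_originals(changes)) >= threshold

if __name__ == "__main__":
    gone = replaced_originals(SAMPLE_CHANGES)
    print(f"{len(gone)} originals replaced; alert={alert(SAMPLE_CHANGES)}")
```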

XKCD's take on password security
(Reproduced from XKCD under a Creative Commons Attribution-NonCommercial 2.5 License.)