Let’s return to one of the most dangerous and aggressive threats of the last years: ransomware, aka crypto-viruses: harmful software that encrypts or steals user data and asks for a ransom.

What is changing? How these viruses are evolving? Are there any reliable solution to get protected? It’s not easy to answer to all these questions, but a sysadmin, a technician or an IT manager today must know very well this topic and study all the possible strategies to protect data, be it on premises or outside the company.

Unfortunately the situation is getting worse as far as the features and capabilities of these software are concerned. Indeed, the most recent ransomware versions:

• Ransomware no longer attacks just local disks and mapped network shares, but can encrypt the content of all shares whose credentials are stored or available
• It allows only a few days to pay the ransom: data is remotely deleted after a week or just 10 days
• It can keep the system running and grant access to files as long as the encryption job is not complete, so that the user can’t recognize the infection and immediately power-off the computer
• Ransomware is multiplatform: now it spreads not just on Windows but also on Linux and Mac.

Another dangerous trend that can worsen the situation is the availability of kits for the creation of ransomware to be autonomously distributed, such as Ransom32, thus ending up in the growth of the number of people that can exploit this criminal technique.

The other bad news is the decreasing efficiency of some data retrieval techniques that have been successfully applied up to now. Those “bugs” found in some of the initial releases of, for instance, Cryptolocker, which could offer a way to decrypt data, are now fixed so this remediation method cannot be used any longer. At the same time, criminals are more and more clever and astute to delete private keys after attacking the victim, making unuseful any retrieval effort when servers are confiscated by american and european polices.

How to behave if infected

Some behaviour rules are quite elementary, still we’d like to reiterate them as we often speak with sysadmins or so-called experts that give useless advice.

1. Immediately power off the computer, or computers, that are infected and disconnect any network cable.
2. Check every network shares (servers, Nas) and verify they aren’t infected.
   If so, immediately disconnect them from the network and verify that the infection is limited to just those folders. Move infected files on an external disk and change the share content with the last backup before reconnecting.
3. Verify that no other PC on the network is infected.
4. Remove disks from the infected PC and connect them to a computer without any personal data and equipped with an updated antivirus and all the tools to retrieve files that haven’t been encrypted yet. Separately archive encrypted data, at least if you don’t have an up to date backup: they could be later decrypted should any bug be discovered or the police find keys of the criminals’ servers. If disks can’t be easily removed (for instance, it’s the case of certain laptops), then use a bootable Linux distro.
5. Don’t pay the ransom
6. Format infected PCs and reinstall Windows from scratch or from a complete image of an uninfected backup. Copy every needed document from the latest backup.

Continues: how to make efficient backups and tools to block ransomware