Here is a powerful piece of ammo to get (more) IT Security budget.
SophosLabs reported of a new ransomware strain with a difference - this one is a true self-replicating parasitic virus! They call it VirRansom.
This new strain is a hybrid that combines CryptoLocker and CryptoWall functionality with active self-replicating virus infections of all files it can find. And like the cybercrime Reveton family of malware, it locks the PC's main screen demanding 0.619 Bitcoin to let you back in. Yikes.
Let me quote Sophos for a moment: "Worms vs. Parasitics: Most worms leave you with one, or perhaps a handful, of infected files that weren't there before and need to be deleted.
"Parasitic viruses, in contrast, may leave you with hundreds of infected files on each computer, or thousands, or more. If you leave even one of those infected files behind after a clean-up, the infection will start up all over again.
"Worse still, the infected files can't just be deleted, because they are your own files that were there before the infection started. That makes cleanup much trickier."
The good news: The file encryption is not as advanced as CryptoWall, as the key to decrypt the files is contained in the malware itself. Your antivirus should soon be able to decrypt the files and restore them, unless the bad guys are constantly changing the encryption keys in which case it may take a while before your AV does anything.
The bad news: This is a full fledged virus which will spread across your network and doing a less than perfect job on the disinfection can easily lead to reinfection of your whole network.
CryptoWall-encrypted files that you can't or don't decrypt are harmless garbage forever, but you can delete it. With VirRansom, files that you don't decrypt are still recoverable, but also still actively infectious.
It gets nastier all the time. You can expect a VirRansom 2.0 soon where they might implement "new features" like industrial-strength encryption like CryptoWall where you only get the decryption keys after payment, and things like infection of your email server, where emails are converted to a worm for maximum dissemination of their malcode. (Think about the legal ramifications of something like this.)
You can mitigate these types of threats through both technical measures and enforcing security policy. First some technical approaches:
- The very first thing you need to do is test the Restore function of your backups and make sure it works. And have a full set of backups offsite.
- Start thinking about asynchronous real-time backups so you can restore files with a few mouse clicks.
- Get rid of mapped drives and use UNC links for shared folders.
- Whitelisting software, which only allows known-good executables to run, starts to look more attractive by the month.
From the security policy angle, it's time to enforce best practices, and one of those is of course prevent these types of infections to begin with, through effective 5-th generation security awareness training, as the infection vector is your end-user opening up an attachment or clicking on a link. Find out how affordable this is for your organization. Get a quote now: