Pay the ransom or lose your files
Ransom demands such as this may indicate a malware or ransomware infection.
By Brian Gaspard and Robert C. McDonald
Brian Gaspard is the owner of Image Networks in San Antonio, which provides IT and computing solutions for companies throughout San Antonio and Wilson County. Gaspard recently aided a local business in recovering from a ransomware attack and shares his insight here.
Computer attacks are nothing new, but a new class of malware known as “ransomware” may have people questioning just how secure their business and personal computer systems really are. This particular malware is spreading rapidly, and at least one local business has discovered how destructive it can be.
Jack Rice, president of the Texaloy Foundry Co. in Floresville, confirmed that such an attack recently occurred with his company’s computer network. Rice said that two computers were infected, and while he paid the first ransom of $500, he refused further such demands. In Texaloy’s case, paying the first ransom retrieved about 70 percent of the company’s files, while the remaining 30 percent were left encrypted.
Ransomware is a class of malware that holds certain aspects of a computer “hostage,” and demands a payment. It works through email attachments. The old style of ransomware many people may have seen displayed bogus alerts from the FBI, CIA, or other government agency. They stated that the computer was used for illegal activities, and thus had been locked. The alerts demand a payment as a “fine” to unlock the computer and return control to the user. While these infections have been around a long time, they are rarely destructive, and can generally be removed by any good antivirus software.
A few years back, the developers of these applications figured out how to use the same type of infections to encrypt files on the computer. While the antivirus software could remove the infection, it could not decrypt the files. Users were often stuck paying the ransom to decrypt the files.
About a year ago, a new class of ransomware, known as “cryptolocker” or “cryptowall,” started to make the rounds. These programs work in much the same way, encrypting a computer’s files and then displaying a message that demands a payment. The biggest difference with these newer types is that they have a prebuilt application. This means anybody with an Internet connection can become a ransomware vendor. That means infection rates are much higher. Another big difference is that these newer applications not only encrypt files on the victim’s computer, but also on any computer attached to the same network.
Unfortunately, antivirus software has become easy for virus writers to work around. Symantec, a leading antivirus vendor, even declared antivirus software “dead.” This means that relying on antivirus software alone will not work in most cases.
Ransomware infections work through email attachments. These emails usually appear to come from a user within the company, and the attachment looks like a simple PDF. After the program has done its damage and has encrypted all the files on the network, the user is presented with the demand page. The page often displays a clock and indicates that after a period of time, the rate will double. Eventually, if nothing is done, the criminals will delete the encryption keys from their servers, and file recovery becomes impossible.
In addition, because each infection is unique, it’s possible for multiple network users to be infected. This means that the files on the network can be encrypted twice or more. So while the company or user may decide to pay for one decryption, getting everything back may require additional ransoms.
Prevention is usually pretty easy, though, if users pay attention to what they are doing, and do not open attachments unless they are expecting them.
The vast majority of infections are geared toward Windows-based computers, so running a computer without Windows is usually a good way to prevent attacks. The Macintosh operating system is one way, but can be costly to those not already running Macs. In addition, most business software today runs only on Windows. This makes converting to Mac unfeasible for many businesses.
There are many other ways to combat such attacks, though, ranging from simple to complex. Texaloy now utilizes a complex system, including both Windows- and Linux-based computers meant to isolate email and web traffic from the rest of the company’s network. While this may not be a solution for everyone, there are some simple preventive measures anyone can take.
To help combat these attacks, and the ensuing loss of data, companies and individuals should be diligent about backing up their files. It’s a good idea to make backups on multiple devices that are both physically and logically disconnected from the network, at least periodically. External hard drives that are swapped out regularly are also good. Cloud backups can work, but since a cloud backup usually stays connected to the network, it’s possible for the backup software to actually overwrite good files with encrypted ones. It’s also advisable to have multiple people check the backups periodically to ensure they are working.
Malware is not going away anytime soon, and everyone should be mindful of the damage it can do. Educating users about the dangers of opening attachments, while remaining diligent about backing up files, are two simple first steps in the right direction.
Look for more on this in a coming issue of the Wilson County News.
August 2, 2014 4:30pm