|Image from Malwearbytes|
Files Stolen Directly From Your System
When this ransomware hits your company's computers, it will be disguised as a trusted software upload from such companies as FedEx or Blackberry. They often look like a customer support email. If you open this email it results in all your files becoming encrypted with asymmetric encryption that will make retrieving your files impossible. You will then receive a ransom email demanding a payment to receive the key to release your files, within a set deadline. Be aware that generally even paying the ransom will not get your files released and we don't recommend paying the fee. You can get complete details on how this encryption works from the folks at Malwearbytes.
Ransomware - ShadowProtect Backup is Vital
The best way to recover from this attack is to restore from backup. At the time we first saw it there was no Anti-Virus that was real time protecting you from it however Sophos are now reporting protecting people since the 6th Sept. I asked Trend Micro when they would have protection but they wanted a sample and we have found them to be missing a lot of attacks recently. ShadowProtect takes incremental backups through the day to minimise data loss. When the attack hits you will see a large spite in your incremental backup size as all the files are encrypted.
Other than open files your files are destroyed unless they were currently open at the time of the attack or offline as a backup. Just about every extension was hit. For a list of the most current known extensions, check the link to Malwearbytes report.
Once you have ensured that your backups are in place, you can protect your system by locking down any directories that may become infected. Be sure that you do not disable security in windows or office as this will leave your system vulnerable. It may be somewhat inconvenient, but not as inconvenient as having your files held for ransom. You can follow the instructions for locking down directories from Symantec by using this link.
Bottom Line on Protection
We highly urge all of our clients and vendors to be prepared for this current outbreak. To help fight this make sure you:
- Backup all files regularly and off the network.
- Lock down directories.
- Make sure you have a business grade UTM firewall device with current subscriptions
- Keep all virus protection software up to date.
- Make sure all employees are aware of this danger, trained in response and know to not open attachments without first talking to the IT department.
If error messages or other signs of an infection happen, shut down immediately and contact support.
Obviously we want all of our clients, customers, vendors and friends to be aware of just how dangerous this ransomware can be for their business. If you suspect that you have been hit, follow these directions and contact us immediately. A little knowledge can go a long way towards keeping all of us safe from this latest ransomware infection.