New Self-Replicating Ransomware Poses Threat to Corporate Networks
However, at least for now, some security software, including antivirus software from Sophos and Malwarebytes' anti-malware, can detect the malware and prevent infection; the Sophos AV can extract the original data and erase the virus. It remains to be seen how effective this will be as new versions of this malware roll out. Meanwhile, there are things you can do to help keep malware like this at bay. Sjouwerman provided a series of actions that enterprises can take to help either prevent or limit the damage caused by this malware:Fortunately, this malware can be eliminated and your files restored if you're backing your hard drives up. But be aware that if you're simply copying data to a network drive mapped with a drive letter, those backups may also be infected. This is why care has to be taken that you access the uninfected data in another way. Normally a cloud-based backup system will not be affected by this malware. However, you need to inspect your backup files, and restore from backups made before the infection took place. One way to tell whether the files on the remote backup are infected is to look at the file names of those backups to see if they have an EXE file extension. If they do, then look for an older backup. This new malware is a particularly nasty product, but it'll likely get worse. The only choice you have to keep running is to employ the best antivirus and anti-malware software, keep it up to date, train your employees how to recognize phishing emails and otherwise follow good computing practices. Then you can survive this latest wave of ransomware infections that are sure to break out.
- Test the restore function of your backups and make sure it works and have a full set of backups off-site.
- Start thinking about asynchronous real-time backups so you can restore files with a few mouse clicks.
- Get rid of mapped drives and use UNC (universal naming convention) links for shared folders.
- Look into whitelisting software that only allows known-good executables to run.
- Update or enforce security policy best practices, such as thorough effective security awareness training to prevent these types of infections to begin with since the infection vector is your end-user opening up an attachment or clicking on a link.
The infection vector that Sjouwerman mentions is the infected phishing email or other means that might have come along to introduce the malware into your network. It's worth noting that the ransom message will likely show up appearing to be a message from your local or national law enforcement agencies, such as appearing to be from the FBI. If the computer isn't connected to the Internet, then you'll see a generic message asking for a fine to be paid in Bitcoins, and threatening arrest.