Close
  • Latest News
  • Artificial Intelligence
  • Video
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Logo
Subscribe
Logo
  • Latest News
  • Artificial Intelligence
  • Video
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Subscribe
    Home Cybersecurity
    • Cybersecurity

    New Self-Replicating Ransomware Poses Threat to Corporate Networks

    Written by

    Wayne Rash
    Published December 9, 2014
    Share
    Facebook
    Twitter
    Linkedin

      eWEEK content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.

      Ransomware is already bad enough, but if you’re careful, and quick, it can be eliminated from a computer without paying a ransom.

      And, of course, virus software is controllable if you know what you’re doing. But what about malware that contains characteristics of both? In other words, this is ransomware that spreads like a virus and it includes features that make removing it extremely difficult.

      This new malware was tagged by SophosLabs researchers with the name W32/VirRnsm-A, and it’s a doozy. The malware can spread by normal means, such as by opening an infected email or by going to a malware-infected Website.

      Once the malware is downloaded, it begins by infecting data files, which could be anything from PDF files to JPG photo files. From a single computer, the infection can spread on its own throughout a corporate network.

      After infecting a suitable data file, which could be almost anything, it wraps the infected file into an encrypted shell that also contains the decryption key, and gives itself an EXE file type. Then, it reattaches the original document file icon. If the computer user has file extensions turned on, it turns them off as a way to hide the fact that it changed from being a data file and then it gives itself a registry entry so it will restart reliably.

      Finally, it launches two malware images into memory, each keeping an eye on the other, so that if one of them is shut down, it’s restarted. Once it’s done all of this, the malware launches a ransom notice and locks up the computer so it can’t do anything else.

      The next step is for the malware to infect every other data file it can find on the computer, on the mapped network and on removable drives. If even one of those infected files remains behind after a clean-up effort, it can re-infect the computer all over again.

      Sounds bad, doesn’t it? But it’s about to get worse. According to Stu Sjouwerman, CEO of security awareness training company Knowbe4, the current version of the malware contains the decryption key, but he expects the next version to use an external key.

      What this means is that a good, up-to-date antivirus or anti-malware program can remove the infection and unlock the file using the built-in decryption key. Soon it won’t be able to do that.

      “This is obviously version one since it carries the key in it,” Sjouwerman said. “Version two will likely have the key external.” But things are already changing. For now, your existing protection may still be able to handle this virus, but maybe not easily. “If you have anti-malware-antivirus, it will have a problem keeping up with this,” he said.

      New Self-Replicating Ransomware Poses Threat to Corporate Networks

      However, at least for now, some security software, including antivirus software from Sophos and Malwarebytes’ anti-malware, can detect the malware and prevent infection; the Sophos AV can extract the original data and erase the virus. It remains to be seen how effective this will be as new versions of this malware roll out.

      Meanwhile, there are things you can do to help keep malware like this at bay. Sjouwerman provided a series of actions that enterprises can take to help either prevent or limit the damage caused by this malware:

      1. Test the restore function of your backups and make sure it works and have a full set of backups off-site.
      2. Start thinking about asynchronous real-time backups so you can restore files with a few mouse clicks.
      3. Get rid of mapped drives and use UNC (universal naming convention) links for shared folders.
      4. Look into whitelisting software that only allows known-good executables to run.
      5. Update or enforce security policy best practices, such as thorough effective security awareness training to prevent these types of infections to begin with since the infection vector is your end-user opening up an attachment or clicking on a link.

      The infection vector that Sjouwerman mentions is the infected phishing email or other means that might have come along to introduce the malware into your network. It’s worth noting that the ransom message will likely show up appearing to be a message from your local or national law enforcement agencies, such as appearing to be from the FBI. If the computer isn’t connected to the Internet, then you’ll see a generic message asking for a fine to be paid in Bitcoins, and threatening arrest.

      Fortunately, this malware can be eliminated and your files restored if you’re backing your hard drives up. But be aware that if you’re simply copying data to a network drive mapped with a drive letter, those backups may also be infected.

      This is why care has to be taken that you access the uninfected data in another way. Normally a cloud-based backup system will not be affected by this malware. However, you need to inspect your backup files, and restore from backups made before the infection took place.

      One way to tell whether the files on the remote backup are infected is to look at the file names of those backups to see if they have an EXE file extension. If they do, then look for an older backup.

      This new malware is a particularly nasty product, but it’ll likely get worse. The only choice you have to keep running is to employ the best antivirus and anti-malware software, keep it up to date, train your employees how to recognize phishing emails and otherwise follow good computing practices. Then you can survive this latest wave of ransomware infections that are sure to break out.

      Wayne Rash
      Wayne Rash
      https://www.eweek.com/author/wayne-rash/
      Wayne Rash is a content writer and editor with a 35-year history covering technology. He’s a frequent speaker on business, technology issues and enterprise computing. He is the author of five books, including his most recent, "Politics on the Nets." Rash is a former Executive Editor of eWEEK and a former analyst in the eWEEK Test Center. He was also an analyst in the InfoWorld Test Center and editor of InternetWeek. He's a retired naval officer, a former principal at American Management Systems and a long-time columnist for Byte Magazine.

      Get the Free Newsletter!

      Subscribe to Daily Tech Insider for top news, trends & analysis

      Get the Free Newsletter!

      Subscribe to Daily Tech Insider for top news, trends & analysis

      MOST POPULAR ARTICLES

      Artificial Intelligence

      9 Best AI 3D Generators You Need...

      Sam Rinko - June 25, 2024 0
      AI 3D Generators are powerful tools for many different industries. Discover the best AI 3D Generators, and learn which is best for your specific use case.
      Read more
      Cloud

      RingCentral Expands Its Collaboration Platform

      Zeus Kerravala - November 22, 2023 0
      RingCentral adds AI-enabled contact center and hybrid event products to its suite of collaboration services.
      Read more
      Artificial Intelligence

      8 Best AI Data Analytics Software &...

      Aminu Abdullahi - January 18, 2024 0
      Learn the top AI data analytics software to use. Compare AI data analytics solutions & features to make the best choice for your business.
      Read more
      Latest News

      Zeus Kerravala on Networking: Multicloud, 5G, and...

      James Maguire - December 16, 2022 0
      I spoke with Zeus Kerravala, industry analyst at ZK Research, about the rapid changes in enterprise networking, as tech advances and digital transformation prompt...
      Read more
      Video

      Datadog President Amit Agarwal on Trends in...

      James Maguire - November 11, 2022 0
      I spoke with Amit Agarwal, President of Datadog, about infrastructure observability, from current trends to key challenges to the future of this rapidly growing...
      Read more
      Logo

      eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Advertisers

      Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

      Advertise with Us

      Menu

      • About eWeek
      • Subscribe to our Newsletter
      • Latest News

      Our Brands

      • Privacy Policy
      • Terms
      • About
      • Contact
      • Advertise
      • Sitemap
      • California – Do Not Sell My Information

      Property of TechnologyAdvice.
      © 2024 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.