Ransomware is already bad enough, but if you’re careful, and quick, it can be eliminated from a computer without paying a ransom.
And, of course, virus software is controllable if you know what you’re doing. But what about malware that contains characteristics of both? In other words, this is ransomware that spreads like a virus and it includes features that make removing it extremely difficult.
This new malware was tagged by SophosLabs researchers with the name W32/VirRnsm-A, and it’s a doozy. The malware can spread by normal means, such as by opening an infected email or by going to a malware-infected Website.
Once the malware is downloaded, it begins by infecting data files, which could be anything from PDF files to JPG photo files. From a single computer, the infection can spread on its own throughout a corporate network.
After infecting a suitable data file, which could be almost anything, it wraps the infected file into an encrypted shell that also contains the decryption key, and gives itself an EXE file type. Then, it reattaches the original document file icon. If the computer user has file extensions turned on, it turns them off as a way to hide the fact that it changed from being a data file and then it gives itself a registry entry so it will restart reliably.
Finally, it launches two malware images into memory, each keeping an eye on the other, so that if one of them is shut down, it’s restarted. Once it’s done all of this, the malware launches a ransom notice and locks up the computer so it can’t do anything else.
The next step is for the malware to infect every other data file it can find on the computer, on the mapped network and on removable drives. If even one of those infected files remains behind after a clean-up effort, it can re-infect the computer all over again.
Sounds bad, doesn’t it? But it’s about to get worse. According to Stu Sjouwerman, CEO of security awareness training company Knowbe4, the current version of the malware contains the decryption key, but he expects the next version to use an external key.
What this means is that a good, up-to-date antivirus or anti-malware program can remove the infection and unlock the file using the built-in decryption key. Soon it won’t be able to do that.
“This is obviously version one since it carries the key in it,” Sjouwerman said. “Version two will likely have the key external.” But things are already changing. For now, your existing protection may still be able to handle this virus, but maybe not easily. “If you have anti-malware-antivirus, it will have a problem keeping up with this,” he said.
New Self-Replicating Ransomware Poses Threat to Corporate Networks
However, at least for now, some security software, including antivirus software from Sophos and Malwarebytes’ anti-malware, can detect the malware and prevent infection; the Sophos AV can extract the original data and erase the virus. It remains to be seen how effective this will be as new versions of this malware roll out.
Meanwhile, there are things you can do to help keep malware like this at bay. Sjouwerman provided a series of actions that enterprises can take to help either prevent or limit the damage caused by this malware:
- Test the restore function of your backups and make sure it works and have a full set of backups off-site.
- Start thinking about asynchronous real-time backups so you can restore files with a few mouse clicks.
- Get rid of mapped drives and use UNC (universal naming convention) links for shared folders.
- Look into whitelisting software that only allows known-good executables to run.
- Update or enforce security policy best practices, such as thorough effective security awareness training to prevent these types of infections to begin with since the infection vector is your end-user opening up an attachment or clicking on a link.
The infection vector that Sjouwerman mentions is the infected phishing email or other means that might have come along to introduce the malware into your network. It’s worth noting that the ransom message will likely show up appearing to be a message from your local or national law enforcement agencies, such as appearing to be from the FBI. If the computer isn’t connected to the Internet, then you’ll see a generic message asking for a fine to be paid in Bitcoins, and threatening arrest.
Fortunately, this malware can be eliminated and your files restored if you’re backing your hard drives up. But be aware that if you’re simply copying data to a network drive mapped with a drive letter, those backups may also be infected.
This is why care has to be taken that you access the uninfected data in another way. Normally a cloud-based backup system will not be affected by this malware. However, you need to inspect your backup files, and restore from backups made before the infection took place.
One way to tell whether the files on the remote backup are infected is to look at the file names of those backups to see if they have an EXE file extension. If they do, then look for an older backup.
This new malware is a particularly nasty product, but it’ll likely get worse. The only choice you have to keep running is to employ the best antivirus and anti-malware software, keep it up to date, train your employees how to recognize phishing emails and otherwise follow good computing practices. Then you can survive this latest wave of ransomware infections that are sure to break out.