Malware THAT TAKES YOUR FILES HOSTAGE

5 things you need to know about malware that takes your files hostage

multiple_ransomware_warnings

1. Online criminals are using our sense of shame to rob us.
According to the F-Secure Labs:

Ransomware’ is a type of malware that attempts to extort money from a computer user by infecting and taking control of the victim’s machine, or the files or documents stored on it. Typically, the ransomware will either ‘lock’ the computer to prevent normal usage, or encrypt the documents and files on it to prevent access to the saved data.

The ransom demand will then be displayed, usually either via a text file or as a webpage in the web browser. This type of malware leverages the victim’s surprise, embarrassment and/or fear to push them into paying the ransom demanded.

Ransomware may arrive as part of another malware’s payload, or may be delivered by an exploit kit such as Blackhole, which exploits vulnerabilities on the affected computer to silently install and execute the malware.

2. It can infect you regardless where you live whether you’re on your PC or mobile device.
The internet erases geography.  If you often install applications from third-party Android markets and happen to download a Trojan:Android/SLocker app, then you can get infected.  If you stay within the official markets then this risk is minimized.

3. Prevention is better than the cure.
Make sure you have updated security protection for all your PCs and devices. Practice good computing habits on your PC and your mobile.

 Be very cautious when installing any application on your device.  Although official markets have served up malware, the risk is minimized heavily. Always keep your phone’s OS and apps up-to-date.

Once a malware is able to encrypt your data, there’s usually very little chance to decrypt them yourself so regularly backup important files with either offline or online/cloud solutions.

4. Once your files are encypted, you probably won’t get them back.
For instance Trojan:Android/SLocker uses AES for encryption, which is a really strong encryption. You can try to use our removal tool but remember number 3.

5. Don’t pay.
Giving into the scheme only encourages the bad guys.

Cheers,

Jason

[Image by rawdonfox via Flickr]

More posts from this topic

iot

The big things at CES? Drones, privacy and The Internet of Things

F-Secure is back from CES -- where the tech world comes together in Las Vegas to preview some of the latest innovations – some which might change our lives in the coming years, others never to be seen or heard again. Inside the over 200,000 square meter exhibit space, Drones flew, and made a fashion statement; hearing aids got smartphone apps; and 3-D printers printed chocolate. We made a stir of our own with Freedome. Our David Perry reminded the industry professionals that the mobile devices nearly all of them were carrying can do more than connect us. "I want you to stop and think about this," he told RCR Wireless News as he held his smartphone up on the event floor. "This has two cameras on it. It has two microphones. It has GPS. It has my email. It has near-field detectors that can tell not only where I am but who I'm sitting close to. This is a tremendous amount of data. Every place I browse on the internet. What apps I'm running. What credit cards I have. And this phone doesn't take any steps to hide my privacy." In this post-Snowden world, where professionals are suddenly aware of how much their "meta-data" can reveal about them. Privacy also played a big role in the discussion of one the hottest topics of 2015 -- the Internet of Things (IoT). The world where nearly everything that can be plugged in -- from washing machines to light bulbs to toasters -- will be connected to the internet is coming faster than most predicted. Samsung promised every device they make will connect to the net by the end of the decade. If you think your smartphone holds a lot of private data, how about your smarthome? "If people are worried about Facebook and Google storing your data today, wait until you see what is coming with #IoT in next 2-5 years," our Ed Montgomery tweeted during the event's keynote speeches, which included a talk from US Federal Trade Commission Chairwoman Edith Ramirez that tackled privacy issues on the IoT. Newly detected attacks on home routers suggest that the data being collected in our connected appliances could end up as vulnerable to snoops and hackers as our PCs. Some fear that these privacy risks may prevent people from adopting technologies that could eventually save us time, effort and energy. At F-Secure we recognize the promise that IoT and smart homes hold and we’re excited about the coming years. But we also understand the potential threats, risks, and dangers. We feel that our job is to enable our customers to fully enjoy the benefits of IoT and that is why we’re working on new innovations that will help customers to adopt IoT and smart home solutions in a safe and controlled way. It will be an exciting journey and we invite you to learn more about our future IoT solutions in the coming months. We at F-Secure’s IoT team would like to hear from you! Are you ready to jump on the IoT? What would your dream connected home look like? Or have you perhaps already set up your smart home? What are you worried about? How could your smart home turn into a nightmare? Read the rules and post your thoughts below for your chance to win one of our favorite things -- an iPad Air 2 16 GB Wi-Fi. [Image by One Tech News | via Flickr]

Jan 21, 2015
SONY DSC

Authentication is a two way street!

In computer security, we throw around the word authentication all the time. It means a process or mechanism that is used to prove that you are you, (or that someone else or something else proves to you that they are they). Imagine yourself in a wartime  encampment. Someone approaches the sentry and the sentry calls out "Flash" The approaching soldier replies, "Thunder". This is a classic sign and countersign password set from World War II. The answer doesn't make any sense, and that's entirely on purpose. This was to prove to the soldier that he was at the right camp, and to the sentry that he was one of his own. There is a lot of chatter about signs and countersigns at one of my favorite blogs, and you can find it here. In the age of computers, things get a lot more complicated, but it's basically the same process. The website wants to know who you are, that you are the right person, and that is authentication. Now there are three methods of authentication, and they are: 1. Something you have, such as your driver's license, credit card, etc. 2. Something you know, such as a password. 3. Something you are, such as your fingerprint, retinal scan, or facial structure. This is called biometric authentication. On a computer, you actually have other things that can be known about you. There is your IP address (the address assigned to your computer on the internet), and your computer itself has a unique identifying serial number that isn't too difficult to read. Your operating system identifies itself, so do many other pieces of hardware and software on your computer, all unique, and all traceable back to you. One of the things that we use to protect ourselves is a kind of authentication called a password. This creates a lot of confusion in our lives, and small wonder--what follows is abstracted from my personal blog: Hackers are into lockpicking.  Every year at DEFCON there are lock picking contests and demonstrations, and you can buy the various tools (picks, bump keys, etc.) at Black Hat and DEFCON and many other such events. Now,  Timo Hirvonen tells me that this is a legitimate extension of learning Penetration testing, and I believe that that he is absolutely correct. I actually took up lockpicking in the summer of 1965, long before I ever dealt with a computer, but that's a story for another day. This is actually relevant, so you might want to stay with me, here. Take a look at the typical key pictured above. This is a key to a pin tumbler lock, and is the most common kind. Notice that the little notches in the key is at a different depth. The key would insert into the keyhole, which is in the part of the lock called a cylinder. When all the notches on the key line up properly, the pins line up so that the cylinder can turn. They have to be very accurate. Our example here is a five pin lock, so this key would only need notches cut in five places. The pins each have a number of discrete settings, and just to make it easy, let's imagine that there are five different settings for each pin. So how many possible combinations is that? Five times five is 25, but that's not it. Neither is five times five times five, or 125, correct. This would be a very simple lock, but it would carry a grand total of 3,125 combinations (five to the power of five). If each pin had six possible positions, you could raise that to 15,625 different combinations. With a pin tumbler lock, like the one shown here, there is also a restriction that the key has to be the right keyway (that's what they call all the channels and grooves that let the key fit into the lock). Each brand of lock uses a unique keyway which is why the key shop has hundreds of different key blanks hanging on a big rotating display. This is a very close model of an internet password. The number of pins is equivalent to the number of characters, and the number of possible positions is equal to the number of possible characters. This is why people keep telling you that a password is either strong or weak.  Let's look at it. Imagine a very short password of only two characters. If you use only numbers, then there are only ten possibilities for each character position. (0-9) so with that limitation, a two digit password using only numerals in base ten would give you only 100 possible combinations. If you had to type that in by hand it might be too much trouble, but a computer could feed those hundred combinations in less than a single second. The same two character password, if it used alphabetical characters, instead of numbers, would give you 676 possible combinations, instead of a hundred. Going to more places, or more pins, would give you an even greater combination, such as noted below. Well, you don't have to. You can get a program known as a password manager. The one we make here at F-secure is called KEY. We will take a look at that in just a little bit. First we want to make a couple of things clear.So, as you can see, it becomes much more difficult to crack a longer password, or a password with more available characters. That is not the end of the story. If you use a password made up of words that can be found in any dictionary, then a hacker could attack your password with a dictionary. Really. It's actually called a dictionary attack. So the best password would be gibberish.  How would you ever remember such a thing? 1. Passwords are extremely valuable, they are the online version of your keys, and eventually your car will start and your door will open to a password, rather than to a physical key. (I am very tempted to run off on a tangent, here)  You need to pay some attention to your passwords, because they are getting stolen left and right and because they open the door to your email, to your reputation and to your bank account. RUNNING OFF ON A TANGENT Car keys have gotten much more complicated over the last decade. First we added electronic door locks to the car, and the key acts as a remote control. Other functions come with that, including trunk release, and some kind of an alarm system. On top of all that, there is a secondary locking mechanism included with your key, where the car will only open for a key with both the proper physical keyway and tumbler pattern (( as described above)) AND the proper electronic signature.  So, in my car, for example, a new key needs to be cut and then programmed, and a new key costs almost $300! Now they tell you that's because it takes extra programming, but it's really because you NEED a car key, and based on the brand of car you drive, and I drive a Lexus, they hit you up for the highest price the traffic will bear. The circuitry isn't worth nearly that much, and neither is the 'programming'.  This is indicative of the state of the world. Drive a 1961 Buick, and you can buy a key for a buck, drive a 2001 Lexus, and the key is $300---the newest models skip the physical key entirely, and cost even more. They only charge what the traffic will bear. 2. It is very important that you not use the same password for everything. If you do, when somebody cracks one of your passwords they can find all of them. Some people use simple, same passwords for things they don't really care about (your Cookie Bakery discount code coupon, for example) but use stronger, unique passwords for more important things, like missile launch codes. 3. Do not use passwords that can be derived from the names of your pets, or the name of your spouse, or your boat, or anything that could ever be found out about you from a thorough analysis of your Facebook page. 4. Back up your data!  I use two different backups on everything, and a third backup on the most important data. I back up to a NAS (network attached storage) device, and to the cloud, and the third method is secret. Never put yourself in a situation where somebody could hack into your account and steal or delete anything you are going to need. Having said that, I want to say that too many things are authenticated these days (that's what a password is all about, authentication--it's when you prove that you are you) If you are doing a lot online you might actually be known via hundreds of passwords and who can possibly keep up with that? Nobody, that's who. It's just another example of FUTURE SHOCK, brilliantly predicted in 1971 by Doctor Alvin Toffler. My point? Maybe we are authenticating too much. Does your nephew's Bar Mitzvah really need me to get a password to reply to the evite? Do I really need a strong password to protect my registration to a trade show? The universal and always increasing demand for new passwords kind of cheapen the image they have to the public. If you need to keep track of a hundred passwords, then you might not put so much effort into managing them. Here at F-Secure we have a solution and it is called KEY. I use it on all my devices and I think it handles things very well indeed. It synchronizes all your passwords to all of your devices under a single master password. The keys are safely encrypted and cannot be extracted from either the install nor the cloud. It can and will generate new and stronger passwords for your most valuable data. You might want to look into it. Persevere, David Perry Huntington Beach, California 10/29/2014

Jan 8, 2015
BY