We have recently seen an Internet fraud/threat become more and more widespread. The fraud/threat tries to make people open malicious e-mail attachments by including personal and/or relevant information in the e-mail (such as actual phone numbers, user IDs for various services, real postal addresses, etc.) so that the message looks genuine to the recipient.
If the recipient, or the software the recipient uses to read e-mail, opens the attachment, the attached malicious code is executed: all documents, spreadsheets, drawings, presentation files, etc. are encrypted and the user is prompted to pay a ransom to obtain the decryption key.
Unfortunately there is no way to recover the files, because the criminals are using state-of-the-art encryption algorithms. Please also note that paying the ransom will only encourage the criminals.
The most important protective action against malicious programs attached to e-mail is not opening attachments unless you are certain that the attachment is not an executable.
MS Windows executable files have extensions such as (not an exhaustive list) EXE, COM, JS, JSE, JAR, MSI, PIF, WS, WSF, SCR, SCF, REG, HTA, CPL, MSC, BAT, CMD, VB, VBS.
Before opening an attachment, make sure that the file(s) do not have one of the above extensions. Please also note that MS Windows operating systems usually hide file extensions and display a file’s name as “openme.doc” rather than its real name “openme.doc.exe”.
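As an added illustration of the two points above (not part of the original notice), the following script takes attachment file names, works out what Windows Explorer would display with extensions hidden and what the real last extension is, and flags any name whose real extension is in the list above. The sample attachment names are constructed for the example.

```python
from pathlib import PurePath

# Extensions the notice lists as executable on MS Windows (not exhaustive).
EXECUTABLE_EXTENSIONS = {
    "exe", "com", "js", "jse", "jar", "msi", "pif", "ws", "wsf", "scr",
    "scf", "reg", "hta", "cpl", "msc", "bat", "cmd", "vb", "vbs",
}


def inspect_attachment(name):
    """Describe how Explorer with 'hide extensions' on would show this file
    and what its real (last) extension actually is."""
    path = PurePath(name.strip())
    real_ext = path.suffix[1:].lower()                 # 'openme.doc.exe' -> 'exe'
    # With extensions hidden, Explorer drops only the last suffix, so
    # 'openme.doc.exe' is shown as 'openme.doc'.
    displayed = path.stem if real_ext else path.name
    return {
        "name": path.name,
        "displayed_as": displayed,
        "real_extension": real_ext,
        "executable": real_ext in EXECUTABLE_EXTENSIONS,
    }


def risky_attachments(names):
    """Return the attachment names that must not be opened."""
    return [n for n in names if inspect_attachment(n)["executable"]]


# Constructed sample attachment names for illustration (not from a real message).
SAMPLE_ATTACHMENTS = [
    "invoice-2015-03.pdf",
    "openme.doc.exe",
    "photo.JPG",
    "Order_Details.PDF.scr",
    "statement.js",
    "notes",
]

if __name__ == "__main__":
    for attachment in SAMPLE_ATTACHMENTS:
        info = inspect_attachment(attachment)
        verdict = "DO NOT OPEN" if info["executable"] else "ok"
        print(f"{info['displayed_as']:>22}  (real name: {info['name']})  {verdict}")
```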
To list a few precautions:
1. Never open unexpected attachments, and if you are not sure, contact the apparent sender to ask whether the message is genuine.
2. Windows users: Uncheck the “hide extensions” option in Windows Explorer. Please refer to the Microsoft support site for the procedure for your OS version. Suggested search keywords: “microsoft.com: Windows explorer disable hide extensions”.
3. Never open an attachment by double-clicking it. Always save it to a directory first and examine the contents.
4. Use Mozilla Firefox or Chrome to browse the web and make sure that one of them is your default browser.
5. Use Mozilla Thunderbird as your e-mail client software.
This ransomware has once again proven the importance of backing up data files.
We want to remind our users to make frequent backups of their important files.
A few suggestions:
1. Use USB memory sticks or external USB disks (or similar) to copy your important files.
2. Never overwrite existing backup files/directories when making backup copies onto an external device.
3. Every time you want to make a backup, create a new directory named with the date of the backup (e.g. 2015-03-23) and copy the files into that directory. If space is needed on the external device, remove the oldest directory first and then start the new backup.
4. NEVER LEAVE THE EXTERNAL STORAGE DEVICE (USB MEMORY, EXTERNAL DISK) CONNECTED TO YOUR COMPUTER. When the backup process is complete, unmount the device (safe removal) and disconnect it from the USB interface.
5. If you are an MS Windows user, make sure that the actual files are copied onto the external device rather than their shortcuts. The most reliable way to confirm this is to check the size of the copied files and to try opening a few of the backed-up files on a different computer.
6. You can use cloud storage services (like DropBox, GoogleDrive, etc.) to store your backup files. If you do so, NEVER USE THE CLIENT APPLICATIONS THAT MAKE YOUR CLOUD STORAGE APPEAR AS A DRIVE ON YOUR COMPUTER. USE THE CLOUD STORAGE SERVICE ONLY and ONLY THROUGH ITS WEB INTERFACE. If you have installed the client software that makes your cloud storage appear as a disk drive on your computer, the ransomware will encrypt your files on the cloud as well. If you are a cloud storage user and have the service’s client software installed, we strongly recommend that you uninstall it NOW.