Tag Archives: Locky

Adobe Releases Flash Security Update Due To New Exploit

Yesterday Adobe released the emergency security update for Flash Player that it had announced earlier this week. This update was released ahead of the next Update Tuesday because the Magnitude Exploit Kit (defined) is exploiting a zero-day vulnerability (defined) in order to infect devices/systems with ransomware (defined), specifically the Cerber and Locky variants.

The update addresses 24 critical security vulnerabilities (more formally known as CVEs (defined)), one of which (as mentioned above) is currently being exploited and has been since at least the 31st of March according to the security firm Proofpoint.

=======================
Update: 13th April 2016:

Microsoft issued their security update for Windows 8.1 users (Internet Explorer) and Windows 10 users (Microsoft Edge and Internet Explorer). Further details are available in their security bulletin.

Thank you.
=======================

(Please see the update above): At the time of writing Microsoft had not yet made available the relevant updates for Microsoft Edge or Internet Explorer. They have since done so in a separate security bulletin. The full list of security bulletins is available from this page. Google reacted quickly, releasing version 49.0.2623.112 of Chrome, which includes the updated Flash Player v21.0.0.213.

Flash Player updates for Linux, Apple Mac OS X and Windows are available from this link (which can be used if you don’t have automatic updating enabled or simply wish to install the update as soon as possible). As explained by Sophos the automatic updater of Flash Player updates systems in phases in order to avoid too much congestion on Adobe’s servers.

As always, if you have Flash Player installed I would recommend installing the necessary update as soon as possible. You can check whether you have Flash Player installed using this page.

In addition, please follow my recommendation to enable the Attack Surface Reduction (ASR) mitigation of Microsoft EMET as detailed in this post, in order to mitigate Flash-based vulnerabilities being exploited in applications that can open Microsoft Office documents and/or Adobe PDF files.

Thank you.

Blog Post Shout Out March 2016

With the growing prevalence of ransomware, it’s prudent to take steps to avoid becoming infected with this malware and losing your data, and to be able to recover quickly without paying the ransom if you are infected.

For these reasons I wanted to provide a respectful shout-out to the following blog posts, which provide practical advice to businesses and consumers/personal users on how to protect themselves from ransomware in general and from the “Locky” variant in particular:

The Simple Way to Stop your Business from Being Extorted by Ransomware by Graham Cluley (writing for Bitdefender)

“Locky” ransomware – what you need to know by Paul Ducklin (Sophos Security)

Update: 12th March 2016:
Got ransomware? What are your options? by Paul Ducklin (Sophos Security)

Massive Volume of Ransomware by Rodel Mendrez (SpiderLabs): details how to defend against the Locky ransomware being spread using JavaScript attachments within spam messages.

Further information/discussion on ransomware is provided in a previous blog post. I hope that you find the above posts useful. Thank you.

Defending Against Ransomware

What is Ransomware?

Ransomware is malware that stops you from using your computer in some way. This can be either by showing a lock-out screen (not allowing you to log in) or by encrypting your personal data. In either case a ransom is demanded in order to regain use of your computer or to recover your (now inaccessible) data.

Ransomware has been around for many years, becoming most prevalent from late 2011 onwards, with Reveton being one of the most well-known variants from approximately 3 years ago. Despite this category of malware being several years old, newer variants such as CryptoLocker, TeslaCrypt and most recently Los Pollos Hermanos continue to cause disruption, stress and financial loss to their victims. Further information on ransomware is provided in this blog post and explained further in this podcast.

Should you pay the ransom?

Since paying the ransom convinces the malware authors that their scheme is working and funds a black market economy, you should not pay the ransom. I realize that if the ransomware has encrypted irreplaceable data that is not backed up you may feel you have no choice but to pay it, but there is no guarantee that you will get your data back. The human impact of ransomware is detailed in this analysis by FireEye. One possible outcome is that the ransom is paid but the files still cannot be decrypted.

How To Remove an Existing Ransomware Infection?

If you have an existing ransomware infection I would suggest following the advice from this short Sophos blog post. That blog post also references an explanatory YouTube video. The Sophos Bootable Antivirus CD mentioned in the above blog post can be created using the steps in this knowledge base article.

An alternative approach is detailed by Mark Russinovich of Microsoft in this blog post (see the section titled “The Hunt”). He provides further easy-to-follow steps to remove the malware should scans with Microsoft Security Essentials or Windows Defender Offline fail.

If the above advice is not successful in removing the ransomware infection, please consider using one of the 3rd-party malware removal services mentioned in this Symantec forum post. Please note that this forum post does not list services that Symantec wishes to promote or advertise; these services are provided by trusted and highly successful 3rd parties independent of Symantec.

Preventing A Ransomware Infection:

In order to prevent a ransomware infection I would recommend the following steps:

  1. Keep your operating system and web browser up to date. I detail how within this page.
  2. Install and use anti-malware software (ensure that it offers real time protection (continuous monitoring)).
  3. Don’t open attachments from an untrusted source or attachments you weren’t expecting from someone you do trust (their email account could have been hijacked).
  4. Back up your data regularly. At least one such backup should not be connected to your computer (if it’s connected at the time the malware infects your computer, your backup could also be encrypted). In addition, test that you can restore any data that you wish from your backup before such a malware infection occurs.
  5. Further advice is also provided by FireEye in the blog post that I mentioned above (please see the final section titled “Individuals and Small Businesses Should Consider Basic Steps to Protect Themselves”).
  • Note: If you use cloud storage e.g. Google Drive, Dropbox etc., please ensure that the cloud drive is not accessible (in the same way as a standard folder) on your computer when you are not actively using it. If you get a ransomware infection it could also encrypt the backup cloud drive (since it works just like another folder on your computer), and this makes restoring your data more difficult.

Update: 29th May 2015:
If you are using an edition of Windows (compatible editions listed here) that incorporates AppLocker (for Windows 8.0 and later, only corporate editions of Windows incorporate AppLocker), please enable it with executable rules set to Enforce, to prevent ransomware and other malware from running on your PC.

Update: 10th November 2015:
This detailed post from Susan Bradley provides easy to understand further advice on defending against ransomware.

Update: 10th January 2016:
In addition to the information/advice in this blog post; a more recent blog post also discusses a new type of ransomware threat and how to protect yourself against it.

Update: 31st January 2016:
This Computerworld article provides further defensive tips e.g. restricting mapped network drives and knowing the users of your devices.

Since AppLocker is a form of application whitelisting, only executable files that you pre-approve (i.e. files that run code, usually applications) will be allowed to run. AppLocker can also prevent unauthorized Windows Installer files (*.msi and *.msp) and scripts e.g. PowerShell and batch files (among others; more details are provided here) from running without prior approval. Further resources for configuring AppLocker are provided in this article and this series of articles.
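As an added example (my own, not taken from the articles linked above), the following PowerShell builds an AppLocker allow-list from the software already installed in trusted locations, covering executables, Windows Installer files and scripts as described above. It assumes an elevated session on an AppLocker-capable Windows edition and that the directories in $trusted are where your approved software lives.

```powershell
# Added example, not code from the blog post: build an AppLocker allow-list
# policy so that only executables, installers and scripts already present in
# trusted locations may run. Assumptions: an elevated session on an
# AppLocker-capable Windows edition; $trusted lists your approved directories.
Import-Module AppLocker

# AppLocker only enforces while the Application Identity service is running.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# Inventory the approved locations. Publisher rules cover signed files, hash
# rules cover the rest; -Optimize folds rules sharing the same publisher.
$trusted  = @('C:\Windows', 'C:\Program Files', 'C:\Program Files (x86)')
$fileInfo = foreach ($dir in $trusted) {
    Get-AppLockerFileInformation -Directory $dir -Recurse `
        -FileType Exe, WindowsInstaller, Script
}
$policyXml = $fileInfo |
    New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -Xml

# Generated rule collections default to NotConfigured. 'AuditOnly' logs what
# would be blocked (Event Viewer: AppLocker > "EXE and DLL", "MSI and Script")
# without stopping it; 'Enabled' is the enforcing mode the post recommends.
$mode       = 'AuditOnly'   # switch to 'Enabled' once the audit log is clean
$policyXml  = $policyXml -replace 'EnforcementMode="NotConfigured"',
                                  ('EnforcementMode="' + $mode + '"')
$policyPath = "$env:TEMP\applocker-allowlist.xml"
$policyXml | Out-File -FilePath $policyPath -Encoding Unicode

# Dry run before applying: a harmless script created in a user-writable folder
# matches no allow rule, so it must be Denied; a trusted binary must be Allowed.
$probe = "$env:USERPROFILE\Downloads\applocker-probe.ps1"
'Write-Host "probe"' | Set-Content -Path $probe
Test-AppLockerPolicy -XmlPolicy $policyPath -Path @(
    $probe,
    "$env:windir\System32\notepad.exe"
) | Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
Remove-Item -Path $probe

# Apply to the local machine policy and refresh Group Policy.
Set-AppLockerPolicy -XmlPolicy $policyPath
gpupdate /force
```

Files installed after the policy is generated (updates, new applications) need new rules, which is why publisher rules are preferred over hash rules wherever the software is signed.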

Update: 6th March 2016:
For advice on preventing a ransomware attack from affecting your business, please see this more recent blog post. That post also provides a resource for defending against the “Locky” variant of ransomware, an excellent explanation of your options/what to do when ransomware has already infected your computing device (complementing the existing information in this post), and advice on defending against the Locky variant being spread via spam messages.

Update: 17th March 2016:
In February 2016 very large numbers of websites powered by WordPress (a blogging tool/content management system) were compromised and used to spread ransomware to those who visited the websites. This threat and recommendations to remove/prevent it are also available in a previous blog post.

In early March 2016, Apple Mac OS X systems that had the Transmission BitTorrent client version 2.90 installed were at risk from a ransomware infection. Further discussion and recommendations are provided in a more recent blog post.

Update: 26th March 2016:
This more recent blog post provides further advice on preventing ransomware (not previously documented within this blog). Please review it to further defend yourself against this increasingly prevalent threat.

Thank you.