What is it exactly, how to distribute itself and what kind of mails would not be opened?
This is a crypto viral code, mainly it infects by electronic mailing, like you get a mail with following:
- You inherited from Grandma'
- Got a letter in your mailbox at London
- Your Insurance is expired
- Your provider changed the contract
- You caught with a hot girl who isnt your wife
- You dont understand coz, its written in different language
- You win a lottery
- You have been choosen
- Earn 6000€ per day
Usually it has an attachment, but its not a sure thing, possible extensions: docx, xlsx, pdf, jpg, bmp, bat, png from macroed word to a nice empty picture, but sometimes more enough to just read the mail.
Lot of people asking me what kind of mails are unsafe, the answer is not exists. Possibly if you got a mail from email@example.com then please try to not open.
Accept some things: You possibly not won a lottery, and you dont have a rich "unknown" relatives. Who want to earn 6000€ per day I think he is not living in this earth.
So there is no standard way to detect these harm. Maybe you get a letter from your fax or printer/scanner, or just from your room mate.
Its possible that the mail is written in your language, but usually english the most.
Is it really harmful?
About 200-300 thousands of machines infected yet since a couple of months and they earn about $5,000.
Its a business and they are good with it.
Numbers of banks, hospitals, insurance companies, lawyer and accountant offices are compromised, its a war against the leadership and the loss of datas are critical.
Can I just paying?
Yes, once you are thinking about paying I assume your IT infrastructure is bad, and you have a lot of very very important data to recover.
You have about 90% chance to get your data back after paying. Since if they are lying about recovery process then who wants to pay to them?
What is BitCoin?
The BitCoin is a crptocurrency and also a secured decentralized peer-to-peer network.
It has some capabilites like nearly impossible to track transactions and everything is crypted well.
The ransomewares uses BitCoin protocol.
Only Windows affacted?
Not only but the most, Linux and OSX also can be infected.
The best protection is a preparing
- Snapshoting / Backup Servers and NAS
- Backup and/or store critical and sensitive datas in cloud
- SQUID Transparent Proxy with Anti-Virus
- Postfix / Exim AV Protection (LDA)
- Use Antivirus software
- Upgrade/Update your operating system
- Design and use a BCP/DRP Plan
What you do when you are infected (as home user)
- If you have an important data on it, just plug out or eject a battery.
- Why agressive shut down? some viruses can detect your attempt and on poweroff they can cause more damage.
- You have to seek some IT company to backup the whole system with crypted or infected files (for future decrypt once the key available) and untouched files. Then Reinstall.
What you do when you are infected (as employee)
You should follow with a tech guy's orders even if he is dumb, he has the responsibility not you.
If you dont have any contact and the world ending is coming and you are the only one:
- Find any network switches and devices, poweroff them to stop network spreading
- If you can access to NAS or Server shutdown them, but nicely
- After every machine which have an access to network plugout (important, so many devices automatically turn on after A/C loss)
- Wait for any IT assistance
What you do when you are infected (as IT Tech)
- The ransomeware is a simple virus, its encrypting all files included network places and integrated with system.
- Cleaning is a bit hard, because you should not boot the machine except from LiveUSB:
- Since it can spread out not bad way to following commands (as employee, above)
- If you can, you should see the logs which machine writing thousands of files.
- Lets begin with servers and nas, backup everything to place which cannot be accessed by others.
- Before we launch back the network, clean any infected machines, notebooks, pcs even tablets.
- "Oh give me a sec, I can decrypt that shit..." forget it, you dont have any luck to guess SHA256, SHA512, AES-CBC keys.
- Not a bad idea keep all files included the crypted ones, its possible in a future to get a public key which can recover your files by community project within months or years.