Fein-Lines: Virus, Phishing, Ransomware…Oh My!
Malware, the collective name for viruses, Trojan horses and other malicious software that can infect your computer, has been in the news lately, probably more than at any time I can remember. Over the years, malware has evolved; it can affect smartphones and tablets as well as all computers. No matter what you hear from the fake news outlets, no computer, no brand, and no type is 100% safe. Malware on a computer is as old as the first computers. In fact, the first computer virus was called Elk Cloner and was found on an early Apple Mac in 1982.
Back in the day, a few years after I first started using a personal computer (an Apple II+ in 1979-80), the first virus strains were spread by infection obtained through inserting a contaminated floppy disk into your computer. Viruses spread globally but this took many months, sometimes years. Now we have the Internet and a zillion more PC users, and the incentive for those who produce malware is no longer mischief or experimentation. There is now a large financial incentive as seen with the explosion of the latest ransomware, the WannaCry malware.
I will cover malware in more depth in articles over the next few months, but for now let’s focus on the two most widely and commonly seen contaminations: the most dangerous and expensive to eradicate today—at least once you have been infected—and its junior version, the browser lock-up, which can be frightening but which is much easier to fix.
By now I am sure that most of our readers know what ransomware is. Briefly, it is malicious code that, once it gains access to your computer or your network, can lock up all files on your computer as well as all computers on the network it is connected to and all drives, including back-up drives connected to any computers on your network, be they your home, work or even a public network you are connected to. Once it is established and it has locked your files, it gives you a very stern notice that it has locked your files and that to get them back you must pay a ransom. Not only that, you must go out and buy bitcoin to pay it, as bitcoin is untraceable. In addition, you only have a relatively short period of time to pay or the ransom increases. If you still do not pay, all of your files will be destroyed.
I know that all of you do back-ups of your computer’s data on a regular basis, right? Right? After all, if you do not, you will eventually lose your data anyway from a number of other accidental or malicious events such as hard drive failure (they all can fail eventually, some quicker than others), loss or theft of the device or many other forms of malware. Doing back-ups is a critical and easy-to-do form of insurance. However, in the case of the latest ransomware, once you are infected a standard back-up that is always connected to your computer may not save you as your back-up drive may also have become infected.
OK, so what to do? Here are your best choices, in order of preference, IMHO.
- Avoid and/or block the ransomware so that you do not get infected in the first place.
- If you fail to avoid or block and you become infected, you can reload your computer from a good, non-infected back-up.
- If you do not have a non-infected back-up, reformat everything and start over or buy a new computer, regretfully losing all your data (files, pictures, videos, your Great American Novel that you have been writing for years). Or you can pay the ransom (you still may not get your data back or you may still have the infection that can be reactivated by the hacker at another time).
So, a little more about ransomware, and then let’s discuss how to do the above choices in order of preference.
The most widely known ransomware variant, due to the recent outbreak, is WannaCry (actual name: .wncry). This latest ransomware attack has become so extensive because it abuses various security holes in Windows SMBv1 and SMBv2, which most users have left unpatched or do not even know about. This is prevented by the critical update released by Microsoft in March 2017. In addition, Microsoft has just announced that they have just made available an update that blocks WannaCry for Windows 7 and, amazingly, also one for the obsolete Windows XP. Many people, however, do not do updates or let their computer do them on a regular basis. Big mistake unless you are using legacy software that may not be compatible with some updates. If that is the case it may be time to stop using QuickBooks 1998 and get an updated version.
There are other ransomware versions; some even newer and more resistant ones have been introduced. In the last few days (as of 5/18/17) another ransomware variant, Uiwix, has appeared and has now begun to spread by exploiting the same vulnerability in Windows SMBv1 and SMBv2 as WannaCry used. Uiwix can be an even bigger threat than WannaCry ransomware because it does not include a kill switch such as exists in most versions of WannaCry. This kill switch is a domain which, when blocked, can contain its distribution. And in fact the latest round of ransomware was essentially halted by doing just that. With no dial-back option to block, the only way of protecting against Uiwix for now is to patch the affected operating systems. Of course, if the operating system updates had been installed in the first place, you would not have a problem.
I expect that this is only the latest of many versions that we will see that will try to exploit this vulnerability or vulnerabilities on other operating systems and infect as many devices as possible. Just this week Malwarebytes announced a new ransomware aimed at Macs (see their executive summary from a seminar they gave this week as well as their projections for the next few months).
You will not be safe until you at least update your operating system and apply the necessary patch. Also remember that it is possible to contaminate any computer. While WannaCry does not affect Macs or Linux, there are other versions of ransomware that are written just to target Apple, and those do not affect PCs.
Just like a bank robber, the criminal will try to rob the bank with the most money, and with about 90% of the world’s computers running a version of Windows, they are the big target. With Apple’s market share approaching 10% globally, however, they are also vulnerable and finally they are starting to admit it.
Please note: If you get an elementary form of malware, one that just locks up your browser and tells you that you should call the fake Microsoft number for help, this is NOT true ransomware and it can be dealt with. When this happens, you cannot close your browser, and even if you restart your computer and then reopen your browser it comes back to that same webpage or browser tab. Do not worry; that is a cheap and dirty form of ransomware. If you call that number, the criminals will say they are with Microsoft and ask to take control of your computer, and if you are really stupid enough to do that, then you have a much bigger problem. There is an easy fix, however, as long as you do not contact them. All you have to do is make a different webpage active. You can do that by doing a search for a known site such as bing.com or Google.com, then closing the offending tab, then closing and restarting your browser, and all should be well. Another way is to just close your browser. I can hear you saying, “It will not let me close it.” OK, so do a CTRL-Alt-Del hot key, and then you will have the option to open Task Manager. Once Task Manager is open, select your browser, then in the lower right-hand corner of the Task Manager window choose “End task.”
The browser will close, so close Task Manager and then you can open your browser again and all should be well. Again, remember that this fix applies only if you are contaminated by a malicious site that you happened upon—not by true state-of-the-art ransomware.
Now, let’s go on the offensive and look at your options.
Option 1: Avoid or block the ransomware so that you do not get infected in the first place.
Just as with any malware, ransomware is dependent to a great extent on the ignorance or just plain stupidity of the user. Most ransomware infections start with a user clicking on a link in an e-mail. “Click here and I will show you how to get a million $,” or “Your e-mail account must be updated, click here to do so,” or “This is your bank, we have noted an issue with your account, please click here to…”
I am sure you get the idea. If you get such an e-mail and you are concerned, call the institution and inquire. You can also “mouse over” (put the mouse pointer over the link), but do NOT click, and observe the URL that pops up. I bet it will not be from your bank. Remember that Bankofamerica1.com is NOT bankofamerica.com. The first thing to do is not to click on links in phishing e-mails, and if you are not sure whether they are phishing links, call your bank. Be careful.
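The mouse-over check above, written out as an added example (not part of the original column): given the real link target and the domain you actually bank with, it reports whether the link belongs to that domain or is a lookalike. The sample links are constructed, and the expected domain is assumed to be bankofamerica.com.

```powershell
# Added example (not from the original column): apply the "mouse over the link"
# test to a URL. A legitimate link's host must BE the expected domain or a
# subdomain of it; merely containing the name (bankofamerica1.com,
# bankofamerica.com.evil.example) is the lookalike trick phishing relies on.

function Test-LinkMatchesDomain {
    param(
        [Parameter(Mandatory)][string]$Href,           # the real URL behind the link text
        [Parameter(Mandatory)][string]$ExpectedDomain  # the site you actually bank with
    )
    $uri = $null
    if (-not [System.Uri]::TryCreate($Href, [System.UriKind]::Absolute, [ref]$uri)) {
        return [pscustomobject]@{ Href = $Href; Verdict = 'SUSPICIOUS'; Reason = 'not a valid absolute URL' }
    }
    $hostName = $uri.Host.ToLowerInvariant().TrimEnd('.')
    $expected = $ExpectedDomain.ToLowerInvariant()

    # A bank does not send you to a bare IP address.
    if ($uri.HostNameType -eq [System.UriHostNameType]::IPv4 -or
        $uri.HostNameType -eq [System.UriHostNameType]::IPv6) {
        return [pscustomobject]@{ Href = $Href; Verdict = 'SUSPICIOUS'; Reason = "points at an IP address ($hostName)" }
    }
    # Exact match or a real subdomain (login.bankofamerica.com); anything else fails.
    $belongs = ($hostName -eq $expected) -or $hostName.EndsWith(".$expected")
    if (-not $belongs) {
        return [pscustomobject]@{ Href = $Href; Verdict = 'SUSPICIOUS'; Reason = "host '$hostName' is not $expected" }
    }
    if ($uri.Scheme -ne 'https') {
        return [pscustomobject]@{ Href = $Href; Verdict = 'SUSPICIOUS'; Reason = 'login link is not https' }
    }
    return [pscustomobject]@{ Href = $Href; Verdict = 'OK'; Reason = "host '$hostName' belongs to $expected" }
}

# Constructed sample link targets, as they might sit behind "click here" text in a
# mail claiming to be from the bank. Only the first one should pass.
$samples = @(
    'https://secure.bankofamerica.com/login/',
    'http://Bankofamerica1.com/login',
    'https://bankofamerica.com.account-verify.example/',
    'https://www.bankofamerica.com.evil.example/',
    'http://198.51.100.23/update'
)
$samples | ForEach-Object { Test-LinkMatchesDomain -Href $_ -ExpectedDomain 'bankofamerica.com' } |
    Format-Table -AutoSize
```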
The next thing to do is to be sure your computer is up-to-date. Look, Windows XP was a great OS back in 2003, but it is time to relegate it to the scrap heap. Windows 7 was an excellent OS in its day also but it is outdated and can NOT be made as secure as Windows 10. If you have an older computer, however, and you are happy with Win 7, then stay with it but be aware that you are more vulnerable and also that you are missing out on some great performance and feature enhancements. After all, even Win 7 is now an eight-year-old program.
Be sure that you are running an anti-malware utility; there are a number of good ones, both paid and free. Norton, Kaspersky, AVG, and Avast are examples of the good ones. The one I use and have found to be effective and reliable is Windows Defender; it comes with and is designed for Windows 10. And I find it to not be a resource hog. Whichever one you choose, be aware that none of them are 100% no matter what you see on TV. In addition to Windows Defender I recommend adding a second layer of protection by using a second line of defense utility such as Malwarebytes Pro. It is compatible with most other antivirus programs and it has recently been updated to provide good defense against WannaCry ransomware.
In addition, for those of you who are tech-savvy and willing to venture into the more advanced settings arena, you can disable SMB 1.0 file sharing support. This makes most of the present ransomware unable to corrupt your computer. The Server Message Block (SMB) protocol is an old network file-sharing protocol; when implemented in Microsoft Windows it is known as Microsoft SMB Protocol. Basically, it helps old software run in a modern operating system, or lets a very old antique printer with 20th-century firmware do a scan. SMB1 isn’t modern or efficient, and when you use SMB1 you lose key performance and productivity optimizations; 99% of you will never need it. I disable it on my computers as I am a freak for maximum performance.
It is easy to disable, and if for some reason you are running a 20-year-old piece of software that will not run without it, you can always turn it back on. Let me state that if this is beyond what you are comfortable doing then just ignore this section.
If you wish to disable it, go to Control Panel, then go to Programs and Features, then in the upper left there is an option to turn Windows features on or off. Click that, then in the small window that opens scroll down to SMB 1.0/CIFS File Sharing Support and uncheck it. Choose OK, then close the Control Panel and reboot your computer. Done. If you ever need to, you can always turn it back on.
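The same change from an elevated PowerShell prompt, as an added example that is not from the original column. It assumes Windows 10 (the Windows-features and Smb* cmdlets are not on Windows 7); the registry value at the end is Microsoft's documented server-side switch, which is the part that also applies to Windows 7.

```powershell
# Added example (not from the original column): check and disable SMB 1.0 from an
# elevated PowerShell prompt instead of clicking through Control Panel.
# Assumes Windows 10; on Windows 7 only the registry step at the end applies.

function Get-Smb1Status {
    # Optional-feature state (the "SMB 1.0/CIFS File Sharing Support" checkbox).
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
    # Whether the file-server service will still talk to SMB1 clients.
    $server = Get-SmbServerConfiguration
    [pscustomobject]@{
        FeatureState      = $feature.State             # Enabled / Disabled / DisablePending
        ServerAcceptsSmb1 = $server.EnableSMB1Protocol  # True / False
    }
}

function Disable-Smb1 {
    # 1. Uninstall the optional feature (client and server side); completes on reboot.
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    # 2. Stop the server service from accepting SMB1 right away, no reboot needed.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # 3. The same server-side switch via the registry; this is the Windows 7 method.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    Set-ItemProperty -Path $key -Name SMB1 -Type DWord -Value 0 -Force
}

# Run as Administrator. Look first, change only if SMB1 is still present.
$before = Get-Smb1Status
$before
if ($before.FeatureState -ne 'Disabled' -or $before.ServerAcceptsSmb1) {
    Disable-Smb1
    Get-Smb1Status   # ServerAcceptsSmb1 is now False; FeatureState finishes changing on reboot
    Write-Host 'SMB 1.0 disabled. Reboot to finish removing the feature.'
}
# To turn it back on for that one 20-year-old program:
#   Enable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
```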
Let’s move on to Option 2: If you fail to avoid or block and you become infected, you can reload your computer from a good, non-infected back-up.
Assuming you have done none of the above and you have become infected, you can either do a complete reinstall of your computer drives from a clean back-up or if you only have backed-up file history in Windows 10 or just backed up your data you can reformat your drives, reinstall Windows and your programs/apps and then put your data back in from the clean, non-infected back-up. Yes, that will take a few hours, but there are other advantages to doing a full clean reinstall, and you will then be free of the malware. You will be able to give the ransomware developers the one-finger salute.
OK, I hear you. I said earlier that some ransomware corrupts not only your computer but also your back-up drives. This means that a back-up, while valuable in case of other types of malware or hardware failure, will do you no good in the case of WannaCry-type ransomware.
The solution is easy. I always recommend more than one back-up just in case; I use a second external drive. After all, they are relatively inexpensive now. Get yourself a 2 or 4 TB external drive, copy your file history or do a back-up to it, and then disconnect it, unplug it, put it on the shelf and redo it every week or so. Yes, you may not have the absolute latest files on it depending on how often you connect it and do the extra back-up, but you will probably have 98% of your valuable pictures, files and data totally safe and insulated from any malware that may come in contact with your computer. Do a reformat and reinstall from the separate drive that was not connected at the time of infection.
It really is a shame that we must go through this but it is also a shame that we have to lock our doors, have an alarm system, and do all the things that are necessary to protect our family and belongings. It is just the world we live in.
If you did not protect yourself and you became infected and you do not have a back-up, then the last two options come into play, and neither of them is good.
Option 3: If you do not have a non-infected back-up, reformat everything and start over, regretfully losing all your data.
The only thing good about this is that it is easy. You reformat your drive, reinstall your operating system and then your programs and apps, and you basically have a new computer. You can of course also just buy a new computer.
And then, there is Option 4. You can go figure out how to buy bitcoin or you can mine for it for a few months and pay the ransom and take a chance that they will in fact release your files—quite often they do not—and you can also live with knowing that somewhere in your computer that ransomware still may exist just waiting to be reactivated.
For this article, we have focused on ransomware as it is the hot topic, but there are other forms of malware out there. Some of the scariest ones include new versions of rootkit malware, persistent malware (advanced persistent threat malware), and firmware-based malware, in addition to the seemingly more pedestrian viruses and hacks.
We will be publishing a series of articles regarding computer maintenance and security in the coming months and we will cover some of these other threats as well as provide an update on ransomware. As I often say, stay tuned.