Ransomware – the ‘new’ virus type

HelpLocky encrypts your data using AES encryption and then demands 0.5 bitcoin to decrypt your files.  Though the ransomware sounds like one named by my kids, there is nothing childish about it.  It targets a large number of file extensions and, even more importantly, encrypts data on network shares, including ones that are not mapped to a drive letter.  If you don’t have a backup your data is gone, unless you pay and hope the payment isn’t yet another scam.

Those of you with a server are in much better shape: backups, Shadow Copies and the like.  Stand-alone computers are the ones at risk.  The virus (usually run as a script or macro from an email attachment) will delete the local shadow copies (removing the “Previous Versions” fallback) and sometimes hunt down backup files it can reach and wipe them out.

So far I’ve seen 5 infections of this virus and only 1 had data loss (that client at least remembers me specifically telling them.. “Seriously, you really need a backup of some type, you know, just in case”).  Each infection differed in the targeted files.  Sometimes it was MS Office files, image files or PDFs, but there is no limit to what it COULD encrypt.. it just happened to be working through its priority list before we stopped it.

Why didn’t the anti-virus catch it?  Because the user ran it: to the system it isn’t a virus, it is a program doing ordinary file operations with the user’s own permissions.  It is much trickier to limit what a user can do to a file they are allowed to open (like saving over it or deleting it) than to limit who can open the file at all.  It sounds like a fine point, but that kind of per-file control, plus versioned backups the user can’t touch, means you need a server, and if you have one this virus is an inconvenient event, not a source of data loss.

The real victims are home users and ‘server-less’ environments.  The most recent off-line backup could be the only fallback.

So if you see a .locky file on your machine, reboot.. NOW!  Pull the power cord if you need to; the encryption process is (usually) only running in memory and that stops it.  At the very least unplug the network cable so it stops reaching the shares.  If you are on a network you can look at the file properties of the newly created ‘How to fix’ file in the same directory (it could have a few names but you’ll know it when you see it) and under the Details tab of the file properties it’ll tell you the user/system infected (the one that created the new file).  Reboot that machine ASAP.
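As an added example (not from the original post), the two checks above, scripted so you don’t have to click through file properties one folder at a time: scan a share for recently modified .locky files and ransom notes, report which account created them (the same Owner value the Details tab shows), and check whether the local shadow copies survived.  The share path is a hypothetical placeholder, and the ransom-note file names are assumptions based on the early Locky variant; change them to whatever your copy dropped.

```powershell
# Added example: triage a share for Locky artifacts and find the infected account.
# Run from an elevated PowerShell prompt (PowerShell 3.0 or later) on a machine
# that can reach the share. Share path and note names below are assumptions.
param(
    [string]$SharePath = '\\FILESERVER\Shared',   # hypothetical share, change to yours
    [int]$Hours = 6                               # how far back to look
)

$since = (Get-Date).AddHours(-$Hours)

# Encrypted files get a .locky extension; a recovery-instructions note is dropped in
# each folder the virus touches. These note names are assumed for this variant.
$notePattern = '^(_Locky_recover_instructions|_HELP_instructions)\.'

$hits = Get-ChildItem -Path $SharePath -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object {
        $_.LastWriteTime -ge $since -and
        ($_.Extension -ieq '.locky' -or $_.Name -match $notePattern)
    }

if (-not $hits) {
    Write-Host "No Locky artifacts modified in the last $Hours hour(s) under $SharePath."
}
else {
    # The Owner on an NTFS share is the account that created the file, i.e. the
    # infected user. Group by owner so the machine to reboot stands out.
    $hits |
        ForEach-Object {
            $acl = Get-Acl -LiteralPath $_.FullName -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Owner    = if ($acl) { $acl.Owner } else { '<access denied>' }
                Path     = $_.FullName
                Modified = $_.LastWriteTime
            }
        } |
        Group-Object Owner |
        Sort-Object Count -Descending |
        ForEach-Object {
            $first = ($_.Group | Sort-Object Modified | Select-Object -First 1).Modified
            Write-Host ("{0}: {1} artifact(s), earliest {2}" -f $_.Name, $_.Count, $first)
        }
}

# Locky deletes the local shadow copies. An empty list here means the
# "Previous Versions" fallback on THIS machine is already gone.
$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue)
Write-Host ("Shadow copies present on this machine: {0}" -f $shadows.Count)
```

The owner reported for the note file is the account to chase; reboot (or pull the cord on) whatever machine that user is logged into, then start looking at backups.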

Google can offer you some help recovering, and so can Malwarebytes.org (in finding any viral leftovers).  Your server and backups are your best hope; failing those, a few bitcoins and some trust in the makers of the virus are all you might have left.

Back up often, trust no email attachments.

“Hi, this is your computer company”

“Hello, this is your computer company and we are making this free call because you have a computer virus spamming the net.”

Oddly enough you don’t recognize the voice, and they don’t seem to know anything about your computer or anything else.  They tell you it’s really bad and they just need to help you fix the problem.  The final hint.. their English is really bad and heavily accented.

It’s a scam.  Most people know it in seconds, but those who are less familiar with computers tend to fall for it.  They are tricked into giving out information that can result in signing up for useless services or programs, or at worst lets the scammers into their machines.  People feel foolish enough after these misadventures not to tell others about their experience, which hides how often this really happens.

Warn your folks/kin/parents (the elderly are especially vulnerable) and be vigilant.  It’s an old trick with a new twist, and Telus is no help at stopping these scammers from calling (you’d think they’d block the call centres from calling into Canada at all).

If in doubt, call me.. but you already knew that.