I’ve been away for a while, and a big part of the reason was that for the first time in my 20 years online, I got a computer virus. This nasty bit of malware, Cryptowall 2.0, strolled right past ESET, my highly-rated antivirus and firewall (the Crypto viruses also beat Norton, Kaspersky and most of the others), and began encrypting all my data files. Had I not caught it early, it would have removed or encrypted all of Windows’ “shadow copies” plus the backups I make constantly in the background on an attached USB drive. *This post contains affiliate links.
I’m the kind of paranoid user who doesn’t click email links, doesn’t open attachments unless I’m expecting them, doesn’t visit porn or warez sites, doesn’t download pirated software or music, doesn’t download apps without researching them first, doesn’t click the Adobe updater popup but rather goes to the Adobe site to make sure there’s a real update which I download direct from them (until they developed the new option of auto-updating, which I now use). For 20 years, my strategy – “be paranoid, run a good AV and firewall, and always have up-to-the-hour backups so you can start over from scratch” – has kept me safe, but not anymore. Experts even predict it’s only a matter of time before these viruses will target Macs. Thanks to “malvertising” and trojans like Gumblar, just visiting a legitimate site can download malware. All your old strategies just aren’t good enough anymore, and the whole situation is only going to get worse.
As webmasters, I feel we have a special responsibility to keep our own systems clean. If your computer is infected, someone could get access to your websites and use them to spread malware. This could devastate a small business.
A new anti-malware strategy
I spent a lot of hours researching this nasty at BleepingComputer and other websites. My goal was both to protect my own PC and to do all I can to make sure my websites never infect some unfortunate visitor. In this post, I’m going to show you everything I did.
What Cryptowall does
In the background while you’re using your computer, Cryptowall does the following.
- Encrypts all your data files with military-grade encryption that no one has managed to break yet. If your files are encrypted, that’s how they’ll stay unless you pay the ransom – and that’s not perfectly reliable, either.
- Deletes all your “shadow copies” (version backups Windows automatically makes of each file).
- Deletes all your restore points.
- Also encrypts the files on any attached backup drive you are using.
- Once this is all done, when you try to open an encrypted file, it pops up a message informing you you’ll have to pay several hundred dollars to criminals to get a decryption key.
In short: it encrypts all your data, and all your attached backups of said data, and encrypted they will stay unless you obtain Bitcoins and pay criminals who may or may not send you a working decryption key.
Fortunately, I caught the infection early and my version of Cryptowall chose a backup of a backup to start its encrypting. But that was pure luck, and what might have happened scares the heck out of me.
I had noticed my PC was using a lot more CPU power than usual, and because it was a few years old, I was suspecting hardware failure. Then ESET notified me that it had found a suspicious file called “DECRYPT_INSTRUCTION.HTML”. In this sense, ESET did better than a lot of other top-rated AVs, which let the encryption process go unchecked. Curious, I searched online for the file name and found BleepingComputer’s fantastic information page. I ran Malwarebytes and it found the actual virus, but because Cryptowall also edits your registry, I felt reformatting was the only way to be sure it was gone. And since I’d already been planning to buy a new PC in the next few months, I just went ahead and did that so I’d also gain the benefit of a more secure version of Windows.
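As an added illustration (not code from this post or from any tool it mentions), the Python script below uses the DECRYPT_INSTRUCTION.HTML file name mentioned above to list the folders that already hold a ransom note, oldest note first, together with files changed shortly before each note appeared. That notes are left in the folders the malware has processed, the 10-minute window, and the sample folder tree are assumptions made for the example.

```python
import os
import tempfile

NOTE_NAME = "decrypt_instruction.html"  # note name from the post, lower-cased
WINDOW_SECONDS = 600  # assumption: flag files changed up to 10 min before the note
BASE = 1_400_000_000  # constructed timestamp base for the sample tree

def find_ransom_notes(root):
    """Return [(note_mtime, folder, suspect_files)], oldest note first."""
    hits = []
    for folder, _dirs, files in os.walk(root):
        notes = [f for f in files if f.lower() == NOTE_NAME]
        if not notes:
            continue
        note_time = os.path.getmtime(os.path.join(folder, notes[0]))
        suspects = []
        for name in files:
            if name.lower() == NOTE_NAME:
                continue
            age = note_time - os.path.getmtime(os.path.join(folder, name))
            if 0 <= age <= WINDOW_SECONDS:
                suspects.append(name)
        hits.append((note_time, folder, sorted(suspects)))
    return sorted(hits)

def build_sample_tree(root):
    """Constructed sample: two folders holding a note, one untouched folder."""
    layout = {
        "backup_of_backup": [("DECRYPT_INSTRUCTION.HTML", 1000),
                             ("old.doc", 900), ("readme.txt", 10)],
        "documents": [("Decrypt_Instruction.html", 5000), ("taxes.xls", 4800)],
        "photos": [("cat.jpg", 50)],
    }
    for folder, entries in layout.items():
        os.makedirs(os.path.join(root, folder))
        for name, offset in entries:
            path = os.path.join(root, folder, name)
            with open(path, "w") as fh:
                fh.write("sample")
            os.utime(path, (BASE + offset, BASE + offset))

def demo():
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return [(os.path.basename(f), s) for _t, f, s in find_ransom_notes(root)]

if __name__ == "__main__":
    for folder, suspects in demo():
        print(folder, suspects)
```

The folder at the top of the output is where the oldest note sits, which helps decide which backups are still worth trusting.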
How to prevent it
If running a top-notch AV doesn’t catch this, and it attacks your backups too, what can you do?
The information page at BleepingComputer recommends changing a lot of your security and permissions settings in Windows so that even if you get infected, Cryptowall and similar malwares can’t actually execute. This is a challenging task for most users, and the advised settings today may not be good enough six months from now. Fortunately, John Nicholas Shaw at FoolishIT created CryptoPrevent. It’s a small, free utility that automatically makes those system changes for you. And if you pay $15 for the premium version, it will automatically update itself as the malware evolves, and one license lets you install it on every PC in your household. No matter what AV and firewall you run, this will provide a terrific second layer of defense.
I did a lot of research about this tool and its creator, and he’s well-established as a developer of effective, trustworthy security apps. I’ve been running CryptoPrevent Premium in default mode for close to a month, and it hasn’t caused a single hiccup on any of my systems.
Antivirus with behavioral blocking
I’m not sure why so many top AV softwares and firewalls miss this piece of malware. But my research found that a few catch it – and even if they somehow miss a brand new version of it, they block CryptoWall from encrypting your files. This is called “behavioral blocking”, and it’s the best protection against “zero-day threats” (brand new malwares that the AV companies haven’t even had time to add to their libraries yet). Again, I did a lot of research and came up with Emsisoft Internet Security (AV + firewall) as the best paid option, and Comodo Internet Security as the best free option (in general, it tests close to equally with Emsisoft, which is really impressive – it’s just a little less user-friendly than Emsisoft). I put Emsisoft on my main PC and Comodo on a very slow, old computer for a relative who isn’t at all tech savvy. I used to use Comodo exclusively way back when, and my only criticism is that it sometimes advises you to call a tech expert to help remove something it’s quarantined when that’s really not needed. Just ignore that.
I installed Malwarebytes’ Anti-Exploit, the free version, which comes from the same people who make Malwarebytes, a highly regarded free malware scanner and cleaner (which I’ll mention in a moment). Anti-Exploit is supposed to stop any exploit that comes through your browser – kind of like CryptoPrevent, but for browsers – and it also shields Java, which is very commonly exploited by malware. The paid version ($24.95) adds PDF readers – another common exploit – media players and Microsoft Office, and allows you to custom add shields. I’ve been using it for well over a year now, and it’s caught several attackers. It tends to freeze up your whole browser when something happens, and then when you force the browser to shut down, the Anti-Exploit window pops up to tell you it stopped an attack.
Safeguarding your browser
I also did a ton of reading about which browser is safest. I found one website claiming Firefox is the least safe, but most experts still regard it as safest. As far as I can make out, Firefox with the right add-ons is your safest option. So whether you use Firefox or not, be sure to install an ad-blocker like AdBlock Plus. I hate to say that because, obviously, I make some of my living by running ads on my sites and so do a lot of you. I do turn AdBlock off on some sites that depend on ad revenue and stick to higher-quality ads. So a second add-on I use is WebOfTrust. It lets you know if the site you’re visiting is trustworthy, and if it’s not it will block you and ask if you’re sure you want to proceed.
Run the occasional Malwarebytes scan
Get Malwarebytes – the free version will do – and run regular scans. Malwarebytes did find the Cryptowall trojans on my computer, which is more than other AVs did. Recently it also found a PUP – not actual malware, but a bit of code advertisers use to install toolbars and stuff like that – which Emsisoft had missed (though this proves Emsisoft’s behavior blocking is working as promised, because this PUP hadn’t done anything). No AV catches everything, and that’s why Malwarebytes scans are a great second layer of protection.
LastPass or another password keeper
There are two reasons why it’s vital to use LastPass or a similar program. First, it enables you to have incredibly strong passwords, different ones for every site, without needing to memorize them. You need to remember one strong password to log into LastPass, and it remembers the rest for you, and it’s all encrypted so even they can’t read your passwords. Second, if you have a keylogger trojan on your system, it will sit quietly in the background sending everything you type to criminals. LastPass fills in the logins without you having to type them, so those will be safe even on an infected system. It also generates strong passwords for you on the fly.
And now it performs a “security audit” automatically, showing you any logins you have that are weak or are duplicates of others. LastPass is free, but $12/year buys some additional features such as the ability to use it on tablets and phones (there’s a bit of hassle setting it up on iPhones and iPads, but once you do, it works like a charm – actually, this is now very easy).
VirusTotal.com is a brilliant website on which you can check a link to a page you want to visit or an actual download link before you visit/download it. It runs about 60 scans on each file, and you can see if the link has been scanned by another user recently to save yourself the trouble. Now when I download apps or fonts, even from sites I’ve trusted for years, I double check them in VirusTotal first just to make sure they’re clean. It only takes a few seconds.
My new backup strategy
I no longer leave a USB drive hooked up to the computer to do hourly backups, since Cryptowall takes out any mapped drive (one that has a drive letter). You have a couple of options here.
- Cloud backup that does NOT appear as a lettered drive on your PC.
- Only connect your USB backup drive periodically to back up the latest changes, thus minimizing your chances of having it connected at the exact moment a trojan would be targeting it.
- Take system images whenever you make significant changes to your applications.
My personal choice?
- All my frequently updated data files are in the cloud, mostly on Zoho. That’s spreadsheets, documents, etc. I’ve used Zoho for 5 years with maybe 30 minutes of server downtime altogether and none of my documents ever getting corrupted the way Excel frequently does over time. Zoho’s apps have nearly identical functionality to Microsoft Office and Google Docs.
- Through the day, I keep notes of any files I changed or added on my PC hard drive, and at the end of the day I plug in my USB backup drive and update them manually. You could do this with an auto solution, including Windows’ built-in system, but I’ve been failed by auto backups before, which can be corrupted by failing hard drives or lurking infections you don’t know about until later, and just prefer rockin’ it old school.
- Keep a current system image with Macrium Reflect Free. This image can restore your apps and settings, but not your data files. I prefer to back up apps and data separately.
- I need to get a cloud backup solution, too – just because it’s best to have both on-site and off-site backup, in case something happens to both your PC and your local backup drives – and will update this post once I’ve chosen and tested one.
The one sticking point for me right now is, how to back up my system images to the cloud? System image files are huge, and cloud storage for them is expensive. Some people recommend sending a drive with image files to a family member or friend, but I don’t have anyone nearby that I trust that way and really don’t want to have to wait for someone to ship it to me. I’m determined to find a cloud solution and will let you know when I do (unless you let me know of one first!). Also, one of the guys at BleepingComputer is working on a backup software package that beats the malware so far in all his tests, so I’m looking forward to a whole new type of solution like that – then I could go back to my hourly-updating USB attached drive.
How to protect your website visitors
Protect your logins
Your first line of defense is to make sure criminals can’t just log into your website. LastPass protects your FTP, admin page and control panel logins from criminals, even if you’re working on an infected system.
If you have a group site in which other writers may be using weak passwords and/or infected systems, it’s worth investing in an HTTPS certificate. They’re not that expensive these days and many hosts will do all the work for you. These encrypt your logins, thus protecting them in a similar way to what LastPass does.
Reputable ad networks these days do their best to screen out malware-infected ads, but no system is perfect. I’ve been doing this since before networks were very good at screening it out, so the following tips come from experience:
- Set your “floor” to at least 15 cents on any ad network. Most malvertising comes through really cheap ads, which are also usually ugly and repulsive to your readers, anyway. I’ve found 15 cents works pretty well to screen out the ickiest ads without losing you money.
- Block “3rd party” ad feeds if your networks offer them. These are remnant ads over which the network has limited control and limited ability to screen. Yes, this may lose you a bit of revenue, but nothing like what you’ll lose if Google blocks access to your site after detecting malware on it.
- I block ads for gambling, pharmaceuticals, weight loss, adult ads, and “snake oil” ads for the latest miracle fruit or whatever. Those are categories in which malvertising has been found most often.
- Ask any ad network you’re considering working with what they do to screen out malvertising. If they don’t have an answer, run fast.
I also recommend reading about how viruses behave. I once had a reader email me that my site was redirecting her to porn sites. I knew that there are viruses that can cause any site you visit to redirect to something else, so I knew exactly what to test for. I had my host run a scan. I checked for iframes in my WordPress pages (that’s what Gumblar used). I downloaded every WordPress plugin that scanned for malware, and ran scan after scan. Once the host and I both came up empty, and the host agreed with my “diagnosis”, I informed the reader of what we’d done to make sure the site was clean, and that most likely it was an infection in her system. She expressed appreciation for my efforts and the information I gave her.
So I routinely visit the Security forum and front page at Bleeping Computer to see what’s the latest. I also read Krebs on Security. BC does a great job at rapidly testing new virus samples and broadcasting detailed descriptions of their behavior and how to fix them. Krebs tends to wait a bit and then report more in depth, with a focus on the criminals, their motives and suggestions of what they might try next. Between the two, I have a fair idea where to start if my computer starts behaving oddly or if a reader tells me my site did something odd on her computer.
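The iframe check described above can be scripted. The following Python is an added example, not code from this post or from any WordPress plugin: it parses a page’s HTML and reports every iframe that loads from a host outside an allowlist or that is sized or styled to be invisible. The allowlist, the “hidden” heuristics and the sample page with its host names are assumptions constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeAudit(HTMLParser):
    """Record each <iframe> that is off-site or hidden, with its line number."""

    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed_hosts = {h.lower() for h in allowed_hosts}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        reasons = []
        # Relative URLs have no host and are treated as same-site.
        if host and host not in self.allowed_hosts:
            reasons.append("off-site src")
        style = a.get("style", "").replace(" ", "").lower()
        tiny = any(a.get(d, "").strip() in ("0", "1") for d in ("width", "height"))
        if tiny or "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden")
        if reasons:
            self.findings.append((self.getpos()[0], src, reasons))


def audit_page(html, allowed_hosts):
    """Return [(line, src, reasons)] for every suspicious iframe in html."""
    parser = IframeAudit(allowed_hosts)
    parser.feed(html)
    return parser.findings


# Constructed sample page: one allowed embed, one hidden off-site frame,
# one same-site frame referenced by a relative URL.
SAMPLE = """<html><body>
<p>Post text</p>
<iframe src="https://www.youtube.com/embed/abc" width="560" height="315"></iframe>
<iframe src="http://unknown-host.example/frame.html" width="1" height="1" style="visibility: hidden"></iframe>
<iframe src="/wp-content/preview.html" width="300" height="200"></iframe>
</body></html>"""

if __name__ == "__main__":
    for line, src, reasons in audit_page(SAMPLE, {"www.youtube.com"}):
        print(f"line {line}: {src} ({', '.join(reasons)})")
```

Run it against the rendered HTML a visitor receives rather than only the post source, since injected markup can be added in templates or the database.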
As I find more helpful links on this malware, I’m posting them here.