I’ve been away for a while. A big part of the reason was that, for the first time in my 20 years online, I got a computer virus. This nasty bit of malware, Cryptowall 2.0, strolled right past ESET, my highly-rated antivirus and firewall, and began encrypting all my data files. (Cryptowall has also been known to beat Norton, Kaspersky and most of the others.) So I have spent the last month learning about ransomware prevention.
The old malware prevention strategies
Here’s the kind of paranoid user I am:
- I don’t click email links.
- I don’t open attachments unless I’m expecting them.
- I never visit porn or warez sites (which are loaded with malware).
- I don’t download pirated software or music (also loaded with malware).
- I don’t download apps without researching them first.
- I don’t click the Adobe updater popup (because there’s a fake malware version of it). Instead, I use auto-updating.
For 20 years, my strategy – “be paranoid, run a good AV and firewall, and always have up-to-the-hour backups so you can start over from scratch” – has kept me safe, but not anymore. Ransomware targets backups, too.
Paranoia isn’t enough anymore
Had I not noticed my computer fan running more often than normal, this malware would have wrecked my life. Seriously: it would have removed or encrypted all of Windows’ “shadow copies” plus the backups I make constantly in the background on an attached external drive. I would have been left with nothing. And that’s what the criminals want.
Thanks to “malvertising” and trojans like Gumblar, just visiting a legitimate site can download malware. All your old strategies just aren’t good enough anymore, and the whole situation is only going to get worse. And yes, ransomware is starting to target Macs, too.
If you’re wondering how I got it despite all my paranoia: I was running a Lenovo with the built-in Superfish vulnerability. Who knew a manufacturer would add software that compromises the operating system?
As a webmaster, I feel we have a special responsibility to keep our own systems clean. If your computer is infected, someone could get access to your websites and use them to spread malware. This could devastate a small business.
A new anti-malware strategy
I spent a lot of hours researching this nasty at BleepingComputer and other websites. My goal was both to protect my own PC and to do all I can to make sure my websites never infect some unfortunate visitor. In this post, I’m going to show you everything I did for ransomware prevention.
What ransomware does
In the background while you’re using your computer, Cryptowall does the following.
- Encrypts all your data files with military-grade encryption that no one has managed to break yet. If your files are encrypted, that’s how they’ll stay unless you pay the ransom. And the criminals don’t always come through with the decryption key, either.
- Deletes all your “shadow copies” (version backups Windows automatically makes of each file).
- Deletes all your restore points.
- Also encrypts the files on any attached backup drive you are using.
- Once this is all done, when you try to open an encrypted file, it pops up a message informing you you’ll have to pay several hundred dollars to criminals to get a decrypt key.
In short: it encrypts all your data, and all your attached backups of said data, and encrypted they will stay unless you obtain Bitcoins and pay criminals who may or may not send you a working decryption key.
What could have happened
Fortunately, I caught the infection early and my version of Cryptowall chose one of my backups of a backup (oh, yes, I do) to start its encrypting. But that was pure luck, and what might have happened scares the heck out of me.
I had noticed my PC was using a lot more CPU power than usual. Because it was a few years old, I was suspecting hardware failure. Then ESET notified me that it had found a suspicious file called “DECRYPT_INSTRUCTION.HTML”. In this sense, ESET did better than a lot of other AVs. Curious, I searched online for the file name and found BleepingComputer’s fantastic information page. I ran Malwarebytes and it found the actual virus, but because Cryptowall also edits your registry, I felt reformatting was the only way to be sure it was gone. And since I’d already been planning to buy a new PC in the next few months, I just went ahead and did that so I’d also gain the benefit of a more secure version of Windows.
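The behaviors listed above (data files turned into ciphertext, a ransom note dropped beside them) are what a defender can check for on a suspect machine or a backup volume before trusting it. The following is an added example, not code from the post: a small Python scanner that walks a directory tree, flags any file named DECRYPT_INSTRUCTION.HTML (the note ESET found on my machine) and flags files whose contents look like ciphertext by measuring byte entropy. The entropy threshold, the 0.5 "more than half the files" cut-off, and the sample tree it builds are my own assumptions for the demo; compressed archives and images also score high on entropy, so treat the entropy flag as a hint to look closer, not as proof.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Ransom-note filename named in the post. Real families use many other names;
# extend this set from your own incident notes.
RANSOM_NOTE_NAMES = {"DECRYPT_INSTRUCTION.HTML"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or constant data, 8.0 for uniform random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path: Path, threshold: float = 7.5, sample_bytes: int = 65536) -> bool:
    """A high-entropy first chunk suggests ciphertext. Threshold is an assumption;
    compressed formats (zip, jpg, mp3) are known false positives."""
    with path.open("rb") as fh:
        head = fh.read(sample_bytes)
    return len(head) >= 256 and shannon_entropy(head) >= threshold


def scan_tree(root: Path) -> dict:
    """Report ransom notes and suspiciously random-looking files under root."""
    notes, suspicious, total = [], [], 0
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        total += 1
        rel = p.relative_to(root).as_posix()
        if p.name.upper() in RANSOM_NOTE_NAMES:
            notes.append(rel)
        elif looks_encrypted(p):
            suspicious.append(rel)
    # Verdict rule (assumption): any note, or more than half the files looking encrypted.
    mass_encrypted = total > 0 and len(suspicious) / total > 0.5
    return {
        "files": total,
        "ransom_notes": sorted(notes),
        "high_entropy": sorted(suspicious),
        "verdict": "LIKELY_RANSOMWARE" if notes or mass_encrypted else "CLEAN",
    }


def build_sample_tree() -> Path:
    """Constructed sample data for the demo: one normal document, one file whose
    contents were replaced with random bytes (standing in for ciphertext), one note."""
    root = Path(tempfile.mkdtemp(prefix="ransom_demo_"))
    docs = root / "Documents"
    docs.mkdir()
    (docs / "notes.txt").write_text("Meeting notes for Tuesday\n" * 200)
    (docs / "budget.xlsx").write_bytes(os.urandom(4096))
    (docs / "DECRYPT_INSTRUCTION.HTML").write_text("<html>constructed ransom note</html>")
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    for key, value in scan_tree(sample).items():
        print(f"{key}: {value}")
```

Point it at a mounted backup drive before restoring from it; a clean verdict there is the check I wish I had run on my "backup of a backup" before plugging it back in.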
How to prevent it
If running a top-notch AV doesn’t catch this, and it attacks your backups too, what can you do for ransomware prevention?
The information page at BleepingComputer recommends changing a lot of your security and permissions settings in Windows. That way, even if you get infected, Cryptowall and similar malware can’t actually execute. This is a challenging task for most users, and the advised settings today may not be good enough six months from now. Fortunately, John Nicholas Shaw at FoolishIT created CryptoPrevent. It’s a small, free utility that automatically makes those system changes for you. And if you pay for the premium version, it will automatically update itself as the malware evolves. No matter what AV and firewall you run, this will provide a terrific second layer of defense in your ransomware prevention strategy.
I did a lot of research about this tool and its creator, and he’s well-established as a developer of effective, trustworthy security apps. I’ve been running CryptoPrevent Premium in default mode for years, and it hasn’t caused a single hiccup on any of my systems.
Antivirus with behavioral blocking
You could also switch to a better AV.
I’m not sure why so many top AVs and firewalls miss this piece of malware. But my research found that a few catch it – and even if they somehow miss a brand new version of it, they block CryptoWall from encrypting your files. This is called “behavioral blocking”, and it’s the best protection against “zero-day threats” (brand new malware that the AV companies haven’t even had time to add to their libraries yet). Again, I did a lot of research and came up with Emsisoft Internet Security (AV + firewall) as the best paid option. Comodo Internet Security is the best free option. I put Emsisoft on my main PC and put Comodo on a very slow, old computer for a relative who isn’t at all tech-savvy. I used to use Comodo exclusively way back when, and my only criticism is that it sometimes advises you to call a tech expert to help remove something it’s quarantined when that’s really not needed. Just ignore that.
I also run Malwarebytes Premium along with Emsisoft. It’s another real-time AV scanner, and both it and Emsisoft are designed to work alongside other AVs. Malwarebytes looks for exploits just like Emsisoft. I figure two programs are better than one for ransomware prevention, and the free version of Malwarebytes did find the Cryptowall trojans on my computer. That’s more than other AVs did.
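To make “behavioral blocking” concrete: instead of matching a known signature, the AV watches what a process does, and a process that rewrites hundreds of documents in a few seconds gets stopped no matter what it is called. The following is an added example, not code from the post or from any of the products named above. It is a toy of the idea in Python: a sliding-window count of distinct files written and renamed per process, fed with a constructed event stream in which a word processor edits a handful of files over five minutes and an unknown process rewrites 200 files in four seconds. The event format, the process names, the 10-second window and the 50-write/20-rename thresholds are all my assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class FileEvent:
    """One file write as a behavior monitor would see it (constructed format)."""
    t: float                         # seconds since monitoring started
    process: str                     # image name of the writing process
    path: str                        # file that was written
    renamed_to: Optional[str] = None # new name, if the write was paired with a rename


def flag_mass_modifiers(events: List[FileEvent], window: float = 10.0,
                        max_writes: int = 50, max_renames: int = 20) -> dict:
    """Return {process: time_first_flagged} for processes that wrote more than
    max_writes distinct files, or renamed more than max_renames files, inside
    any `window`-second span. Thresholds are assumptions for the demo."""
    flagged = {}
    recent = defaultdict(deque)  # process -> events still inside the window
    for ev in sorted(events, key=lambda e: e.t):
        q = recent[ev.process]
        q.append(ev)
        while q and ev.t - q[0].t > window:   # drop events older than the window
            q.popleft()
        distinct_writes = len({e.path for e in q})
        renames = sum(1 for e in q if e.renamed_to)
        if distinct_writes > max_writes or renames > max_renames:
            flagged.setdefault(ev.process, ev.t)  # remember the first trigger only
    return flagged


def sample_events() -> List[FileEvent]:
    """Constructed stream: normal editing by winword.exe, then a burst from an unknown process."""
    events = []
    for i in range(5):                               # 5 documents edited over 5 minutes
        events.append(FileEvent(t=i * 60.0, process="winword.exe",
                                path=f"Documents/report{i}.docx"))
    for i in range(200):                             # 200 files rewritten and renamed in 4 seconds
        events.append(FileEvent(t=100.0 + i * 0.02, process="suspicious.exe",
                                path=f"Documents/file{i}.docx",
                                renamed_to=f"Documents/file{i}.docx.locked"))
    return events


if __name__ == "__main__":
    for proc, when in flag_mass_modifiers(sample_events()).items():
        print(f"{proc} flagged at t={when:.2f}s")
```

Real products hook the filesystem driver rather than reading a list after the fact, and they act on the first trigger by suspending the process; the interesting design point is the same, though: the decision is made on rate and pattern, so a never-before-seen build of the same malware still trips it.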
Safeguarding your browser
I also did a ton of reading about which browser is safest. I found one website claiming Firefox is the least safe, but most experts still regard it as safest. As far as I can make out, Firefox with the right add-ons is your safest option. So whether you use Firefox or not, be sure to install an ad-blocker like AdBlock Plus. I hate to say that because, obviously, I make some of my living by running ads on my sites and so do a lot of you. I do turn AdBlock off on some sites that depend on ad revenue and stick to higher-quality ads.
LastPass or another password keeper
There are two reasons why it’s vital to use LastPass or a similar program. First, it enables you to have incredibly strong passwords, different ones for every site, without needing to memorize them. You need to remember one strong password to log into LastPass, and it remembers the rest for you. It’s all encrypted so even LastPass employees can’t read your passwords. Second, if you ever get a keylogger trojan on your system, it will sit quietly in the background sending everything you type to criminals. LastPass fills in the logins without you having to type them, so the keylogger would miss them. It also generates strong passwords for you on the fly.
And now it performs a “security audit” automatically, showing you any logins you have that are weak or are duplicates of others. LastPass is free, but $12/year buys some additional features such as the ability to use it on tablets and phones.
VirusTotal.com is a brilliant website that lets you check a link to a page you want to visit, or an actual download link, before you visit or download it. It runs about 60 scans on each file. Now when I download apps or fonts, even from sites I’ve trusted for years, I double-check them in VirusTotal first just to make sure they’re clean. It only takes a few seconds.
My new backup strategy
I no longer leave a USB drive hooked up to the computer to do hourly backups, since Cryptowall takes out any mapped drive (one that has a drive letter). You have a couple of options here.
- Cloud backup that does NOT appear as a lettered drive on your PC.
- Only connect your USB backup drive periodically to back up the latest changes, thus minimizing your chances of having it connected at the exact moment malware would be targeting it.
- Take system images whenever you make significant changes to your applications.
My personal choice for backup
- All my frequently updated data files are in the cloud. I currently use Dropbox for this, but I used to use Zoho Sheets and Zoho Writer, and still recommend them.
- I do a backup every week with the Windows built-in system. I don’t do it more often than that because sometimes you discover malware has been lurking in your system for weeks. Then you’ll need an older backup to restore. (And, again, my most critical, frequently updated files are in the cloud.)
- Keep a current system image made with Macrium Reflect Free. This image can restore your apps and settings, but not your data files. I prefer to back up apps and data separately.
- CrashPlan for Small Business or Carbonite. I happily used Carbonite until I bought a NAS to archive old files. Carbonite charges a lot to back up a NAS. CrashPlan for Small Business does it all for $10/month.
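Two ideas run through the backup strategy above: keep older versions rather than one copy that gets overwritten (so a backup taken while malware was already lurking isn’t your only one), and don’t let a backup job blindly copy encrypted garbage over good data. The following is an added example, not code from the post or from any of the backup products I mention: a Python snapshot script that writes each backup into its own dated folder with a SHA-256 manifest, and refuses to run when the source contains a DECRYPT_INSTRUCTION.HTML or when more than half of the previously backed-up files have changed since the last snapshot. The 50% cut-off, the folder layout and the constructed scenario in `demo()` are my assumptions.

```python
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime
from pathlib import Path
from typing import Optional

MAX_CHANGE_RATIO = 0.5                        # assumption: abort above 50% changed files
RANSOM_NOTE_NAMES = {"DECRYPT_INSTRUCTION.HTML"}  # the note named in the post


def file_digest(path: Path) -> str:
    """SHA-256 of a file, streamed so large files don't load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest_of(root: Path) -> dict:
    """Map relative path -> sha256 for every file under root."""
    return {p.relative_to(root).as_posix(): file_digest(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def latest_manifest(dest: Path) -> dict:
    """Manifest of the newest snapshot folder, or {} on the first run."""
    snaps = sorted(dest.glob("snapshot-*"))
    return json.loads((snaps[-1] / "manifest.json").read_text()) if snaps else {}


def snapshot(src: Path, dest: Path, label: Optional[str] = None) -> dict:
    """Copy src into a new snapshot folder unless the source looks mass-encrypted.
    Earlier snapshots are never touched, so a bad run cannot destroy good copies."""
    current = manifest_of(src)
    previous = latest_manifest(dest)
    # Circuit breaker 1: a ransom note in the source means the data is already hit.
    notes = [p for p in current if Path(p).name.upper() in RANSOM_NOTE_NAMES]
    if notes:
        return {"status": "ABORTED", "reason": f"ransom note present: {notes}"}
    # Circuit breaker 2: too many already-backed-up files changed since last time.
    if previous:
        changed = sum(1 for p, d in previous.items() if p in current and current[p] != d)
        if changed / len(previous) > MAX_CHANGE_RATIO:
            return {"status": "ABORTED", "reason": f"{changed}/{len(previous)} files changed"}
    label = label or datetime.now().strftime("%Y%m%d-%H%M%S")  # sorts chronologically
    snap = dest / f"snapshot-{label}"
    shutil.copytree(src, snap / "data")
    (snap / "manifest.json").write_text(json.dumps(current, indent=1, sort_keys=True))
    return {"status": "OK", "snapshot": snap.name, "files": len(current)}


def demo() -> list:
    """Constructed scenario: first backup, one normal edit, then every file
    overwritten with random bytes (simulating encryption). Returns the three results."""
    src = Path(tempfile.mkdtemp(prefix="src_"))
    dest = Path(tempfile.mkdtemp(prefix="backup_"))
    for i in range(10):
        (src / f"doc{i}.txt").write_text(f"document {i}\n")
    results = [snapshot(src, dest, "001")]
    (src / "doc0.txt").write_text("document 0, edited\n")
    results.append(snapshot(src, dest, "002"))
    for i in range(10):
        (src / f"doc{i}.txt").write_bytes(os.urandom(64))
    results.append(snapshot(src, dest, "003"))
    return results


if __name__ == "__main__":
    for r in demo():
        print(r)
```

Run it from a scheduled task against a drive you plug in only for the backup, and an aborted run is your signal to stop and investigate rather than to retry. The manifest also doubles as an integrity check: re-hashing a snapshot folder and comparing it with its manifest tells you whether the backup itself was tampered with after it was written.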
How to protect your website visitors
I cover this topic more in depth in How to Secure WordPress Blogs.
Protect your logins
Your first line of defense is to make sure criminals can’t just log into your website. LastPass protects your FTP, admin page and control panel logins from criminals, even if you’re working on an infected system.
Get an HTTPS certificate. They’re free nowadays, and many hosts will install them for you. These encrypt your logins, thus protecting them in a similar way to what LastPass does.
Reputable ad networks these days do their best to screen out malware-infected ads, but no system is perfect. I recommend AdThrive, Adsense, and Sovrn. But I’ve been doing this since before networks were very good at screening it out, so the following tips apply if you work with networks you’re not sure about:
- Set your “floor” to at least 15 cents on any ad network. Most malvertising comes through really cheap ads, which are also usually ugly and repulsive to your readers, anyway.
- Block “3rd party” ad feeds if your networks offer them. These are remnant ads over which the network has limited control and limited ability to screen.
- I block ads for gambling, pharmaceuticals, weight loss, “adult” ads, and “snake oil” ads for the latest miracle fruit or whatever. Those are categories in which malvertising has been found most often.
- Ask any ad network you’re considering working with what they do to screen out malvertising. If they don’t have an answer, run away.
Educate yourself on ransomware prevention
I also recommend reading about how malware behaves. I routinely visit the Security forum and front page at Bleeping Computer. I also read Krebs on Security. Bleeping Computer does a great job testing new virus samples and giving detailed descriptions of their behavior and how to fix them. Krebs tends to wait a bit and then report more in depth, with a focus on the criminals, their motives, and suggestions of what they might try next. Between the two, I have a fair idea where to start if my computer starts behaving oddly or if a reader tells me my site did something odd on her computer.
As I find more helpful links on this malware, I’m posting them here.
- The Cisco Blog – lots of technical research on CryptoWall 2.0, especially with regard to how Cisco server products can help protect businesses. [Added 1-7-15]
- Computer World – really nice “in English, please” version of the Cisco article, detailing exactly what Cryptowall does to evade defenses.