All Blogs

Business Downtime: Ransomware’s Biggest Cost

Ransomware, such as CryptoLocker, is based on extorting money from computer users in order to regain access to their documents. Contrary to conventional thought, business downtime is ranked as the biggest cost associated with ransomware, not the ransom itself. An outbreak such as this creates two hard choices for businesses: either spend multiple days recovering locked files from backups or pay ransom to criminals. In either scenario, businesses are likely to face major downtime that far outweighs the cost of the ransom.  With such high stakes, how do you keep you and your business safe?

Ransomware Email Example

It’s extremely important to have a good backup system for critical files, which will help lessen the damage caused by the infection. Knowing what to look out for, however, is crucial in keeping ransomware from taking over your files in the first place. This infection is typically spread through emails that appear to be customer support related issues, like the one below:

—–Original Message—–
From: John Doe [mailto:John@mydomain.com]
Sent: Tuesday, October 15, 2013 10:34 AM
To: Jane Doe
Subject: Annual Form – Authorization to Use Privately Owned Vehicle on State Business
All employees need to have on file this form STD 261 (attached). The original is retained by supervisor and copy goes to Accounting. Accounting need this form to approve mileage reimbursement.
The form can be used for multiple years, however it needs to re-signed annually by employee and supervisor.
Please confirm all employees that may travel using their private car on state business (including training) has a current STD 261 on file. Not having a current copy of this form on file in Accounting may delay a travel reimbursement claim.

These emails usually include a zip attachment which contains executable files disguised as PDF files and are named something like FORM_101513.exe or FORM_101513.pdf.exe. Since Microsoft does not show extensions by default, they look like normal PDF files and users often open them. Once the PDF is opened, the virus saves itself to a folder in the user’s profile and adds a key to the registry to allow it to run every time the computer starts up. It then encrypts files stored on local and network drives. The virus then displays a message offering to decrypt the data if a payment is made.

Known CryptoLocker Email Subjects

It’s easy to see why ransomware is so widespread. The emails look legitimate and urge people to take some form of action. Stay protected by being particularly wary of emails from senders you don’t know, especially those with attached files. Below is a partial list of known CryptoLocker email subjects. This list is not complete, but shows examples of what to look out for.

  • USPS – Your package is available for pickup ( Parcel 173145820507 )
  • USPS – Missed package delivery
  • ADP Payroll: Account Charge Alert
  • ADP Reference #09903824430
  • Important – Attached Form
  • McAfee Always On Protection Reactivation
  • Scan from a Xerox WorkCentre
  • Annual Form – Authorization to Use Privately Owned Vehicle on State Business
  • My Resume
  • Voice Message from Unknown (675-685-3476)
  • Important – New Outlook Settings
  • FW: Payment Advice – Advice Ref:[GB293037313703] / ACH credits / Customer Ref:[pay run 14/11/13]
  • New contract agreement
  • Notice of underreported income
  • Payment Overdue – Please respond
  • Payroll Invoice
  • Corporate eFax message from random phone # & number of pages
  • FW: Case FH74D23GST58NQS
  • USPS – Missed package delivery (“USPS Express Services” <service-notification@usps.com>)
  • FW: Invoice <random number>
  • ACH Notification (“ADP Payroll” <*@adp.com>)
  • Payroll Received by Intuit
  • FW: Last Month Remit
  • Scanned Image from a Xerox WorkCentre
  • Scanned from Xerox
  • Fwd: IMG01041_6706015_m.zip
  • New Voicemail Message
  • Voice Message from Unknown Caller (344-846-4458)
  • Scan Data
  • Payment Advice – Advice Ref:[GB2198767]
  • Important Notice – Incoming Money Transfer
  • FW: Check copy
  • USBANK
  • Past Due Invoices
  • Symantec Endpoint Protection: Important System Update – requires immediate action

Contact MidnightBlue

If you have more questions or fall victim to ransomware, please call us at 412.342.3800. Our team will answer all your questions and work with you to get you back up and running!

Sources:
http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information#files
https://www.intermedia.net/press-release/report-identifies-ransomwares-biggest-cost-to-be-business-downtime