Recommendations to prevent infection by malicious encryption ransomware such as Vault and others

Computer Emergency Response Team KZ-CERT alarms the users about recent massive distribution of letters with malicious attachments able to encrypt data of popular formats: office documents (Word documents, Excel spreadsheets, 1C databases, images, archive files and others).

As a rule, the letter contains file in attachment or reference to it (the format might be different, we met exe, scr files (programs) and js scripts). In theory, the methods of format masquerading might be used, e.g. double extension: Счет на оплату.doc.exe. The user thinks that he opens Word document. However, in reality, the file is malware. Immediately after execution of attachment PC’s infection by encryption ransomware occurs. In recent times in most cases, the malicious object creates files with Vault extension. In order to decrypt the data the fraudsters extort the money.

We need to highlight that for now in most cases the decryption of data is impossible!

The samples of letters:

--------------------------------

Приветствуем! Мы со своей стороны понимаем, что на дворе кризис, но все же мое начальство распорядилoсь подписать с Вами акт сверки (см. приложение) и отобразить актуальный долг. Будьте добры просмотреть приложенный акт и сориентировать по срокам оплаты.

--------------------------------

Сообщите, пожалуйста, как долго нам придется ждать перечисления средств за услуги, оказанные в позапрошлом месяце? Нашей канцелярией еще в сентябре высылались Вам оригиналы счетов. Если же в связи с какими-либо обстоятельствами Вами они получены не были, я высылаю сканы - см. приложение. Большая просьба ответить.

--------------------------------

Письмо без текста (только вложение, либо ссылка) с темами: Счет фактура на оплату, Счет на оплату от 30.10.2015 и похожие.

--------------------------------

We ask to exercise caution and avoid execution of unknown applications in emails gotten from unknown sources.

In addition, it is important to notify in advance and explain the situation to people who works with critical to company information: accountants, lawyers, economists, managers, sales department etc.

The fraudsters intentionally choose the topics and contents of letters that able to attract aforementioned specialists, since information located in computers of managers and key stuff of company is most valuable (and sometimes, critically important, e.g., files of 1С:Enterprise when missing the backups on other PCs), in this case the probability of getting the ransom is higher.

Please inform about this threat your family and acquaintances, especially elders since they not always have the skills to detect malicious letter and might accidently encrypt their data.

Recommendations from antivirus companies to prevent encryption of your data by fraudsters (information gotten from open sources).

Dr. Web:

http://download.geo.drweb.com/pub/drweb/windows/workstation/9.0/documentation/html/ru/main_preventiveprotection.htm

http://download.geo.drweb.com/pub/drweb/windows/workstation/9.0/documentation/html/ru/main_preventiveprotection.htm#dataloss

Video about customization of Dr.Web Security Space: part Proactive protection, only for versions 9 and above: http://support.drweb.com/video/security_space/?lng=ru

Kaspersky Lab:

Protection against encryption ransomware in Kaspersky Endpoint Security 10 for Windows Workstations (for corporate versions) http://support.kaspersky.ru/10905

Protection against encryption ransomware in Kaspersky Internet Security 2015 http://support.kaspersky.ru/11151

Protection against encryption ransomware in Kaspersky Total Security 2016 http://support.kaspersky.ru/12427

Information for antivirus companies: If your products have proactive (heuristic) methods to prevent encryption using behavior analysis, please inform us via email info@kz-cert.kz and point out the links to the articles where the description of these technologies and instructions to customize the products are given, and after analysis we will be able to add your products to this document.

Remarks: we unable to publish the detection of known samples by signature based methods since the user will not be protected in case of issue of new modifications.

General recommendations to protect data from encryption by ransomware (including files with vault extension):

1. Avoid execution of email attachments from unknown sources.

In most cases encryption ransomware are distributed via email attachments. The objective of fraudster is to enforce the user to open email attachment, that’s why the letters have ominous titles: send urgently, approve, check.

2. Make in time update of antivirus base, operating system and other software.

Update you antivirus in regular base. Together with antivirus bases update of software components, improvement of existed functions and adding of new one occurs. Also, make in time updates of operating system and other software you use.

3. Create backups of files and save them outside the PC.

Store backups outside the PC (e.g. on removable drivers or cloud storage) and in encrypted form. Thus, you protect files not only from encryption ransomware but also from hardware failures.

4. Customize the access to public network folders.

If you use public network folders, we recommend creation of separate network folder for each user. At this, only the owner of the folder have the rights to write. Thus, in case of infection of one computer, file encryption occurs only on one network folder. Otherwise, the infection of one computer might lead to encryption of all documents within all network folders.

Similar problem we see in other countries.

Please inform us about any suspicious letters, pages in Internet via short number 1400 or via email info@kz-cert.kz.