Ransomware -- Should You Pay?

It’s been barely 19 months since the CryptoLocker virus started infecting computers around the world, but in that relatively brief time it has made a significant impression on thousands (some say millions) of computer users.  It has also spawned a whole new category of cyber-criminal activity, known as encrypting ransomware.

My First-Ever Virus Alert

In the 12+ years I’ve been operating as The Virus Doctor™, I have never issued a general Virus Alert to all of my clients and subscribers to my e-mail list – until now.  In the past week I have learned of a very widespread virus outbreak that could ensnare even the most cautious users of the Internet and e-mail.

This outbreak crippled a major hospital in the Texas Medical Center, in Houston, and surely many other computer users around the United States.  But unlike some viruses you may have heard about on the evening news, this one has gone mostly unreported in the news media.

CryptoLocker -- Game-changing malware

One of the most widespread pieces of malware making the rounds these days is an updated version of a payload that first appeared quite a few years ago.  This malware, known as CryptoLocker, is a form of "ransomware," a program that holds the user's data files hostage until that user pays to have those files released.  I wrote about this type of malware in my book, Bug-Free Computing:  Stop Viruses, Squash Worms, and Smash Trojan Horses, original Copyright 2005.  But CryptoLocker is a much more sophisticated variant of this attack.

All of the major anti-virus software vendors are aware of CryptoLocker, and many have written about it.  There has also been a lot of misinformation and bad advice on the subject from various sources, even some that would normally be considered reputable.  Rather than attempt to reinvent this wheel here, I will offer my general observations and recommendations, followed by a link to a blog post that I believe does an excellent job of presenting the facts about CryptoLocker.

How did that computer get infected? Not the way you think!

When a computer is infected with a virus today, many IT support technicians assume the user contracted that infection as a result of visiting a pornographic web site.  In fact, that represents a small percentage of the infections that are occurring with the current generation of malware.  That was a much more common infection vector in years past, but not so much in 2013.

Before going into a list of ways a computer can become infected, it may be productive to state the obvious -- no rational computer user deliberately sets out to do anything that will lead to a virus infection on their computer.  Some may engage in what they know is risky behavior, but will usually heed a warning that clicking on a link or downloading a file may cause their computer to become infected.

How do you deal with the latest FBI virus?

The latest variant of the widespread FBI Moneypak virus has become one of the most difficult malware challenges facing the IT support tech in recent years.  The main source of this difficulty is the fact that the malware disables the boot options on the infected computer.  Thus the tech is unable to boot into Safe Mode or Safe Mode with Command Prompt.

Following extensive research and communications with some of the leading anti-virus vendors in the world, The Virus Doctor™ has developed a simple, mostly automated procedure that cleans these infections in about 10 minutes.  This procedure and the tools necessary to carry it out are now included in the Virus Remediation Training workshops.

In the absence of a procedure such as this, most technicians have been dealing with this malware in one of three ways:

Should You Clean a Virus Infection, or Wipe and Reload Everything?

This is a question that is frequently asked by IT support technicians, and it generates strong opinions on both sides of the argument. Usually those discussions in online forums generate more heat than light, with a lot of “mine is bigger than yours” and “you’re just lazy” themes.

To save you the suspense of reading to the end, I will give you the definitive answer to this question right now. It is never in your best interest, and rarely in the client’s best interest, for you to wipe and reload the system. Clear enough?

What to do about Java?

In recent months the programming language Java has been in the news a lot, mainly because of its association with virus infections. By most reliable accounts, over one-half of all recent malware infections have been accomplished by exploiting vulnerabilities in Java.

Java was first released in 1995 by Sun Microsystems, which was subsequently acquired by database software company Oracle. According to the Oracle web site, "Java runs on more than 850 million personal computers worldwide, and on billions of devices worldwide, including mobile and TV devices."

The Downside of Adobe Reader

Adobe Reader is one of the most popular programs in the computing universe. Almost every computer has some version of this free program installed, whether it's a PC, a Mac, or virtually any other computer and operating system.

In a stroke of marketing genius, Adobe established this program early on as the standard for producing documents that look identical across any platform. They accomplished this objective by giving away the Reader program (also known as Acrobat Reader) free of charge to anyone who requests it.

The Changing Faces of Rogue Security Programs

One of the most common forms of malware today is the Rogue Security Program, or simply "Rogue." These programs pop up on the user's computer, usually at the time of Windows startup, and claim to have found problems on that computer.

Early rogues represented themselves as anti-virus programs and typically displayed a list of threats allegedly found on this computer. In many cases they would appear to be running a scan, complete with a moving progress bar and a count of malware items detected.